12.5. Advanced Features of BIND
Most BIND implementations only use named to provide
name resolution services or to act as an authority for a particular
domain or sub-domain. However, BIND version 9 has a number of advanced
features that allow for a more secure and efficient DNS service.
Some of these advanced features, such as DNSSEC, TSIG, and IXFR,
should only be used in network environments with nameservers that
support the features. If your network environment includes non-BIND or
older BIND nameservers, check to see if a particular advanced feature
is available before attempting to use it.
All of the features mentioned here are discussed in greater detail in
the BIND 9 Administrator Reference Manual. See
Section 12.7.1 Installed Documentation for more information.
12.5.1. DNS Protocol Enhancements
BIND supports Incremental Zone Transfers (IXFR), where slave
nameserver will only download the updated portions of a zone modified
on a master nameserver. The standard transfer process requires that
the entire zone be transferred to each slave nameserver for even the
smallest change. For very popular domains with very lengthy zone files
and many slave nameservers, IXFR makes the notification and update
process much less resource intensive.
Note that IXFR is only available if when using dynamic
updating to make changes to master zone records. If
manually editing zone files to make changes, AXFR is used. More
information on dynamic updating is available in the BIND 9
Administrator Reference Manual. See Section 12.7.1 Installed Documentation for more information.
12.5.2. Multiple Views
Through the use of the view statement in
named.conf, BIND can present different
information depending on who is making the request.
This is primarily used to deny sensitive DNS entries from clients
outside of the local network, while allowing queries from clients
inside the local network.
The view statement uses the
match-clients option to match IP addresses or entire
networks and give them special options and zone data.
BIND supports a number of different methods to protect the updating
and transfer of zones, on both master and slave nameservers:
DNSSEC — Short for DNS
SECurity, this feature allows for zones to be
cryptographically signed with a zone key.
In this way, the information about a specific zone can be verified
as coming from a nameserver that has signed it with a particular
private key, as long as the recipient has that nameserver's public
BIND version 9 also supports the SIG(0) public/private key method
of message authentication.
TSIG — Short for
Transaction SIGnatures, this feature allows
a transfer from master to slave is authorized only after verifying
that a shared secret key exists on the master and slave servers.
This feature strengthens the standard IP address-based method of
transfer authorization. An attacker would not only need to have
access to the IP address to transfer the zone, but they would also
need to know the secret key.
BIND version 9 also supports TKEY, which is
another shared secret key method of authorizing zone transfers.
12.5.4. IP version 6
BIND version 9 can provide nameservice in IP version 6 (IPv6)
environments through the use of A6 zone records.
If the network environment includes both IPv4 and IPv6 hosts, use the
lwresd lightweight resolver daemon on all network
clients. This daemon is a very efficient, caching-only nameserver
which understands the new A6 and
DNAME records used under IPv6. See the
lwresd man page for more information.