Diffstat (limited to 'contrib/bind/doc')

-rw-r--r--  contrib/bind/doc/man/dig.1                11
-rw-r--r--  contrib/bind/doc/man/dnssigner.1         213
-rw-r--r--  contrib/bind/doc/man/host.1                1
-rw-r--r--  contrib/bind/doc/man/nslookup.8            6
-rw-r--r--  contrib/bind/doc/misc/IPv6                72
-rw-r--r--  contrib/bind/doc/misc/dns-setup         1081
-rw-r--r--  contrib/bind/doc/secure/copyright.txt     28
-rw-r--r--  contrib/bind/doc/secure/install.txt      155
-rw-r--r--  contrib/bind/doc/secure/readme.txt        93
-rw-r--r--  contrib/bind/doc/secure/usage.txt        215

10 files changed, 11 insertions, 1864 deletions
diff --git a/contrib/bind/doc/man/dig.1 b/contrib/bind/doc/man/dig.1
index 67995591452c..e150b0418930 100644
--- a/contrib/bind/doc/man/dig.1
+++ b/contrib/bind/doc/man/dig.1
@@ -1,3 +1,4 @@
+.\" $FreeBSD$
.\" $Id: dig.1,v 8.9 2002/06/18 01:53:43 marka Exp $
.\"
.\" ++Copyright++ 1993
@@ -99,7 +100,7 @@ may be either a domain name or a raw (IPv4 / IPv6)
Internet address. If this optional field is omitted,
.Ic dig
will attempt to use the default name server for your machine.
-.sp 1
+.Pp
.Em Note :
If a domain name is specified, this will be resolved
using the domain name system resolver (i.e., BIND). If your
@@ -128,11 +129,10 @@ environment variable
to name a file which is to
be used instead of
.Pa /etc/resolv.conf
-.Po Ns Ev LOCALRES
+.Ns Ev (LOCALRES
is specific to the
.Ic dig
-resolver and is not referenced by the standard resolver
-.Pc .
+resolver and is not referenced by the standard resolver).
If the
.Ev LOCALRES
variable is not set or the specified file
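Review bot: `.Ns Ev (LOCALRES` fuses the opening parenthesis into the `.Ev` argument, so it is rendered in the environment-variable font as part of the name rather than as plain punctuation, while the matching `)` on the `resolver and is not referenced by the standard resolver).` line is ordinary text; the two halves of the parenthetical will not match visually. Either keep the `.Po`/`.Pc` pair the old lines used, or pass the parenthesis as its own delimiter argument (`.Ev ( LOCALRES`), which mdoc prints unstyled with no space after it.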
@@ -645,7 +645,8 @@ structure.
.Sh ENVIRONMENT
.Bl -tag -width "LOCALRES " -compact
.It Ev LOCALRES
-file to use in place of Pa /etc/resolv.conf
+file to use in place of
+.Pa /etc/resolv.conf
.It Ev LOCALDEF
default environment file
.El
diff --git a/contrib/bind/doc/man/dnssigner.1 b/contrib/bind/doc/man/dnssigner.1
deleted file mode 100644
index 1fb4ce4623c2..000000000000
--- a/contrib/bind/doc/man/dnssigner.1
+++ /dev/null
@@ -1,213 +0,0 @@
-.\" Copyright (c) 1996 by Internet Software Consortium
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
-.\" ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
-.\" OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
-.\" CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
-.\" DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
-.\" PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
-.\" ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
-.\" SOFTWARE.
-.\"
-.\" $Id: dnssigner.1,v 8.2 1997/03/14 02:29:42 vixie Exp $
-.\"
-.Dd October 25, 1996
-.Dt DNSSIGNER @CMD_EXT_U@
-.Os BSD 4
-.Sh NAME
-.Nm dnssigner
-.Nd add signatures to DNS zone files
-.Sh SYNOPSIS
-.Nm dnssigner
-.Op Cm signer-name Ar default_signer
-.Op Cm boot-file Ar file
-.Op Cm debug-file Ar file
-.Op Cm out-dir Ar directory
-.Op Cm seq-no Ar number
-.Oo
-.Cm expiration-time
-.Oo Po Cm +
-.Ns \&|
-.Ns Cm =
-.Pc Oc
-.Ns Ar time
-.Oc
-.Op Cm hide
-.Op Cm noaxfr
-.Op Cm nosign
-.Op Cm verify
-.Op Cm update-zonekey
-.Op Fl d Ns Ar level
-.Sh DESCRIPTION
-.Ic Dnssigner
-(Sign DNS zone database) is a tool to generate signatures
-for DNS (Domain Name System) resource records. It also generates
-NXT records for each zone.
-.Pp
-.Bl -tag -width Fl
-.It Cm signer-name Ar default_signer
-Specifies a name of the key to use if no signer is defined using the
-.Em Li $SIGNER
-directive in the boot files.
-.It Cm boot-file Ar file
-Specifies the control file for
-.Ic dnssigner ,
-which is in the same format as the BIND-4
-.Pa named.boot
-file.
-.It Cm debug-file Ar file
-Redirect debug output to the specified
-.Ar file ;
-default is
-.Pa signer_out
-in the current directory.
-.It Cm out-dir Ar directory
-Write signed files to thie specified
-.Ar directory ;
-default is to use
-.Pa /tmp .
-.Pp
-.Sy NOTE :
-Specify the full path to this directory; relative paths may not work.
-.It Xo Cm expiration-time
-.Oo Po Cm +
-.Ns \&|
-.Ns Cm =
-.Pc Oc
-.Ns Ar time
-.Xc
-Time when the signature records are to
-expire. Using either
-.Dq Cm =
-or
-.Em no
-sign before the
-.Ar time
-argument
-.Po i.e.,
-.Do Op Cm =
-.Ns Ar time
-.Dc
-.Pc ,
-the
-.Ar time
-is interpreted as an absolute time in seconds when the records will expire.
-.Po Sy NOTE :
- All such times are interpreted as Universal Times.
-.Pc
-With
-.Dq Cm +
-specified
-.Pq i.e., Dq Cm + Ns Ar time ,
-the
-.Ar time
-time is interpreted as an offset into the future.
-.Pp
-If not specified on the command line, the default
-.Cm expiration-time
-is 3600*24*30 sec (30 days).
-.It Cm seq-no Ar number
-Force the serial number in the SOA records to the specified value.
-If this parameter is not set, the serial number will be set to a value
-based on the current time.
-.It Cm hide
-This flag will cause NXT records in zones with wildcard
-records to point to
-.Li *.<zone>
-as the next host. The purpose of this
-flag is to hide all information about valid names in a zone.
-.It Cm noaxfr
-Turn of generation of zone transfer signature records,
-which validate the transfer of an entire zone.
-.It Cm nosign
-When this flag is specified, the boot files are read, NXT
-records are generated and zone file is written to the output
-directory. No SIG records are generated. This flag is useful for
-quickly checking the format of the data in the boot files, and to
-have boot files sorted into DNSSEC order.
-.It Cm verify
-When this flag is present,
-.Ic dnssigner
-will verify all
-signed records and print out a confirmation message for each SIG
-verified. The main use of this flag is to see how long it takes to
-generate each signature.
-.It Cm update-zonekey
-If this flag is specified, then the zonekeys used
-to sign files will be updated with new records. Specify this flag if
-one or more of the keys have been updated. If there are no zonekeys
-specified in the boot files, this flag will insert them. Omitting
-zonekeys will cause primary nameservers to reject the zone.
-.It Fl d Ns Ar level
-Debug level to use for running
-.Ic dnssigner ;
-these levels are the same as those used by
-.Xr @INDOT_U@NAMED @SYS_OPS_EXT_U@
-.El
-.Ss DETAILS
-.Ic Dnssigner
-reads BIND-4
-.Pa named.boot
-and zone files, adds SIG and NXT
-records and writes out the records (to one file per zone, regardless of
-how many include files the original zone was in). The files generated by
-.Ic dnssigner
-are ordinary textual zone files and are then normally
-loaded by
-.Xr @INDOT_U@NAMED @SYS_OPS_EXT_U@
-to serve the zone.
-.Ic Dnssigner
-\fBrequires that the PRIVATE key(s) reside in the input directory\fP.
-.Pp
-Making manual changes to the output files is hazardous, because most
-changes will invalidate one or more signatures contained therein. This
-will cause the zone to fail to load into
-.Xr @INDOT_U@NAMED @SYS_OPS_EXT_U@ ,
-or will cause subsequent
-failures in retrieving records from the zone. It is far better to make
-changes in
-.Ic dnssigner's
-input files, and rerun
-.Ic dnssigner .
-.Pp
-When
-.Ic dnssigner
-detects a delegation point, it creates a special file
-.Pa <zone_name>.PARENT
-which contains the RR's the parent zone signs for the
-child zone (NS, KEY, NXT). The intent is that the child will include this
-file when loading primary nameservers. Similarly, each zone file ends
-with the
-.Dq Li #include <zone_name>.PARENT
-command. The records
-in the
-.Pa .PARENT
-files are omitted from the SIG(AXFR) calculations as these
-records usualy are on a different signing cycle.
-.Pp
-The
-.Em Li Dq $SIGNER Op Ar keyname
-directive can be used to change signers in a
-zone. If
-.Ar keyname
-is omitted, signing is turned off. Keys are loaded the
-first time the keys are accessed. Only records that are signed by the
-zone signer (the key that signs the SOA) are included in the SIG(AXFR)
-calculation. It is not generally recommended that multiple keys sign
-records in the same zone, unless this is useful for dynamic updates.
-.Sh ENVIRONMENT
-No environmental variables are used.
-.Sh SEE ALSO
-.Xr @INDOT_U@NAMED @SYS_OPS_EXT_U@ ,
-RSAREF documentation,
-Internet-Draft
-.Em draft-ietf-dnssec-secext-10.txt
-on Secure DNS, or its successor.
-.Sh AUTHOR
-Olafur Gudmundsson (ogud@tis.com)
-.Sh ACKNOWLEDGMENTS
-The underlying crypto math is done by the RSAREF or BSAFE libraries.
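Review bot: removing dnssigner.1 outright needs the matching cleanup elsewhere in the tree: any SEE ALSO cross-reference to dnssigner(1), the entry that installs the page, and the tool itself if it is no longer built. None of that is visible in this diff, which is limited to contrib/bind/doc. If the page is going because the tool it describes (BIND-4 named.boot input, RSAREF/BSAFE signing, draft-ietf-dnssec-secext-10) is obsolete in the BIND version being imported, the commit message should say so.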
diff --git a/contrib/bind/doc/man/host.1 b/contrib/bind/doc/man/host.1
index 858bd6e7b863..ae5736ab0124 100644
--- a/contrib/bind/doc/man/host.1
+++ b/contrib/bind/doc/man/host.1
@@ -1,3 +1,4 @@
+.\" $FreeBSD$
.\" ++Copyright++ 1993
.\" -
.\" Copyright (c) 1993
diff --git a/contrib/bind/doc/man/nslookup.8 b/contrib/bind/doc/man/nslookup.8
index 54c45b67d9a7..e33993ca3ddc 100644
--- a/contrib/bind/doc/man/nslookup.8
+++ b/contrib/bind/doc/man/nslookup.8
@@ -53,6 +53,7 @@
.\" --Copyright--
.\"
.\" @(#)nslookup.8 5.3 (Berkeley) 6/24/90
+.\" $FreeBSD$
.\"
.Dd June 24, 1990
.Dt NSLOOKUP @SYS_OPS_EXT_U@
@@ -111,8 +112,9 @@ or type
The command line length must be less than 256 characters.
To treat a built-in command as a host name,
precede it with an escape character
-.Pq .&\\ .
-.Sy N.B.: An unrecognized command will be interpreted as a host name.
+.Pq \e
+.Sy N.B.:
+An unrecognized command will be interpreted as a host name.
.Bl -tag -width "lserver"
.It Ar host Op Ar server
Look up information for
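Review bot: the new `.Pq \e` line drops the sentence-ending period that the old `.Pq .&\\ .` line carried as its trailing ` .` argument, so the rendered text now runs "precede it with an escape character (\) N.B.: An unrecognized command ..." with no full stop before the note. Use `.Pq \e .` so mdoc emits the period after the closing parenthesis. Moving the sentence off the `.Sy N.B.:` line so that only the label is bold is the right fix for the rest.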
diff --git a/contrib/bind/doc/misc/IPv6 b/contrib/bind/doc/misc/IPv6
deleted file mode 100644
index 49fc3f5ec37c..000000000000
--- a/contrib/bind/doc/misc/IPv6
+++ /dev/null
@@ -1,72 +0,0 @@
-IPv6 notes for BIND 4.9.3 Patch 2 Candidate 5 (and later?)
-Paul Vixie, May 20, 1996
-doc/misc/IPv6
-
- *** Introduction ***
-
-The IPv6 support in this release is latent, in that its presence is not
-documented. The support is not optional, since its presence ought not to
-affect anyone who does not go looking for it. The support includes:
-
- inet_ntop() new function.
- inet_pton() new function.
- RES_USE_INET6 causes gethostby*() to return either real IPv6
- addresses (if available) or mapped (::FFFF:a.b.c.d)
- addresses if only IPv4 address records are found.
- gethostbyname() can search for T_AAAA in preference to T_A.
- gethostbyaddr() can search in IP6.INT for PTR RR's.
- named can load, transfer, cache, and dump T_AAAA RRs.
-
- *** Some notes on the new functions ***
-
-The inet_pton() and inet_ntop() functions differ from the current (as of
-this writing) IPv6 BSD API draft. Discussions were held, primarily between
-myself and Rich Stevens, on the ipng@sunroof.eng.sun.com mailing list, and
-the BIND definitions of these functions are likely to go into the next draft.
-(If not, and BIND has to change its definitions of these functions, then you
-will know why I chose not to document them yet!)
-
-These functions can return error values, and as such the process of porting
-code that used inet_aton() to use inet_pton() is not just syntactic. Not all
-nonzero values indicate success; consider "-1". Likewise, inet_ntoa() is not
-just smaller than inet_ntop() -- it's a whole new approach. Inet_ntop() does
-not return a static pointer, the caller has to supply a sized buffer. Also,
-inet_ntop() can return NULL, so you should only printf() the result if you
-have verified that your arguments will be seen as error free.
-
-The inet_pton() function is much pickier about its input format than the old
-inet_aton() function has been. You can't abbreviate 10.0.0.53 as 10.53 any
-more. Hexadecimal isn't accepted. You have to supply four decimal numeric
-strings, each of whose value is within the range from 0 to 255. No spaces
-are allowed either before, after, or within an address. If you need the older
-functionality with all the shortcuts and exceptions, continue using inet_aton()
-for your IPv4 address parsing needs.
-
- *** Some notes on RES_USE_INET6 ***
-
-You can set this by modifying _res.options after calling res_init(), or you
-can turn it on globally by setting "options inet6" in /etc/resolv.conf. This
-latter option ought to be used carefully, since _all_ applications will then
-receive IPv6 style h_addr_list's from their gethostby*() calls. Once you know
-that every application on your system can cope with IPv6 addressing, it is safe
-and reasonable to turn on the global option. Otherwise, don't do it.
-
- *** Some notes on mapped IPv4 addresses ***
-
-There are two IPv6 prefixes set aside for IPv4 address encapsulation. See
-RFC 1884 for a detailed explaination. The ::a.b.c.d form is used for
-tunnelling, which means wrapping an IPv4 header around IPv6 packets and using
-the existing IPv4 routing infrastructure to reach what are actually IPv6
-endpoints. The ::FFFF:a.b.c.d form can be used on dual-stack (IPv4 and IPv6)
-hosts to signal a predominantly IPv6 stack that it should use ``native'' IPv4
-to reach a given destination, even though the socket's address family is
-AF_INET6.
-
-BIND supports both of these address forms, to the extent that inet_pton() will
-parse them, inet_ntop() will generate them, gethostby*() will map IPv4 into
-IPv6 if the RES_USE_INET6 option is set, and gethostbyaddr() will search the
-IN-ADDR.ARPA domain rather than the IP6.INT domain when it needs a PTR RR.
-This last bit of behaviour is still under discussion and it's not clear that
-tunnelled addresses should be mapped using IN-ADDR.ARPA. In other words, this
-bit of behaviour may change in a subsequent BIND release. So now you know
-another reason why none of this stuff is ``officially'' documented.
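Review bot: these notes are the only documentation on this page of RES_USE_INET6 and the "options inet6" setting in /etc/resolv.conf, and they carry an operational warning (enabling the global option hands IPv6-style h_addr_list results to every gethostby*() caller on the system). If that behaviour still exists in the imported resolver, the warning should be preserved in the resolver or resolv.conf documentation rather than disappear with this file; if the behaviour is gone, the commit message should say so.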
diff --git a/contrib/bind/doc/misc/dns-setup b/contrib/bind/doc/misc/dns-setup
deleted file mode 100644
index 19f0197f7e81..000000000000
--- a/contrib/bind/doc/misc/dns-setup
+++ /dev/null
@@ -1,1081 +0,0 @@
- Setting up a basic DNS server for a domain
- Revision 1.1.1
-
- Craig Richmond
- craig@ecel.uwa.edu.au
- 15th August 1993
-
-
-About this document
-
-I have written this file because it seems that the same questions seem to
-pop up time and time again and when I had to install DNS from scratch the
-first time, we found very little to help us.
-
-This document covers setting up a Domain Name Server with authority over
-your domain and using a few of the more useful but less well known
-(hopefully this document will take care of that) features of nslookup to
-get information about the DNS and to work out why yours isn't working.
-
-If you are using a Sun Workstation and you want to make NIS interact with
-the DNS, then this is not the FAQ for you (but it may well be when you try
-to set up the DNS). Mark J. McIntosh <Mark.McIntosh@engr.UVic.CA> points
-out that it is included in the comp.sys.sun.admin FAQ and for the benefit
-of those of you who can't get that (it is posted in comp.sys.sun.admin,
-comp.sys.sun.misc, comp.unix.solaris, comp.answers and news.answers) I have
-included the relevant parts at the bottom in appendix C.
-
-Contents:
-
- Contents
- An Overview of the DNS
- Installing the DNS
- *The Boot File
- *The Cache File
- *The Forward Mapping File
- *The Reverse Mapping File
- Delegating authority for domains within your domain
- Troubleshooting your named
- *Named doesn't work! What is wrong?
- *I changed my named database and my local machine has noticed,
- but nobody else has the new information?
- *My local machine knows about all the name server information,
- but no other sites know about me?
- *My forward domain names work, but the backward names do not?
- How to get useful information from nslookup
- *Getting number to name mappings.
- *Finding where mail goes when a machine has no IP number.
- *Getting a list of machines in a domain from nslookup.
- Appendicies
- *Appendix A sample root.cache file
- *Appendix B Excerpt from RFC 1340 - Assigned Numbers - July 1992
- *Appendix C Installing DNS on a Sun when running NIS
-
-
-An Overview of the DNS:
-
-The Domain Name System is the software that lets you have name to number
-mappings on your computers. The name decel.ecel.uwa.edu.au is the number
-130.95.4.2 and vice versa. This is achieved through the DNS. The DNS is a
-heirarchy. There are a small number of root domain name servers that are
-responsible for tracking the top level domains and who is under them. The
-root domain servers between them know about all the people who have name
-servers that are authoritive for domains under the root.
-
-Being authoritive means that if a server is asked about something in that
-domain, it can say with no ambiguity whether or not a given piece of
-information is true. For example. We have domains x.z and y.z. There are
-by definition authoritive name servers for both of these domains and we
-shall assume that the name server in both of these cases is a machine
-called nic.x.z and nic.y.z but that really makes no difference.
-
-If someone asks nic.x.z whether there is a machine called a.x.z, then
-nic.x.z can authoritively say, yes or no because it is the authoritive name
-server for that domain. If someone asks nic.x.z whether there is a machine
-called a.y.z then nic.x.z asks nic.y.z whether such a machine exists (and
-caches this for future requests). It asks nic.y.z because nic.y.z is the
-authoritive name server for the domain y.z. The information about
-authoritive name servers is stored in the DNS itself and as long as you
-have a pointer to a name server who is more knowledgable than yourself then
-you are set.
-
-When a change is made, it propogates slowly out through the internet to
-eventually reach all machines. The following was supplied by Mark Andrews
-Mark.Andrews@syd.dms.csiro.au.
-
- If both the primary and all secondaries are up and talking when
- a zone update occurs and for the refresh period after the
- update the old data will live for max(refresh + mininum)
- average (refresh/2 +mininum) for the zone. New information will
- be available from all servers after refresh.
-
-So with a refresh of 3 hours and a minimum of a day, you can expect
-everything to be working a day after it is changed. If you have a longer
-minimum, it may take a couple of days before things return to normal.
-
-There is also a difference between a zone and a domain. The domain is the
-entire set of machines that are contained within an organisational domain
-name. For example, the domain uwa.edu.au contains all the machines at the
-University of Western Australia. A Zone is the area of the DNS for which a
-server is responsible. The University of Western Australia is a large
-organisation and trying to track all changes to machines at a central
-location would be difficult. The authoritive name server for the zone
-uwa.edu.au delegates the authority for the zone ecel.uwa.edu.au to
-decel.ecel.uwa.edu.au. Machine foo.ecel.uwa.edu.au is in the zone that
-decel is authoritive for. Machine bar.uwa.edu.au is in the zone that
-uniwa.uwa.edu.au is authoritive for.
-
-Installing the DNS:
-
-First I'll assume you already have a copy of the Domain Name Server
-software. It is probably called named or in.named depending on your
-flavour of unix. I never had to get a copy, but if anyone thinks that
-information should be here then by all means tell me and I'll put it in.
-If you intend on using the package called Bind, then you should be sure
-that you get version 4.9, which is the most recent version at this point in
-time.
-
-The Boot File:
-
-First step is to create the file named.boot. This describes to named
-(we'll dispense with the in.named. Take them to be the same) where the
-information that it requires can be found. This file is normally found in
-/etc/named.boot and I personally tend to leave it there because then I know
-where to find it. If you don't want to leave it there but place it in a
-directory with the rest of your named files, then there is usually an
-option on named to specify the location of the boot file.
-
-Your typical boot file will look like this if you are an unimportant leaf
-node and there are other name servers at your site.
-
-directory /etc/namedfiles
-
-cache . root.cache
-primary ecel.uwa.edu.au ecel.uwa.domain
-primary 0.0.127.in-addr.arpa 0.0.127.domain
-primary 4.95.130.in-addr.arpa 4.95.130.domain
-forwarders 130.95.128.1
-
-Here is an alternative layout used by Christophe Wolfhugel
-<Christophe.Wolfhugel@grasp.insa-lyon.fr> He finds this easier because of
-the large number of domains he has. The structure is essentially the same,
-but the file names use the domain name rather than the IP subnet to
-describe the contents.
-
-directory /usr/local/etc/bind
-cache . p/root
-;
-; Primary servers
-;
-primary fr.net p/fr.net
-primary frmug.fr.net p/frmug.fr.net
-primary 127.in-addr.arpa p/127
-;
-; Secondary servers
-;
-secondary ensta.fr 147.250.1.1 s/ensta.fr
-secondary gatelink.fr.net 134.214.100.1 s/gatelink.fr.net
-secondary insa-lyon.fr 134.214.100.1 s/insa-lyon.fr
-secondary loesje.org 145.18.226.21 s/loesje.org
-secondary nl.loesje.org 145.18.226.21 s/nl.loesje.org
-secondary pcl.ac.uk 161.74.160.5 s/pcl.ac.uk
-secondary univ-lyon1.fr 134.214.100.1 s/univ-lyon1.fr
-secondary wmin.ac.uk 161.74.160.5 s/wmin.ac.uk
-secondary westminster.ac.uk 161.74.160.5 s/westminster.ac.uk
-;
-;
-; Secondary for addresses
-;
-secondary 74.161.in-addr.arpa 161.74.160.5 s/161.74
-secondary 214.134.in-addr.arpa 134.214.100.1 s/134.214
-secondary 250.147.in-addr.arpa 147.250.1.1 s/147.250
-;
-; Classes C
-;
-secondary 56.44.192.in-addr.arpa 147.250.1.1 s/192.44.56
-secondary 57.44.192.in-addr.arpa 147.250.1.1 s/192.44.57
-
-The lines in the named.boot file have the following meanings.
-
-directory
-
-This is the path that named will place in front of all file names
-referenced from here on. If no directory is specified, it looks for files
-relative to /etc.
-
-cache
-
-This is the information that named uses to get started. Named must know
-the IP number of some other name servers at least to get started.
-Information in the cache is treated differently depending on your version
-of named. Some versions of named use the information included in the cache
-permenantly and others retain but ignore the cache information once up and
-running.
-
-primary
-
-This is one of the domains for which this machine is authorative for. You
-put the entire domain name in. You need forwards and reverse lookups. The
-first value is the domain to append to every name included in that file.
-(There are some exceptions, but they will be explained later) The name at
-the end of the line is the name of the file (relative to /etc of the
-directory if you specified one). The filename can have slashes in it to
-refer to subdirectories so if you have a lot of domains you may want to
-split it up.
-
-BE VERY CAREFUL TO PUT THE NUMBERS BACK TO FRONT FOR THE REVERSE LOOK UP
-FILE. The example given above is for the subnet ecel.uwa.edu.au whose IP
-address is 130.95.4.*. The reverse name must be 4.95.130.in-addr.arpa.
-It must be backwards and it must end with .in-addr.arpa. If your reverse
-name lookups don't work, check this. If they still don't work, check this
-again.
-
-forwarders
-
-This is a list of IP numbers for forward requests for sites about which we
-are unsure. A good choice here is the name server which is authoritive for
-the zone above you.
-
-secondary (This line is not in the example, but is worth mentioning.)
-
-A secondary line indicates that you wish to be a secondary name server for
-this domain. You do not need to do this usually. All it does is help make
-the DNS more robust. You should have at least one secondary server for
-your site, but you do not need to be a secondary server for anyone else.
-You can by all means, but you don't need to be. If you want to be a
-secondary server for another domain, then place the line
-
-secondary gu.uwa.edu.au 130.95.100.3 130.95.128.1
-
-in your named.boot. This will make your named try the servers on both of
-the machines specified to see if it can obtain the information about those
-domains. You can specify a number of IP addresses for the machines to
-query that probably depends on your machine. Your copy of named will upon
-startup go and query all the information it can get about the domain in
-question and remember it and act as though it were authoritive for that
-domain.
-
-Next you will want to start creating the data files that contain the name
-definitions.
-
-The cache file:
-
-You can get a copy of the cache file from FTP.RS.INTERNIC.NET. The current
-copy can be found in Appendix A.
-
-The Forward Mapping file:
-The file ecel.uwa.edu.au. will be used for the example with a couple of
-machines left in for the purpose of the exercise. Here is a copy of what
-the file looks like with explanations following.
-
-; Authoritative data for ecel.uwa.edu.au
-;
-@ IN SOA decel.ecel.uwa.edu.au. postmaster.ecel.uwa.edu.au. (
- 93071200 ; Serial (yymmddxx)
- 10800 ; Refresh 3 hours
- 3600 ; Retry 1 hour
- 3600000 ; Expire 1000 hours
- 86400 ) ; Minimum 24 hours
- IN A 130.95.4.2
- IN MX 100 decel
- IN MX 150 uniwa.uwa.edu.au.
- IN MX 200 relay1.uu.net.
- IN MX 200 relay2.uu.net.
-
-localhost IN A 127.0.0.1
-
-decel IN A 130.95.4.2
- IN HINFO SUN4/110 UNIX
- IN MX 100 decel
- IN MX 150 uniwa.uwa.edu.au.
- IN MX 200 relay1.uu.net
- IN MX 200 relay2.uu.net
-
-gopher IN CNAME decel.ecel.uwa.edu.au.
-
-accfin IN A 130.95.4.3
- IN HINFO SUN4/110 UNIX
- IN MX 100 decel
- IN MX 150 uniwa.uwa.edu.au.
- IN MX 200 relay1.uu.net
- IN MX 200 relay2.uu.net
-
-chris-mac IN A 130.95.4.5
- IN HINFO MAC-II MACOS
-
-The comment character is ';' so the first two lines are just comments
-indicating the contents of the file.
-
-All values from here on have IN in them. This indicates that the value is
-an InterNet record. There are a couple of other types, but all you need
-concern yourself with is internet ones.
-
-The SOA record is the Start Of Authority record. It contains the
-information that other nameservers will learn about this domain and how to
-treat the information they are given about it. The '@' as the first
-character in the line indicates that you wish to define things about the
-domain for which this file is responsible. The domain name is found in the
-named.boot file in the corresponding line to this filename. All
-information listed refers to the most recent machine/domain name so all
-records from the '@' until 'localhost' refer to the '@'. The SOA record
-has 5 magic numbers. First magic number is the serial number. If you
-change the file, change the serial number. If you don't, no other name
-servers will update their information. The old information will sit around
-for a very long time.
-
-Refresh is the time between refreshing information about the SOA (correct
-me if I am wrong). Retry is the frequency of retrying if an authorative
-server cannot be contacted. Expire is how long a secondary name server
-will keep information about a zone without successfully updating it or
-confirming that the data is up to date. This is to help the information
-withstand fairly lengthy downtimes of machines or connections in the
-network without having to recollect all the information. Minimum is the
-default time to live value handed out by a nameserver for all records in
-a zone without an explicit TTL value. This is how long the data will live
-after being handed out. The two pieces of information before the 5 magic
-numbers are the machine that is considered the origin of all of this
-information. Generally the machine that is running your named is a good
-one for here. The second is an email address for someone who can fix any
-problems that may occur with the DNS. Good ones here are postmaster,
-hostmaster or root. NOTE: You use dots and not '@' for the email address.
-
-eg root.decel.ecel.uwa.edu.au is correct
- and
- root@decel.ecel.uwa.edu.au is incorrect.
-
-We now have an address to map ecel.uwa.edu.au to. The address is
-130.95.4.2 which happens to be decel, our main machine. If you try to find
-an IP number for the domain ecel.uwa.edu.au it will get you the machine
-decel.ecel.uwa.edu.au's IP number. This is a nicety which means that
-people who have non-MX record mailers can still mail fred@ecel.uwa.edu.au
-and don't have to find the name of a machine name under the domain to mail.
-
-Now we have a couple of MX records for the domain itself. The MX records
-specify where to send mail destined for the machine/domain that the MX
-record is for. In this case we would prefer if all mail for
-fred@ecel.uwa.edu.au is sent to decel.ecel.uwa.edu.au. If that does not
-work, we would like it to go to uniwa.uwa.edu.au because there are a number
-of machines that might have no idea how to get to us, but may be able to get
-to uniwa. And failing that, try the site relay1.uu.net. A small number
-indicates that this site should be tried first. The larget the number the
-further down the list of sites to try the site is. NOTE: Not all machines
-have mailers that pay attention to MX records. Some only pay attention to
-IP numbers, which is really stupid. All machines are required to have
-MX-capable Mail Transfer Agents (MTA) as there are many addresses that can
-only be reached via this means.
-
-There is an entry for localhost now. Note that this is somewhat of a
-kludge and should probably be handled far more elegantly. By placing
-localhost here, a machine comes into existance called
-localhost.ecel.uwa.edu.au. If you finger it, or telnet to it, you get your
-own machine, because the name lookup returns 127.0.0.1 which is the special
-case for your own machine. I have used a couple of different DNS packages.
-The old BSD one let you put things into the cache which would always work,
-but would not be exported to other nameservers. In the newer Sun one, they
-are left in the cache and are mostly ignored once named is up and running.
-This isn't a bad solution, its just not a good one.
-
-Decel is the main machine in our domain. It has the IP number 130.95.4.2
-and that is what this next line shows. It also has a HINFO entry. HINFO
-is Host Info which is meant to be some sort of an indication of what the
-machine is and what it runs. The values are two white space seperated
-values. First being the hardware and second being the software. HINFO is
-not compulsory, its just nice to have sometimes. We also have some MX
-records so that mail destined for decel has some other avenues before it
-bounces back to the sender if undeliverable.
-
-It is a good idea to give all machines capable of handling mail an MX
-record because this can be cached on remote machines and will help to
-reduce the load on the network.
-
-gopher.ecel.uwa.edu.au is the gopher server in our division. Now because
-we are cheapskates and don't want to go and splurge on a seperate machine
-just for handling gopher requests we have made it a CNAME to our main
-machine. While it may seem pointless it does have one main advantage.
-When we discover that our placing terrabytes of popular quicktime movies
-on our gopher server (no we haven't and we don't intend to) causes an
-unbearable load on our main machine, we can quickly move the CNAME to
-point at a new machine by changing the name mentioned in the CNAME. Then
-the slime of the world can continue to get their essential movies with a
-minimal interuption to the network. Other good CNAMEs to maintain are
-things like ftp, mailhost, netfind, archie, whois, and even dns (though the
-most obvious use for this fails). It also makes it easier for people to
-find these services in your domain.
-
-We should probably start using WKS records for things like gopher and whois
-rather than making DNS names for them. The tools are not in wide
-circulation for this to work though. (Plus all those comments in many DNS
-implementation of "Not implemented" next to the WKS record)
-
-Finally we have a macintosh which belongs to my boss. All it needs is an
-IP number, and we have included the HINFO so that you can see that it is in
-fact a macII running a Mac System. To get the list of preferred values,
-you should get a copy of RFC 1340. It lists lots of useful information
-such as /etc/services values, ethernet manufacturer hardware addresses,
-HINFO defualts and many others. I will include the list as it stands at
-the moment, but if any RFC superceeds 1340, then it will have a more
-complete list. See Appendix B for that list.
-
-NOTE: If Chris had a very high profile and wanted his mac to appear like a
-fully connected unix machine as far as internet services were concerned, he
-could simply place an MX record such as
-
- IN MX 100 decel
-
-after his machine and any mail sent to chris@chris-mac.ecel.uwa.edu.au
-would be automatically rerouted to decel.
-
-The Reverse Mapping File
-
-The reverse name lookup is handled in a most bizarre fashion. Well it all
-makes sense, but it is not immediately obvious.
-
-All of the reverse name lookups are done by finding the PTR record
-associated with the name w.x.y.z.in-addr.arpa. So to find the name
-associated with the IP number 1.2.3.4, we look for information stored in
-the DNS under the name 4.3.2.1.in-addr.arpa. They are organised this way
-so that when you are allocated a B class subnet for example, you get all of
-the IP numbers in the domain 130.95. Now to turn that into a reverse name
-lookup domain, you have to invert the numbers or your registered domains
-will be spread all over the place. It is a mess and you need not understand
-the finer points of it all. All you need to know is that you put the
-reverse name lookup files back to front.
-
-Here is the sample reverse name lookup files to go with our example.
-
-0.0.127.in-addr.arpa
---
-; Reverse mapping of domain names 0.0.127.in-addr.arpa
-; Nobody pays attention to this, it is only so 127.0.0.1 -> localhost.
-@ IN SOA decel.ecel.uwa.edu.au. postmaster.ecel.uwa.edu.au. (
- 91061801 ; Serial (yymmddxx)
- 10800 ; Refresh 3 hours
- 3600 ; Retry 1 hour
- 3600000 ; Expire 1000 hours
- 86400 ) ; Minimum 24 hours
-;
-1 IN PTR localhost.ecel.uwa.edu.au.
---
-
-4.95.130.in-addr.arpa
---
-; reverse mapping of domain names 4.95.130.in-addr.arpa
-;
-@ IN SOA decel.ecel.uwa.edu.au. postmaster.ecel.uwa.edu.au. (
- 92050300 ; Serial (yymmddxx format)
- 10800 ; Refresh 3hHours
- 3600 ; Retry 1 hour
- 3600000 ; Expire 1000 hours
- 86400 ) ; Minimum 24 hours
-2 IN PTR decel.ecel.uwa.edu.au.
-3 IN PTR accfin.ecel.uwa.edu.au.
-5 IN PTR chris-mac.ecel.uwa.edu.au.
---
-
-It is important to remember that you must have a second start of authority
-record for the reverse name lookups. Each reverse name lookup file must
-have its own SOA record. The reverse name lookup on the 127 domain is
-debatable seeing as there is likely to be only one number in the file and
-it is blatantly obvious what it is going to map to.
-
-The SOA details are the same as in the forward mapping.
-
-Each of the numbers listed down the left hand side indicates that the line
-contains information for that number of the subnet. Each of the subnets
-must be the more significant digits. eg the 130.95.4 of an IP number
-130.95.4.2 is implicit for all numbers mentioned in the file.
-
-The PTR must point to a machine that can be found in the DNS. If the name
-is not in the DNS, some versions of named just bomb out at this point.
-
-Reverse name lookups are not compulsory, but nice to have. It means that
-when people log into machines, they get names indicating where they are
-logged in from. It makes it easier for you to spot things that are wrong
-and it is far less cryptic than having lots of numbers everywhere. Also if
-you do not have a name for your machine, some brain dead protocols such as
-talk will not allow you to connect.
-
-Since I had this I had one suggestion of an alternative way to do the
-localhost entry. I think it is a matter of personal opinion so I'll
-include it here in case anyone things that this is a more appropriate
-method.
-
-The following is courtesy of jep@convex.nl (JEP de Bie)
-
- The way I did it was:
-
- 1) add in /etc/named.boot:
-
- primary . localhost
- primary 127.in-addr.ARPA. IP127
-
-(Craig: It has been suggested by Mark Andrews that this is a bad practice
- particularly if you have upgraded to Bind 4.9. You also run the risk of
- polluting the root name servers. This comes down to a battle of idealogy
- and practicality. Think twice before declaring yourself authorative for
- the root domain.)
-
- So I not only declare myself (falsely? - probably, but nobody is going to
- listen anyway most likely [CPR]:-) athorative in the 127.in-addr.ARPA domain
- but also in the . (root) domain.
-
- 2) the file localhost has:
-
- $ORIGIN .
- localhost IN A 127.0.0.1
-
- 3) and the file IP127:
-
- $ORIGIN 127.in-addr.ARPA.
- 1.0.0 IN PTR localhost.
-
- 4) and I have in my own domain file (convex.nl) the line:
-
- $ORIGIN convex.nl.
- localhost IN CNAME localhost.
-
- The advantage (elegancy?) is that a query (A) of localhost. gives the
- reverse of the query of 1.0.0.127.in-addr.ARPA. And it also shows that
- localhost.convex.nl is only a nickname to something more absolute.
- (While the notion of localhost is of course relative :-)).
-
- And I also think there is a subtle difference between the lines
-
- primary 127.in-addr.ARPA. IP127
- and
- primary 0.0.127.in-addr.ARPA. 4.95.130.domain
- =============
- JEP de Bie
- jep@convex.nl
- =============
-
-
-
-Delegating authority for domains within your domain:
-
-When you start having a very big domain that can be broken into logical and
-seperate entities that can look after their own DNS information, you will
-probably want to do this. Maintain a central area for the things that
-everyone needs to see and delegate the authority for the other parts of the
-organisation so that they can manage themselves.
-
-Another essential piece of information is that every domain that exists
-must have it NS records associated with it. These NS records denote the
-name servers that are queried for information about that zone. For your
-zone to be recognised by the outside world, the server responsible for the
-zone above you must have created a NS record for your machine in your
-domain. For example, putting the computer club onto the network and giving
-them control over their own part of the domain space we have the following.
-
-The machine authorative for gu.uwa.edu.au is mackerel and the machine
-authorative for ucc.gu.uwa.edu.au is marlin.
-
-in mackerel's data for gu.uwa.edu.au we have the following
-
-@ IN SOA ...
- IN A 130.95.100.3
- IN MX mackerel.gu.uwa.edu.au.
- IN MX uniwa.uwa.edu.au.
-
-marlin IN A 130.95.100.4
-
-ucc IN NS marlin.gu.uwa.edu.au.
- IN NS mackerel.gu.uwa.edu.au.
-
-Marlin is also given an IP in our domain as a convenience. If they blow up
-their name serving there is less that can go wrong because people can still
-see that machine which is a start. You could place "marlin.ucc" in the
-first column and leave the machine totally inside the ucc domain as well.
-
-The second NS line is because mackerel will be acting as secondary name
-server for the ucc.gu domain. Do not include this line if you are not
-authorative for the information included in the sub-domain.
-
-
-Troubleshooting your named:
-
-Named doesn't work! What is wrong?
-
-Step 1: Run nslookup and see what nameserver it tries to connect you to.
-If nslookup connects you to the wrong nameserver, create a /etc/resolv.conf
-file that points your machine at the correct nameserver. If there is no
-resolv.conf file, the the resolver uses the nameserver on the local
-machine.
-
-Step 2: Make sure that named is actually running.
-
-Step 3: Restart named and see if you get any error messages on the
-console and in also check /usr/adm/messages.
-
-Step 4: If named is running, nslookup connects to the appropriate
-nameserver and nslookup can answer simple questions, but other programs
-such as 'ping' do not work with names, then you need to install resolv+
-most likely.
-
-
-I changed my named database and my local machine has noticed, but nobody
-else has the new information?
-
-Change the serial number in the SOA for any domains that you modified and
-restart named. Wait an hour and check again. The information propogates
-out. It won't change immediately.
-
-
-My local machine knows about all the name server information, but no other
-sites know about me?
-
-Find an upstream nameserver (one that has an SOA for something in your
-domain) and ask them to be a secondary name server for you. eg if you are
-ecel.uwa.edu.au, ask someone who has an SOA for the domain uwa.edu.au.
-Get NS records (and glue) added to your parent zone for your zone. This is
-called delegating. It should be done formally like this or you will get
-inconsistant answers out of the DNS. ALL NAMSERVERS FOR YOUR ZONE SHOULD
-BE LISTED IN THIS MANNER.
-
-
-My forward domain names work, but the backward names do not?
-
-Make sure the numbers are back to front and have the in-addr.arpa on the
-end.
-Make sure you reverse zone is registered. For Class C nets this can be done
-by mailing to hostmaster@internic.net. For class A & B nets make sure that
-you are registeres with the primary for your net and that the net itself
-is registered with hostmaster@internic.net.
-
-
-How to get useful information from nslookup:
-
-Nslookup is a very useful program but I'm sure there are less than 20
-people worldwide who know how to use it to its full usefulness. I'm most
-certainly not one of them. If you don't like using nslookup, there is at
-least one other program called dig, that has most/all(?) of the
-functionality of nslookup and is a hell of a lot easier to use.
-
-I won't go into dig much here except to say that it is a lot easier to get
-this information out of. I won't bother because nslookup ships with almost
-all machines that come with network software.
-
-To run nslookup, you usually just type nslookup. It will tell you the
-server it connects to. You can specify a different server if you want.
-This is useful when you want to tell if your named information is
-consistent with other servers.
-
-Getting name to number mappings.
-
-Type the name of the machine. Typing 'decel' is enough if the machine is
-local.
-
-(Once you have run nslookup successfully)
-> decel
-Server: ecel.uwa.edu.au
-Address: 130.95.4.2
-
-Name: decel.ecel.uwa.edu.au
-Address: 130.95.4.2
-
->
-
-One curious quirk of some name resolvers is that if you type a
-machine name, they will try a number of permutations. For example if my
-machine is in the domain ecel.uwa.edu.au and I try to find a machine
-called fred, the resolver will try the following.
-
- fred.ecel.uwa.edu.au.
- fred.uwa.edu.au.
- fred.edu.au.
- fred.au.
- fred.
-
-This can be useful, but more often than not, you would simply prefer a good
-way to make aliases for machines that are commonly referenced. If you are
-running resolv+, you should just be able to put common machines into the
-host file.
-
-DIG: dig <machine name>
-
-Getting number to name mappings.
-
-Nslookup defaults to finding you the Address of the name specified. For
-reverse lookups you already have the address and you want to find the
-name that goes with it. If you read and understood the bit above where it
-describes how to create the number to name mapping file, you would guess
-that you need to find the PTR record instead of the A record. So you do
-the following.
-
-> set type=ptr
-> 2.4.95.130.in-addr.arpa
-Server: decel.ecel.uwa.edu.au
-Address: 130.95.4.2
-
-2.4.95.130.in-addr.arpa host name = decel.ecel.uwa.edu.au
->
-
-nslookup tells you that the ptr for the machine name
-2.4.95.130.in-addr.arpa points to the host decel.ecel.uwa.edu.au.
-
-DIG: dig -x <machine number>
-
-Finding where mail goes when a machine has no IP number.
-
-When a machine is not IP connected, it needs to specify to the world, where
-to send the mail so that it can dial up and collect it every now and then.
-This is accomplished by setting up an MX record for the site and not giving
-it an IP number. To get the information out of nslookup as to where the
-mail goes, do the following.
-
-> set type=mx
-> dialix.oz.au
-Server: decel.ecel.uwa.oz.au
-Address: 130.95.4.2
-
-Non-authoritative answer:
-dialix.oz.au preference = 100, mail exchanger = uniwa.uwa.OZ.AU
-dialix.oz.au preference = 200, mail exchanger = munnari.OZ.AU
-Authoritative answers can be found from:
-uniwa.uwa.OZ.AU inet address = 130.95.128.1
-munnari.OZ.AU inet address = 128.250.1.21
-munnari.OZ.AU inet address = 192.43.207.1
-mulga.cs.mu.OZ.AU inet address = 128.250.35.21
-mulga.cs.mu.OZ.AU inet address = 192.43.207.2
-dmssyd.syd.dms.CSIRO.AU inet address = 130.155.16.1
-ns.UU.NET inet address = 137.39.1.3
-
-You tell nslookup that you want to search for mx records and then you give
-it the name of the machine. It tells you the preference for the mail
-(small means more preferable), and who the mail should be sent to. It also
-includes sites that are authorative (have this name in their named database
-files) for this MX record. There are multiple sites as a backup. As can
-be seen, our local public internet access company dialix would like all of
-their mail to be sent to uniwa, where they collect it from. If uniwa is
-not up, send it to munnari and munnari will get it to uniwa eventually.
-
-NOTE: For historical reasons Australia used to be .oz which was changed to
-.oz.au to move to the ISO standard extensions upon the advent of IP. We
-are now moving to a more normal heirarchy which is where the .edu.au comes
-from. Pity, I liked having oz.
-
-DIG: dig <zone> mx
-
-Getting a list of machines in a domain from nslookup.
-
-Find a server that is authorative for the domain or just generally all
-knowing. To find a good server, find all the soa records for a given
-domain. To do this, you set type=soa and enter the domain just like in the
-two previous examples.
-
-Once you have a server type
-
-> ls gu.uwa.edu.au.
-[uniwa.uwa.edu.au]
-Host or domain name Internet address
- gu server = mackerel.gu.uwa.edu.au
- gu server = uniwa.uwa.edu.au
- gu 130.95.100.3
- snuffle-upagus 130.95.100.131
- mullet 130.95.100.2
- mackerel 130.95.100.3
- marlin 130.95.100.4
- gugate 130.95.100.1
- gugate 130.95.100.129
- helpdesk 130.95.100.180
- lan 130.95.100.0
- big-bird 130.95.100.130
-
-To get a list of all the machines in the domain.
-
-If you wanted to find a list of all of the MX records for the domain, you
-can put a -m flag in the ls command.
-
-> ls -m gu.uwa.edu.au.
-[uniwa.uwa.edu.au]
-Host or domain name Metric Host
- gu 100 mackerel.gu.uwa.edu.au
- gu 200 uniwa.uwa.edu.au
-
-This only works for a limited selection of the different types.
-
-DIG: dig axfr <zone> @<server>
-
-
-
-Appendix A
-
-
-;
-; This file holds the information on root name servers needed to
-; initialize cache of Internet domain name servers
-; (e.g. reference this file in the "cache . <file>"
-; configuration file of BIND domain name servers).
-;
-; This file is made available by InterNIC registration services
-; under anonymous FTP as
-; file /domain/named.root
-; on server FTP.RS.INTERNIC.NET
-; -OR- under Gopher at RS.INTERNIC.NET
-; under menu InterNIC Registration Services (NSI)
-; submenu InterNIC Registration Archives
-; file named.root
-;
-; last update: April 21, 1993
-; related version of root zone: 930421
-;
-. 99999999 IN NS NS.INTERNIC.NET.
-NS.INTERNIC.NET. 99999999 A 198.41.0.4
-. 99999999 NS KAVA.NISC.SRI.COM.
-KAVA.NISC.SRI.COM. 99999999 A 192.33.33.24
-. 99999999 NS C.NYSER.NET.
-C.NYSER.NET. 99999999 A 192.33.4.12
-. 99999999 NS TERP.UMD.EDU.
-TERP.UMD.EDU. 99999999 A 128.8.10.90
-. 99999999 NS NS.NASA.GOV.
-NS.NASA.GOV. 99999999 A 128.102.16.10
- 99999999 A 192.52.195.10
-. 99999999 NS NS.NIC.DDN.MIL.
-NS.NIC.DDN.MIL. 99999999 A 192.112.36.4
-. 99999999 NS AOS.ARL.ARMY.MIL.
-AOS.ARL.ARMY.MIL. 99999999 A 128.63.4.82
- 99999999 A 192.5.25.82
-. 99999999 NS NIC.NORDU.NET.
-NIC.NORDU.NET. 99999999 A 192.36.148.17
-; End of File
-
-
-Appendix B
-
-An Excerpt from
-RFC 1340 Assigned Numbers July 1992
-
-
- MACHINE NAMES
-
- These are the Official Machine Names as they appear in the Domain Name
- System HINFO records and the NIC Host Table. Their use is described in
- RFC-952 [53].
-
- A machine name or CPU type may be up to 40 characters taken from the
- set of uppercase letters, digits, and the two punctuation characters
- hyphen and slash. It must start with a letter, and end with a letter
- or digit.
-
- ALTO DEC-1080
- ALTOS-6800 DEC-1090
- AMDAHL-V7 DEC-1090B
- APOLLO DEC-1090T
- ATARI-104ST DEC-2020T
- ATT-3B1 DEC-2040
- ATT-3B2 DEC-2040T
- ATT-3B20 DEC-2050T
- ATT-7300 DEC-2060
- BBN-C/60 DEC-2060T
- BURROUGHS-B/29 DEC-2065
- BURROUGHS-B/4800 DEC-FALCON
- BUTTERFLY DEC-KS10
- C/30 DEC-VAX-11730
- C/70 DORADO
- CADLINC DPS8/70M
- CADR ELXSI-6400
- CDC-170 EVEREX-386
- CDC-170/750 FOONLY-F2
- CDC-173 FOONLY-F3
- CELERITY-1200 FOONLY-F4
- CLUB-386 GOULD
- COMPAQ-386/20 GOULD-6050
- COMTEN-3690 GOULD-6080
- CP8040 GOULD-9050
- CRAY-1 GOULD-9080
- CRAY-X/MP H-316
- CRAY-2 H-60/68
- CTIWS-117 H-68
- DANDELION H-68/80
- DEC-10 H-89
- DEC-1050 HONEYWELL-DPS-6
- DEC-1077 HONEYWELL-DPS-8/70
- HP3000 ONYX-Z8000
- HP3000/64 PDP-11
- IBM-158 PDP-11/3
- IBM-360/67 PDP-11/23
- IBM-370/3033 PDP-11/24
- IBM-3081 PDP-11/34
- IBM-3084QX PDP-11/40
- IBM-3101 PDP-11/44
- IBM-4331 PDP-11/45
- IBM-4341 PDP-11/50
- IBM-4361 PDP-11/70
- IBM-4381 PDP-11/73
- IBM-4956 PE-7/32
- IBM-6152 PE-3205
- IBM-PC PERQ
- IBM-PC/AT PLEXUS-P/60
- IBM-PC/RT PLI
- IBM-PC/XT PLURIBUS
- IBM-SERIES/1 PRIME-2350
- IMAGEN PRIME-2450
- IMAGEN-8/300 PRIME-2755
- IMSAI PRIME-9655
- INTEGRATED-SOLUTIONS PRIME-9755
- INTEGRATED-SOLUTIONS-68K PRIME-9955II
- INTEGRATED-SOLUTIONS-CREATOR PRIME-2250
- INTEGRATED-SOLUTIONS-CREATOR-8 PRIME-2655
- INTEL-386 PRIME-9955
- INTEL-IPSC PRIME-9950
- IS-1 PRIME-9650
- IS-68010 PRIME-9750
- LMI PRIME-2250
- LSI-11 PRIME-750
- LSI-11/2 PRIME-850
- LSI-11/23 PRIME-550II
- LSI-11/73 PYRAMID-90
- M68000 PYRAMID-90MX
- MAC-II PYRAMID-90X
- MASSCOMP RIDGE
- MC500 RIDGE-32
- MC68000 RIDGE-32C
- MICROPORT ROLM-1666
- MICROVAX S1-MKIIA
- MICROVAX-I SMI
- MV/8000 SEQUENT-BALANCE-8000
- NAS3-5 SIEMENS
- NCR-COMTEN-3690 SILICON-GRAPHICS
- NEXT/N1000-316 SILICON-GRAPHICS-IRIS
- NOW SGI-IRIS-2400
- SGI-IRIS-2500 SUN-3/50
- SGI-IRIS-3010 SUN-3/60
- SGI-IRIS-3020 SUN-3/75
- SGI-IRIS-3030 SUN-3/80
- SGI-IRIS-3110 SUN-3/110
- SGI-IRIS-3115 SUN-3/140
- SGI-IRIS-3120 SUN-3/150
- SGI-IRIS-3130 SUN-3/160
- SGI-IRIS-4D/20 SUN-3/180
- SGI-IRIS-4D/20G SUN-3/200
- SGI-IRIS-4D/25 SUN-3/260
- SGI-IRIS-4D/25G SUN-3/280
- SGI-IRIS-4D/25S SUN-3/470
- SGI-IRIS-4D/50 SUN-3/480
- SGI-IRIS-4D/50G SUN-4/60
- SGI-IRIS-4D/50GT SUN-4/110
- SGI-IRIS-4D/60 SUN-4/150
- SGI-IRIS-4D/60G SUN-4/200
- SGI-IRIS-4D/60T SUN-4/260
- SGI-IRIS-4D/60GT SUN-4/280
- SGI-IRIS-4D/70 SUN-4/330
- SGI-IRIS-4D/70G SUN-4/370
- SGI-IRIS-4D/70GT SUN-4/390
- SGI-IRIS-4D/80GT SUN-50
- SGI-IRIS-4D/80S SUN-100
- SGI-IRIS-4D/120GTX SUN-120
- SGI-IRIS-4D/120S SUN-130
- SGI-IRIS-4D/210GTX SUN-150
- SGI-IRIS-4D/210S SUN-170
- SGI-IRIS-4D/220GTX SUN-386i/250
- SGI-IRIS-4D/220S SUN-68000
- SGI-IRIS-4D/240GTX SYMBOLICS-3600
- SGI-IRIS-4D/240S SYMBOLICS-3670
- SGI-IRIS-4D/280GTX SYMMETRIC-375
- SGI-IRIS-4D/280S SYMULT
- SGI-IRIS-CS/12 TANDEM-TXP
- SGI-IRIS-4SERVER-8 TANDY-6000
- SPERRY-DCP/10 TEK-6130
- SUN TI-EXPLORER
- SUN-2 TP-4000
- SUN-2/50 TRS-80
- SUN-2/100 UNIVAC-1100
- SUN-2/120 UNIVAC-1100/60
- SUN-2/130 UNIVAC-1100/62
- SUN-2/140 UNIVAC-1100/63
- SUN-2/150 UNIVAC-1100/64
- SUN-2/160 UNIVAC-1100/70
- SUN-2/170 UNIVAC-1160
- UNKNOWN
- VAX-11/725
- VAX-11/730
- VAX-11/750
- VAX-11/780
- VAX-11/785
- VAX-11/790
- VAX-11/8600
- VAX-8600
- WANG-PC002
- WANG-VS100
- WANG-VS400
- WYSE-386
- XEROX-1108
- XEROX-8010
- ZENITH-148
-
- SYSTEM NAMES
-
- These are the Official System Names as they appear in the Domain Name
- System HINFO records and the NIC Host Table. Their use is described
- in RFC-952 [53].
-
- A system name may be up to 40 characters taken from the set of upper-
- case letters, digits, and the three punctuation characters hyphen,
- period, and slash. It must start with a letter, and end with a
- letter or digit.
-
- AEGIS LISP SUN OS 3.5
- APOLLO LISPM SUN OS 4.0
- AIX/370 LOCUS SWIFT
- AIX-PS/2 MACOS TAC
- BS-2000 MINOS TANDEM
- CEDAR MOS TENEX
- CGW MPE5 TOPS10
- CHORUS MSDOS TOPS20
- CHRYSALIS MULTICS TOS
- CMOS MUSIC TP3010
- CMS MUSIC/SP TRSDOS
- COS MVS ULTRIX
- CPIX MVS/SP UNIX
- CTOS NEXUS UNIX-BSD
- CTSS NMS UNIX-V1AT
- DCN NONSTOP UNIX-V
- DDNOS NOS-2 UNIX-V.1
- DOMAIN NTOS UNIX-V.2
- DOS OS/DDP UNIX-V.3
- EDX OS/2 UNIX-PC
- ELF OS4 UNKNOWN
- EMBOS OS86 UT2D
- EMMOS OSX V
- EPOS PCDOS VM
- FOONEX PERQ/OS VM/370
- FUZZ PLI VM/CMS
- GCOS PSDOS/MIT VM/SP
- GPOS PRIMOS VMS
- HDOS RMX/RDOS VMS/EUNICE
- IMAGEN ROS VRTX
- INTERCOM RSX11M WAITS
- IMPRESS RTE-A WANG
- INTERLISP SATOPS WIN32
- IOS SCO-XENIX/386 X11R3
- IRIX SCS XDE
- ISI-68020 SIMP XENIX
- ITS SUN
-
-
-
-Appendix C Installing DNS on a Sun when running NIS
-
-====================
- 2) How to get DNS to be used when running NIS ?
-
- First setup the appropriate /etc/resolv.conf file.
- Something like this should do the "trick".
-
- ;
- ; Data file for a client.
- ;
- domain local domain
- nameserver address of primary domain nameserver
- nameserver address of secondary domain nameserver
-
- where: "local domain" is the domain part of the hostnames.
- For example, if your hostname is "thor.ece.uc.edu"
- your "local domain" is "ece.uc.edu".
-
- You will need to put a copy of this resolv.conf on
- all NIS(YP) servers including slaves.
-
- Under SunOS 4.1 and greater, change the "B=" at the top
- of the /var/yp/Makefile to "B=-b" and setup NIS in the
- usual fashion.
-
- You will need reboot or restart ypserv for these changes
- to take affect.
-
- Under 4.0.x, edit the Makefile or apply the following "diff":
-
-*** Makefile.orig Wed Jan 10 13:22:11 1990
---- Makefile Wed Jan 10 13:22:01 1990
-***************
-*** 63 ****
-! | $(MAKEDBM) - $(YPDBDIR)/$(DOM)/hosts.byname; \
---- 63 ----
-! | $(MAKEDBM) -b - $(YPDBDIR)/$(DOM)/hosts.byname; \
-***************
-*** 66 ****
-! | $(MAKEDBM) - $(YPDBDIR)/$(DOM)/hosts.byaddr; \
---- 66 ----
-! | $(MAKEDBM) -b - $(YPDBDIR)/$(DOM)/hosts.byaddr; \
-====================
-
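Review bot: this deletion drops the troubleshooting checklist (Steps 1 to 4, the serial-number answer and the "get NS records and glue added to your parent zone" delegation answer) together with the material that is genuinely stale, and the reverse-mapping and delegation explanations in the deleted text remain accurate for this BIND tree; if the intent is that users now read the BIND 8 documentation instead, the commit should say so, otherwise keep those sections. The parts that should go are evident from the text itself: Appendix A's root hints are dated April 21, 1993, Appendix C describes named.boot and SunOS 4 NIS Makefile edits, and the jep@convex.nl localhost recipe declares the server `primary .`, which the guide's own inline comment warns risks polluting the root name servers.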
diff --git a/contrib/bind/doc/secure/copyright.txt b/contrib/bind/doc/secure/copyright.txt
deleted file mode 100644
index cc3835608906..000000000000
--- a/contrib/bind/doc/secure/copyright.txt
+++ /dev/null
@@ -1,28 +0,0 @@
-/*
- * Portions Copyright (c) 1995,1996 by Trusted Information Systems, Inc.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND TRUSTED INFORMATION SYSTEMS DISCLAIMS
- * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL TRUSTED INFORMATION
- * SYSTEMS BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
- * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
- * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
- * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
- * SOFTWARE.
- *
- * Trusted Information Systems, Inc. has received approval from the
- * United States Government for export and reexport of TIS/DNSSEC
- * software from the United States of America under the provisions of
- * the Export Administration Regulations (EAR) General Software Note
- * (GSN) license exception for mass market software. Under the
- * provisions of this license, this software may be exported or
- * reexported to all destinations except for the embargoed countries of
- * Cuba, Iran, Iraq, Libya, North Korea, Sudan and Syria. Any export
- * or reexport of TIS/DNSSEC software to the embargoed countries
- * requires additional, specific licensing approval from the United
- * States Government.
- */
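Review bot: deleting a license notice is only safe if no code it covers remains in the tree; this notice (the TIS permission grant plus the EAR export paragraph) is duplicated in readme.txt, which the same commit deletes, so the commit should confirm that no TIS/DNSSEC-derived sources are left under contrib/bind, or one copy of the notice has to stay alongside whatever survives.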
diff --git a/contrib/bind/doc/secure/install.txt b/contrib/bind/doc/secure/install.txt
deleted file mode 100644
index bb5bc94c211d..000000000000
--- a/contrib/bind/doc/secure/install.txt
+++ /dev/null
@@ -1,155 +0,0 @@
-
-INSTALL_SEC
-
- Bind with Secure DNS (TIS/DNSSEC)
- Version 1.3.0 Beta
- September 1996
-
-This version has been compiled and tested on SUNOS 4.1.3,
-FreeBSD-2.1.5-REL and Linux 2.0.11.
-There may be still be portability problems.
-If you have access to other hardware platforms please let us know if
-there are any problems porting and send us patches, to include in
-future releases.
-
-This version of secure Bind uses RSAREF-2.0 library from RSA,
-First you should get/read the RSAREF FAQ
- http://www.consensus.com/rsaref-faq.html
-Then you can copy RSAREF from
- ftp://ftp.rsa.com/rsaref/README
-
-You need to read this README file carefully for further instructions.
-
-Installation: (this version is based on 4.9.4-REL-P1).
-
-1. The tar ball will create a directory sec_bind in the current directory
- untar the archive
- The content of the sec_bind directory has the same directory
- structure as bind distribution with the addition of the directories
- dnssec_lib/ and signer/, some named directories have been
- deleted from the distribution.
-
- dnssec_lib/ contains the library files for signature generation
- signer/ contains tools for signing bind boot files and
- generating keys.
-
- In addition, there is a new file, "res/res_sign.c", which
- contains library routines that are required in the resolver
- for displaying new RR types.
-
- You need to tailor sec_bind/Makefile to your system as you do
- with bind distributions.
-
- The sec_bind distribution expects to find RSAREF in the
- rsaref/ subdirectory. If you install RSAREF in a different
- place you can place a pointer to the RSAREF installation
- directory in place of sec_bind/rsaref.
-
- sec_bind/Makefile expects to find the RSAREF library file
- at sec_bind/rsaref/lib/rsaref.a. The RSAREF distribution
- does not contain that directory. If you are installing RSAREF
- for the first time create that directory copy the correct
- Makefile from the appropriate rsaref/install/ subdirectory.
- Sec_bind will compile RSAREF for you.
-
- We recommend that you use an ANSI C compliant compiler to
- compile this distribution.
-
-2. Follow Bind installation guidelines on your system
-
- Set your normal configuration in conf/options.h with the
- following exceptions/additions:
- ROUND_ROBIN must be OFF (for right now)
- DNS_SECURITY must be ON
- RSAREF must be ON if you have a copy of RSAREF.
- This version of sec_bind does not work well without RSAREF.
-
-3. make
- If you are going to use make install everything will work right
- out of the box. If you are going to run programs out of the
- sec_bind directory you need to set the DESTEXEC variables
- accordingly.
-
-4. Once everything compiles you can run the simple test that is include in
- the distribution.
-
- First you need to edit the file signer/simple_test/test.boot to
- set directory directive to the full path of the directory this
- file is in.
-
- Now the signer program can be run to sign the simple_test data.
- The signed zone will be written to /tmp
- % cd sec_bind/signer
- % make test
- The passwords for the keys in the distribution are:
- Key: Password:
- foo.bar foo.bar
- mobile.foo.bar mobile
- fix.foo.bar fix.foo.bar
- sub.foo.bar sub.foo.bar
- some.bar some.bar
-
- Notice the differences between simple_test/test.boot and
- /tmp/test.boot. The pubkey directive are required for correct
- behavior of new named.
-
- To check the if named can read the new zone files and verify
- the signatures run following commands
- % cd ../named
- % make test
-
- Exit/error code 66 indicates that program completed normally
- in "load-only" mode (new -l flag).
-
- If you want to load up named run same command as make test does
- without -l flag. (the -d 3 flag is to make sure the process
- does not do a fork).
- % ./named -p 12345 -b /tmp/test.boot -d 3
-
- % cd ../tools
- % ./dig @localhost snore.foo.bar. -p 12345
- This should return an A record + SIG(A) record
- % ./dig @localhost no_such_name.foo.bar. -p 12345
- This should return a NXT record +SIG(NXT) for *.foo.bar.
-
- You can also test against our nameserver for zone sd-bogus.tis.com
- the host is uranus.hq.tis.com(192.94.214.95)
- % ./dig @uranus.hq.tis.com sd-bogus.tis.com. soa
- will return the SOA and SIG(SOA) + KEY
- % ./dig @uranus.hq.tis.com sd-bogus.tis.com. mb
- will return NXT for sd-bogus.tis.com
- % ./dig @uranus.hq.tis.com foo.sd-bogus.tis.com. ns
- will NS +KEY for foo.sd-bog.tis.com.
-
-5. Converting your setup to secure DNS zones.
- need to create a key for your zone.
- If you have a copy of the last release of sec_bind the key file
- format has changed and you need to regenerate all your keys, Sorry.
- The new format for private key files is portable between
- different architectures and operating systems, the encryption
- of the key file is compatible with the des program.
-
- To generate key use sec_bind/signer/key_gen. To generate zone key
- for name you.bar, with 512 bit modulus and exponent of 3,
- execute following command
-
- % cd signer
- % ./key_gen -z -g 512 you.bar
-
- key_gen will ask for an encryption password for the private
- key file, if you do not want to encrypt the key hit <Return>.
- The program will output resource record suitable for zone file.
- key_gen creates two files you.bar.priv and foo.bar.public.
-
- If you want, at any time, to display the public key for foo.bar
- run key_gen without the -g flag or cat file foo.bar.public.
- key_gen without any flags will print out the usage information.
- key_gen has extensive error checking on flags.
-
- To modify the flags field for an existing key run key_gen with
- the new flags but without the -g flag.
-
- Note: The key above is suitable for signing records but not for
- encrypting data.
-
-6. Send problems, fixes and suggestions to dns-security@tis.com.
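Review bot: nothing in this file needs preserving: it describes building the September 1996 TIS sec_bind 1.3.0 beta on 4.9.4-REL-P1 with RSAREF, not this BIND tree, it hard-codes an external test host (uranus.hq.tis.com, 192.94.214.95) that readers should not be expected to rely on, and its worked example `./key_gen -z -g 512 you.bar` produces a 512-bit modulus, far below any acceptable RSA key size today, so the text should not survive as documentation. If anyone intends to resurrect the key_gen paragraph elsewhere, fix its internal inconsistencies first: it says key_gen creates `you.bar.priv` and `foo.bar.public` for the same key, and the last dig example names `foo.sd-bog.tis.com.` where the query used `foo.sd-bogus.tis.com.`.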
diff --git a/contrib/bind/doc/secure/readme.txt b/contrib/bind/doc/secure/readme.txt
deleted file mode 100644
index d7b422ab1caa..000000000000
--- a/contrib/bind/doc/secure/readme.txt
+++ /dev/null
@@ -1,93 +0,0 @@
-
- Secure DNS (TIS/DNSSEC)
- September 1996
-
-Copyright (C) 1995,1996 Trusted Information Systems, Incorporated
-
-Trusted Information Systems, Inc. has received approval from the
-United States Government for export and reexport of TIS/DNSSEC
-software from the United States of America under the provisions of
-the Export Administration Regulations (EAR) General Software Note
-(GSN) license exception for mass market software. Under the
-provisions of this license, this software may be exported or
-reexported to all destinations except for the embargoed countries of
-Cuba, Iran, Iraq, Libya, North Korea, Sudan and Syria. Any export
-or reexport of TIS/DNSSEC software to the embargoed countries
-requires additional, specific licensing approval from the United
-States Government.
-
-Trusted Information Systems, Inc., is pleased to
-provide a reference implementation of the secure Domain Name System
-(TIS/DNSSEC). In order to foster acceptance of secure DNS and provide
-the community with a usable, working version of this technology,
-TIS/DNSSEC is being made available for broad use on the following basis.
-
-- Trusted Information Systems makes no representation about the
- suitability of this software for any purpose. It is provided "as is"
- without express or implied warranty.
-
-- TIS/DNSSEC is distributed in source code form, with all modules written
- in the C programming language. It runs on many UNIX derived platforms
- and is integrated with the Bind implementation of the DNS protocol.
-
-- This beta version of TIS/DNSSEC may be used, copied, and modified for
- testing and evaluation purposes without fee during the beta test
- period, provided that this notice appears in supporting documentation
- and is retained in all software modules in which it appears. Any other
- use requires specific, written prior permission from Trusted Information
- Systems.
-
-TIS maintains the email distribution list dns-security@tis.com for
-discussion of secure DNS. To join, send email to
- dns-security-request@tis.com.
-
-TIS/DNSSEC technical questions and bug reports should be addressed to
- dns-security@tis.com.
-
-To reach the maintainers of TIS/DNSSEC send mail to
- tisdnssec-support@tis.com
-
-TIS/DNSSEC is a product of Trusted Information Systems, Inc.
-
-This is an beta version of Bind with secure DNS extensions it uses
-RSAREF which you must obtain separately.
-
-Implemented and tested in this version:
- Portable key storage format.
- Improved authentication API
- Support for using different authentication packages.
- All Security RRs including KEY SIG, NXT, and support for wild cards
- tool for generating KEYs
- tool for signing RRs in boot files
- verification of RRs on load
- verification of RRs over the wire
- transmission of SIG RRs
- returns NXT when name and/or type does not exist
- storage of NXT, KEY, and SIG RRs with CNAME RR
- AD/ID bits added to header and setting of these bits
- key storage and retrieval
- dig and nslookup can display new header bits and RRs
- AXFR signature RR
- keyfile directive
- $SIGNER directive (to turn on and off signing)
- adding KEY to answers with NS or SOA
- SOA sequence numbers are now set each time zone is signed
- SIG AXFR ignores label count of names
- generation and inclusion of .PARENT files
- Returns only one NXT at delegation points unless two are required
- Expired SIG records are now returned in response to query
-
-Implemented but not fully tested:
-
-Known bugs:
-
-Not implemented:
- ROUND_ROBIN behaviour
- zone transfer in SIG(AXFR) sort order.
- transaction SIGs
- verification in resolver. (stub resolvers must trust local servers
- resolver library is to low level to implement security)
- knowing when to trust the AD bit in responses
-
-Read files INSTALL_SEC and USAGE_SEC for installation and user
-instructions, respectively.
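Review bot: removing readme.txt outright is consistent with its content, which describes a 1996 beta dependent on RSAREF ("This is an beta version of Bind with secure DNS extensions it uses RSAREF which you must obtain separately"), and its final pointer to "INSTALL_SEC and USAGE_SEC" already did not match the file names actually used in this directory (the usage document is usage.txt), so no working cross-reference is lost. One item worth carrying into the commit message: the "Not implemented" list ("verification in resolver", "knowing when to trust the AD bit in responses") is the only statement in this tree that the TIS/DNSSEC code performed no resolver-side validation; if any of that code remains under contrib/bind, that limitation should be recorded elsewhere before this file goes.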
diff --git a/contrib/bind/doc/secure/usage.txt b/contrib/bind/doc/secure/usage.txt
deleted file mode 100644
index aa8eebc670aa..000000000000
--- a/contrib/bind/doc/secure/usage.txt
+++ /dev/null
@@ -1,215 +0,0 @@
-
- USAGE_SEC
- Secure DNS (TIS/DNSSEC)
- September 1996
-
-This is the usage documentation for TIS' Secure DNS (TIS/DNSSEC) version
-BETA-1.3. This looks like a standard named distribution, with
-the following exceptions
-
- this version is coded against BIND-4.9.4-P1
-
- there are three new directories in this distribution
- dnssec_lib
- signer
- rsaref
-
-
- rsaref/ is place holder directory for RSAREF distribution.
- You must get RSAREF on your own.
-
- signer/ contains two applications needed by DNSSEC:
- signer: tool to sign zones
- key_gen: tool to generate keys
- dnssec_lib/ contains common library routines that are used by
- named, key_gen and signer.
- This is where most of the DNSSEC work is done.
-
-Before compiling you need to do your standard configurations for named
-and the edits explained in INSTALL_SEC. This version has been tested
-on SUNOS4.1.3. This version includes portability fixes from previous
-beta releases for Linux, Solaris-2.4, HPUX-9 and FreeBSD.
-
-CHANGES TO BIND
-
-res/
-
- There are minor changes to the files in the res directory. Most of
- the changes have to do with displaying NXT
- records. There are also some changes related to translating
- domain names into uncompressed lower case names upon request.
-
-tools/
- Minor changes to recognize NXT records and display them.
-
-named/
- Added code to read and write new record types.
- Added code to do signature validation on read.
- Added code to return appropriate SIG records.
- Added security flags to databuf and zoneinfo structures.
- Names can now have CNAME record and security RR's.
- Records are stored and transmitted in DNS SEC sort order.
-
-conf/
-
- Turned off ROUND_ROBIN option and installed new sorting required
- for signature verification.
-
-signer/
- NXT record generation.
- Key generation
- Signing of zones
- Converting data records to format required for signatures.
-
-dnssec_lib/
- Interfacing with Crypto library.
- Verifying signatures,
- preparing data for signing and verification
-
-The role of <zone>.PARENT files:
-
-DNSSEC specification requires change who is authorative for certain
-resource records. In order to support certification hierarchy each
-zone KEY RR must be signed by parent zone. The parent signed KEY RR
-must be distributed by the zone itself as it is the most authorative
-for its own records.
-
-To facilitate this TIS/DNSSEC signer program creates a <name>.PARENT
-file for every name in a zone that has a NS record. This file contains
-the KEY records stored under this name and
-NXT record and corresponding SIG records. If no KEY record is found
-for a name with a NS record a NULL-KEY record is generated to indicate
-that the child is INSECURE.
-
-Each <zone>.PARENT file must be sent via an out of band mechanism to
-the appropriate primary for the zone, for inclusion. signer program
-adds an $INCLUDE <zone>.PARENT command at the end of each zone file,
-if no file exists an warning message is printed.
-
-Potential PROBLEM: It is likely that the parent and child are on a
-different signing schedule. If new <zone>.PARENT file is put on the
-primary, due to the fact that the zone data changed but the SOA did
-not, it may take a long time for new records to propagate to the
-secondaries. This is only a problem if zone has added/deleted a KEY
-or if the the signatures will expire in the near future. To overcome
-this problem, resign your zone when any of above conditions is true.
-DNS NOTIFY and/or DNS DYNUPDATE may fix this problem in the future.
-
-TIS/DNSSEC SOA serial numbers. To facilitate prompt distribution of
-zone data to secondaries, signer takes over the management of SOA
-serial numbers. Each time signer signs a zone it sets the serial
-number to a value reflecting the time the zone was signed, in standard
-Unix time seconds since 1970/1/1 0:0:0 GMT.
-
-How to configure a secure zone.
- Create a directory <zone> to contain your zone files.
- Create a output directory <outdir> for the signer output.
- Put in <zone> a boot file that includes the files from that zone.
- Create a KEY for the zone by running key_gen, Name the key <domain>.
-
- Run signer on your zone writing to the output directory <outdir>.
- Signer will rewrite the boot file to include new directive
- "pubkey" of the key used to sign the file. If there where
- any pubkey declarations in the input boot file they will be
- deleted.
- Signer generates files that correspond to the load files specified.
-
- In case of load file that $INCLUDEs another load file, signer will
- merge them to the output file.
- You will notice that the output files are significantly larger.
- The output files will be in a different order than the input files,
- all records are sorted into DNSSEC sort order.
- NXT and SIG records have been added.
-
- If there are any NS records for a name other than the zone name of
- each input file you will see messages that NULL KEY records
- have been created, if this is not correct behavior, add
- the correct KEY RRs.
- For each domain name that has a NS record but is not a zone name
- of load file you will see a file named <name>.PARENT,
- this file contains the KEY record for that name and an
- NXT record + 2 SIG records.
- This file needs to be sent to the nameserver that is primary for that
- zone. There are two reasons for this:
- 1. To support Certification Hierarchy, each zone key is
- signed by the parent zone key.
- 2. Zone is the most trustworthy source for itself unless
- these records are loaded into the primary server for
- the zone, the records may not get propagated.
-
-how to run SEC_NAMED:
-
-Included in the distribution there is a small test setup:
-
-# run signer
-./signer boot-f simple_test/test.boot [out-dir /tmp]
-# or
-make test
-# This takes few minutes to run depending on your machine and the size
-# of the key selected
-# all output files will be stored in /tmp unless out-dir is specified
-
-#
-# Now we are ready to run named
-cd ../named
-./named -p 12345 -b /tmp/test.boot.save [-d x]
-
-#
-# you can now check for data in the data base
-# using the new dig.
-#
-cd ../tools
-./dig @yourhost snore.foo.bar. any in -p 12345
-
-#
-# Output from new dig will be something like this
-#
-; <<>> DiG 2.1 <<>> @dnssrv snore.foo.bar. any in -p
-; (1 server found)
-;; res options: init recurs defnam dnsrch
-;; got answer:
-;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10
-;; flags: qr rd ra; Ques: 1, Ans: 11, Auth: 0, Addit: 1
-;; QUESTIONS:
-;; snore.foo.bar, type = ANY, class = IN
-
-;; ANSWERS:
-snore.foo.bar. 259200 A 10.17.3.20
-snore.foo.bar. 259200 SIG A (
- 1 3; alg labels
- 259200 ; TTL
- 19950506200636 ; Signature expiration
- 19950406200659 ; time signed
- 47437 ; Key foot print
- foo.bar. ; Signers name
- FsqeW3hstM8Q6v8PMCGPsVMfO6dEpHjFgKm2dJRaofFtCQ/CT9O6Vo7J5zgkV+5ciWQwuZwvzW071jnZ1i27Ip/8vqdKGHC63tjWkCHSZV0=
- ) ; END Signature
-snore.foo.bar. 259200 MX 96 who.foo.bar.
-snore.foo.bar. 259200 MX 100 foo.bar.
-snore.foo.bar. 259200 MX 120 xxx.foo.bar.
-snore.foo.bar. 259200 MX 130 maGellan.foo.bar.
-snore.foo.bar. 259200 MX 140 bozo.foo.bar.
-snore.foo.bar. 259200 SIG MX (
- 1 3; alg labels
- 259200 ; TTL
- 19950506200636 ; Signature expiration
- 19950406200659 ; time signed
- 47437 ; Key foot print
- foo.bar. ; Signers name
- EV0cJqF3pUOgktggTrFf55YGwQFbUqPJAMTnAkHK3+Z/Ya6GgwwNOGRzq/FYm5P4E+yIj6WUYFh9Ex5eX5TwiIsjM/hy173lSa3qm/ljDk8=
- ) ; END Signature
-snore.foo.bar. 259200 NXT xxx.foo.bar.
-snore.foo.bar. 259200 SIG NXT (
- 1 3; alg labels
- 259200 ; TTL
- 19950506200636 ; Signature expiration
- 19950406200659 ; time signed
- 47437 ; Key foot print
- foo.bar. ; Signers name
- eJUHVm5Q5qYQYFVOW0L5Of67HQvQ9+7T7sQqHv7ayTT2sMnXudxviYv43vALMMwBcJFXFEhLhwYwN7pUDssD/w5si/6JJQTi1o30S8si3zE=
- ) ; END Signature
-
-;; Total query time: 195 msec
-;; FROM: dnssrv to SERVER: dnssrv 10.17.3.1
-;; WHEN: Thu Apr 6 16:20:32 1995
-;; MSG SIZE sent: 31 rcvd: 662
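Review bot: the deleted usage text is plainly obsolete (TIS/DNSSEC BETA-1.3 "coded against BIND-4.9.4-P1", and a sample dig session from 1995 whose SIG records expired on 19950506), so deleting the file is right; but the "Potential PROBLEM" paragraph on parent and child zones being on different signing schedules, with signatures expiring before the new <zone>.PARENT data reaches the secondaries, is the one operational warning in this tree about DNSSEC signature-expiry windows, and the commit message should say where current DNSSEC setup guidance lives so readers do not look for it here. The sample procedure is also a good reason not to keep it: "all output files will be stored in /tmp unless out-dir is specified" has the signer writing signed zones and the rewritten boot file into a world-writable directory by default.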