BIND 4 has some additional features. The following sections describe them.

Debugging

Starting named with the -d command-line option or running ndc debug turns on debugging output. If you don't have ndc, sending SIGUSR1 to increment the debug level also accomplishes this. By default, this output is written to /usr/tmp/named.run. In addition to, or in place of, query logging, it can help you figure out whether someone is sending you bogus information or bombarding you with queries and slowing down your system. However, query logging alone might be sufficient. Sending SIGUSR2 disables debugging.

Sending SIGINT to named is analogous to the ndc dumpdb command. It dumps the entire database and cache contents to a file, probably called /var/tmp/named_dump.db. This file lets you examine whether the zone data was loaded correctly and whether anything odd is in the cache.

Reloading Zones

If you don't have the ndc program, you can cause a named.boot and zone reload by sending named a SIGHUP. This also forces SOA queries to the master servers for serial number comparison, so any slave zones that have been updated on the master are also refreshed by force when SIGHUP is sent.

Zone Access Lists

BIND 4 has a feature called secure_zone, which lets you define an ACL for a zone. Although secure_zone is implemented by embedding secure_zone records in the zone file, they are in fact not RRs and are not transferred in a zone transfer. So, even if you have secure_zone set up on a master server, none of the slaves will have the necessary information, and BIND implements no way to distribute it. If you need slave servers and secure_zone to secure the zone(s), you must find some way to distribute the records other than a traditional zone transfer. The BOG suggests that secure_zone is useful for Hesiod (zone class HS) password zones, to restrict the availability of passwords outside local networks. But secure_zone is perhaps best forgotten.
This example is from the BOG:

secure_zone HS TXT "130.215.0.0:255.255.0.0"
secure_zone HS TXT "128.23.10.56:H"

Similar to xfrnets, BIND knows which class the given network addresses belong to, and if no subnet mask is given, the class mask is used. In the first line of the previous example, a subnet mask is given. The second line specifies a lone host. BIND 8 has ACLs for this. ACLs are not transferred by zone transfer either, but at least they are not removed by zone transfers; they stay put in the named.conf file.
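To make the secure_zone matching rules concrete, here is an added example (not BIND's own code) that parses the three record forms described above, explicit mask, lone host with ":H", and bare address falling back to the classful A/B/C mask, and checks whether a client address is permitted. The classful fallback is my reading of "the class mask is used" and is an assumption about BIND 4's exact behaviour.

```python
import ipaddress

# Added example: evaluates BIND 4 secure_zone entries as the text describes
# (network:mask, host:H for a single host, or the class mask when none is given).
# The classful fallback below is an assumption about BIND 4's exact behaviour.

def _classful_prefix(addr: ipaddress.IPv4Address) -> int:
    """Default prefix length from the classful (A/B/C) rules BIND 4 applied."""
    first_octet = int(addr) >> 24
    if first_octet < 128:          # class A
        return 8
    if first_octet < 192:          # class B
        return 16
    return 24                      # class C (and above, treated the same here)

def parse_secure_zone(line: str) -> ipaddress.IPv4Network:
    """Parse one 'secure_zone HS TXT "addr[:mask|H]"' record into a network."""
    fields = line.split()
    if len(fields) != 4 or fields[0] != "secure_zone" or fields[2] != "TXT":
        raise ValueError(f"not a secure_zone record: {line!r}")
    value = fields[3].strip('"')
    addr_txt, _, mask_txt = value.partition(":")
    addr = ipaddress.IPv4Address(addr_txt)
    if mask_txt == "H":            # lone host
        return ipaddress.IPv4Network((addr, 32))
    if mask_txt == "":             # no mask: fall back to the class mask
        return ipaddress.IPv4Network((addr, _classful_prefix(addr)), strict=False)
    return ipaddress.IPv4Network((addr, mask_txt), strict=False)   # explicit mask

def build_acl(zone_text: str) -> list:
    """Collect every secure_zone record in a zone fragment into a list of networks."""
    return [parse_secure_zone(l) for l in zone_text.splitlines() if l.strip()]

def query_allowed(acl, client_ip: str) -> bool:
    """A client may query the zone only if it falls inside some secure_zone entry."""
    ip = ipaddress.IPv4Address(client_ip)
    return any(ip in net for net in acl)

# Constructed input: the two records from the BOG plus one with no mask at all.
SAMPLE_ZONE = '''
secure_zone HS TXT "130.215.0.0:255.255.0.0"
secure_zone HS TXT "128.23.10.56:H"
secure_zone HS TXT "192.168.5.0"
'''

ACL = build_acl(SAMPLE_ZONE)
```

Because the records live only in the master's zone file, running the same check on a slave that received the zone by transfer would find an empty ACL, which is exactly the distribution problem the section describes.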