System i
Networking
Domain Name System
Version 5 Release 4
Note
Before using this information and the product it supports, read the information in "Notices," on page 37.
Sixth Edition (February 2006)
Contents
Domain Name System . . . 1
Printable PDF . . . 1
Domain Name System concepts . . . 1
Understanding zones . . . 2
Understanding Domain Name System queries . . . 3
Domain Name System domain setup . . . 5
Dynamic updates . . . 5
BIND 8 features . . . 6
Domain Name System resource records . . . 8
Mail and Mail Exchanger records . . . 11
Examples: Domain Name System . . . 12
Example: Single Domain Name System server for an intranet . . . 12
Example: Single Domain Name System server with Internet access . . . 14
Example: Domain Name System and Dynamic Host Configuration Protocol on the same System i . . . 16
Example: Splitting Domain Name System over firewall . . . 18
Planning for Domain Name System . . . 20
Determining Domain Name System authorities . . . 20
Determining domain structure . . . 20
Planning security measures . . . 21
Domain Name System requirements . . . 22
Determining if Domain Name System is installed . . . 23
Installing Domain Name System . . . 23
Configuring Domain Name System . . . 23
Accessing Domain Name System in iSeries Navigator . . . 23
Configuring name servers . . . 23
Creating a name server instance . . . 24
Editing Domain Name System server properties . . . 24
Configuring zones on a name server . . . 24
Configuring Domain Name System to receive dynamic updates . . . 25
Importing Domain Name System files . . . 26
Record validation . . . 26
Accessing external Domain Name System data . . . 26
Managing Domain Name System . . . 27
Verifying the Domain Name System function is working . . . 27
Managing security keys . . . 28
Managing Domain Name System keys . . . 28
Managing dynamic update keys . . . 28
Accessing Domain Name System server statistics . . . 28
Accessing server statistics . . . 29
Accessing an active server database . . . 29
Maintaining Domain Name System configuration files . . . 29
Advanced Domain Name System features . . . 32
Changing Domain Name System attributes . . . 32
Starting or stopping Domain Name System servers . . . 32
Changing debug values . . . 32
Troubleshooting Domain Name System . . . 33
Logging Domain Name System server messages . . . 33
Changing Domain Name System debug settings . . . 35
Related information for Domain Name System . . . 35
Appendix. Notices . . . 37
Programming Interface Information . . . 38
Trademarks . . . 39
Domain Name System
Domain Name System (DNS) is a distributed database system for managing host names and their associated Internet Protocol (IP) addresses.
Using DNS means that people can use simple names, such as www.jkltoys.com, to locate a host, rather than using the IP address (xxx.xxx.xxx.xxx). A single server might only be responsible for knowing the host names and IP addresses for a small subset of a zone, but DNS servers can work together to map all domain names to their IP addresses. DNS servers working together is what allows computers to communicate across the Internet.
For IBM® OS/400® Version 5 Release 1 (V5R1), DNS services are based on the industry-standard DNS implementation, known as Berkeley Internet Name Domain (BIND) version 8. Previous IBM OS/400 DNS services were based on BIND version 4.9.3. To use the new BIND version 8 DNS server, you must have i5/OS® option 31 (DNS) and option 33 (PASE) installed on your IBM System i™ model. If you do not have PASE installed, you can still run the same DNS server based on BIND version 4.9.3 that was available in previous releases. However, the migration to BIND 8 provides improved functions and incorporates better security for your DNS server.
Note: This topic discusses new features based on BIND 8. If you are not using PASE to run DNS based on BIND 8, see the V4R5 DNS book for information regarding DNS based on BIND 4.9.3.
Printable PDF
Use this to view and print a PDF of this information.
To view or download the PDF version of this document, select Domain Name System (about 625 KB).
Saving PDF files
To save a PDF on your workstation for viewing or printing:
1. Right-click the PDF in your browser (right-click the link above).
2. Click the option that saves the PDF locally.
3. Navigate to the directory in which you want to save the PDF.
4. Click Save.
Downloading Adobe Reader
You need Adobe Reader installed on your system to view or print these PDFs. You can download a free copy from the Adobe Web site (www.adobe.com/products/acrobat/readstep.html).
Domain Name System concepts
Domain Name System (DNS) is a distributed database system for managing host names and their associated Internet Protocol (IP) addresses. Using DNS means that people can use simple names, such as www.jkltoys.com, to locate a host, rather than using the IP address (xxx.xxx.xxx.xxx).
A single server might only be responsible for knowing the host names and IP addresses for a small subset of a zone, but DNS servers can work together to map all domain names to their IP addresses. DNS servers working together is what allows computers to communicate across the Internet.
DNS data is broken up into a hierarchy of domains. Servers are responsible to know only a small portion of data, such as a single subdomain. The portion of a domain for which the server is directly responsible is called a zone. A DNS server that has complete host information and data for a zone is authoritative for the zone. An authoritative server can answer queries about hosts in its zone, using its own resource records. The query process depends on a number of factors. Understanding DNS queries explains the paths a client can use to resolve a query.
Understanding zones
Domain Name System (DNS) data is divided into manageable sets of data called zones. Each of these sets is a specific zone type.
Zones contain name and IP address information about one or more parts of a DNS domain. A server that contains all of the information for a zone is the authoritative server for the domain. Sometimes it makes sense to delegate the authority for answering DNS queries for a particular subdomain to another DNS server. In this case, the DNS server for the domain can be configured to refer the subdomain queries to the appropriate server.
For backup and redundancy, zone data is often stored on servers other than the authoritative DNS server. These other servers are called secondary servers, which load zone data from the authoritative server. Configuring secondary servers allows you to balance the demand on servers and also provides a backup in case the primary server goes down. Secondary servers obtain zone data by doing zone transfers from the authoritative server. When a secondary server is initialized, it loads a complete copy of the zone data from the primary server. The secondary server also reloads zone data from the primary server or from other secondaries for that domain when zone data changes.
DNS zone types
You can use i5/OS DNS to define several types of zones to help you manage DNS data:
Primary zone
    A primary zone loads zone data directly from a file on a host. It can contain a subzone, or child zone. It can also contain resource records, such as host, alias (CNAME), address (A), or reverse mapping pointer (PTR) records.
    Note: Primary zones are sometimes referred to as master zones in other BIND documentation.
    Subzone
        A subzone defines a zone within the primary zone. Subzones allow you to organize zone data into manageable pieces.
    Child zone
        A child zone defines a subzone and delegates responsibility for the subzone data to one or more name servers.
    Alias (CNAME)
        An alias defines an alternate name for a primary domain name.
    Host
        A host object maps A and PTR records to a host. Additional resource records can be associated with a host.
Secondary zone
    A secondary zone loads zone data from a zone's primary server or another secondary server. It maintains a complete copy of the zone for which it is a secondary.
Stub zone
Forward zone
    A forward zone directs all queries for that particular zone to other servers.
Related concepts
"Understanding Domain Name System queries"
Domain Name System (DNS) can resolve queries on behalf of clients.
Related tasks
"Configuring zones on a name server" on page 24
After you configure a Domain Name System (DNS) server instance, you need to configure the zones for the name server.
Related reference
"Example: Single Domain Name System server for an intranet" on page 12
This example depicts a simple subnet with a Domain Name System (DNS) server for internal use.
"Domain Name System resource records" on page 8
Resource records are used to store data about domain names and IP addresses. This topic contains a searchable list of resource records supported for the i5/OS operating system.
Understanding Domain Name System queries
Domain Name System (DNS) can resolve queries on behalf of clients.
Suppose that host dataentry queries the DNS server for graphics.mycompany.com. The DNS server uses its own zone data and responds with the IP address 10.1.1.253.
Now suppose dataentry requests the IP address of www.jkl.com. This host is not in the DNS server's zone data. There are now two paths that can be followed, recursion or iteration. If a DNS server is set to use recursion, the server can query or contact other DNS servers on behalf of the requesting client to fully resolve the name, then send an answer back to the client. If the DNS server queries another DNS server, the requesting server will cache the answer, so it can use it the next time that it receives that query. A client can attempt to contact other DNS servers on its own behalf to resolve a name. In the process called
Related reference
"Understanding zones" on page 2
Domain Name System (DNS) data is divided into manageable sets of data called zones. Each of these sets is a specific zone type.
"Example: Single Domain Name System server with Internet access" on page 14
This example depicts a simple subnet with a Domain Name System (DNS) server connected directly to the Internet.
Domain Name System domain setup
Domain Name System (DNS) domain setup requires domain name registration to prevent others from using your domain name.
DNS allows you to serve names and addresses on an intranet, or internal network. It also allows you to serve names and addresses to the rest of the world through the Internet. If you want to set up domains on the Internet, you are required to register a domain name.
If you are setting up an intranet, you are not required to register a domain name for internal use. Whether to register an intranet name depends on whether you want to ensure that no one else can ever use the name on the Internet, independent of your internal use. Registering a name that you are going to use internally ensures that you will never have a conflict if you later want to use the domain name externally.
Domain registration can be performed by direct contact with an authorized domain name registrar, or through some Internet Service Providers (ISPs). Some ISPs offer a service to submit domain name registration requests on your behalf. The Internet Network Information Center (InterNIC) maintains a directory of all domain name registrars that are authorized by the Internet Corporation for Assigned Names and Numbers (ICANN).
Related reference
"Example: Single Domain Name System server with Internet access" on page 14
This example depicts a simple subnet with a Domain Name System (DNS) server connected directly to the Internet.
Related information
Internet Network Information Center (InterNIC)
Dynamic updates
i5/OS Domain Name System (DNS) based on BIND 8 supports dynamic updates. These allow outside sources, such as Dynamic Host Configuration Protocol (DHCP), to send updates to the DNS server. In addition, you can also use DNS client tools to perform dynamic updates.
DHCP is a TCP/IP standard that uses a central server to manage IP addresses and other configuration details for an entire network. A DHCP server responds to requests from clients, dynamically assigning properties to them. DHCP allows you to define network host configuration parameters at a central location and automate the configuration of hosts. It is often used to assign temporary IP addresses to clients for networks that contain more clients than the number of IP addresses available.
In the past, all DNS data was stored in static databases. All DNS resource records had to be created and maintained by the administrator. Now, DNS servers running BIND 8 can be configured to accept requests from other sources to update zone data dynamically.
using DHCP receives an IP address, that data is immediately sent to the DNS server. Using this method, DNS can continue to successfully resolve queries for hosts, even when their IP addresses change.
You can configure DHCP to update address mapping (A) records, reverse-lookup pointer (PTR) records, or both on behalf of a client. The A record maps a machine's host name to its IP address. The PTR record maps a machine's IP address to its host name. When a client's address changes, DHCP can automatically send an update to the DNS server so other hosts in the network can locate the client through DNS queries at its new IP address. For each record that is updated dynamically, an associated Text (TXT) record is written to identify that the record was written by DHCP.
Note: If you set DHCP to update only PTR records, you must configure DNS to allow updates from clients so that every client can update its A record. Not all DHCP clients support making their own A record update requests. Consult the documentation for your client platform before choosing this method.
Dynamic zones are secured by creating a list of authorized sources that are allowed to send updates. You can define authorized sources using individual IP addresses, whole subnets, packets that have been signed using a shared secret key (called a Transaction Signature, or TSIG), or any combination of those methods. DNS verifies that incoming request packets are coming from an authorized source before updating the resource records.
Dynamic updates can be performed between DNS and DHCP on a single System i model, between different System i models, or between a System i model and other systems that are capable of dynamic updates.
Note: The dynamic update application programming interface (API) QTOBUPT is required on servers that are sending dynamic updates to DNS. It is installed automatically with i5/OS Option 31, DNS.
Related concepts
Dynamic Host Configuration Protocol
Related tasks
"Configuring Domain Name System to receive dynamic updates" on page 25
Domain Name System (DNS) servers running BIND 8 can be configured to accept requests from other sources to update zone data dynamically. This topic provides instructions for configuring the allow-update option so DNS can receive dynamic updates.
Configuring the DHCP to send dynamic updates to DNS
Related reference
"Example: Domain Name System and Dynamic Host Configuration Protocol on the same System i" on page 16
This example depicts Domain Name System (DNS) and Dynamic Host Configuration Protocol (DHCP) on the same System i model.
"Domain Name System resource records" on page 8
Resource records are used to store data about domain names and IP addresses. This topic contains a searchable list of resource records supported for the i5/OS operating system.
QTOBUPT
"BIND 8 features"
Besides dynamic updates, BIND 8 offers several features to enhance performance of your Domain Name System (DNS) server.
BIND 8 features
DNS has been redesigned to use BIND 8 for i5/OS. If you do not have PASE installed, you can continue to configure and run the previously released OS/400 DNS server based on BIND 4.9.3. The DNS system requirements topic explains what you need to run BIND 8 DNS on your System i model. Using the new DNS allows you to take advantage of the following features:
Multiple DNS servers running on a single System i
In previous releases, only one DNS server could be configured. Now you can configure multiple DNS servers, or instances. This allows you to set up a logical division between servers. When you create multiple instances, you must explicitly define the listen-on interface IP addresses for each one. Two DNS instances cannot listen on the same interface.
One practical application of multiple servers is split DNS, where one server is authoritative for an internal network, and a second server is used for external queries.
Conditional forwarding
Conditional forwarding allows you to configure your DNS server to fine-tune your forwarding preferences. You can set a server to forward all queries for which it does not know the answer. You can set forwarding at a global level, but add exceptions to domains for which you want to force normal iterative resolution. Or, you can set normal iterative resolution at the global level, then force forwarding within certain domains.
Secure dynamic updates
Dynamic Host Configuration Protocol (DHCP) and other authorized sources can send dynamic resource record updates, using Transaction Signatures (TSIG) or source IP address authorization, or both. This reduces the need for manual updates of zone data while ensuring that only authorized sources are used for updates.
NOTIFY
When NOTIFY is turned on, the DNS NOTIFY function is activated whenever zone data is updated on the primary server. The primary server sends out a message indicating that data has changed to all known secondary servers. Secondary servers can then respond with a zone transfer request for updated zone data. This helps improve secondary server support by keeping backup zone data current.
Zone transfers (IXFR and AXFR)
In the past, whenever secondary servers needed to reload zone data, they had to load the entire data set in an All zone transfer (AXFR). BIND 8 supports a new zone transfer method: incremental zone transfer (IXFR). IXFR is a way that other servers can transfer only changed data, instead of the entire zone. When enabled on the primary server, data changes are assigned a flag to indicate that a change has occurred. When a secondary server requests a zone update in an IXFR, the primary server will send just the new data. IXFR is especially useful when a zone is dynamically updated. This transfer reduces the traffic load by sending smaller amounts of data.
Note: Both the primary server and secondary server must be IXFR-enabled to use this feature.
Related concepts
"Domain Name System requirements" on page 22
Consider these software requirements to run Domain Name System (DNS) on your System i model.
"Dynamic updates" on page 5
i5/OS Domain Name System (DNS) based on BIND 8 supports dynamic updates. These allow outside sources, such as Dynamic Host Configuration Protocol (DHCP), to send updates to the DNS server. In addition, you can also use DNS client tools to perform dynamic updates.
Related reference
"Example: Splitting Domain Name System over firewall" on page 18
This example depicts Domain Name System (DNS) operating over a firewall to protect internal data from the Internet, while allowing internal users to access data on the Internet.
"Planning security measures" on page 21
Domain Name System (DNS) provides security options to limit outside access to your server.
Domain Name System resource records
Resource records are used to store data about domain names and IP addresses. This topic contains a searchable list of resource records supported for the i5/OS operating system.
A DNS zone database is made up of a collection of resource records. Each resource record specifies information about a particular object. For example, address mapping (A) records map a host name to an IP address, and reverse-lookup pointer (PTR) records map an IP address to a host name. The server uses these records to answer queries for hosts in its zone. For more information, use the table to view DNS resource records.
Table 1. Resource record lookup table
Resource record | Abbreviation | Description
Address Mapping records | A | The A record specifies the IP address of this host. A records are used to resolve a query for the IP address of a specific domain name. This record type is defined in Request for Comments (RFC) 1035.
Andrew File System Database records | AFSDB | The AFSDB record specifies the AFS® or DCE address of the object. AFSDB records are used like A records to map a domain name to its AFSDB address, or to map from the domain name of a cell to authenticated name servers for that cell. This record type is defined in RFC 1183.
Canonical Name records | CNAME | The CNAME record specifies the actual domain name of this object. When DNS queries an aliased name and finds a CNAME record pointing to the canonical name, it then queries that canonical domain name. This record type is defined in RFC 1035.
Host Information records | HINFO | The HINFO record specifies general
Integrated Services Digital Network records | ISDN | The ISDN record specifies the address of this object. This record maps a host name to the ISDN address. They are used only in ISDN networks. This record type is defined in RFC 1183.
IP Version 6 Address records | AAAA | The AAAA record specifies the 128-bit address of a host. AAAA records are used like A records to map a host name to its IP address. Use AAAA records to support IP version 6 addresses, which do not fit the standard A record format. This record type is defined in RFC 1886.
Location records | LOC | The LOC record specifies the physical location of network components. These records can be used by applications to evaluate network efficiency or map the physical network. This record type is defined in RFC 1876.
Mail Exchanger records | MX | The MX record defines a mail exchanger host for mail sent to this domain. These records are used by Simple Mail Transfer Protocol (SMTP) to locate hosts that process or forward mail for this domain, along with preference values for each mail exchanger host. Each mail exchanger host must have a corresponding host address (A) record in a valid zone. This record type is defined in RFC 1035.
Mail Group records | MG | The MG record specifies the mail group domain name. This record type is defined in RFC 1035.
Mailbox records | MB | The MB record specifies the host domain name which contains the mailbox for this object. Mail sent to the domain is directed to the host specified in the MB record. This record type is defined in RFC 1035.
Mailbox Information records | MINFO | The MINFO record specifies the
Mailbox Rename records | MR | The MR record specifies a new domain name for a mailbox. Use the MR record as a forwarding entry for a user who has moved to a different mailbox. This record type is defined in RFC 1035.
Name Server records | NS | The NS record specifies an authoritative name server for this host. This record type is defined in RFC 1035.
Network Service Access Protocol records | NSAP | The NSAP record specifies the address of an NSAP resource. NSAP records are used to map domain names to NSAP addresses. This record type is defined in RFC 1706.
Public Key records | KEY | The KEY record specifies a public key that is associated with a DNS name. The key can be for a zone, a user, or a host. This record type is defined in RFC 2065.
Responsible Person records | RP | The RP record specifies the internet mail address and description of the person responsible for this zone or host. This record type is defined in RFC 1183.
Reverse-lookup Pointer records | PTR | The PTR record specifies the domain name of a host for which you want a PTR record defined. PTR records allow a host name lookup, given an IP address. This record type is defined in RFC 1035.
Route Through records | RT | The RT record specifies a host domain name that can act as a forwarder of IP packets for this host. This record type is defined in RFC 1183.
Start of Authority records | SOA | The SOA record specifies that this
Text records | TXT | The TXT record specifies multiple strings of text, up to 255 characters long each, to be associated with a domain name. TXT records can be used along with responsible person (RP) records to provide information about who is responsible for a zone. This record type is defined in RFC 1035. TXT records are used by i5/OS DHCP for dynamic updates. The DHCP server writes an associated TXT record for each PTR and A record update that is done by the DHCP server. DHCP records have a prefix of AS400DHCP.
Well-Known Services records | WKS | The WKS record specifies the well-known services supported by the object. Most commonly, WKS records indicate whether tcp or udp or both protocols are supported for this address. This record type is defined in RFC 1035.
X.400 Address Mapping records | PX | The PX record is a pointer to X.400/RFC 822 mapping information. This record type is defined in RFC 1664.
X25 Address Mapping records | X25 | The X25 record specifies the address of an X25 resource. This record maps a host name to the PSDN address. They are used only in X25 networks. This record type is defined in RFC 1183.
Related concepts
"Mail and Mail Exchanger records"
Domain Name System (DNS) supports advanced mail routing through the use of Mail and Mail Exchanger (MX) records.
Related reference
"Example: Single Domain Name System server for an intranet" on page 12
This example depicts a simple subnet with a Domain Name System (DNS) server for internal use.
"Understanding zones" on page 2
Domain Name System (DNS) data is divided into manageable sets of data called zones. Each of these sets is a specific zone type.
Mail and Mail Exchanger records
Domain Name System (DNS) supports advanced mail routing through the use of Mail and Mail Exchanger (MX) records.
DNS includes information for sending electronic mail by using mail exchanger information. If the network is using DNS, an SMTP application does not deliver mail addressed to host TEST.IBM.COM by opening a TCP connection to TEST.IBM.COM. SMTP first queries the DNS server to find out which host servers can be used to deliver the message.
Deliver to a specific address
DNS servers use resource records that are known as mail exchanger (MX) records. MX records map a domain or host name to a preference value and host name. MX records are generally used to designate that one host is used to process mail for another host. The records are also used to designate another host to deliver mail to, if the first host cannot be reached. In other words, they allow mail that is addressed to one host to be delivered to a different host.
Multiple MX resource records might exist for the same domain or host name. When multiple MX records exist for the same domain or host, the preference (or priority) value of each record determines the order in which they are tried. The lowest preference value corresponds to the most preferred record, which is tried first. When the most preferred host cannot be reached, the sending mail application tries to contact the next, less preferred MX host. The domain administrator, or the creator of the MX record, sets the preference value.
A DNS server can respond with an empty list of MX resource records when the name is in the DNS server's authority but has no MX assigned to it. When this occurs, the sending mail application might try to establish a connection with the destination host directly.
Note: Using a wildcard (example: *.mycompany.com) in MX records for a domain is not suggested.
Example: MX record for a host
In the following example, the system, by preference, delivers mail for fsc5.test.ibm.com to the host itself. If the host cannot be reached, the system might deliver the mail to psfred.test.ibm.com or to mvs.test.ibm.com (if psfred.test.ibm.com also cannot be reached). This is an example of what these MX records will look like:
fsc5.test.ibm.com    IN MX 0 fsc5.test.ibm.com
                     IN MX 2 psfred.test.ibm.com
                     IN MX 4 mvs.test.ibm.com
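The selection rule described above (lowest preference first, fall through to the next exchanger when a host is unreachable, and a direct connection when the name has no MX records at all), worked through in Python on the three MX lines from the example. This is an added illustration, not code from the original document or from i5/OS; the record lines it parses are the ones shown above, and the "reachable" set is a constructed stand-in for what an SMTP sender learns by trying to connect.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class MXRecord:
    owner: str        # the domain or host name mail is addressed to
    preference: int   # lower value = more preferred
    exchanger: str    # host that accepts mail for the owner


def parse_mx_zone_lines(lines: Iterable[str]) -> List[MXRecord]:
    """Parse zone-file style MX lines.

    A line may start with an owner name or, as in the example above, with
    "IN" on continuation lines, in which case the owner of the previous
    record is inherited. Zone-file comments (";...") are ignored.
    """
    records: List[MXRecord] = []
    current_owner: Optional[str] = None
    for raw in lines:
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        tokens = line.split()
        if tokens[0].upper() != "IN":
            current_owner = tokens[0].rstrip(".").lower()
            tokens = tokens[1:]
        if current_owner is None:
            raise ValueError("continuation line before any owner: %r" % raw)
        if len(tokens) != 4 or tokens[0].upper() != "IN" or tokens[1].upper() != "MX":
            raise ValueError("not an MX record: %r" % raw)
        records.append(MXRecord(current_owner, int(tokens[2]),
                                tokens[3].rstrip(".").lower()))
    return records


def delivery_order(owner: str, records: Iterable[MXRecord]) -> List[str]:
    """Exchangers for owner, most preferred (lowest preference value) first."""
    owner = owner.rstrip(".").lower()
    mine = [r for r in records if r.owner == owner]
    return [r.exchanger for r in sorted(mine, key=lambda r: r.preference)]


def choose_mail_host(owner: str, records: Iterable[MXRecord],
                     reachable: Iterable[str]) -> Optional[str]:
    """Host an SMTP sender would end up connecting to.

    Exchangers are tried in preference order. With no MX records at all the
    sender may connect to the destination host directly (the empty-MX case
    described above). Returns None if nothing usable is reachable.
    """
    up = {h.rstrip(".").lower() for h in reachable}
    candidates = delivery_order(owner, records) or [owner.rstrip(".").lower()]
    for host in candidates:
        if host in up:
            return host
    return None


# Constructed input: the three MX lines from the example above.
EXAMPLE_ZONE = """
fsc5.test.ibm.com  IN MX 0 fsc5.test.ibm.com
                   IN MX 2 psfred.test.ibm.com
                   IN MX 4 mvs.test.ibm.com
"""

if __name__ == "__main__":
    recs = parse_mx_zone_lines(EXAMPLE_ZONE.splitlines())
    print(delivery_order("fsc5.test.ibm.com", recs))
    # fsc5 itself is down, so the next-preferred exchanger is chosen
    print(choose_mail_host("fsc5.test.ibm.com", recs,
                           reachable=["psfred.test.ibm.com", "mvs.test.ibm.com"]))
```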
Related reference
"Domain Name System resource records" on page 8
Resource records are used to store data about domain names and IP addresses. This topic contains a searchable list of resource records supported for the i5/OS operating system.
Examples: Domain Name System
You can use these examples to understand how to use Domain Name System (DNS) in your network. DNS is a distributed database system for managing host names and their associated IP addresses. The following examples help to explain how DNS works, and how you can use it in your network. The examples describe the setup and reasons it will be used. They also link to related concepts that you might find useful to understand the pictures.
Example: Single Domain Name System server for an intranet
server for the mycompany.com zone.
Each host in the zone has an IP address and a domain name. The administrator must manually define the hosts in the DNS zone data by creating resource records. Address mapping (A) records map the name of a machine to its associated IP address. This allows other hosts on the network to query the DNS server to find the IP address assigned to a particular host name. Reverse-lookup pointer (PTR) records map the IP address of a machine to its associated name. This allows other hosts on the network to query the DNS server to find the host name that corresponds to an IP address.
In addition to A and PTR records, DNS supports many other resource records that might be required, depending on what other TCP/IP based applications you are running on your intranet. For example, if you are running internal e-mail systems, you might need to add mail exchanger (MX) records so that SMTP can query DNS to find out which systems are running the mail servers.
If this small network were part of a larger intranet, it might be necessary to define internal root servers.
Secondary servers
Secondary servers load zone data from the authoritative server. Secondary servers obtain zone data by doing zone transfers from the authoritative server. When a secondary name server starts, it requests all data for the specified domain from the primary name server. A secondary name server requests updated data from the primary server either because it receives notification from the primary name server (if the NOTIFY function is being used) or because it queries the primary name server and determines that the data has changed. In the figure above, the mysystemi server is part of an intranet. Another system, mysystemi2, has been configured to act as a secondary DNS server for the mycompany.com zone. The secondary server can be used to balance the demand on servers and also to provide a backup in case the primary server goes down. It is a good practice to have at least one secondary server for every zone.
Related reference
"Domain Name System resource records" on page 8
Resource records are used to store data about domain names and IP addresses. This topic contains a searchable list of resource records supported for the i5/OS operating system.
"Understanding zones" on page 2
Domain Name System (DNS) data is divided into manageable sets of data called zones. Each of these sets is a specific zone type.
"Example: Single Domain Name System server with Internet access"
This example depicts a simple subnet with a Domain Name System (DNS) server connected directly to the Internet.
Example: Single Domain Name System server with Internet access
This example depicts a simple subnet with a Domain Name System (DNS) server connected directly to the Internet.
To resolve Internet addresses, you need to do at least one of the following tasks:
- Define Internet root servers
  You can load the default Internet root servers automatically, but you might need to update the list. These servers can help to resolve addresses outside of your own zone. For instructions for obtaining the current Internet root servers, see Accessing external Domain Name System data.
- Enable forwarding
  You can set up forwarding to pass queries for zones outside of mycompany.com to external DNS servers, such as DNS servers run by your Internet service provider (ISP). If you want to enable searching by both forwarding and root servers, you need to set the forward option to first. The server first tries forwarding and then queries the root servers only if forwarding fails to resolve the query.
The following configuration changes might also be required:
- Assign unrestricted IP addresses
  In the example above, 10.x.x.x addresses are shown. However, these are restricted addresses and cannot be used outside of an intranet. They are shown below for example purposes, but your own IP addresses are determined by your ISP and other networking factors.
- Register your domain name
  If you are visible to the Internet and have not already registered, you need to register a domain name.
- Establish a firewall
  It is not suggested that you allow your DNS to be directly connected to the Internet. You need to configure a firewall or take other precautions to secure your System i model.
Related concepts
"Domain Name System domain setup" on page 5
Domain Name System (DNS) domain setup requires domain name registration to prevent others from using your domain name.
System i and Internet security
"Understanding Domain Name System queries" on page 3
Domain Name System (DNS) can resolve queries on behalf of clients.
Related reference
"Example: Single Domain Name System server for an intranet" on page 12
This example depicts a simple subnet with a Domain Name System (DNS) server for internal use.
Example: Domain Name System and Dynamic Host Configuration Protocol on the same System i
This example depicts Domain Name System (DNS) and Dynamic Host Configuration Protocol (DHCP) on the same System i model.
The configuration can be used to update DNS zone data dynamically when DHCP assigns IP addresses to hosts.
Previous versions of DHCP and DNS were independent of each other. If DHCP assigned a new IP address to a client, the DNS records had to be manually updated by the administrator. In this example, if the graphics file server's IP address changes because it is assigned by DHCP, then its dependent clients will be unable to map a network drive to its host name because the DNS records will contain the file server's previous IP address.
With the i5/OS DNS server based on BIND 8, you can configure your DNS zone to accept dynamic updates to DNS records in conjunction with intermittent address changes through DHCP. For example, when the graphics file server renews its lease and is assigned an IP address of 10.1.1.250 by the DHCP server, the associated DNS records will be updated dynamically. This allows the other clients to query the DNS server for the graphics file server by its host name without interruption.
To configure a DNS zone to accept dynamic updates, complete the following tasks:
- Identify the dynamic zone
  You cannot manually update a dynamic zone while the server is running. Doing so might cause interference with incoming dynamic updates. Manual updates can be made when the server is stopped, but you will lose any dynamic updates sent while the server is down. For this reason, you might want to configure a separate dynamic zone to minimize the need for manual updates. See Determining domain structure for more information about configuring your zones to use the dynamic update function.
- Configure the allow-update option
  Any zone with the allow-update option configured is considered a dynamic zone. The allow-update option is set on a per-zone basis. To accept dynamic updates, the allow-update option must be enabled for this zone. For this example, the mycompany.com zone has allow-update data, but other zones defined on the server can be configured to be static or dynamic.
- Configure DHCP to send dynamic updates
  You must authorize your DHCP server to update the DNS records for the IP addresses it has distributed.
- Configure secondary server update preferences
  To keep secondary servers current, you can configure DNS to use the NOTIFY function to send a message to secondary servers for the mycompany.com zone when zone data changes. You should also configure incremental zone transfers (IXFR), which enables IXFR-enabled secondary servers to track and load only the updated zone data, instead of the entire zone.
If you run DNS and DHCP on different servers, there are some additional configuration requirements for the DHCP server.
Related concepts
"Dynamic updates" on page 5
i5/OS Domain Name System (DNS) based on BIND 8 supports dynamic updates. These allow outside sources, such as Dynamic Host Configuration Protocol (DHCP), to send updates to the DNS server. In addition, you can also use DNS client tools to perform dynamic updates.
Related tasks
Configuring the DHCP to send dynamic updates to DNS
Related reference
Example: DNS and DHCP on different System i platforms
Example: Splitting Domain Name System over firewall

This example depicts Domain Name System (DNS) operating over a firewall to protect internal data from the Internet, while allowing internal users to access data on the Internet.

The following figure depicts a simple subnet network that uses a firewall for security. With i5/OS DNS based on BIND 8, you can set up multiple DNS servers on a single System i model. Suppose that the company has an internal network with reserved IP space and an external section of a network that is available to the public.

The company wants its internal clients to be able to resolve external host names and to exchange mail with people on the outside. The company also wants its internal resolvers to have access to certain internal-only zones that are not available at all outside of the internal network. However, it does not want any outside resolvers to be able to access the internal network.

The external server, DNSB, is configured with a primary zone mycompany.com. This zone data includes only the resource records that are intended to be part of the public domain. The internal server, DNSA, is configured with a primary zone mycompany.com, but the zone data defined on DNSA contains intranet resource records. The forwarders option is defined as 10.1.2.5. This forces DNSA to forward queries it cannot resolve to the DNSB server.

If you are concerned about the integrity of your firewall or other security threats, you have the option of using the listen-on option to help protect internal data. To do this, you can configure the internal server to allow queries to the internal mycompany.com zone only from internal hosts. In order for all this to work properly, internal clients need to be configured to query only the DNSA server. You need to consider the following configuration settings to set up split DNS:

- Listen-on
  In other DNS examples, only one DNS server is on a System i model. It is set to listen on all interface IP addresses. Whenever you have multiple DNS servers on a System i model, you must define the interface IP addresses that each one listens on. Two DNS servers cannot listen on the same address. In this case, assume that all queries that come in from the firewall are sent in on 10.1.2.5. These queries should be sent to the external server. Therefore, DNSB is configured to listen on 10.1.2.5. The internal server, DNSA, is configured to accept queries from anything on the 10.1.x.x interface IP addresses except 10.1.2.5. To effectively exclude this address, the Address Match List (AML) must have the excluded address listed before the included address prefix.
- Address Match List (AML) order
  The first element in the AML that a given address matches is used. For example, to allow all addresses on the 10.1.x.x network except 10.1.2.5, the ACL elements must be in the order { !10.1.2.5; 10.1/16; }. In this case, the address 10.1.2.5 is compared to the first element and is immediately denied. If the elements are reversed ({ 10.1/16; !10.1.2.5; }), the IP address 10.1.2.5 is allowed access because the server compares it to the first element, which matches, and allows it without checking the rest of the rules.
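The two instances in this example, written out as NAMED.CONF fragments. This is an added example, not configuration from the original page or from IBM; on i5/OS, iSeries Navigator writes these files from the wizard settings, and the fragments show what the listen-on, forwarders and zone choices above look like in BIND 8 syntax. DNSA's own address 10.1.1.1, the instance directory names and the zone file names are assumptions; 10.1.2.5 and the zone name come from the example.

```conf
// Added example (not from the original page): split DNS on one System i.
// Two separate NAMED.CONF files, one per server instance.
// Assumed: DNSA listens on 10.1.1.1 among others; file and directory names.

// ===== File 1: NAMED.CONF of the external instance DNSB =====
options {
    directory "/QIBM/UserData/OS400/DNS/DNSB";
    listen-on { 10.1.2.5; };        // only the address the firewall delivers queries to
    // DNSB is also DNSA's forwarder, so it must recurse for DNSA and for
    // nobody else. Left at the default, every Internet host could use
    // DNSB as a recursive resolver.
    allow-recursion { 10.1.1.1; };
    allow-transfer { none; };       // no zone transfers to the outside
};

zone "." in {
    type hint;
    file "NAMED.CA";                // Internet root servers (see Accessing external DNS data)
};

zone "mycompany.com" in {
    type master;
    file "mycompany.com.public.db"; // public records only
};

// ===== File 2: NAMED.CONF of the internal instance DNSA =====
options {
    directory "/QIBM/UserData/OS400/DNS/DNSA";
    // Exclusion first, then the prefix: the first matching element wins.
    // Reversed, 10.1.2.5 would match 10.1/16 and be accepted.
    listen-on   { !10.1.2.5; 10.1/16; };   // never the address DNSB uses
    allow-query { !10.1.2.5; 10.1/16; };   // intranet records for internal hosts only
    allow-transfer { none; };
    forwarders { 10.1.2.5; };       // everything DNSA cannot answer goes to DNSB
    forward only;                   // no root hints: DNSA talks to DNSB, never to the Internet
};

zone "mycompany.com" in {
    type master;
    file "mycompany.com.internal.db";   // intranet records
};
```

Note that listen-on decides which interface addresses the instance binds, which is what keeps the two instances apart on one model; allow-query is what actually refuses a query that arrives from an address outside the list. Because DNSA has no root hints, the DNSB instance is the only path to the Internet, and its allow-recursion list is the setting that keeps it from serving as an open resolver for outsiders.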
Related reference
"BIND 8 features" on page 6
Besides dynamic updates, BIND 8 offers several features to enhance performance of your Domain Name System (DNS) server.
Planning for Domain Name System

Domain Name System (DNS) offers a variety of solutions. Before you configure DNS, it is important to plan how it works within your network. Subjects such as network structure, performance, and security should be assessed before you implement DNS.
Determining Domain Name System authorities

There are special authorization requirements for the Domain Name System (DNS) administrator. You should also consider the security implications of authorization.

When you set up DNS, you should take security precautions to protect your configuration. You need to establish which users are authorized to make changes to the configuration.

A minimum level of authority is required to allow your administrator to configure and administer DNS. Granting all object access ensures that the administrator is capable of performing DNS administrative tasks. It is suggested that users who configure DNS have security officer access with all object (*ALLOBJ) authority. Use iSeries Navigator to authorize users. If you need more information, read "Granting authority to the DNS administrator" in the DNS online help.

Note: If an administrator's profile does not have full authority, specific access and authority to all DNS directories and related configuration files must be granted.

*ALLOBJ special authority also gives the profile access to every other object on the system. Where a DNS administrator should not have that reach, use the approach in the note instead: grant authority only to the DNS directories and configuration files listed under Maintaining Domain Name System configuration files.
Related reference
"Maintaining Domain Name System configuration files" on page 29
You can use i5/OS DNS to create and manage DNS server instances on your System i model. The configuration files for DNS are managed by iSeries Navigator. You must not manually edit the files. Always use iSeries Navigator to create, change, or delete DNS configuration files.

Determining domain structure

It is important to determine how you divide your domain or subdomains into zones, how to best serve network demand, access to the Internet, and how to negotiate firewalls. These factors can be complex and must be dealt with case by case. Refer to authoritative sources such as the O'Reilly DNS and BIND book for in-depth guidelines.

If you configure a Domain Name System (DNS) zone as a dynamic zone, you cannot make manual changes to zone data while the server is running. Doing so might interfere with incoming dynamic updates. If it is necessary to make manual updates, stop the server, make the changes, and then restart the server. Dynamic updates sent to a stopped DNS server will never be completed. For this reason, you might want to configure a dynamic zone and a static zone separately. You can do this by creating entirely separate zones, or by defining a new subdomain, such as dynamic.mycompany.com, for those clients that will be maintained dynamically.

i5/OS DNS provides a graphical interface for configuring your systems. In some cases, the interface uses terminology or concepts that might be represented differently in other sources. If you refer to other information sources when you are planning for your DNS configuration, it might be helpful to remember the following items:

- All zones and objects defined in a System i model are organized within the folders Forward Lookup Zones and Reverse Lookup Zones. Forward lookup zones are the zones that are used to map domain names to IP addresses, such as A records. The reverse lookup zones are the zones that are used to map IP addresses to domain names, such as PTR records.
- i5/OS DNS refers to primary zones and secondary zones (BIND documentation calls these master and slave zones).
- The interface uses subzones, which some sources refer to as subdomains. A child zone is a subzone for which you have delegated responsibility to one or more name servers.
Planning security measures

Domain Name System (DNS) provides security options to limit outside access to your server.

Securing your DNS server is essential. In addition to the security considerations in this topic, DNS security and System i security are covered in a variety of sources, including the System i platform and the Internet topic collection. The book DNS and BIND also covers security related to DNS.

Address match lists

DNS uses address match lists to allow or deny outside entities access to certain DNS functions. These lists can include specific IP addresses, a subnet (using an IP prefix), or Transaction Signature (TSIG) keys. You can define a list of entities to which you want to allow or deny access in an address match list. If you want to be able to reuse an address match list, you can save the list as an access control list (ACL). Then whenever you need to provide the list, you can call the ACL and the entire list will be loaded.

Address match list element order

The first element in an address match list that a given address matches is used. For example, to allow all addresses on the 10.1.1.x network except 10.1.1.5, the match list elements must be in the order { !10.1.1.5; 10.1.1/24; }. In this case, the address 10.1.1.5 is compared to the first element and is immediately denied.

If the elements are reversed ({ 10.1.1/24; !10.1.1.5; }), the IP address 10.1.1.5 is allowed access because the server compares it to the first element, which matches, and allows it without checking the rest of the rules.

Access control options

allow-query, allow-transfer and allow-update can be set for the whole server or for an individual zone, where the zone setting overrides the server setting.

allow-update
In order for your DNS server to accept dynamic updates from outside sources, you must enable the allow-update option. List only the hosts or keys that are supposed to send updates: a zone whose allow-update list matches any host can be rewritten by anyone who can reach the server.

allow-query
Specifies which hosts are allowed to query this server. If not specified, the default is to allow queries from all hosts.

allow-transfer
Specifies which hosts are allowed to receive zone transfers from the server. If not specified, the default is to allow transfers from all hosts. Because a zone transfer hands out the complete contents of a zone, restrict this option to your secondary servers.

allow-recursion
Specifies which hosts are allowed to make recursive queries through this server. If not specified, the default is to allow recursive queries from all hosts. A server reachable from the Internet that keeps this default is an open resolver; limit it to your own clients.

blackhole
Specifies a list of addresses that the server does not accept queries from or use to resolve a query. Queries from these addresses will not be responded to.
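The options above, first as they behave when left at their BIND 8 defaults and then restricted, together with an ACL that shows the element-order rule from the previous section. This is an added example, not configuration from the original page or from IBM; iSeries Navigator produces the equivalent settings from the Options tab. The addresses (secondary server 10.1.1.10, denied host 10.1.1.5, blackholed host 192.0.2.7) and the instance directory name are assumptions.

```conf
// Added example (not from the original page). Two alternative "options"
// statements for one NAMED.CONF (a file contains only one of them), plus
// reusable ACLs. Addresses and directory name are assumed.

// ---- As shipped: nothing specified, so the defaults apply ----
// allow-query     -> every host may query
// allow-transfer  -> every host may pull the whole zone (AXFR)
// allow-recursion -> every host may use this server as a recursive resolver
options {
    directory "/QIBM/UserData/OS400/DNS/DNSA";
};

// ---- Restricted ----
// Correct order: the negated element comes first, because the first element
// an address matches decides the outcome.
acl internal-net {
    !10.1.1.5;      // denied even though it lies inside 10.1.1/24
    10.1.1/24;
    10.1/16;
};

// Wrong order, kept only for comparison and not referenced below:
// 10.1.1.5 matches 10.1.1/24 first and is accepted; "!10.1.1.5" is never reached.
acl internal-net-broken {
    10.1.1/24;
    !10.1.1.5;
};

options {
    directory "/QIBM/UserData/OS400/DNS/DNSA";
    allow-query     { internal-net; };
    allow-recursion { internal-net; };  // no open resolver
    allow-transfer  { 10.1.1.10; };     // secondaries only; "none" if there are none
    blackhole       { 192.0.2.7; };     // never answer it, never query it
};
```

Unlike the other three options, blackhole is server-wide only. A named ACL such as internal-net is what the text calls saving an address match list as an access control list; once defined it can be named in any of the allow-* options, and in allow-update on a zone, instead of repeating the addresses.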
Related concepts
System i and Internet security
Related reference
"BIND 8 features" on page 6
Besides dynamic updates, BIND 8 offers several features to enhance performance of your Domain Name System (DNS) server.

Domain Name System requirements

Consider these software requirements to run Domain Name System (DNS) on your System i model.

The DNS option feature, Option 31, cannot be installed automatically with the operating system. You must specifically select DNS for installation. The DNS server added for i5/OS is based on the industry-standard DNS implementation known as BIND 8. Previous OS/400 DNS services were based on BIND 4.9.3, and are still available in i5/OS.

After DNS is installed, you are by default configured to set up a single DNS server using the BIND 4.9.3-based DNS server capabilities that were available in previous releases. If you want to run one or more DNS servers using BIND 8, you must install PASE. PASE is SS1 Option 33. After PASE is installed, iSeries Navigator automatically handles configuring the correct BIND implementation.

If you do not use PASE, you will not be able to take advantage of all of the BIND 8 features. If you do not use PASE, you can still run the same DNS server based on BIND 4.9.3 that was available in previous releases. See the V4R5 DNS information center topic for BIND 4.9.3 documentation.

If you want to configure a DHCP server on a different platform to send updates to this DNS server, Option 31 must be installed on that DHCP server as well. The Dynamic Host Configuration Protocol (DHCP) server uses programming interfaces provided by Option 31 to perform dynamic updates.

Related concepts
i5/OS PASE
"Configuring Domain Name System" on page 23
You can use iSeries Navigator to configure name servers and to resolve queries outside of your domain.
Related information
V4R5 DNS
Determining if Domain Name System is installed

To determine if Domain Name System (DNS) is installed, follow these steps.

1. At the command line, type GO LICPGM and press Enter.
2. Type 10 (Display installed licensed programs) and press Enter.
3. Page down to 5722SS1 Domain Name System (SS1 Option 31). If DNS is installed successfully, the Installed Status will be *COMPATIBLE, as shown here:

   LicPgm    Installed Status   Description
   5722SS1   *COMPATIBLE        Domain Name System

4. Press F3 to exit the display.

Installing Domain Name System

To install Domain Name System (DNS), follow these steps.

1. At the command line, type GO LICPGM and press Enter.
2. Type 11 (Install licensed programs) and press Enter.
3. Type 1 (Install) in the Option field next to Domain Name System and press Enter.
4. Press Enter again to confirm the installation.
Configuring Domain Name System

You can use iSeries Navigator to configure name servers and to resolve queries outside of your domain.

Before you work with your Domain Name System (DNS) configuration, see DNS system requirements to install the necessary DNS components.

Related concepts
"Domain Name System requirements" on page 22
Consider these software requirements to run Domain Name System (DNS) on your System i model.

Accessing Domain Name System in iSeries Navigator

These instructions guide you to the DNS configuration interface in iSeries Navigator.

If you are using PASE, you will be able to configure DNS servers based on BIND 8. If you are not using PASE, you can still run the same DNS server based on BIND 4.9.3 that was available in previous releases. See the V4R5 DNS information center topic for information regarding DNS based on BIND 4.9.3.

If you are configuring DNS for the first time, follow these steps:

1. In iSeries Navigator, expand your system → Network → Servers → DNS.
2. Right-click DNS and select New Configuration.

Related concepts
Getting to know iSeries Navigator

Configuring name servers

Domain Name System (DNS) allows you to create multiple name server instances. This topic provides instructions for configuring a name server.

If you want to create multiple instances, repeat this procedure until all the instances you want have been created. You can specify independent properties, such as debug levels and autostart values, for each name server instance. When you create a new instance, separate configuration files are created.

Related reference
"Maintaining Domain Name System configuration files" on page 29
You can use i5/OS DNS to create and manage DNS server instances on your System i model. The configuration files for DNS are managed by iSeries Navigator. You must not manually edit the files. Always use iSeries Navigator to create, change, or delete DNS configuration files.

Creating a name server instance

The New Domain Name System (DNS) Configuration wizard can help you to define a DNS server instance.

To start the New DNS Configuration wizard, follow these steps:

1. In iSeries Navigator, expand your system → Network → Servers → DNS.
2. In the left pane, right-click DNS and select New Name Server...
3. Follow the wizard's instructions to complete the configuration process.

The wizard requires the following input:

DNS server name:
Enter a name for your DNS server. It can be up to 5 characters long and must start with an alphabetic character. If you create multiple servers, each must have a unique name. This name is referred to as the DNS server "instance" name in other areas of the system.

Listen-on IP addresses:
Two DNS servers cannot listen on the same IP address. The default setting is to listen on ALL IP addresses. If you are creating additional server instances, neither can be configured to listen on ALL. You must specify the IP addresses for each server.

Root servers:
You might load the list of default Internet root servers or specify your own root servers, such as internal root servers for an intranet.

Note: You should only consider loading the default Internet root servers if you are on the Internet and expect your DNS to be able to fully resolve Internet names.

Server start-up:
You can specify whether the server should autostart when TCP/IP is started. When you operate multiple servers, individual instances can be started and ended independently of each other.
Editing Domain Name System server properties

After you create a name server, you can edit properties such as allow-update and debug levels. These options apply only to the server instance you change.

To edit the properties of the Domain Name System (DNS) server instance, follow these steps:

1. In iSeries Navigator, expand your system → Network → Servers → DNS.
2. In the right pane, right-click your DNS server and select Configuration.
3. Right-click DNS Server and select Properties.

Configuring zones on a name server

After you configure a Domain Name System (DNS) server instance, you need to configure the zones for the name server.

1. In iSeries Navigator, expand your system → Network → Servers → DNS.
2. In the right pane, right-click your DNS server and select Configuration.
3. In the DNS Configuration window, select the zone type that you want to create by right-clicking either the Forward Lookup Zone or the Reverse Lookup Zone folder.
4. Follow the wizard's instructions to complete the creation process.

Related concepts
"Accessing external Domain Name System data" on page 26
When you create Domain Name System (DNS) zone data, your server will be able to resolve queries to that zone.
Related tasks
"Configuring Domain Name System to receive dynamic updates"
Domain Name System (DNS) servers running BIND 8 can be configured to accept requests from other sources to update zone data dynamically. This topic provides instructions for configuring the allow-update option so DNS can receive dynamic updates.
"Importing Domain Name System files" on page 26
Domain Name System (DNS) can import existing zone data files. Follow these time-saving procedures for creating a new zone from an existing configuration file.
Related reference
"Understanding zones" on page 2
Domain Name System (DNS) data is divided into manageable sets of data called zones. Each of these sets is a specific zone type.
Configuring Domain Name System to receive dynamic updates

Domain Name System (DNS) servers running BIND 8 can be configured to accept requests from other sources to update zone data dynamically. This topic provides instructions for configuring the allow-update option so DNS can receive dynamic updates.

When creating dynamic zones, you should consider your network structure. If parts of your domain still require manual updates, you might want to consider setting up separate static and dynamic zones. If you need to make manual updates to a dynamic zone, you must stop the dynamic zone server and restart it after you have completed the updates. Stopping the server forces it to write all dynamic updates that have been made since the server loaded its zone data back to the zone database. If you edit the zone file without stopping the server, the dynamic updates it has processed since it started are lost. However, stopping the server to make manual updates means you might miss dynamic updates that are sent while the server is down.

DNS treats a zone as dynamic when objects are defined in its allow-update statement. Whatever you add to that list (an address, a prefix, an ACL, or a key) is what the server accepts updates from, so list the DHCP server or its key rather than a whole network. To configure the allow-update option, follow these steps:

1. In iSeries Navigator, expand your system → Network → Servers → DNS.
2. In the right pane, right-click your DNS server and select Configuration.
3. In the DNS Configuration window, expand Forward Lookup Zone or Reverse Lookup Zone.
4. Right-click the primary zone that you want to edit and select Properties.
5. On the Primary Zone Properties page, click the Options tab.
6. On the Options page, expand Access Control → allow-update.
7. DNS uses an address match list to verify authorized updates. To add an object to the address match list, select an address match list element type and click Add. You can add an IP Address, IP Prefix, Access Control List, or Key.
8. When you have finished updating the address match list, click OK to close the Options page.

Related tasks
"Configuring zones on a name server" on page 24
Configuring the DHCP to send dynamic updates to DNS
Importing Domain Name System files

Domain Name System (DNS) can import existing zone data files. Follow these time-saving procedures for creating a new zone from an existing configuration file.

You can create a primary zone by importing a zone data file, or by converting existing host tables. Refer to Converting host tables to create zone data from a host table.

You can import any file that is a valid zone configuration file based on BIND syntax. The file should be located in an IFS directory. When imported, DNS verifies that it is a valid zone data file and adds it to the NAMED.CONF file for this server instance.

To import a zone file, follow these steps:

1. In iSeries Navigator, expand your system → Network → Servers → DNS.
2. In the right pane, double-click the DNS server instance into which you want to import the zone.
3. In the left pane, right-click DNS Server and select Import Zone.
4. Follow the wizard's instructions to import the primary zone.

Related tasks
"Configuring zones on a name server" on page 24
After you configure a Domain Name System (DNS) server instance, you need to configure the zones for the name server.

Record validation

The Import domain data function reads and validates each record of the file that is being imported. After the Import domain data function has finished, any records in error can be examined individually on the Other Records property page of the imported zone.

Notes:
1. Importing a large primary domain might take several minutes.
2. The Import domain data function does not support the $include directive. Import domain data's validity checking process identifies lines that contain the $include directive as lines in error.
Accessing external Domain Name System data

When you create Domain Name System (DNS) zone data, your server will be able to resolve queries to that zone.

Root servers are critical to the function of a DNS server that is directly connected to the Internet or a large intranet. DNS servers must use root servers to answer queries about hosts other than those that are contained in their own domain files.

To reach out for more information, a DNS server has to know where to look. On the Internet, the first place that a DNS server looks is the root servers. The root servers direct a DNS server toward other servers in the hierarchy until an answer is found, or it is determined that there is no answer.

iSeries Navigator's default root servers list

Check that the default list is current by comparing it to the list on the InterNIC site. Update your configuration's root server list to keep it current.

Getting Internet root server addresses

The top-level root servers' addresses change from time to time, and it is the DNS administrator's responsibility to keep them current. InterNIC maintains a current list of Internet root server addresses. To obtain a current list of Internet root servers, follow these steps:

1. Anonymous FTP to the InterNIC server: FTP.RS.INTERNIC.NET
2. Download this file: /domain/named.root
3. Store the file in the following directory path: Integrated File System/Root/QIBM/ProdData/OS400/DNS/ROOT.FILE

Because the server sends every query it cannot answer itself to the addresses in this file, compare the downloaded file against the list published on the InterNIC site before installing it; a wrong or altered hints file misdirects all of the server's Internet resolution.

A DNS server behind a firewall might have no root servers defined. In this case, the DNS server can resolve queries only from entries that exist in its own primary domain database files, or its cache. It might forward off-site queries to the firewall DNS. In this case, the firewall DNS server acts as a forwarder.

Intranet root servers

If your DNS server is part of a large intranet, you might have internal root servers. If your DNS server will not be accessing the Internet, you do not need to load the default Internet servers. However, you should add your internal root servers so that your DNS server can resolve internal addresses outside of its domain.

Related tasks
"Configuring zones on a name server" on page 24
After you configure a Domain Name System (DNS) server instance, you need to configure the zones for the name server.
Managing Domain Name System

Managing Domain Name System (DNS) includes verifying that the DNS function is working, monitoring performance, and maintaining DNS data and files.

Verifying the Domain Name System function is working

Name Server Lookup (NSLookup) is a tool that is used to query the Domain Name System (DNS) server for an IP address. This verifies that the DNS server is working.

Request the host name that is associated with the loopback IP address (127.0.0.1). It should respond with the host name (localhost). You should also query specific names that are defined in the server instance that you are trying to verify. This will confirm that the specific server instance you are testing is functioning properly.

To verify DNS function with NSLookup, follow these steps:

1. At the command line, type NSLOOKUP DMNNAMSVR(n.n.n.n), where n.n.n.n is an address that you have configured the server instance you are testing to listen on.
2. At the command line, type NSLOOKUP and press Enter. This starts an NSLookup query session.
3. Type server followed by your server name and press Enter. For example: server myiseries.mycompany.com. This information displays:

   Server:  myiseries.mycompany.com
   Address: n.n.n.n

4. Enter 127.0.0.1 on the command line and press Enter. This information should display, including the loopback host name:

   > 127.0.0.1
   Server:  myiseries.mycompany.com
   Address: n.n.n.n
   Name:    localhost
   Address: 127.0.0.1

   The DNS server is responding correctly if it returns the loopback host name: localhost.
5. Type exit and press Enter to quit the NSLOOKUP terminal session.

Note: If you need help using NSLookup, type ? and press Enter.
Managing security keys

Security keys allow you to limit access to your Domain Name System (DNS) data.

There are two types of keys related to DNS. They each play a different role in securing your DNS configuration. The following descriptions explain how each relates to your DNS server.

Managing Domain Name System keys

The Domain Name System (DNS) keys are keys defined for BIND and used by the DNS server as part of the verification of an incoming update.

You can configure a key and assign it a name. Then, when you want to protect a DNS object, such as a dynamic zone, you can specify the key in the Address Match List.

To manage DNS keys, follow these steps:

1. In iSeries Navigator, expand your system → Network → Servers → DNS.
2. In the right pane, right-click the DNS server instance that you want to open and select Configuration.
3. In the DNS Configuration window, select File → Manage Keys.

Managing dynamic update keys

Dynamic update keys are used for securing dynamic updates by the Dynamic Host Configuration Protocol (DHCP) server.

These keys must be present when Domain Name System (DNS) and DHCP are on the same System i model. If DHCP is on a different System i model, you must create the same dynamic update key on each System i model to allow secure dynamic updates.

To manage dynamic update keys, follow these steps:

1. In iSeries Navigator, expand your system → Network → Servers → DNS.
2. Right-click DNS and select Manage Dynamic Update Keys.
Accessing Domain Name System server statistics

Database dump and statistics tools can help you review and manage server performance.

Domain Name System (DNS) provides several diagnostic tools. They can be used to monitor performance of your server.

Related reference
"Maintaining Domain Name System configuration files" on page 29
You can use i5/OS DNS to create and manage DNS server instances on your System i model. The configuration files for DNS are managed by iSeries Navigator. You must not manually edit the files. Always use iSeries Navigator to create, change, or delete DNS configuration files.

Accessing server statistics

The server statistics summarize the number of queries and responses the server received since the last time the server restarted or reloaded its database.

Domain Name System (DNS) allows you to view the statistics for a server instance. Information is continually appended to this file until you delete the file. This information might be useful in evaluating how much traffic the server receives, and in tracking down problems. More information about server statistics is available in the DNS online help topic Understanding DNS server statistics.

To access server statistics, follow these steps:

1. In iSeries Navigator, expand your system → Network → Servers → DNS.
2. In the right pane, right-click your DNS server and select Configuration.
3. In the DNS Configuration window, select View → Server Statistics.

Accessing an active server database

The active server database contains zone and host information, including some zone properties, such as start of authority (SOA) information, and host properties, such as mail exchanger (MX) information, which might be useful in tracking down problems.

Domain Name System (DNS) allows you to view a dump of the authoritative data, cache data, and hints data for a server instance. The dump includes the information from all of the server's primary and secondary zones (forward and reverse mapping zones), as well as information that the server has obtained from queries.

You can view the active server database dump using iSeries Navigator. If you need to save a copy of the files, the database dump file name is NAMED_DUMP.DB in your i5/OS directory path: Integrated File System/Root/QIBM/UserData/OS400/DNS/<serverinstance>, where <serverinstance> is the name of the DNS server instance. More information about the active server database is available in the DNS online help topic Understanding the DNS server database dump.

To access the active server database dump, follow these steps:

1. In iSeries Navigator, expand your system → Network → Servers → DNS.
2. In the right pane, right-click your DNS server and select Configuration.
3. In the DNS Configuration window, select View → Active Server Database.
Maintaining Domain Name System configuration files

You can use i5/OS DNS to create and manage DNS server instances on your System i model. The configuration files for DNS are managed by iSeries Navigator. You must not manually edit the files. Always use iSeries Navigator to create, change, or delete DNS configuration files.

DNS configuration files are stored in the integrated file system paths listed below.

Note: The file structure below applies to DNS running on BIND 8. If you are using DNS based on BIND 4.9.3, see Backing up DNS configuration files and maintaining log files in the V4R5 DNS Information Center topic.

In the following table, files are listed in the hierarchy of paths shown. Files with a save icon should be backed up to protect data. Files with a delete icon

Name                                   Description
QIBM/UserData/OS400/DNS/               Starting point directory for DNS.
  ATTRIBUTES                           DNS uses this file to determine which BIND version you are using.
QIBM/UserData/OS400/DNS/<instance-n>/  Starting point directory for a DNS instance.
  ATTRIBUTES                           Configuration attributes used by i5/OS DNS.
  NAMED.CONF                           This file contains configuration data. Used to tell the server what
                                       specific zones it is managing, where the zone files are, which zones
                                       can be dynamically updated, where its forwarding servers are, and
                                       other option settings.
  BOOT.AS400BIND4                      BIND 4.9.3 server configuration and policies file that is converted to
                                       the BIND 8 NAMED.CONF file for this instance. This file is created if
                                       you migrate a BIND 4.9.3 server to BIND 8. It serves as a backup for
                                       migration, and can be deleted when the BIND 8 server is working
                                       properly.
  NAMED.CA                             List of root servers for this server instance.
  NAMED_DUMP.DB                        Server data dump created for the active server database.
  NAMED.STATS                          Server statistics.
  NAMED.PID                            Holds the process ID of the running server. This file is created each
                                       time the DNS server is started. It is used for the Database,
                                       Statistics, and Update server functions. Do not delete or edit this
                                       file.
  QUERYLOG                             The DNS server log of queries received. The file is created when the
                                       DNS server log is active. When active, this file becomes large and it
                                       should be deleted on a regular basis.
  <zone-name-a>.DB                     Zone file for a particular domain to be served by this server.
                                       Contains all of the resource records for this zone.
  *.ixfr.*                             Incremental zone transfer (IXFR) files. These files are used by
                                       secondary servers to load only changed data since the last zone
                                       transfer. As updates are made, the number of IXFR files will grow.
                                       You should periodically delete the older IXFR files. Leaving files
                                       that were created within a day or two will allow most secondaries to
                                       still load IXFRs. If you delete all of the files, the secondary will
                                       request a full transfer (AXFR).
  TMP                                  Directory used by the server instance for creating temporary work
                                       files.
QIBM/UserData/OS400/DNS/TMP            Temp directory used by the QTOBH2N program to create intermediate
                                       files dumped from the host table for later import using iSeries
                                       Navigator.
QIBM/UserData/OS400/DNS/_DYN/          Directory that holds files required for dynamic updates.
  <key_id-name-x>._KID                 File containing a BIND 8 key statement for the key_id named
                                       <key_id-name-x>.
  <key_id-name-x>._DUK.<zone-name-a>   Dynamic update key required to initiate a dynamic update request to
                                       <zone-name-a> using the <key_id-name-x> key.
  <key_id-name-y>._KID                 File containing a BIND 8 key statement for the key_id named
                                       <key_id-name-y>.
  <key_id-name-y>._DUK.<zone-name-a>   Dynamic update key required to initiate a dynamic update request to
                                       <zone-name-a> using the <key_id-name-y> key.
  <key_id-name-y>._DUK.<zone-name-b>   Dynamic update key required to initiate a dynamic update request to
                                       <zone-name-b> using the <key_id-name-y> key.

The _KID and _DUK files hold the shared secrets that authorize dynamic updates; include them in backups of the _DYN directory and restrict their authority to the DNS administrator, as described under Determining Domain Name System authorities.

Related concepts
"Determining Domain Name System authorities" on page 20
There are special authorization requirements for the Domain Name System (DNS) administrator. You should also consider security implications of authorization.
"Accessing Domain Name System server statistics" on page 28
Database dump and statistics tools can help you review and manage server performance.
Related tasks
"Configuring name servers" on page 23