Dns Protocol Enhancements; Multiple Views; Security - Red Hat ENTERPRISE LINUX 5 - DEPLOYMENT Deployment Manual

All of the features mentioned are discussed in greater detail in the BIND 9 Administrator Reference
Manual referenced in Section 17.7.1, "Installed

17.5.1. DNS Protocol Enhancements

BIND supports Incremental Zone Transfers (IXFR), where a slave nameserver only downloads the
updated portions of a zone modified on a master nameserver. The standard transfer process requires
that the entire zone be transferred to each slave nameserver for even the smallest change. For
very popular domains with very lengthy zone files and many slave nameservers, IXFR makes the
notification and update process much less resource-intensive.
Note that IXFR is only available when using dynamic updating to make changes to master zone
records. If manually editing zone files to make changes, Automatic Zone Transfer (AXFR) is used.
More information on dynamic updating is available in the BIND 9 Administrator Reference Manual
Section 17.7.1, "Installed
referenced in

17.5.2. Multiple Views

Through the use of the view statement in named.conf, BIND can present different information
depending on which network a request originates from.
This is primarily used to deny sensitive DNS entries from clients outside of the local network, while
allowing queries from clients inside the local network.
The view statement uses the match-clients option to match IP addresses or entire networks and
give them special options and zone data.

17.5.3. Security

BIND supports a number of different methods to protect the updating and transfer of zones, on both
master and slave nameservers:
DNSSEC
Short for DNS SECurity, this feature allows for zones to be cryptographically signed with a zone
key.
In this way, the information about a specific zone can be verified as coming from a nameserver
that has signed it with a particular private key, as long as the recipient has that nameserver's
public key.
BIND version 9 also supports the SIG(0) public/private key method of message authentication.
TSIG
Short for Transaction SIGnatures, this feature allows a transfer from master to slave only after
verifying that a shared secret key exists on both nameservers.
This feature strengthens the standard IP address-based method of transfer authorization. An
attacker would not only need to have access to the IP address to transfer the zone, but they would
also need to know the secret key.
BIND version 9 also supports TKEY, which is another shared secret key method of authorizing
zone transfers.
Documentation".
Documentation".
DNS Protocol Enhancements
221