9f57c06d41
- explain what happens if we get clock skew
79 lines
1.6 KiB
Plaintext
79 lines
1.6 KiB
Plaintext
# $NetBSD: named.conf,v 1.7 2013/04/25 20:28:05 christos Exp $
|
|
|
|
# boot file for secondary name server
|
|
# Note that there should be one primary entry for each SOA record.
|
|
# If you cannot get DNSSEC to work, and you see the following message:
|
|
# DNSKEY: verify failed due to bad signature (keyid=19036): \
|
|
# RRSIG validity period has not begun
|
|
# Fix your clock. You can comment out the dnssec entries temporarily to
|
|
# get to an ntp server.
|
|
|
|
options {
|
|
directory "/etc/namedb";
|
|
dnssec-enable yes;
|
|
dnssec-validation auto;
|
|
dnssec-lookaside auto;
|
|
managed-keys-directory "keys";
|
|
bindkeys-file "bind.keys";
|
|
allow-recursion { localhost; localnets; };
|
|
|
|
#
|
|
# This forces all queries to come from port 53; might be
|
|
# needed for firewall traversals but should be avoided if
|
|
# at all possible because of the risk of spoofing attacks.
|
|
#
|
|
#query-source address * port 53;
|
|
};
|
|
|
|
zone "." {
|
|
type hint;
|
|
file "root.cache";
|
|
};
|
|
|
|
zone "localhost" {
|
|
type master;
|
|
file "localhost";
|
|
};
|
|
|
|
zone "127.IN-ADDR.ARPA" {
|
|
type master;
|
|
file "127";
|
|
};
|
|
|
|
zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" {
|
|
type master;
|
|
file "loopback.v6";
|
|
};
|
|
|
|
# example secondary server config:
|
|
#
|
|
# zone "Berkeley.EDU" {
|
|
# type slave;
|
|
# file "berkeley.edu.cache";
|
|
# masters {
|
|
# 128.32.130.11;
|
|
# 128.32.133.1;
|
|
# };
|
|
# };
|
|
|
|
# zone "32.128.IN-ADDR.ARPA" {
|
|
# type slave;
|
|
# file "128.32.cache";
|
|
# masters {
|
|
# 128.32.130.11;
|
|
# 128.32.133.1;
|
|
# };
|
|
# };
|
|
|
|
# example primary server config:
|
|
#
|
|
# zone "Berkeley.EDU" {
|
|
# type master;
|
|
# file "berkeley.edu";
|
|
# };
|
|
|
|
# zone "32.128.IN-ADDR.ARPA" {
|
|
# type master;
|
|
# file "128.32";
|
|
# };
|