|
|
This chapter explains how to configure DNS zones using both the Network Registrar CLI and the GUI. Before you proceed with the tasks in this chapter, we suggest you read "Configuring the First Zone as a Primary Name Server" section of this guide, which explains how to add a zone's primary name server, import zone data, and view a primary zone name server's configuration.
Table 5-1 describes the topics related to delegating or configuring DNS zones.
| If you want to... | Go to this section... |
|---|---|
Set properties for a DNS zone, such as specifying the properties in the Start of Authority (SOA) record | |
Specify the authoritative servers for the zone | |
Adding, editing, or removing hosts from a zone | |
Enabling, disabling, or restricting zone transfers | |
Enabling dynamic DNS updates for DHCP servers | |
Know about subzones and delegate, remove, hide, or edit a subzone's Resource Records | |
Edit individual Resource Records |
After adding a zone, you must first set the Start of Authority (SOA) record. Once created, you can edit all fields in the SOA except for the Name and Serial Number fields. These read-only fields are used by the CNR server. The serial number is automatically increased each time the server is reloaded, or when a Dynamic DNS update is added.
Step 1 Highlight the zone where you want to edit the SOA record.
Step 2 In the DNS Zone Properties dialog box, select the SOA tab (Figure 5-1).
Step 3 Make appropriate changes to editable fields.
Step 4 Click OK.
Step 5 Reload the server.
Step 1 In the DNS Zone Properties dialog box, select the SOA tab (Figure 5-1).
The Name field displays the name of the zone you specified when you created the zone.
nrcmd> zone example.com create primary ns andy
Setting the time to live (TTL) changes the TTL for al records in the zone.
Step 1 In the DNS Zone Properties dialog box, select the SOA tab (Figure 5-1).
Step 2 Use the TTL field to specify the Time To Live in seconds for this record. Enter the value that is appropriate for the zone. For more information about TTLs, see the Glossary in this guide.
Use the zone command to set the time to live in seconds.
nrcmd> zone example.com set minttl=86400
You can use an actual person's e-mail name or use an alias such as hostmaster. In either case, it must be a valid e-mail address for someone who can handle potential problems.
Step 1 In the DNS Zone Properties dialog box, select the SOA tab (Figure 5-1).
Step 2 Use the Contact email address field to specify the e-mail address for the person responsible for the name server. Remember to use a period instead of an @ sign.
nrcmd> zone example.com set person=hostmaster
You can specify the relative name and Network Registrar will add the rest of the domain specification, or you can use the fully qualified domain name that ends with a period.
Step 1 In the DNS Zone Properties dialog box, select the SOA tab (Figure 5-1).
Step 2 Use the Name of primary server field to specify the name of the server you are configuring. You can specify the relative name and Network Registrar will add the rest of the domain specification, or you can use the fully qualified domain name that ends with a period.
Use the zone set command to specify the domain name (such as ns.example.com) or just the prefix (such as ns) of the primary name server for this zone.
nrcmd> zone example.com set ns=ns
A primary server uses a serial number to indicate when its database has changed. Secondary servers check this serial number to determine whether they must update their zone data. You can only enter a serial number the first time you configure a zone. Thereafter, Network Registrar increments the serial number every time it makes a change to the database. You cannot edit a serial number after you have configured a zone.
The Secondary refresh time is how often a secondary name server checks the primary server for an update. A good value is from one hour to one day, depending on how often you expect to change zone data, and how quickly the secondary servers must notice.
If you are using NOTIFY, you can set the refresh time to a larger value without causing long delays between transfers, because NOTIFY forces the secondary servers to notice when the primary data changes. For more information about NOTIFY, see the "Enabling NOTIFY" section.
Step 1 In the DNS Zone Properties dialog box, select the SOA tab (Figure 5-1)
Step 2 Use the Secondary refresh time field to specify the amount of time in seconds.
Use the zone command to specify the secondary refresh time. The default is 10800 seconds.
nrcmd> zone example.com set refresh=3600
The Network Registrar DNS server uses the Secondary retry time between successive failures to check for an update. If the refresh interval expires and an attempt to poll for an update fails, the server will continue to attempt to retry until it succeeds. A good value is one-third to one-tenth of the refresh time.
Step 1 In the DNS Zone Properties dialog box, select the SOA tab (Figure 5-1).
Step 2 Use the Secondary retry time field to specify the amount of time in seconds in.
Use the zone command to specify the secondary retry time. The default is 3600 seconds.
nrcmd> zone example.com set retry=4800
The Secondary expire time is the longest amount of time that a secondary name server can claim authority for zone data when responding to queries when it has failed to update a zone. Set this to a large number that provides enough time to survive extended failure of the primary server, such as a week or more.
The default is 604800 seconds.
Step 1 In the DNS Zone Properties dialog box, select the SOA tab (Figure 5-1).
Step 2 Use the Secondary expire time field to specify the amount of time in seconds.
Use the zone command to specify the expire interval.
nrcmd> zone example.com set expire=500000
You can specify a minimum TTL value to be used in all query operations that retrieve Resource Records from this zone. Whenever a Resource Record is sent in a response to a query (for which this server is authoritative), the TTL field is set to the maximum of the TTL field from the Resource Record and the minimum field specified here. Thus, the minimum value is a lower bound on the TTL field for all Resource Records in this zone. This value is also the zone default TTL for all records that you have configured with a TTL of "-".
Step 1 In the DNS Zone Properties dialog box, select the SOA tab (Figure 5-1).
Step 2 Use the Minimum TTL field to specify the minimum TTL value to be used in all query operations that retrieve Resource Records from this zone.
nrcmd> zone example.com set minttl=3600
A zone must have at least one name server. The name servers that you enter must match those specified in the parent domain's delegation for this zone. You can configure the servers to be authoritative for the zone as either primary or secondary servers.
The name servers you list here should be the name servers that you want people outside your organization to query when requesting resolution of names within your zone.
Follow these procedures to add an authoritative name server for a zone:
Step 1 In the DNS Zone Properties dialog box, click the Name Servers tab (Figure 5-2).
Step 2 Click Add. The Add dialog box appears (Figure 5-3).
Step 3 Enter the name you want to add.
Step 4 Click OK.
The zone addRR command adds a Resource Record of the type you specify. Note that for the addition to take effect, you need to reload the server.
Use the zone addRR command to specify an additional authoritative server for this zone. You can optionally specify the TTL.
nrcmd> zone example.com addRR @ 86400 ns ns1.example.com
You also need to an an A record matching this NS record.
nrcmd> zone example.com addRR ns1 A 1.2.3.4
The TTL is the shortest Time To Live for all the Name Server (NS) records in the authoritative server list. If you change it, you change the TTL value for all the NS records in the authoritative server list.
The default is 86400 seconds.
Step 1 In the DNS Zone Properties dialog box, click the Name Servers tab (Figure 5-2).
Step 2 In the TTL field, enter the TTL value.
There is no equivalent command in the CLI. If you want to specify a different TTL for NS records, you must modify each NS record in the zone.
nrcmd> zone example.com removeRR ns.example.com ns 1.2.3.4 nrcmd> zone example.com addRR ns.example.com 86400 ns 1.2.3.4
Perform these procedures to remove authoritative name servers:
Step 1 In the DNS Zone Properties dialog box, click the Name Servers tab (Figure 5-2).
Step 2 Select the name you want to remove.
Step 3 Click Remove.
The zone removeRR command removes all specified static resource records. You can specify resource records by name, name and type, or name, type, and datea (in which the specified data is in BIND-style format).
nrcmd> zone example.com removeRR @ ns ns1.example.com
Using Network Registrar, you can add, edit, or remove hosts from a specific zone on a DNS server. It allows you to establish or change the permanent name-to-IP-address associations for the zone. You can add hosts to reverse zones, and keep the host information up-to-date as you add and remove hosts.
For more information about reverse zones, see the "Inverse Name Servers" section.
Step 1 From the Server Manager window (Figure 2-10), select the zone to which you want to add a host.
Step 2 Click the Show Properties toolbar button.
Step 3 In the DNS Zone Properties dialog box, click the Hosts tab (Figure 5-4).
Step 4 Click Add.
Step 5 In the Add Host dialog box, enter the required host name and addresses, optional aliases, MX records, and whether you want to have Network Registrar automatically generate reverse mapping records.
Step 6 Click OK to add this host, or click Apply to continue adding hosts.
After you click OK, Network Registrar returns to the Hosts tab of the DNS Zone Properties dialog box and displays the new host or hosts.
Use the zone addHost command to add hosts to a zone. Specify the hostname and address, and optionally, any aliases.
nrcmd> zone example.com addHost bethpc 192.169.1.15
Removing a host removes all records associated with the host; these include aliases (CNAME), MX records, and if selected, the reverse (PTR) records are removed from the in-addr.arpa zone.
Step 1 From the Server Manager window (Figure 2-10), select the zone that contains the host you want to remove.
Step 2 Click the Show Properties toolbar button.
Step 3 In the DNS Zone Properties dialog box, click the Hosts tab (Figure 5-4).
Step 4 Select the host name you want to remove.
Step 5 Click Remove.
Network Registrar updates the host list to show the current hosts.
Use the zone removeHost command to remove a host from a zone.
nrcmd> zone example.com removeHost bethpc
Using the GUI:
Step 1 From the Server Manager (Figure 2-10), select the zone that contains the host you want to edit.
Step 2 Click the Show Properties toolbar button.
Step 3 In the DNS Zone Properties dialog box, click the Hosts tab (Figure 5-4).
Step 4 Select the host name you want to edit.
Step 5 Click Edit.
Step 6 In the Edit Hosts dialog box, make the necessary changes to the host name, address, alias, or MX record.
Step 7 Click OK to make the changes effective and return to the Hosts tab of the DNS Zone Properties dialog box.
When you edit a host, the Generate reverse mapping records check box is selected if there is a reverse zone for any of the addresses associated with that host. In other words, if some addresses have corresponding reverse zones and others do not, the check box is selected.
If you click OK, Network Registrar displays a warning dialog box for each of the addresses that do not have a corresponding reverse zone. This is a normal result. Clicking OK to close these warning dialog boxes is not harmful and results in Network Registrar generating reverse mapping records only for those addresses for which corresponding reverse zones exist.
Using the CLI:
To change host information, remove the host and add a new one.
Step 1 Use the zone removeHost command to delete the host.
nrcmd> zone example.com removeHost bethpc
Step 2 Use the zone addHost command to add the new host information.
nrcmd> zone example.com addHost bethpc 192.169.1.20
There are two types of DNS servers: primary name servers and secondary servers.
Use the options on the Zone Transfers tab (Figure 5-6) to allow zone transfers to any server that requests zone data, restrict the servers you will allow to perform zone transfers, or prevent all zone transfers.
Use the zone command to enable and disable zone transfers.
nrcmd> zone example.com enable restrict-xfer
Use the restrict zone transfers feature either for security reasons or to reduce the load on the primary name server by restricting the servers you will allow to request a copy of the zone data.
Step 1 In the DNS Zone Properties dialog box, click the Zone Transfers tab (Figure 5-6).
Step 2 Click Restrict zone transfers to the following addresses.
Step 3 Type the addresses of the servers that you have allowed to perform zone transfers.
You can use network numbers, such as 192.168.1.0, or host addresses, such as 192.168.1.100.
Step 4 Click OK.
Use the zone restrict-xfer feature to restrict zone transfers to a specific set of hosts. The restrict-xfer is disabled by default.
nrcmd> zone example.com enable restrict-xfer
Use the zone restricted-set property to specify the zones that may request zone transfers.
nrcmd> zone example.com set
restricted-set=198.162.1.30,192.168.1.20
Use the disable zone transfers feature either for security reasons or to reduce the load on your primary name server by preventing servers from requesting a copy of your zone data.
Step 1 In the Zone Properties dialog box, click the Zone Transfers tab.
Step 2 Click Restrict zone transfers to the following addresses.
Step 3 Leave the address list blank.
Use the zone enable restrict-xfer command to disable zone transfers, then use the zone set restricted-set command, setting it to a blank value.
nrcmd> zone example.com enable restrict-xfer nrcmd> zone example.com set restricted-set=
Using DHCP and dynamic DNS update, a host is automatically configured for network access whenever it attaches to the IP network. The host can be located and accessed using its permanent, unique DNS host name. Mobile hosts, for example, can move freely around on a network without end-user or administrator intervention.
Step 1 In the DNS Zone Properties dialog box, click the DHCP tab (Figure 5-7).
Step 2 Select the Enable dynamic DNS updates check box.
Step 3 Specify the address of the DHCP servers from which DNS allows updates to this zone.
If you do not list a DHCP server, the update does not occur. You must do this for both the forward and reverse zones.
Step 4 Click OK.
Using the CLI:
Use the zone enable dynamic command to enable dynamic updates to the zone. The dynamic property is enabled by default.
nrcmd> zone example.com enable dynamic
Use the zone dynupdate-set command to specify the list of IP addresses from which dynamic updates will be accepted.
nrcmd> zone example.com set
dynupdate-set=192.168.1.1,127.0.0.1
After you have decided to divide the zone into subzones, you must create names for them. You should involve the people responsible for the subzone in the naming, and you should try to maintain a consistent naming scheme that makes sense to people outside your organization.
The following are some suggestions for how to avoid naming problems:
In choosing a name, keep in mind how often people must remember the name, and how often they will use it. Select a name that is easy to remember and easy to spell.
After you have chosen a name for the subzone, you must specify the hosts that will serve as the subzone's name servers. The information you specify here is what the parent domain's name servers will use when they are queried about the subzone. If you want to ensure that the subzone is always reachable, you should specify two name servers.
The addresses that are required are ones that could not be learned without knowing the address, for example, any subzone's name servers whose names are in or below the subzone.
Whenever a name server for a subzone changes its name or IP address, its administrator must inform its parent domain so that the parent can change the name server and glue records for the subzone. If the subzone's administrator neglects to inform its parent, the glue records will be invalid.
The common symptom of an invalid glue record is the inability of a host to access a host in a different domain by its domain name while being able to access that host by its IP address.
Step 1 From the Server Manager window (Figure 2-10), select the zone that you want to subdelegate and click Show Properties.
Step 2 From the DNS Zone Properties dialog box, click the Subzones tab (Figure 5-8).
Step 3 Click Add. The Add Subzones dialog box appears.
Step 4 In the Add Subzones dialog box, enter the name of the subzone, for example, enter north.example.com if the zone name is example.com.
Step 5 Click Add Name Server.
Step 6 From the Add Name Server dialog box, enter the fully qualified domain name (FQDN) of the name servers for this subzone.
Step 7 Click OK.
Step 8 If the name server is with the subzone, click Add glue record.
Step 9 From the Edit Glue Record dialog box, enter the IP address for the selected name server listed in step 6.
If you have specified several name servers that require glue records, select each one individually and then specify its corresponding glue record.
Step 10 Click OK.
Step 11 Click OK.
To see the delegation records for the subzone you have created, go to the Resource Records tab and look for the NS record for the subzone and the A record for the glue record.
Use the zone addRR command to delegate a subzone and add NS and A records.
nrcmd> zone example.com addRR eng NS ns.eng.example.com nrcmd> zone example.com addRR ns.eng A 192.168.1.5
After you have removed a subzone, remember to remove any glue records you have added.
Step 1 From the Server Manager window (Figure 2-10), select the zone that contains the delegation you want to delete and choose Properties.
Step 2 From the DNS Zone Properties dialog box, click the Subzones tab (Figure 5-8).
Step 3 Select the delegation you want to delete.
Step 4 Click Remove.
Step 5 Click OK to return to the Server Manager window.
Step 1 Use the zone removeRR command to remove the subzone's NS record.
nrcmd> zone example.com removeRR eng NS
Step 2 Use the zone removeRR command to remove the subzone's A record.
nrcmd> zone example.com removeRR ns.eng A
You can edit the subzone's resource records to change the subzone's information.
Step 1 From the Server Manager window (Figure 2-10), select the zone that contains the delegation you want to edit and choose Properties.
Step 2 From the DNS Zone Properties dialog box, click the Subzones tab (Figure 5-8).
Step 3 From the Subzones list, select the delegation you want to edit.
Step 4 Click Edit.
Step 5 In the Edit Name Server dialog box, click any name server or glue record button and make the necessary changes.
Step 6 Click OK.
Step 7 Click OK.
To see the changes you have made, click the Resource Records tab (Figure 5-10).
Step 1 Use the zone removeRR command to delete the subzone.
nrcmd> zone example.com removeRR eng NS nrcmd> zone example.com removeRR ns.eng A
Step 2 Use the zone addRR command to add the new subzone information.
nrcmd> zone example.com addRR ns.cs-eng ns
cs-eng.example.com. nrcmd> zone example.com addRR ns.cs-eng A
5.6.7.8
For more information about the different types of Resource Records, see the "Resource Records" appendix in this guide.
The remainder of this section describes how to add, remove, edit, and filter Resource Records.
Unlike the Hosts tab (Figure 5-4), edits that you make through the Resource Records tab (Figure 5-10) affect only the Resource Record you are modifying and not any associated records. For example, If you delete an A record, Network Registrar will not delete any of the corresponding CNAME, MX, or PTR records.
Step 1 From the Server Manager window (Figure 2-10), select the zone to which you want to add records.
Step 2 Click the Show Properties toolbar button.
Step 3 From the DNS Zone Properties dialog box, click the Resource Records tab (Figure 5-10).
Step 4 Click Add.
Step 5 Click the appropriate Resource Record tab: Generic, A, MX, CNAME, NS, or PTR.
Step 6 Enter the appropriate information.
Step 7 Click Apply to continue to add Resource Records, or click OK to finish.
nrcmd> zone example.com addRR ftp CNAME green.example.com. nrcmd> zone example.com addRR @ NS ns.example.com.
Step 1 From the Server Manager window (Figure 2-10), select the zone whose records you want to remove.
Step 2 Click the Show Properties toolbar button.
Step 3 From the DNS Zone Properties dialog box, click the Resource Records tab (Figure 5-10).
Step 4 Click in the Name field to select the zone record you want to remove.
Step 5 Click Remove.
Use the zone removeRR command to remove all specified static Resource Records. You can specify Resource Records by name, name and type, or name, type, and data (in which the specified data is in BIND-style format). Use the zone removeRR command to clear the list of servers so that you can specify new servers.
nrcmd> zone example.com removeRR @ ns
Use the zone RemoveDynRR command to remove all specified static Resource Records. You can specify Resource Records by name, name and type.
nrcmd> zone example.com removeDynRR bob A
You can also use the following switches to filter records. This helps you determine whether dynamic DNS is working and what dynamic entries are in the system.
The following example displays only dynamic records.
nrcmd> zone example.com removeDynRR bob A dynamic
You can display all of the Resource Records, or just the static or the dynamic Resource Records.
The zone listRR command displays Resource records in the named zone.
nrcmd>zone QuickExample.com listRR
You may want to filter records to display only one type of record, such as an A record or a PTR record. Perform this procedure:
Step 1 From the Server Manager window (Figure 2-10), select the zone whose records you want to display.
Step 2 Click the Show Properties toolbar button.
Step 3 From the DNS Zone Properties dialog box, click the Resource Record tab (Figure 5-10).
Step 4 Select the record type you want to display from the Display Only list box.
Step 5 Click Filter.
You can delete zone records that are leftover after you have deleted a zone. Using the CLI:
nrcmd> zone example.com cleanRR
The cleanRR command does not print out a list of records to be deleted or prompt you for confirmation. You can safely run it at any time.
Posted: Thu Nov 18 13:38:03 PST 1999
Copyright 1989-1999©Cisco Systems Inc.