build.me

早期freebsd实现

.\" ++Copyright++ 1986, 1988
.\" -
.\" Copyright (c) 1986, 1988
.\"    The Regents of the University of California.  All rights reserved.
.\" 
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\" 3. All advertising materials mentioning features or use of this software
.\"    must display the following acknowledgement:
.\" 	This product includes software developed by the University of
.\" 	California, Berkeley and its contributors.
.\" 4. Neither the name of the University nor the names of its contributors
.\"    may be used to endorse or promote products derived from this software
.\"    without specific prior written permission.
.\" 
.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\" -
.\" Portions Copyright (c) 1993 by Digital Equipment Corporation.
.\" 
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies, and that
.\" the name of Digital Equipment Corporation not be used in advertising or
.\" publicity pertaining to distribution of the document or software without
.\" specific, written prior permission.
.\" 
.\" THE SOFTWARE IS PROVIDED "AS IS" AND DIGITAL EQUIPMENT CORP. DISCLAIMS ALL
.\" WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES
.\" OF MERCHANTABILITY AND FITNESS.   IN NO EVENT SHALL DIGITAL EQUIPMENT
.\" CORPORATION BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
.\" DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
.\" PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
.\" ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
.\" SOFTWARE.
.\" -
.\" --Copyright--
.\"
.\"	@(#)build.me	6.3 (Berkeley) 9/19/89
.\"
.sh 1 "Building A System with a Name Server"
.pp
BIND is composed of two parts.  One is the user interface called the 
\fIresolver\fP
which consists of a group of routines that reside in the C library 
\fI/lib/libc.a\fP.
Second is the actual server called \fInamed\fP.
This is a daemon that runs in the background and services queries on a 
given network port. The standard port for UDP and TCP is specified in 
\fI/\|etc/\|services\fP.
.sh 2 "Resolver Routines in libc"
.pp
When building your 4.3BSD system you may either
build the C library to use the name server resolver routines 
or use the host table lookup routines to do host name and address resolution.
The default resolver for 4.3BSD uses the name server.  Newer BSD systems
include both name server and host table functionality with preference given
to the name server if there is one or if there is a \fI/etc/resolv.conf\fP
file.
.pp
Building the C library to use the name server changes the way
\fIgethostbyname\fP\|(3N), \fIgethostbyaddr\fP\|(3N), and
\fIsethostent\fP\|(3N) do their functions.  The name server renders
\fIgethostent\fP\|(3N) obsolete, since it has no concept of a next line in
the database.  These library calls are built with the resolver routines
needed to query the name server.
.pp
The \fIresolver\fP contains functions that build query
packets and exchange them with name servers.
.pp
Before building the 4.3BSD C library, set the variable \fIHOSTLOOKUP\fP
equal to \fInamed\fP in \fI/\|usr/\|src/\|lib/\|libc/\|Makefile\fP.  You
then make and install the C library and compiler and then compile the rest
of the 4.3BSD system.  For more information see section 6.6 of ``Installing
and Operating 4.3BSD on the VAX\(dd''.
.(f
\(ddVAX is a Trademark of Digital Equipment Corporation
.)f
.pp
If your operating system isn't VAX\(dd 4.3BSD, it is probably the case that
your vendor has included \fIresolver\fP support in the supplied C Library.
You should consult your vendor's documentation to find out what has to be
done to enable \fIresolver\fP support.  Note that your vendor's \fIresolver\fP
may be out of date with respect to the one shipped with \s-1BIND\s+1, and that
you might want to build \s-1BIND\s+1's resolver library and install it, and
its include files, into your system's compile/link path so that your own
network applications will be able to use the newer features.

.sh 2 "The Name Service"
.pp
The basic function of the name server is to provide information about network
objects by answering queries.  The specifications for this name server are
defined in RFC1034, RFC1035 and RFC974.  These documents can be found in
\fI/usr/src/etc/named/doc\fP in 4.3BSD or \fIftp\fPed from 
\fBftp.rs.internic.net\fP.
It is also recommended that you read the related manual pages,
\fInamed\fP\|(8),
\fIresolver\fP\|(3),
and \fIresolver\fP\|(5).
.pp
The advantage of using a name server over the host table lookup for host
name resolution is to avoid the need for a single centralized clearinghouse
for all names.  The authority for this information can be delegated to the
different organizations on the network responsible for it.
.pp
The host table lookup routines require that the master file for the entire
network be maintained at a central location by a few people.  This works
fine for small networks where there are only a few machines and the
different organizations responsible for them cooperate.  But this does not
work well for large networks where machines cross organizational boundaries.
.pp
With the name server, the network can be broken into a hierarchy of domains. 
The name space is organized as a tree according to organizational or
administrative boundaries. 
Each node, called a \fIdomain\fP, is given a label, and the name of the
domain is the concatenation of all the labels of the domains from
the root to the current domain, listed from right to left separated by dots.
A label need only be unique within its domain.
The whole space is partitioned into several areas called \fIzones\fP,
each starting at a domain and extending down to the leaf domains or to
domains where other zones start.  
Zones usually represent administrative boundaries.
An example of a host address for a host at the University of California,
Berkeley would look as follows:
.(b
\fImonet\fP\|\fB.\fP\|\fIBerkeley\fP\|\fB.\fP\|\fIEDU\fP
.)b
The top level domain for educational organizations is EDU;
Berkeley is a subdomain of EDU and monet is the name of the host.

.sh 2 "About Hesiod, and HS-class Resource Records
.pp
Hesiod, developed by \s-1MIT\s+1 Project Athena, is an information service
built upon \s-1BIND\s+1.  Its intent is similar to that of Sun's
\s-1NIS\s+1: to furnish information about users, groups, network-accessible
file systems, printcaps, and mail service throughout an installation.  Aside
from its use of \s-1BIND\s+1 rather than separate server code another
important difference between Hesiod and \s-1NIS\s+1 is that Hesiod is not
intended to deal with passwords and authentication, but only with data that
are not security sensitive.  Hesiod servers can be implemented by adding
resource records to \s-1BIND\s+1 servers; or they can be implemented as
separate servers separately administered.
.pp
To learn about and obtain Hesiod make an anonymous \s-1FTP\s+1 connection to
host \s-1ATHENA-DIST.MIT.EDU\s+1 and retrieve the compressed tar file
\fBpub/hesiod.tar.Z\fP.  You will not need the named and resolver library
portions of the distribution because their functionality has already been
integrated into \s-1BIND 4.9\s+1.  To learn how Hesiod functions as part of
the Athena computing environment obtain the paper
\fBpub/usenix/athena-changes.PS\fP from the above \s-1FTP\s+1 server host.
There is also a tar file of sample Hesiod resource files.
.pp
Whether one should use Hesiod class is open to question, since the same
services can probably be provided with class IN, type TXT and type
CNAME records.  In either case, the code and documents for Hesiod will
suggest how to set up and use the service.
.pp
Note that while \s-1BIND\s+1 includes support for \fIHS\fP-class queries,
the zone transfer logic for non-\fIIN\fP-class zones is still experimental.

.sh 2 "About ``secure zones''
.pp
Secure zones implement named security on a zone by zone basis.  It is
designed to use a permission list of networks or hosts which may obtain
particular information from the zone.
.pp
In order to use zone security, named must be compiled with SECURE_ZONES
defined and you must have at least one secure_zone TXT RR.  Unless a
secure_zone record exists for a given zone, no restrictions will be applied
to the data in that zone.  The format of the secure_zone TXT RR is:
.lp
secure_zone\h'0.5i'addr-class\h'0.5i'TXT\h'0.5i'string
.pp
The addr-class may be either HS or IN.  The syntax for the TXT string is
either "network address:netmask" or "host IP address:H".
.pp
"network address:netmask" allows queries from an entire network.  If the
netmask is omitted, named will use the default netmask for the network
address specified.
.pp
"host IP address:H" allows queries from a host.  The "H" after the ":"  is
required to differentiate the host address from a network address.  Multiple
secure_zone TXT RRs are allowed in the same zone file.
.pp
For example, you can set up a zone to only answer hesiod requests from the
masked class B network 130.215.0.0 and from host 128.23.10.56 by adding the
following two TXT RR's:
.lp
secure_zone\h'0.5i'HS\h'0.5i'TXT\h'0.5i'"130.215.0.0:255.255.0.0"
secure_zone\h'0.5i'HS\h'0.5i'TXT\h'0.5i'"128.23.10.56:H"
.pp
This feature can be used to restrict access to a Hesiod password map or to
seperate internal and external internet address resolution on a firewall
machine without needing to run a seperate named for internal and external
address resolution.