[ Bottom of Page | Previous Page | Next Page | Contents | Index | Library Home | Legal | Search ]

System Management Guide: Communications and Networks

TCP/IP Name Resolution

Although 32-bit Internet addresses provide machines an efficient means of identifying the source and destination of datagrams sent across an internetwork, users prefer meaningful, easily remembered names. Transmission Control Protocol/Internet Protocol (TCP/IP) provides a naming system that supports both flat and hierarchical network organizations.

The topics discussed in this section are:


Naming in flat networks is very simple. Host names consist of a single set of characters and generally are administered locally. In flat TCP/IP networks, each machine on the network has a file (/etc/hosts) containing the name-to-Internet-address mapping information for every host on the network. The administrative burden of keeping each machine naming file current grows as the TCP/IP network grows. When TCP/IP networks become very large, as on the Internet, naming is divided hierarchically. Typically, the divisions follow the network organization. In TCP/IP, hierarchical naming is known as the domain name system (DNS) and uses the DOMAIN protocol. The DOMAIN protocol is implemented by the named daemon in TCP/IP.

As in naming for flat networks, the domain name hierarchy provides for the assignment of symbolic names to networks and hosts that are meaningful and easy for users to remember. However, instead of each machine on the network keeping a file containing the name-to-address mapping for all other hosts on the network, one or more hosts are selected to function as name servers. Name servers translate (resolve) symbolic names assigned to networks and hosts into the efficient Internet addresses used by machines. A name server has complete information about some part of the domain, referred to as a zone, and it has authority for its zone.

Naming Authority

In a flat network, all hosts in the network are administered by one central authority. This form of network requires that all hosts in the network have unique host names. In a large network, this requirement creates a large administrative burden on the central authority.

In a domain network, groups of hosts are administered separately within a tree-structured hierarchy of domains and subdomains. In this case, host names need to be unique only within the local domain, and only the root domain is administered by a central authority. This structure allows subdomains to be administered locally and reduces the burden on the central authority. For example, the root domain of the Internet consists of such domains as com (commercial organizations), edu (educational organizations), gov (governmental organizations), and mil (military groups). New top-level domains can only be added by the central authority. Naming at the second level is delegated to designated agents within the respective domains. For example, in the following figure, com has naming authority for all commercial organization subdomains beneath it. Likewise, naming at the third level (and so on) is delegated to agents within that level. For example, in the Domain Structure of the Internet figure, Century has naming authority for its subdomains Austin, Hopkins, and Charlotte.

Figure 23. Domain Structure of the Internet. This figure illustrates the hierarchical structure of the internet. It begins at the top with the root and branches to the next level containing the mil, com, and edu domains. Below the com domain is another level containing Charlotte, Austin, and Hopkins. Below Austin is Dev and Graphics.
Artwork for comma20

Century's Austin subdomain might also be divided into zones, for example, Dev and Graphics. In this case, the zone austin.century.com has all the data contained in the domain austin.century.com, except that which was delegated to Dev and Graphics. The zone dev.century.com would contain only the data delegated to Dev; it would know nothing about Graphics, for example. The zone austin.century.com (as opposed to the domain of the same name) would contain only that data not delegated to other zones.

Naming Conventions

In the hierarchical domain name system, names consist of a sequence of case-insensitive subnames separated by periods with no embedded blanks. The DOMAIN protocol specifies that a local domain name must be fewer than 64 characters and that a host name must be fewer than 32 characters in length. The host name is given first, followed by a period (.), a series of local domain names separated by periods, and finally the root domain. A fully specified domain name for a host, including periods, must be fewer than 255 characters in length and in the following form:

host.subdomain1.[subdomain2 . . . subdomain].rootdomain

Since host names must be unique within a domain, you can use an abbreviated name when sending messages to a host within the same domain. For example, instead of sending a message to smith.eng.lsu.edu, a host in the eng domain could send a message to smith. Additionally, each host can have several aliases that other hosts can use when sending messages.

Choosing Names for the Hosts on Your Network

The purpose of using names for hosts is to provide a quick, easy, and unambiguous way to refer to the computers in your network. Internet system administrators have discovered that there are good, as well as poor, choices for host names. These suggestions are intended to help you avoid common pitfalls in choosing host names.

The following are some suggestions for choosing unambiguous, easy to remember host names:

The following are some examples of poor choices. In general, these are poor choices because they are difficult to remember or are confusing (either to humans or computers):

Name Servers

In a flat name space, all names must be kept in the /etc/hosts file on each host on the network. If the network is very large, this can become a burden on the resources of each machine.

In a hierarchical network, certain hosts designated as name servers resolve names into Internet addresses for other hosts. This has two advantages over the flat name space. It keeps the resources of each host on the network from being tied up in resolving names, and it keeps the person who manages the system from having to maintain name resolution files on each machine on the network. The set of names managed by a single name server is known as its zone of authority.

Note: Although the host machine that performs the name resolution function for a zone of authority is commonly referred to as a name server host, the process controlling the function, the named daemon, is the actual name server process.

To further reduce unnecessary network activity, all name servers cache (store for a period of time) name-to-address mappings. When a client asks a server to resolve a name, the server checks its cache first to see if the name has been resolved recently. Because domain and host names do change, each item remains in the cache for a limited length of time specified by the TTL of the record. In this way, authorities can specify how long they expect the name resolution to be accurate.

Within any autonomous system there can be multiple name servers. Typically, name servers are organized hierarchically and correspond to the network organization. Referring to the "Domain Structure of the Internet" figure, each domain might have a name server responsible for all subdomains within the domain. Each subdomain name server communicates with the name server of the domain above it (called the parent name server), as well as with the name servers of other subdomains.

Figure 24. Domain Structure of the Internet. This figure illustrates the hierarchical structure of the internet. It begins at the top with the root and branches to the next level containing the mil, com, and edu domains. Below the com domain is another level containing Charlotte, Austin, and Hopkins. Below Austin is Dev and Graphics.
Artwork for comma20

For example, in the "Domain Structure of the Internet" figure, Austin, Hopkins, and Charlotte are all subdomains of the domain Century. If the tree hierarchy is followed in the network design, the Austin name server communicates with the name servers of Charlotte and Hopkins as well as with the parent Century name server. The Austin name server also communicates with the name servers responsible for its subdomains.

There are several types of name servers:

Master Name Server Loads its data from a file or disk and can delegate authority to other servers in its domain.
Slave Name Server Receives its information at system startup time for the given zone of authority from a master name server, and then periodically asks the master server to update its information. On expiration of the refresh value in the start of authority (SOA) Resource Record on a slave name server, or on receipt of a Notify message from the master name server, the slave reloads the database from the master if the serial number of the database on the master is greater than the serial number in the current database on the slave. If it becomes necessary to force a new zone transfer from the master, simply remove the existing slave databases and refresh the named daemon on the slave name server.
Stub Name Server Although its method of database replication is similar to that of the slave name server, the stub name server only replicates the name server records of the master database rather than the whole database.
Hint Server Indicates a name server that relies only on the hints that it has built from previous queries to other name servers. The hint name server responds to queries by asking other servers that have the authority to provide the information needed if a hint name server does not have a name-to-address mapping in its cache.
Forwarder or Client Server Forwards queries it cannot satisfy locally to a fixed list of forwarding servers. Forwarding-only servers (a forwarder that obtains information and passes it on to other clients, but that is not actually a server) does not interact with the master name servers for the root domain and other domains. The queries to the forwarding servers are recursive. There can be one or more forwarding servers, which are tried in turn until the list is exhausted. A client and forwarder configuration is typically used when you do not want all the servers at a given site to interact with the rest of the Internet servers, or when you want to build a large cache on a select number of name servers.
Remote Server Runs all the network programs that use the name server without the name server process running on the local host. All queries are serviced by a name server that is running on another machine on the network.

One name server host can perform in different capacities for different zones of authority. For example, a single name server host can be a master name server for one zone and a slave name server for another zone.

Name Resolution

The process of obtaining an Internet address from a host name is known as name resolution and is done by the gethostbyname subroutine. The process of translating an Internet address into a host name is known as reverse name resolution and is done by the gethostbyaddr subroutine. These routines are essentially accessors into a library of name translation routines known as resolvers.

Resolver routines on hosts running TCP/IP normally attempt to resolve names using the following sources:

  1. BIND/DNS (named)
  2. Network Information Service (NIS)
  3. Local /etc/hosts file

When NIS+ is installed, lookup preferences are set using the irs.conf file. For more information, see AIX 5L Version 5.2 Network Information Services (NIS and NIS+) Guide.

To resolve a name in a domain network, the resolver routine first queries the domain name server database, which might be local if the host is a domain name server or on a foreign host. Name servers translate domain names into Internet addresses. The group of names for which a name server is responsible is its zone of authority. If the resolver routine is using a remote name server, the routine uses the domain name protocol (DOMAIN) to query for the mapping. To resolve a name in a flat network, the resolver routine checks for an entry in the local /etc/hosts file. When NIS or NIS+ is used, the /etc/hosts file on the master server is checked.

By default, resolver routines attempt to resolve names using the above resources. BIND/DNS is tried first. If the /etc/resolv.conf file does not exist or if BIND/DNS could not find the name, NIS is queried if it is running. NIS is authoritative over the local /etc/hosts, so the search ends here if it is running. If NIS is not running, then the local /etc/hosts file is searched. If none of these services can find the name, then the resolver routines return with HOST_NOT_FOUND. If all of the services are unavailable, then the resolver routines return with SERVICE_UNAVAILABLE.

The default order described above can be overwritten by creating the /etc/irs.conf configuration file and specifying the desired order. Also, both the default and /etc/irs.conf orderings can be overwritten with the environment variable, NSORDER. If either the /etc/irs.conf file or NSORDER environment variable are defined, then at least one value must be specified along with the option.

To specify host ordering with the /etc/irs.conf file:

hosts value [ continue ] 

The order is specified with each method indicated on a line by itself. The value is one of the listed methods and the continue keyword indicates that another resolver method follows on the next line.

To specify host ordering with the NSORDER environment variable:


The order is specified on one line with values separated by commas. White spaces are permitted between the commas and the equal sign.

For example, if the local network is organized as a flat network, then only the /etc/hosts file is needed. Given this example, the /etc/irs.conf file contains the following line:

hosts local

Alternatively, the NSORDER environment variable can be set as:


If the local network is a domain network using a name server for name resolution and an /etc/hosts file for backup, then both services should be specified. Given this example, the /etc/irs.conf file contains the following lines:

hosts dns continue
hosts local

The NSORDER environment variable is set as:


Note: The values listed must be in lowercase.

When following any defined or default resolver ordering, the search algorithm continues from one resolver to the next only if:

If the /etc/resolv.conf file does not exist, then BIND/DNS is considered not set up or running, and therefore it is not available. If the getdomainname and yp_bind subroutines fail, then the NIS service is considered not set up or running, and therefore it is not available. If the /etc/hosts file could not be opened, then a local search is impossible, and therefore the file and service are unavailable.

When a service is listed as authoritative, it means that this service is the expert of its successors and has all pertinent names and addresses. Resolver routines do not try successor services, because successors might contain only a subset of the information in the authoritative service. Name resolution ends at service listed as authoritative, even if it does not find the name (in which case, the resolver routine returns HOST_NOT_FOUND). If an authoritative service is not available, then the next service specified is queried.

An authoritative source is specified with the string =auth directly behind a value. The entire word, authoritative can be typed in, but only the auth string is used. For example, if the NSORDER environment variable contains the following:

hosts = nis=auth,dns,local

The search ends after the NIS query (if NIS is running), regardless of whether the name was found. If NIS is not running, then the next source is queried, which is DNS.

TCP/IP name servers use caching to reduce the cost of searching for names of hosts on remote networks. Instead of searching for a host name each time a request is made, a name server first looks at its cache to see if the host name has been resolved recently. Since domain and host names do change, each item remains in the cache for a limited length of time specified by the time-to-live (TTL) value of the record. In this way, name servers can specify how long they expect their responses to be considered authoritative.

Potential Host Name Conflict Between name server and sendmail

In a DNS environment, a host name that is set using the hostname command from the command line or in the rc.net file format must be the official name of the host as returned by the name server. Generally, this name is the full domain name of the host in the form:


Note: Resolver routines require the default domain to be set. If the default domain is not set in the hostname command, then it must be set in the /etc/resolv.conf file.

If the host name is not set up as a fully qualified domain name, and if the system is set up to use a domain name server in conjunction with the sendmail program, the sendmail configuration file (/etc/sendmail.cf) must be edited to reflect this official host name. In addition, the domain name macros in this configuration file must be set for the sendmail program to operate correctly.

Note: The domain specified in the /etc/sendmail.cf file takes precedence over the domain set by the hostname command for all sendmail functions.
Potential Domain Name Conflict Between name server and sendmail

For a host that is in a DOMAIN network but is not a name server, the local domain name and domain name server are specified in the /etc/resolv.conf file. In a DOMAIN name server host, the local domain and other name servers are defined in files read by the named daemon when it starts.

Reverse Address Resolution Protocol

The Reverse Address Resolution Protocol (RARP) translates unique hardware addresses into Internet addresses on the Ethernet local area network (LAN) adapter (Ethernet protocol only). Standard Ethernet protocol is supported with the following restrictions:

The system administrator must manually build and maintain a table of permanent ARP entries using the arp command. A specific ARP table entry must be added on the server for each host that requires RARP replies from an authoritative source.

Performing Local Name Resolution (/etc/hosts)

Configure the /etc/hosts file if your network is small, and you are using a flat naming scheme. Even if you are using a hierarchical (or domain) naming scheme with name servers, you might want to configure the /etc/hosts file to identify hosts that are not known by the name servers.

Configure your system for local host resolution using the Web-based System Manager, the System Management Interface Tool (SMIT), or commands. If you choose the command method, be sure to preserve the format of the /etc/hosts file, as described in Hosts File Format for TCP/IP in the AIX 5L Version 5.2 Files Reference.

Local name resolution tasks
Task SMIT fast path Command or file Web-based System Manager Management Environment
List All the Hosts smit lshostent view /etc/hosts Software --> Network --> TCPIP (IPv4 and IPv6) --> TCPIP Protocol Configuration --> TCP/IP --> Configure TCP/IP --> Advanced Methods --> Hosts File --> Contents of /etc/hosts file.
Add a Host smit mkhostent edit /etc/hosts Software --> Network --> TCPIP (IPv4 and IPv6) --> TCPIP Protocol Configuration --> TCP/IP --> Configure TCP/IP --> Advanced Methods --> Hosts File. In Add/Change host entry, complete the following fields: IP Addresses, Host name, Alias(es), and Comment. Click Add/Change Entry --> OK.
Change/Show Characteristics of a Host smit chhostent edit /etc/hosts Software --> Network --> TCPIP (IPv4 and IPv6) --> TCPIP Protocol Configuration --> TCP/IP --> Configure TCP/IP --> Advanced Methods --> Hosts File. Select a host in Contents of /etc/hosts/file, and change data in Add/Change host entry. Click Add/Change Entry --> OK.
Remove a Host smit rmhostent edit /etc/hosts Software --> Network --> TCPIP (IPv4 and IPv6) --> TCPIP Protocol Configuration --> TCP/IP --> Configure TCP/IP --> Advanced Methods --> Hosts File. Select a host in Contents of /etc/hosts/file, and click Delete Entry --> OK.

Planning for DOMAIN Name Resolution

If you are part of a larger internetwork, coordinate setting up your domain and name servers with the central authority.

The following suggestions can help you plan your own DOMAIN name resolution system:

objectclass container
objectclass hosts

Configuring Name Servers

In a hierarchical network, certain hosts are designated as name servers. These hosts resolve names into IP addresses for other hosts. The named daemon controls the name server function and, therefore, must be run on a name server host.

Before you configure a name server, decide which type or types best fit the network it will serve. There are several types of name servers.

A master name server actually stores the database containing name-to-address mapping information. It loads its data from a file or disk and can delegate authority to other servers in its domain. A slave name server or stub name server receives its information at system startup time for a given zone of authority from a master name server, and then periodically asks the master server to update its information. A hint name server responds to requests to resolve names by querying other servers that have the authority to provide the information needed.

Note: Previous generations of the named name server specified the master name server as the primary name server, the slave name server as the secondary name server, and the hint name server as the caching-only name server. Any reference to the named.conf file in this documentation is specific to AIX 4.3.2 and later versions.

Keep in mind that a name server can function in different capacities for different zones of authority. For example, one name server host can be a master name server for one zone and a slave name server for another zone. If your system has NIS or NIS+ installed, these services can also provide name resolution. For more information, see AIX 5L Version 5.2 Network Information Services (NIS and NIS+) Guide.

There are several files involved in configuring name servers.

conf This file is read when the named daemon starts. The records in the conf file tell the named daemon which type of server it is, which domains it has authority over (its zones of authority), and where to get the data for initially setting up its database. The default name of this file is /etc/named.conf. However, you can change the name of this file by specifying the name and path of the file on the command line when the named daemon is started. If you intend to use the /etc/named.conf as the conf file and it does not exist, a message is generated in syslog file and named terminates. However, if an alternative conf file is specified, and the alternative file does not exist, an error message is not generated and named continues.
cache Contains information about the local cache. The local cache file contains the names and addresses of the highest authority name servers in the network. The cache file uses the Standard Resource Record Format. The name of the cache file is set in the conf file.
domain data There are three typical domain data files, also referred to as the named data files. The named local file contains the address resolution information for local loopback. The named data file contains the address resolution data for all machines in the name server zone of authority. The named reverse data file contains the reverse address resolution information for all machines in the name server zone of authority. The domain data files use the Standard Resource Record Format. Their file names are user definable and are set in the conf file. By convention, the names of these files generally include the name of the daemon (named), and the type of file and name of the domain is given in the extension. For example, the name server for the domain abc might have the following files:


When modifying the named data files the serial number in the SOA Resource Record must be incremented for slave name servers to properly realize the new zone changes.

resolv.conf The presence of this file indicates to a host to go to a name server to resolve a name first. If the resolv.conf file does not exist, the host looks in the /etc/hosts file for name resolution. On a name server, the resolv.conf file must exist and can contain the local host address, the loopback address (, or be empty.

Note: The resolver routines require the default domain be set. If the default domain is not set in the /etc/resolv.conf file, then it must be set in the hostname.

Time-to-live (TTL) is specified in resource records. If TTL is not specified in a record, the length of this time period defaults to the minimum field as defined in the start of authority (SOA) record for that zone. TTL is used when data is stored outside a zone (in a cache) to ensure that the data is not retained indefinitely.

Configuring a Master Name Server

To configure a master name server, use the Web-based System Manager, wsm, or use the following procedure, which edits a series of files and then uses the System Management Interface Tool (SMIT) or the command line to start the named daemon.

The /etc/named.conf file is the configuration file for the named daemon. This file included clauses that tell the named daemon what type of name server it is and references data files that are necessary to be able to fulfill requests. In the examples given below, the data files reside in the /usr/local/domain directory, as specified in the options clause.

For a sample /etc/named.conf file, see /usr/samples/tcpip/named.conf. See named.conf File Format for TCP/IP in the AIX 5L Version 5.2 Files Reference for more information and a detailed example of a configuration file.

  1. Edit the /etc/named.conf file according to the instructions given below. If there is no /etc/named.conf file in the /etc directory, create one by entering the following command:
    touch /etc/named.conf

    This file is read each time the named daemon starts. It tells the server which type of server it is, the zone or zones for which it is responsible, and where to get its initial information.

    1. If you want the named data files to use paths relative to a specified directory (optional), use the options configuration clause to specify the directory in which the named data files can be located. For example:

      options {
          directory "/usr/local/domain";
      If the options configuration clause already exists, just add directory as an entry in that clause. If you choose not to specify a directory here, the /etc directory will be searched for the necessary data files mentioned below.
    2. If you want to allow record data to be cached outside of the defined zones (optional), specify the name of the hint zone file. For example:

      zone "." IN {
          type hint;
          file "named.ca";
    3. Specify each zone, the type of name server it is, and its domain data file. For example, a master server for both forward and reverse zones might resemble:

      zone "abc.aus.century.com" in {
          type master;
          file "named.abc.data";
      zone "201.9.192.in-addr.arpa" in {
          type master;
          file "named.abc.rev";
    4. Define the name of the named local file. For example:

      zone "0.0.127.in-addr.arpa" in {
          type master;
          file "named.abc.local";
  2. Edit the /usr/local/domain/named.ca file. See the DOMAIN Cache File Format for TCP/IP in the AIX 5L Version 5.2 Files Reference for more information and a detailed example of a cache file.

    This file contains the addresses of the servers that are authoritative, which are the root name servers for the domain. For example:

    ; root name servers.
    .          IN    NS    relay.century.com.
    relay.century.com.   3600000    IN    A

    Note: All lines in this file must be in Standard Resource Record Format.
  3. Edit the /usr/local/domain/named.abc.local file. See the DOMAIN Local Data File Format for TCP/IP in the AIX 5L Version 5.2 Files Reference for more information and a detailed example of a local data file.
    1. Specify the start of authority (SOA) of the zone and the default time-to-live information. For example:

      $TTL 3h    ;3 hour
      @ IN SOA venus.abc.aus.century.com. gail.zeus.abc.aus.century.com.  (
                                 1       ;serial
                                 3600    ;refresh
                                 600     ;retry
                                 3600000 ;expire
                                 86400   ;negative caching TTL
    2. Specify the name server (NS) record. Insert a tab space at the beginning of the line; the named daemon will replace the tab space with the zone name. For example:

      <tab>	IN    NS     venus.abc.aus.century.com.
    3. Specify the pointer (PTR) record.

      1      IN    PTR    localhost.

      Note: All lines in this file must be in Standard Resource Record Format.
  4. Edit the /usr/local/domain/named.abc.data file. Use the /usr/samples/tcpip/named.data sample file as an example when creating the /usr/local/domain/named.abc.data file. See the DOMAIN Data File Format for TCP/IP in the AIX 5L Version 5.2 Files Reference for more information and an example of a hosts data file.
    1. Specify the start of authority of the zone and the default time-to-live information for the zone. This record designates the start of a zone. Only one start of authority record per zone is allowed. For example:

      $TTL 3h    ;3 hour
      @ IN    SOA     venus.abc.aus.century.com. gail.zeus.abc.aus.century.com.  (
                      1       ;serial
                      3600    ;refresh
                      600     ;retry
                      3600000 ;expire
                      86400   ;negative caching TTL
    2. Include name server records for all master name servers in the zone. Insert a tab space at the beginning of the line; the named daemon will replace the tab space with the zone name. For example:

      <tab>	IN    NS       venus.abc.aus.century.com.
    3. Include name-to-address resolution information on all hosts in the name server zone of authority. For example:

      venus        IN    A
      earth        IN    A
      mars         IN    A
    4. Include other types of entries, such as canonical name records and mail exchanger records as needed.

      Note: All lines in this file must be in Standard Resource Record Format.
  5. Edit the /usr/local/domain/named.abc.rev file. See the DOMAIN Reverse Data File Format for TCP/IP in the AIX 5L Version 5.2 Files Reference for more information and a detailed example of a reverse hosts data file.
    1. Specify the start of authority of the zone and the default time-to-live information. This record designates the start of a zone. Only one start of authority record per zone is allowed. For example:

      $TTL 3h    ;3 hour
      @  IN  SOA  venus.abc.aus.century.com. gail.zeus.abc.aus.century.com.  (
                                 1       ;serial
                                 3600    ;refresh
                                 600     ;retry
                                 3600000 ;expire
                                 86400   ;negative caching TTL
    2. Include other types of entries, such as name server records. If you are including these records, insert a tab space at the beginning of the line; the named daemon will replace the tab space with the zone name. Canonical name records are optional.
      <tab>	IN      NS      venus.abc.aus.century.com.

      Note: All lines in this file must be in Standard Resource Record Format.
    3. Include address-to-name resolution information on all hosts to be in the name server's zone of authority.

      1                      IN    PTR    venus.abc.aus.century.com.
      5                      IN    PTR    earth.abc.aus.century.com.
      3                      IN    PTR    mars.abc.aus.century.com.
  6. Create an /etc/resolv.conf file by typing the following command:

    touch /etc/resolv.conf

    The presence of this file indicates that the host should use a name server, not the /etc/hosts file, for name resolution. This file must exist on a name server host and can contain the local host address, contain the loopback address (, or be empty.

    Alternatively, the /etc/resolv.conf file can contain the following entry:


    The address is the loopback address, which causes the host to access itself as the name server. The /etc/resolv.conf file can also contain an entry similar to the following:

    domain domainname

    In the previous example, the value for domainname is abc.aus.century.com.

  7. Perform one of the following steps to initialize the named daemon with each system startup:
  8. If you chose not to initialize the named daemon through SMIT, start the daemon for each session by running the following command:

    startsrc -s named

For information on troubleshooting, see Name Resolution Problems.

Configuring a Slave Name Server

To configure a slave name server, use the Web-based System Manager, wsm, or use the following procedure which edits a series of files and then uses SMIT or the command line to start the named daemon.

  1. Edit the /etc/named.conf file. If there is no named.conf file in the /etc directory, copy the /usr/samples/tcpip/named.conf sample file into the /etc directory and edit it. See the named.conf File Format for TCP/IP in the AIX 5L Version 5.2 Files Reference for more information and a detailed example of a conf file.

    The conf file is read each time the named daemon starts. It tells the server which type of server it is, the zone for which it is responsible, and where to get its initial information.

    1. If you want the named data files to use paths relative to this directory (optional), use the options configuration clause to specify the directory where the named data files can be located. For example:

      options {
          directory "/usr/local/domain";
    2. If you want to allow record data to be cached outside the defined zones (optional), specify the name of the hint zone file for the name server. For example:

      zone "." IN {
          type hint;
          file "named.ca";
    3. Specify the slave zone clauses. Each stanza includes the zone type, an optional file name to which the name server can back up its data, and the list of master server Internet addresses. This list of addresses defines the hosts from which the zone is replicated. Following are examples of slave zone clauses, both forward and reverse:
      zone "abc.aus.century.com" IN {
          type slave;
          file "named.abc.data.bak";
          masters {; };
      zone "201.9.192.in-addr.arpa" IN {
          type slave;
          file "named.abc.rev.bak";
          masters {; };
    4. To support resolving the loopback network address, specify a zone of type master with a source of named.abc.local as well as the domain for which the name server is responsible.
      zone "0.0.127.in-addr.arpa" in {
          type master;
          file "named.abc.local";
  2. Edit the /usr/local/domain/named.ca file. See the DOMAIN Cache File Format for TCP/IP in the AIX 5L Version 5.2 Files Reference for more information and a detailed example of a cache file.

    This file contains the addresses of the servers that are authoritative name servers (NS) for the root domain of the network. For example:

    ; root name servers.
    .          IN    NS    relay.century.com.
    relay.century.com.   3600000    IN    A

    Note: All lines in this file must be in Standard Resource Record Format.
  3. Edit the /usr/local/domain/named.abc.local file. See the DOMAIN Local Data File Format for TCP/IP in the AIX 5L Version 5.2 Files Reference for more information and a detailed example of a local data file.
    1. Specify the start of authority (SOA) of the zone and the default time-to-live information. For example:

      $TTL 3h    ;3 hour
      @ IN SOA venus.abc.aus.century.com. gail.zeus.abc.aus.century.com.  (
                                 1       ;serial
                                 3600    ;refresh
                                 600     ;retry
                                 3600000 ;expire
                                 86400   ;negative caching TTL
    2. Specify the name server (NS) record. Insert a tab space at the beginning of the line; the named daemon will replace the tab space with the zone name. For example:

      <tab>	IN    NS     venus.abc.aus.century.com.
    3. Specify the pointer (PTR) record.

      1      IN    PTR    localhost.

      Note: All lines in this file must be in Standard Resource Record Format.
  4. Create an /etc/resolv.conf file by issuing the following command:

    touch /etc/resolv.conf

    The presence of this file indicates that the host should use a name server, not the /etc/hosts file, for name resolution. Optionally, you can want to enter records to specify the name, domain, and address of the name server.

  5. Perform one of the following steps:
  6. If you chose not to initialize the named daemon through SMIT, start the daemon for this session by running the following command:

    startsrc -s named

For information on troubleshooting, see Name Resolution Problems.

Configuring a Hint Name Server

To configure a hint, or cache-only, name server, use the Web-based System Manager, wsm, or use the following procedure, which edits a series of files and then uses SMIT or the command line to start the named daemon.


Configure a hint name server according to the following steps:

  1. Edit the /etc/named.conf file. If there is no named.conf file in the /etc directory, copy the /usr/samples/tcpip/named.conf sample file into the /etc directory and edit it. Refer to the named.conf File Format for TCP/IP in the AIX 5L Version 5.2 Files Reference for more information and a detailed example of a conf file.
  2. Edit the /usr/local/domain/named.ca file. See the DOMAIN Cache File Format for TCP/IP in the AIX 5L Version 5.2 Files Reference for more information and a detailed example of a cache file.

    This file contains the addresses of the servers that are authoritative name servers for the root domain of the network. For example:

    ; root name servers.
    .          IN    NS    relay.century.com.
    relay.century.com.   3600000    IN    A

    Note: All lines in this file must be in Standard Resource Record Format.
  3. Edit the /usr/local/domain/named.local file. See the "DOMAIN Local Data File Format for TCP/IP" in the AIX 5L Version 5.2 Files Reference for more information and a detailed example of a local data file.
    1. Specify the start of authority (SOA) of the zone and the default time-to-live information. For example:

      $TTL 3h    ;3 hour
      @ IN SOA venus.abc.aus.century.com. gail.zeus.abc.aus.century.com.  (
                                 1       ;serial
                                 3600    ;refresh
                                 600     ;retry
                                 3600000 ;expire
                                 86400   ;negative caching TTL
    2. Specify the name server (NS) record. Insert a tab space at the beginning of the line; the named daemon will replace the tab space with the zone name. For example:

      <tab>	IN    NS     venus.abc.aus.century.com.
    3. Specify the pointer (PTR) record.

      1      IN    PTR    localhost.

      Note: All lines in this file must be in Standard Resource Record Format.
  4. Create an /etc/resolv.conf file by issuing the following command:

    touch /etc/resolv.conf

    The presence of this file indicates that the host should use a name server, not the /etc/hosts file, for name resolution. You might want to enter records to specify the name, domain, and address of the name server.

  5. Perform one of the following steps:
  6. If you chose not to initialize the named daemon through SMIT, start the daemon for this session by typing the following command:

    startsrc -s named

For information on troubleshooting, see Name Resolution Problems.

Configuring a Domain Mail Server

Configuring a domain mail server provides users external to your organization a simple method for addressing mail to your users. That is, without a domain mail server, the mail address must specify a particular host in your organization. For example sam@orange.widget.com, where widget.com is your organization's domain name, and orange is the host that sam uses. But with a domain mail server, users outside your organization can simply specify the user name and domain name, without having to know which host the user uses, for example, sam@widget.com.

To configure a domain mail server, use the Web-based System Manager, wsm, or use one of the following procedures.

To Configure a Domain Mail Server
  1. Create a mail exchanger (MX) record and an address (A) record for the mail server black.widget.com:

    widget.com           IN    MX     10 black.widget.com
    widget.com           IN     A
    black.widget.com     IN     A
  2. Edit sendmail.cf on the mail server (black.widget.com) to add the domain alias (the w class):

    Cw $w $?D$w.$D$. widget.com
  3. Mail clients must know where to send their non-local mail, so edit sendmail.cf on each client to point to the mail server (the S macro):

  4. Use the NameServOpt option to configure the sendmail daemon so everyone can use the MX records defined in the name server brown.widget.com.
  5. Add aliases for users in the domain that do not have accounts on the mail server using the aliases file, for example:


    Note: Mailbox (MB) records can serve the same function.
  6. The serial number in the SOA Resource Record must be incremented because the database has been modified.
  7. Refresh the name server database by issuing the refresh -s named command.
  8. Perform the following steps:
    1. Type the command sendmail -bi to recompile the aliases database on the mail server.
    2. Type the refresh -s sendmail command to make the changes take effect.
  9. On the clients, recompile sendmail and run the refresh -s sendmail command to make the changes take effect.

There are other methods to configure a domain mail server. The following procedures use mailbox (MB), mail rename (MR), and mail group (MG) records.

To Configure a Domain Mail Server Using mailbox (MB) Records
  1. Define a mailbox (MB) record for each user in the domain. Add entries such as:

    sam IN MB orange.widget.com.

    to the /usr/local/domain/named.abc.data file on host brown.widget.com. These entries identify to the mail server black.widget.com where to send mail for each user in the domain.

  2. Configure the sendmail daemon on the mail server black.widget.com to use the MB records defined in the name server brown.widget.com. Use the NameServOpt option.
  3. Increment the serial number in the SOA Resource Record, because the database has been modified.
  4. Refresh the name server database by running the refresh -s named command.
  5. Type the refresh -s sendmail command to make the changes take effect.
Defining a Mail Rename (MR) Record for a User
  1. Edit the /usr/local/domain/named.abc.data file on your domain name server.
  2. Add a Mail Rename record for each alias. For example, if a user sam has an alias sammy, the Mail Rename record is:

    sammy IN MR sam

    This record causes all mail addressed to sammy to be delivered to sam. Each MR record should be entered on a line by itself.

  3. The serial number in the SOA Resource Record must be incremented, because the database has been modified.
  4. Refresh the name server database by typing the refresh -s named command.
  5. Type the refresh -s sendmail command to make the changes take effect.
Defining Mail Group (MG) Member Records
  1. Edit the /usr/local/domain/named.abc.data file on your domain name server.
  2. Add MG records for each mail group. MG records function like the /etc/aliases file, with the aliases maintained on the name server. For example:

    users IN HINFO users-request widget.com
    users IN MG sam
    users IN MG david
    users IN MG judy

    This example causes all mail addressed to users@widget.com to be delivered to sam, david, and judy. Enter each MG record on a line by itself.

    Note: Users sam, david, and judy must have MB records defined.
  3. The serial number in the SOA Resource Record must be incremented, because the database has been modified.
  4. Refresh the name server database by typing the refresh -s named command.
  5. Type the refresh -s sendmail command to make the changes take effect.
Defining Mail Exchanger (MX) Records
  1. Edit the /usr/local/domain/named.abc.data file on your domain name server.
  2. Add MX records for each machine not directly connected to your network to which you wish to forward mail. For example, if mail addressed to users on purple.widget.com should be forwarded to post.office.widget, the MX record looks similar to the following:

    purple.widget.com IN MX 0 post.office.widget.

    You must specify both host and machine names when using MX records. Enter each MG record on a line by itself. You can use wildcards, for example:

    *.widget.com IN MX 0 post.office.widget. 

    This example causes mail to an unknown host (a host without an explicit MX record) in the widget.com domain to be forwarded to post.office.widget.

    Note: Wildcard MX records are not appropriate for use on the Internet.
  3. The serial number in the SOA Resource Record must be incremented because the database has been modified.
  4. Refresh the name server database by typing the refresh -s named command.
  5. Type the refresh -s sendmail command to make the changes take effect.

Configuring a Forwarder

To configure a forwarder server, use the Web-based System Manager, wsm, or use the following procedure, which edits a series of files and then uses SMIT or the command line to start the named daemon.

  1. Edit the /etc/named.conf file. If there is no named.conf file in the /etc directory, copy the /usr/samples/tcpip/named.conf sample file into the /etc directory and edit it. See the "named.conf File Format for TCP/IP" in the AIX 5L Version 5.2 Files Reference for more information and a detailed example of a conf file.
  2. Edit the /usr/local/domain/named.ca file. See the "DOMAIN Cache File Format for TCP/IP" in the AIX 5L Version 5.2 Files Reference for more information and a detailed example of a cache file.

    This file contains the addresses of the servers that are authoritative name servers for the root domain of the network. For example:

    ; root name servers.
    .          IN    NS    relay.century.com.
    relay.century.com.   3600000    IN    A

    Note: All lines in this file must be in Standard Resource Record Format.
  3. Edit the /usr/local/domain/named.abc.local file. See the DOMAIN Local Data File Format for TCP/IP in the AIX 5L Version 5.2 Files Reference for more information and a detailed example of a local data file.
    1. Specify the start of authority (SOA) of the zone and the default time-to-live information. For example:

      $TTL 3h    ;3 hour
      @ IN SOA venus.abc.aus.century.com. gail.zeus.abc.aus.century.com.  (
                                 1       ;serial
                                 3600    ;refresh
                                 600     ;retry
                                 3600000 ;expire
                                 86400   ;negative caching TTL
    2. Specify the name server (NS) record. For example:

      <tab>	IN    NS     venus.abc.aus.century.com.
    3. Specify the pointer (PTR) record.

      1      IN    PTR    localhost.

      Note: All lines in this file must be in Standard Resource Record Format.
  4. Create an /etc/resolv.conf file by typing the following command:

    touch /etc/resolv.conf

    The presence of this file indicates that the host should use a name server, not the /etc/hosts file, for name resolution.

    Alternatively, the /etc/resolv.conf file might contain the following entry:


    The address is the loopback address, which causes the host to access itself as the name server. The /etc/resolv.conf file may also contain an entry like the following:

    domain domainname

    In the previous example, the domainname value is austin.century.com.

  5. Perform one of the following steps:
  6. If you chose not to initialize the named daemon through SMIT, start the daemon for this session by typing the following command:

    startsrc -s named

Configuring a Forward Only Name Server

To configure a forward only name server, use the Web-based System Manager, wsm, or use the following procedure, which edits a series of files and then uses SMIT or the command line to start the named daemon.

Note: You can achieve a similar configuration without running a forward only name server. Instead, create an /etc/resolv.conf file that contains name server lines that point to the forwarders you wish to use.
  1. Edit the /etc/named.conf file. If there is no named.conf file in the /etc directory, copy the /usr/samples/tcpip/named.conf sample file into the /etc directory and edit it. See the named.conf File Format for TCP/IP in the AIX 5L Version 5.2 Files Reference for more information and a detailed example of a conf file.
  2. Edit the /usr/local/domain/named.ca file. See the DOMAIN Cache File Format for TCP/IP in AIX 5L Version 5.2 Files Reference for more information and a detailed example of a cache file. This file contains the addresses of the servers that are authoritative name servers for the root domain of the network. For example:

    ; root name servers.
    .          IN    NS    relay.century.com.
    relay.century.com.   3600000    IN    A

    Note: All lines in this file must be in Standard Resource Record Format.
  3. Edit the /usr/local/domain/named.abc.local file. See the DOMAIN Local Data File Format for TCP/IP in the AIX 5L Version 5.2 Files Reference for more information and a detailed example of a local data file.
    1. Specify the start of authority (SOA) of the zone and the default time-to-live information. For example:

      $TTL 3h    ;3 hour
      @ IN SOA venus.abc.aus.century.com. gail.zeus.abc.aus.century.com.  (
                                 1       ;serial
                                 3600    ;refresh
                                 600     ;retry
                                 3600000 ;expire
                                 86400   ;negative caching TTL
    2. Specify the name server (NS) record. For example:

      <tab>	IN    NS     venus.abc.aus.century.com.
    3. Specify the pointer (PTR) record.

      1      IN    PTR    localhost.

      Note: All lines in this file must be in Standard Resource Record Format.
  4. Create an /etc/resolv.conf file by typing the following command:

    touch /etc/resolv.conf

    The presence of this file indicates that the host should use a name server, not the /etc/hosts file, for name resolution.

    Alternatively, the /etc/resolv.conf file might contain the following entry:


    The address is the loopback address, which causes the host to access itself as the name server. The /etc/resolv.conf file can also contain an entry such as:

    domain domainname

    In the previous example, the domainname value is austin.century.com.

  5. Perform one of the following steps:
  6. If you chose not to initialize the named daemon through SMIT, start the daemon for this session by typing the following command:

    startsrc -s named

Configuring a Host to Use a Name Server

To configure a host to use a name server, use the Web-based System Manager, wsm, or use the following procedure.

  1. Create an /etc/resolv.conf file by running the following command:
    touch /etc/resolv.conf
  2. On the first line of the /etc/resolv.conf file, type the word domain followed by the full name of the domain that this host is in. For example:

    domain abc.aus.century.com
  3. On any blank line below the domain line, type the word nameserver, followed by at least one space, followed by the dotted decimal Internet address of the name server that this host is to use (the name server must serve the domain indicated by the domain statement). You can have up to 16 name server entries. For example, your /etc/resolv.conf file might contain the entries:


    The system queries the name servers in the order listed.

    search domainname_list

    Alternatively, the search keyword could be used to specify the order in which the resolver will query the domain list. In this case, domainname_list values are abc.aus.century.com and aus.century.com. The domainname_list could contain a maximum of six domain names, each separated by a space.

  4. Assuming the name server is operational, you can test the communication between the host and the name server by typing the following command:

    host hostname

    Use the name of a host that should be resolved by the name server to see if the process is working. The output you receive should appear similar to the following:

    brown.abc.aus.century.com is

Other configuration tasks are shown in the following table.

Configuring a host to use name server tasks
Task SMIT fast path Command or file Web-based System Manager Management Environment
Create an /etc/resolv.conf File smit stnamerslv2 create and edit /etc/resolv.conf1
List All the Name Servers Used by a Host smit lsnamerslv view /etc/resolv.conf Software --> Network --> TCPIP (IPv4 and IPv6) --> TCPIP Protocol Configuration --> TCP/IP --> Configure TCP/IP --> Advanced Methods --> Hosts File --> Contents of /etc/hosts file.
Add a Name Server smit mknamerslv edit /etc/resolv.conf2 Software --> Network --> TCPIP (IPv4 and IPv6) --> TCPIP Protocol Configuration --> TCP/IP --> Configure TCP/IP --> Advanced Methods --> DNS. In the Name Server IP Address field, type the IP Address. Click Add --> OK.
Remove a Name Server smit rmnamerslv edit /etc/resolv.conf Software --> Network --> TCPIP (IPv4 and IPv6) --> TCPIP Protocol Configuration --> TCP/IP --> Configure TCP/IP --> Advanced Methods --> DNS. Select a name server in Name server to search. Click Delete --> OK.
Start/Restart Using Domain Name Resolution smit stnamerslv
Software --> Network --> TCPIP (IPv4 and IPv6) --> TCPIP Protocol Configuration --> TCP/IP --> Configure TCP/IP --> Advanced Methods --> DNS. Select the Enable domain name resolution using Domain Name Service (DNS) check box. Click OK.
Stop Using Domain Name Resolution smit spnamerslv
Software --> Network --> TCPIP (IPv4 and IPv6) --> TCPIP Protocol Configuration --> TCP/IP --> Configure TCP/IP --> Advanced Methods --> DNS. Clear the Enable domain name resolution using Domain Name Service (DNS) check box. Click OK.
Change/Show the Domain smit mkdomain edit /etc/resolv.conf Software --> Network --> TCPIP (IPv4 and IPv6) --> TCPIP Protocol Configuration --> TCP/IP --> Configure TCP/IP --> Advanced Methods --> DNS. --> Domain name to search. Click Add --> OK.
Remove the Domain smit rmdomain edit /etc/resolv.conf Software --> Network --> TCPIP (IPv4 and IPv6) --> TCPIP Protocol Configuration --> TCP/IP --> Configure TCP/IP --> Advanced Methods --> DNS. Select a domain in the Domain search list. Click Delete --> OK.

Configuring Dynamic Zones on the DNS Name Server

The named command allows for dynamic updates. The named database and configuration files need to be configured to allow for client machines to issue updates. A zone can be set to dynamic or static. The default zone is static.

To make a zone dynamic, you must add the keyword allow-update to that zone's stanza in the /etc/named.conf file. The allow-update keyword specifies an Internet address match list that defines hosts allowed to submit updates. See the named.conf File Format for TCP/IP in the AIX 5L Version 5.2 Files Reference for more information and a detailed example of a conf file. In the following example, all hosts are allowed to update the dynamic zone:

zone "abc.aus.century.com" IN {
    type master;
    file "named.abc.data";
    allow-update { any; };

After a zone is marked dynamic, three modes of security can be initiated:

Unsecured Allows anyone at anytime to update any information in the zone.

Attention: Use of this mode is not recommended. It can lead to data loss, data interception, and user frustration. At the least, an unsecured zone should be limited to updates only from specific Internet addresses.
Controlled Allows for the creation of new information and the replacement of existing information. This is probably the easiest mode to use for a secure transition environment. This mode also requires that all incoming updates be timestamped and have keyed signatures.
Presecured Requires all updates to existing information be replaced with similar information. Does not allow for the creation of new information. This mode also requires that all incoming updates be timestamped and have keyed signatures.

A dynamic zone defaults to unsecured mode. To use one of the other modes, type controlled or presecured after the keyword update-security in the zone stanza of the /etc/named.conf file. This tells the named server the level of security to use with that zone. For example:

zone "abc.aus.century.com" IN {
    type master;
    file "named.abc.data";
    allow-update { any; };
    update-security controlled;

After a mode is selected, the actual data files must be modified for your level of security. In unsecured mode, the data files are used "as is." For controlled or presecured mode, you must generate a set of master server/hostname key pairs for each name in the zone. This is done with the nsupdate command using the -g option. This command generates the key pair (a private and a public key). These keys are needed to authentically sign for updates. After generating all the keys for your list of zone names, you need to add them to the data file. The KEY format is as follows:

Index    ttl    Class     Type     KeyFlags     Protocol     Algorithm     KeyData


Index Specifies the name used to reference the data in the zone.
ttl Specifies the time-to-live (TTL) for this data. This is an optional field.
Class Specifies the class of the data. This is dependent on the zone, but usually it is IN.
Type Indicates the type of the record. In this case, it is KEY.
KeyFlags Gives named information about the key. 0x0000 defines the typical key record used for a host. 0x0100 defines the key record associated with the zone name.
Protocol Specifies the protocol to use. Currently, there is only one, 0.
Algorithm Specifies the algorithm of the key. Currently, there is only one, 1. This is the MD5 Private/Public authentication method.
KeyData Indicates the key in base64 representation. The nsupdate command generates both the public and private keys in base64 representation. The public key is listed last in the output file.


To ensure security over a host name in a dynamic zone, a line similar to the following needs to be added to the zone file for the zone containing the hostname.

bears    4660    IN    KEY    0x0000    0    1    AQOtg......

The above example indicates that bears has a KEY record defined. Someone wanting to update bears would have to sign his update with the private key matching the public key in the database. For the nsupdate command to succeed, the private key needs to be placed on the client in a keyfile (defaults to /etc/keyfile). It should follow the format:

 hostname          mastername           base64          key

A similar KEY entry is required in the zone definition section. A zone key is required for both presecured and controlled modes or the mode is considered to be unsecured. This can be done as shown in the previous bears example, but the private key is left for the administrator to use with the nsupdate command's administrative mode.

  1. To generate a key pair using the nsupdate command, type the following:
    nsupdate -g -h ZoneName -p ServerName -k AdminKeyFile

    This generates a key for the zone. In this example, nsupdate is linked to nsupdate4, which can be done by typing the following:

    ln -fs /usr/sbin/nsupdate4 /usr/sbin/nsupdate
  2. Place the last key of the pair in the beginning section for the zone as follows:
    IN     KEY     0x0100  0  1  Key

    The entry for the named.abc.data file is as follows:

    $TTL 3h    ;3 hour
    @ IN    SOA     venus.abc.aus.century.com. gail.zeus.abc.aus.century.com. (
                    1       ;serial
                    3600    ;refresh
                    600     ;retry
                    3600000 ;expire
                    86400   ;negative caching TTL
            IN      NS      venus.abc.aus.century.com.
            IN      KEY     0x0100  0 1 AQPlwHmIQeZzRk6Q/nQYhs3xwnhfTgF/8YlBVzKSoKxVKPNLINnYW0mB7attTcfhHaZZcZr4u/vDNikKnhnZwgn/
    venus   IN      A
    earth   IN      A
    mars    IN      A
  3. The zone is now ready to be loaded by refreshing the name server. Place the AdminKeyFile on the client or DHCP server that is updating the zone. The zone key contained in the AdminKeyFile can be used to apply updates and maintenance operations to the name server.


BIND 9 offers the following two security measures for named:

The name server with BIND 9, by default, does not allow dynamic updates to authoritative zones, similarly to that of BIND 8.

Transaction Signatures (TSIG)

BIND 9 primarily supports TSIG for server-to-server communication. This includes zone transfer, notify, and recursive query messages. TSIG is also useful for dynamic updates. A primary server for a dynamic zone should use access control to control updates, but IP-based access control is insufficient.

By using key base encryption rather than the current method of access control lists, TSIG can be used to restrict who can update to the dynamic zones. Unlike the Access Control List (ACL) method of dynamic updates, the TSIG key can be distributed to other updaters without having to modify the configuration files on the name server, which means there is no need for the name server to reread the configuration files.

It is important to note that BIND 9 does not have all the keywords implemented in BIND 8. In this example, we use the simple master configuration from BIND 8.

To use named 9, you must relink the symbolic link to the named daemon to named9, and nsupdate to nsupdate9 by running the following commands:

  1. ln -fs /usr/sbin/named9 /usr/sbin/named
  2. ln -fs /usr/sbin/nsupdate9 /usr/sbin/nsupdate
  1. Generate the key using the dnssec-keygen command:
    dnssec-keygen -a HMAC-MD5 -b 128 -n HOST keyname

    The command

    dnssec-keygen -a HMAC-MD5 -b 128 -n HOST venus-batman.abc.aus.century.com

    would produce two key files, as follows:

  2. Add the entry to named.conf on the master name server:
    // TSIG Key
    key venus-batman.abc.aus.century.com. {
            algorithm hmac-md5;
            secret "+UWSvbpxHWFdNwEAdy1Ktw==";

    Assuming HMAC-MD5 is being used, both keyfiles contain the shared key, which are stored as the last entry in the files. Find a secure way to copy the shared secret key to the client. You do not need to copy the keyfile, just the shared secret key.

    Following is the entry for file Kvenus-batman.abc.aus.century.com.+157+35215.private:

    Private-key-format: v1.2
    Algorithm: 157 (HMAC_MD5)
    Key: +UWSvbpxHWFdNwEAdy1Ktw==

    Below is an example of the named.conf file for the master name server. The zone abc.aus.century.com allows zone transfer and dynamic updates only to servers with the key venus-batman.abc.aus.century.com. Do the same to the reverse zone, which requires updaters to have the shared key.

    // TSIG Key
    key venus-batman.abc.aus.century.com. {
            algorithm hmac-md5;
            secret "+UWSvbpxHWFdNwEAdy1Ktw==";
    options {
            directory "/usr/local/domain";
    zone "abc.aus.century.com" in {
            type master;
            file "named.abc.data";
            allow-transfer { key venus-batman.abc.aus.century.com.;};
            allow-update{ key venus-batman.abc.aus.century.com.; };

    Because zones transfers are now restricted to those that have a key, the slave name server's named.conf file must also be edited. All requests to are signed by a key. Note the name of the key (venus-batman.abc.aus.century.com.) must match those on the servers who use them.

    Below is an example of the named.conf file on the slave name server:

    // TSIG Key
    key venus-batman.abc.aus.century.com. {
            algorithm hmac-md5;
            secret "+UWSvbpxHWFdNwEAdy1Ktw==";
            keys { venus-batman.abc.aus.century.com.;};
    options {
            directory "/usr/local/domain";
    zone "abc.aus.century.com" IN {
        type slave;
        file "named.abc.data.bak";
        masters {; };

Signature (SIG)

BIND 9 partially supports DNSSEC SIG transaction signatures as specified in RFC 2535. SIG uses public and private keys to authenticate messages.

SIG records allow administers to sign their zone data, thereby stating that it is authentic.

Securing the root zone

Assume that other name servers on the internet are not using BIND 9, and you want to secure your zone data and allow other servers to verify your zone data. You want to state that your zone (in our case aus.century.com) is a secure root, and will validate any secure zone data below it.

  1. Generate the keys using the dnssec-keygen command:
    dnssec-keygen -a RSA -b 512 -r /usr/sbin/named -n ZONE aus.century.com.
    RSA encryption can be used as the algorithm to generate the key if OpenSSL is installed, although you must first relink the DNS library to a secured DNS library by running the following command:
    ln -fs /usr/lib/libdns_secure.a /usr/lib/libdns.a
  2. Add the public key entry similar to the named.conf file. The entry used in our case follows. Below are the contents of key file Kaus.century.com.+001+03254.key.
    abc.aus.century.com. IN KEY 256 3 1 AQOnfGEAg0xpzSdNRe7KePq3Dl4NqQiq7HkwKl6TygUfaw6vz6ldmauB4UQFcGKOyL68/Zv5ZnEvyB1fMTAaDLYz

    The public key is contained in the file Kzonename.+algor.+fingerprint.key, or in our case Kaus.century.com.+001+03254.key. You have to remove the class IN and type KEY as well as quote the key. Once you add this entry to the /etc/named.conf file and refresh the name server, the zone aus.century.com is a secure root.

    trusted-keys {
            aus.century.com. 256 3 1 "AQOnfGEAg0xpzSdNRe7KePq3Dl4NqQiq7HkwKl6Tyg
    Ufaw6vz6ldmauB 4UQFcGKOyL68/Zv5ZnEvyB1fMTAaDLYz";
    options {
            directory "/usr/local/domain";
    zone "abc.aus.century.com" in {
            type master;
            file "named.abc.data.signed";
Applying the Chain of Trust

Now that you have a secured root, you can secure the rest of your child zones. In this case, we are working to secure the zone abc.aus.century.com. Follow these steps to secure your remaining child zones:

  1. Generate the key pairs using the dnssec-keygen command:
    dnssec-keygen -a RSA -b 512 -r /usr/sbin/named -n ZONE abc.aus.century.com.
  2. Make a keyset by running the dnssec-makekeyset command:
    dnssec-makekeyset -t 172800 Kabc.aus.century.com.+001+11515.key
    where Kabc.aus.century.com.+001+03254.key is your own public key.

    This creates a keyset file called keyset-abc.aus.century.com.

  3. Send this keyset file to the parent zone to get it signed. In this case, our parent zone is the secure root zone aus.century.com.
  4. The parent must sign the key using its private key.
    dnssec-signkey keyset-abc.aus.century.com. Kaus.century.com.+001+03254.private

    This will generate a file called signedkey-abc.aus.century.com, and the parent will need to send this file back to the child zone.

  5. On the child name server for zone abc.aus.century.com, add $INCLUDE $INCLUDE Kabc.aus.century.com.+001+11515.key to the plain zone file named.abc.data. Remember to place the signedkey-abc.aus.century.com file in the same location as the zone file named.abc.data. When the zone is signed in the following step, the program will know to include signedkey-abc.aus.century.com, which was received from the parent.
    $TTL 3h    ;3 hour
    @ IN    SOA     venus.abc.aus.century.com. gail.zeus.abc.aus.century.com.  (
                    1       ;serial
                    3600    ;refresh
                    600     ;retry
                    3600000 ;expire
                    86400   ;negative caching TTL
    $INCLUDE Kabc.aus.century.com.+001+03254.key
  6. Sign the zone using the dnssec-signzone command:
    dnssec-signzone -o abc.aus.century.com. named.abc.data
  7. Modify the named.conf file on the child zone abc.aus.century.com to use the new signed zone file (named.abc.data.signed). For example:
    options {
            directory "/usr/local/domain";
    zone "abc.aus.century.com" in {
            type master;
            file "named.abc.data.signed";
  8. Refresh the name server.

For information on troubleshooting, see Name Resolution Problems.

Planning and Configuration for LDAP Name Resolution (IBM SecureWay Directory Schema)

The Lightweight Directory Access Protocol (LDAP) is an open industry standard that defines a method for accessing and updating information in a directory. An LDAP schema defines the rules for ordering data. The ibm-HostTable object class, part of the IBM SecureWay Directory schema, can be used to store the name-to-Internet-address mapping information for every host on the network.

The ibm-HostTable object class is defined as follows:

Object Class name:     ibm-HostTable
Description:           Host Table entry which has a collection of hostname to
                       IP address mappings.
OID:                   TBD
RDN:                   ipAddress
Superior object class: top
Required Attributes:   host, ipAddress
Optional Attributes:   ibm-hostAlias, ipAddressType, description

The attribute definitions follow:

Attribute Name: ipAddress
Description:    IP Address of the hostname in the Host Table
OID:            TBD
Syntax:         caseIgnoreString
Length:         256
Single Valued:  Yes
Attribute Name: ibm-hostAlias
Description:    Alias of the hostname in the Host Table
OID:            TBD
Syntax:         caseIgnoreString
Length:         256
Single Valued:  Multi-valued
Attribute Name: ipAddressType
Description:    Address Family of the IP Address (1=IPv4, 2=IPv6)
OID:            TBD
Syntax:         Integer
Length:         11
Single Valued:  Yes
Attribute Name: host
Description:    The hostname of a computer system.
Syntax:         caseIgnoreString
Length:         256
Single Valued:  Multi-valued
Attribute Name: description
Description:    Comments that provide a description of a directory object entry.
Syntax:         caseIgnoreString
Length:         1024
Single Valued:  Multi-valued

Use the following procedure to configure the LDAP server compliant with the IBM SecureWay Directory schema, for storing the name-to-Internet-address mapping host information.

  1. Add a suffix on the LDAP server. The suffix is the starting point of the hosts database. For example, "cn=hosts". This can done using the web-based IBM SecureWay Directory Server Administration tool.
  2. Create an LDAP Data Interchange Format (LDIF) file. This can be done manually or with the hosts2ldif command, which creates a LDIF file from the /etc/hosts file. See the hosts2ldif Command in the AIX 5L Version 5.2 Commands Reference for more information. The following is a sample LDIF file:

    dn: cn=hosts
    objectclass: top
    objectclass: container
    cn: hosts
    dn: ipAddress=, cn=hosts
    host: test
    objectclass: ibm-HostTable
    ipAddressType: 1
    ibm-hostAlias: e-test
    ibm-hostAlias: test.austin.ibm.com
    description: first ethernet interface
    dn: ipAddress=fe80::dead, cn=hosts
    host: test
    ipAddress: fe80::dead
    objectclass: ibm-HostTable
    ipAddressType: 2
    ibm-hostAlias: test-ll
    ibm-hostAlias: test-ll.austin.ibm.com
    description: v6 link level interface
  3. Import the hosts directory data from the LDIF file on the LDAP server. This can be done with the ldif2db command or through the web-based IBM SecureWay Directory Server Administration tool.

To configure the client to access the hosts database on the LDAP server, using the LDAP mechanism, follow the steps below:

  1. Create the /etc/resolv.ldap file. See the resolv.ldap File Format for TCP/IP in the AIX 5L Version 5.2 Files Reference for more information and a detailed example of a resolv.ldap file.
  2. Change the default name resolution through the NSORDER environment variable, the /etc/netsvc.conf file, or the /etc/irs.conf file. See the netsvc.conf File Format for TCP/IP or the irs.conf File Format for TCP/IP in the AIX 5L Version 5.2 Files Reference for more information.

Although still supported, the use of ldap mechanism is deprecated. This existing ldap mechanism works with IBM SecureWay Directory Schema. AIX 5.2 offers the new naming mechanism, nis_ldap (NIS_LDAP), which works with the RFC 2307 schema. Use of the nis_ldap mechanism instead of the ldap mechanism is recommended. For information on nis_ldap name resolution, see Planning and Configuring NIS_LDAP Name Resolution (RFC 2307 schema).

Planning and Configuring NIS_LDAP Name Resolution (RFC 2307 schema)

AIX 5.2 offers a new naming mechanism called NIS_LDAP. The difference between the existing LDAP mechanism and the new NIS_LDAP mechanism is in the LDAP schema (the set of attributes and objectclasses that determine how attributes are grouped together for describing an entity). The existing LDAP mechanism works with the IBM SecureWay Directory schema compliant LDAP server and it supports only the host naming service. The NIS_LDAP mechanism works with the RFC 2307 schema compliant LDAP server, and it supports all the NIS services: users and groups, hosts, services, protocols, networks, and netgroup. RFC 2307 defines a set of attributes and objectclasses that can be used to describe network information services, including users and groups.

To configure the LDAP server, you will need to setup the LDAP server and migrate the required data to the server.

  1. Use the mksecldap command to set up a server. The nis_ldap mechanism works only with the RFC 2307 schema. While setting up the LDAP server, the mksecldap command should be invoked with either the -S rfc2307 or -S rfc2307aix option (not the -S aix option, which specifies the IBM SecureWay Directory schema). By default, the mksecldap command migrates users and groups defined on the local system to the LDAP server. If you want to disable this migration, use the -u NONE option.
    mksecldap -s -a cn=admin -p adminpwd -S rfc2307aix 

    This sets up an LDAP server with administrator DN being cn=admin and password being adminpwd. The default suffix, cn=aixdata, is also added to the /etc/slapd32.conf file, the LDAP server configuration file.

    By default, the mksecldap command migrates users and groups defined on the local system to the LDAP server. If you want to disable this migration, use the -u NONE option, which prevents the migration of local users and groups to the LDAP server, so that you can only add NIS users and groups later.

    mksecldap -s -a cn=admin -p adminpwd -u NONE

    For more information on the mksecldap command, see the command description in AIX 5L Version 5.2 Commands Reference.

  2. Migrate the NIS data. Use the nistoldif command from the NIS server to migrate the NIS maps to the LDAP server. The nistoldif command can also be used to migrate data from flat files.

    Run the nistoldif command on a system that contains NIS data that needs to be migrated to the LDAP server.

    nistoldif -h server1.ibm.com -a cn=admin -p adminpwd -d cn=aixdata

    This migrates the NIS maps from the local system to the LDAP server, server1.ibm.com. The NIS data is placed under the cn=aixdata DN. You can also run the nistoldif command to migrate data from flat files on any system to the LDAP server. The flat files will be used for any maps missing from the NIS server.

    For more information on the nistoldif command, see the command description in AIX 5L Version 5.2 Commands Reference.

    Names are represented by the cn attribute of the LDAP server. The cn attribute defined by RFC 2307 is not case-sensitive. Names that differ only by case will be merged on the server. Matches are also not case-sensitive. Searching for TCP, tcp, or Tcp would all return the protocol entry for TCP.

To configure the LDAP client to access names from the LDAP server, run the mksecldap command with client setup options.

  1. The mksecldap command saves the LDAP servername, port, admindn, password, and basedn to the /etc/security/ldap/ldap.cfg file, which is read by the secldapclntd daemon at its startup time. The mksecldap command starts the secldapclntd daemon automatically, if the setup is successful.

    See the /etc/security/ldap/ldap.cfg file in the AIX 5L Version 5.2 Files Reference and the secldapclntd daemon in the AIX 5L Version 5.2 Commands Reference for more information.

  2. The mksecldap command adds nis_ldap mechanism to the /etc/netsvc.conf file and the /etc/irs.conf file so that name resolution can be directed to LDAP. You can also manually set the NSORDER environment variable to nis_ldap to use the NIS_LDAP name resolution.
    mksecldap -c -a cn=admin -p adminpwd -h server1.ibm.com

    This sets up the local system to use the server1.ibm.com LDAP server. The LDAP server administrator DN and password must be supplied for this client to authenticate to the server. The /etc/netsvc.conf and the /etc/irs.conf files are updated so that the naming resolution is resolved through NIS_LDAP.

    See the /etc/netsvc.conf file format for TCP/IP or the /etc/irs.conf file format for TCP/IP in the AIX 5L Version 5.2 Files Reference for more information.

  3. Naming resolution for users and groups is not controlled by the /etc/netsvc.conf or /etc/irs.conf files. Rather it is through the /etc/security/user file. To enable a LDAP user to login to an AIX system, set the user's SYSTEM and registry variables to LDAP in the /etc/security/user file of that client system. You can run the chuser command to do this.
    chuser -R LDAP SYSTEM=LDAP registry=LDAP foo

    You can configure your system to allow all LDAP users to login to a system. To do so, edit the /etc/security/user file. Add registry = files to the root stanza. Then add SYSTEM = LDAP and registry = LDAP to the default stanza.

    For more information on user authentication, refer to LDAP Exploitation of the Security Subsystem of the AIX 5L Version 5.2 Security Guide.

[ Top of Page | Previous Page | Next Page | Contents | Index | Library Home | Legal | Search ]