Contents
- 3. Configurations and Zone Files
  - 3.1. Introduction
  - 3.2. Authoritative Name Servers
  - 3.3. Resolver (Caching Name Servers)
  - 3.4. Load Balancing
  - 3.5. Zone File
    - 3.5.1. Resource Records
    - 3.5.2. Discussion of MX Records
    - 3.5.3. Setting TTLs
    - 3.5.4. Inverse Mapping in IPv4
    - 3.5.5. Other Zone File Directives
    - 3.5.6. BIND Primary File Extension: the $GENERATE Directive
    - 3.5.7. Additional File Formats
3. Configurations and Zone Files
Reprinted from: https://bind9.readthedocs.io/en/latest/chapter3.html#configurations-and-zone-files
3.1. Introduction
BIND 9 uses a single configuration file called named.conf, which is typically located in either /etc/namedb or /usr/local/etc/namedb.
Note
If rndc is being used locally (on the same host as BIND 9) then an additional file rndc.conf may be present, though rndc operates without this file. If rndc is being run from a remote host then an rndc.conf file must be present as it defines the link characteristics and properties.
Depending on the functionality of the system, one or more zone files are required.
The samples given throughout this and subsequent chapters use a standard base format for both the named.conf and the zone files for example.com. The intent is for the reader to see the evolution from a common base as features are added or removed.
3.1.1. named.conf Base File
This file illustrates the typical format and layout style used for named.conf and provides a basic logging service, which may be extended as required by the user.
// base named.conf file
// Recommended that you always maintain a change log in this file as shown here
// options clause defining the server-wide properties
options {
    // all relative paths use this directory as a base
    directory "/var";
    // version statement for security to avoid hacking known weaknesses
    // if the real version number is revealed
    version "not currently available";
};
// logging clause
// log to /var/log/named/example.log all events from info UP in severity (no debug)
// uses 3 files in rotation swaps files when size reaches 250K
// failure messages that occur before logging is established are
// in syslog (/var/log/messages)
//
logging {
    channel example_log {
        // uses a relative path name and the directory statement to
        // expand to /var/log/named/example.log
        file "log/named/example.log" versions 3 size 250k;
        // only log info and up messages - all others discarded
        severity info;
    };
    category default {
        example_log;
    };
};
The logging and options blocks and the category, channel, directory, file, and severity statements are all described further in the appropriate sections of this ARM.
3.1.2. example.com base zone file
The following is a complete zone file for the domain example.com, which illustrates a number of common features. Comments in the file explain these features where appropriate. Zone files consist of Resource Records (RR), which describe the zone's characteristics or properties.
; base zone file for example.com
$TTL 2d    ; default TTL for zone
$ORIGIN example.com. ; base domain-name
; Start of Authority RR defining the key characteristics of the zone (domain)
@         IN      SOA   ns1.example.com. hostmaster.example.com. (
                                2003080800 ; serial number
                                12h        ; refresh
                                15m        ; update retry
                                3w         ; expiry
                                2h         ; minimum
                                )
; name server RR for the domain
          IN      NS      ns1.example.com.
; the second name server is external to this zone (domain)
          IN      NS      ns2.example.net.
; mail server RRs for the zone (domain)
     3w   IN      MX  10  mail.example.com.
; the second mail server is external to the zone (domain)
          IN      MX  20  mail.example.net.
; domain hosts includes NS and MX records defined above
; plus any others required
; for instance a user query for the A RR of joe.example.com will
; return the IPv4 address 192.168.254.6 from this zone file
ns1       IN      A       192.168.254.2
mail      IN      A       192.168.254.4
joe       IN      A       192.168.254.6
www       IN      A       192.168.254.7
; aliases ftp (ftp server) to an external domain
ftp       IN      CNAME   ftp.example.net.
This type of zone file is frequently referred to as a forward-mapped zone file, since it maps domain names to some other value, while a reverse-mapped zone file maps an IP address to a domain name. The zone file is called example.com for no good reason except that it is the domain name of the zone it describes; as always, users are free to use whatever file-naming convention is appropriate to their needs.
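As an added example (not from the BIND ARM or the BIND source), the following Python script parses the base zone file above with a small purpose-built parser: it expands the 2d/12h/15m/3w TTL suffixes into seconds, completes relative names with $ORIGIN, joins the parenthesised SOA onto one logical record, and gives a record whose owner field is blank the owner of the previous record. It then answers the joe.example.com lookup the file's comments describe. The zone text is embedded as a constructed copy with the comments trimmed; the RR class and the function names are the example's own.

```python
import re
from dataclasses import dataclass

# Constructed copy of the example.com base zone file shown above (comments trimmed).
BASE_ZONE = """\
$TTL 2d              ; default TTL for zone
$ORIGIN example.com. ; base domain-name
@         IN      SOA   ns1.example.com. hostmaster.example.com. (
                                2003080800 ; serial number
                                12h        ; refresh
                                15m        ; update retry
                                3w         ; expiry
                                2h         ; minimum
                                )
          IN      NS      ns1.example.com.
          IN      NS      ns2.example.net.
     3w   IN      MX  10  mail.example.com.
          IN      MX  20  mail.example.net.
ns1       IN      A       192.168.254.2
mail      IN      A       192.168.254.4
joe       IN      A       192.168.254.6
www       IN      A       192.168.254.7
ftp       IN      CNAME   ftp.example.net.
"""

_TTL_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
_TTL_RE = re.compile(r"^(\d+)([smhdw]?)$", re.I)
_CLASSES = {"IN", "CH", "HS"}
_TYPES = {"SOA", "NS", "MX", "A", "AAAA", "CNAME", "PTR", "TXT"}
# rdata fields that hold domain names and therefore need $ORIGIN completion
_NAME_FIELDS = {"NS": (0,), "CNAME": (0,), "PTR": (0,), "MX": (1,), "SOA": (0, 1)}


@dataclass
class RR:
    owner: str      # fully qualified, with trailing dot
    ttl: int        # seconds
    rrclass: str
    rtype: str
    rdata: tuple


def parse_ttl(text):
    """'2d' -> 172800, '15m' -> 900, '300' -> 300; None if text is not a TTL."""
    m = _TTL_RE.match(text)
    return int(m.group(1)) * _TTL_UNITS[m.group(2).lower() or "s"] if m else None


def fqdn(name, origin):
    """Complete a relative name with $ORIGIN; '@' stands for the origin itself."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def _logical_lines(text):
    """Yield (owner_is_blank, tokens) per record: comments stripped, '(' ... ')' joined."""
    buf, depth, blank = [], 0, False
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip() and depth == 0:
            continue
        if not buf:                      # first physical line of the record
            blank = line[:1].isspace()   # blank owner field -> inherit previous owner
        depth += line.count("(") - line.count(")")
        buf.append(line.replace("(", " ").replace(")", " "))
        if depth == 0:
            yield blank, " ".join(buf).split()
            buf = []


def parse_zone(text):
    """Parse zone-file text into a list of RR with absolute names and numeric TTLs."""
    origin, default_ttl, last_owner, records = ".", None, None, []
    for blank, tokens in _logical_lines(text):
        if tokens[0] == "$ORIGIN":
            origin = tokens[1]
            continue
        if tokens[0] == "$TTL":
            default_ttl = parse_ttl(tokens[1])
            continue
        if blank:
            if last_owner is None:
                raise ValueError("blank owner field before any record")
            owner = last_owner
        else:
            owner = last_owner = fqdn(tokens.pop(0), origin)
        ttl, rrclass = default_ttl, "IN"
        while tokens[0].upper() not in _TYPES:   # optional TTL and/or class, any order
            tok = tokens.pop(0)
            if parse_ttl(tok) is not None:
                ttl = parse_ttl(tok)
            elif tok.upper() in _CLASSES:
                rrclass = tok.upper()
            else:
                raise ValueError(f"unexpected token {tok!r} in record for {owner}")
        rtype, rdata = tokens[0].upper(), tokens[1:]
        for i in _NAME_FIELDS.get(rtype, ()):
            rdata[i] = fqdn(rdata[i], origin)
        if rtype == "MX":
            rdata[0] = int(rdata[0])                       # preference
        elif rtype == "SOA":
            rdata[2:] = [parse_ttl(v) for v in rdata[2:]]  # serial, refresh, retry, expire, minimum
        records.append(RR(owner, ttl, rrclass, rtype, tuple(rdata)))
    return records


def lookup(records, name, rtype):
    """All records of one type owned by a fully qualified name."""
    return [rr for rr in records if rr.owner == name and rr.rtype == rtype]


if __name__ == "__main__":
    for rr in lookup(parse_zone(BASE_ZONE), "joe.example.com.", "A"):
        print(rr)   # joe.example.com. A 192.168.254.6 with the $TTL default of 172800 s
```

The records whose owner field is blank (the NS and MX records) must begin with whitespace, as they do in the zone file above; if such a line started in column one the parser, like named, would take the class or TTL token as the owner name.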
3.1.3. Other Zone Files
Depending on the configuration additional zone files may or should be present. Their format and functionality are briefly described here.
3.1.4. localhost Zone File
All end-user systems are shipped with a hosts file (usually located in /etc). This file is normally configured to map the name localhost (the name used by applications when they run locally) to the loopback address. It is argued, reasonably, that a forward-mapped zone file for localhost is therefore not strictly required. This manual does use the BIND 9 distribution file localhost-forward.db (normally in /etc/namedb/master or /usr/local/etc/namedb/master) in all configuration samples for the following reasons:
- Many users elect to delete the hosts file for security reasons (it is a potential target of serious domain name redirection/poisoning attacks).
- Systems normally look up any name (including domain names) using the hosts file first (if present), followed by DNS. However, the nsswitch.conf file (typically in /etc) controls this order (normally hosts: file dns), allowing the order to be changed or the file value to be deleted entirely depending on local needs. Unless the BIND administrator controls this file and knows its values, it is unsafe to assume that localhost is forward-mapped correctly.
- As a reminder to users that unnecessary queries for localhost form a non-trivial volume of DNS queries on the public network, which affects DNS performance for all users.
Users may, however, elect at their discretion not to implement this file since, depending on the operational environment, it may not be essential.
The BIND 9 distribution file localhost-forward.db format is shown for completeness and provides for both IPv4 and IPv6 localhost resolution. The zone (domain) name is localhost.
$TTL 3h
localhost. SOA  localhost. nobody.localhost. 42 1d 12h 1w 3h
           NS   localhost.
           A    127.0.0.1
           AAAA ::1
Note
Readers of a certain age or disposition may note the reference in this file to the late, lamented Douglas Noel Adams.
3.1.5. localhost Reverse-Mapped Zone File
This zone file allows any query requesting the name associated with the loopback IP (127.0.0.1). This file is required to prevent unnecessary queries from reaching the public DNS hierarchy. The BIND 9 distribution file localhost.rev is shown for completeness:
$TTL 1D
@       IN      SOA     localhost. root.localhost. (
                        2007091701      ; serial
                        30800           ; refresh
                        7200            ; retry
                        604800          ; expire
                        300 )           ; minimum
        IN      NS      localhost.
1       IN      PTR     localhost.
3.2. Authoritative Name Servers
These provide authoritative answers to user queries for the zones they support: for instance, the zone data describing the domain name example.com. An authoritative name server may support one or many zones.
Each zone may be defined as either a primary or a secondary. A primary zone reads its zone data directly from a file system. A secondary zone obtains its zone data from the primary zone using a process called zone transfer. Both the primary and the secondary zones provide authoritative data for their zone; there is no difference in the answer to a query from a primary or a secondary zone. An authoritative name server may support any combination of primary and secondary zones.
Note
The terms primary and secondary do not imply any access priority. Resolvers (name servers that provide the complete answers to user queries) are not aware of (and cannot find out) whether an authoritative answer comes from the primary or secondary name server. Instead, the resolver uses the list of authoritative servers for the zone (there must be at least two) and maintains a Round Trip Time (RTT), the time taken to respond to the query, for each server in the list. The resolver uses the lowest-value server (the fastest) as its preferred server for the zone and continues to do so until its RTT becomes higher than the next slowest in its list, at which time that one becomes the preferred server.
For reasons of backward compatibility BIND 9 treats "primary" and "master" as synonyms, as well as "secondary" and "slave."
The following diagram shows the relationship between the primary and secondary name servers. The text below explains the process in detail.
Figure: Authoritative Primary and Secondary Name Servers
The numbers in parentheses in the following text refer to the numbered items in the diagram above.
- The authoritative primary name server always loads (or reloads) its zone files from (1) a local or networked filestore.
- The authoritative secondary name server always loads its zone data from a primary via a zone transfer operation. Zone transfer may use AXFR (complete zone transfer) or IXFR (incremental zone transfer), but only if both primary and secondary name servers support the service. The zone transfer process (either AXFR or IXFR) works as follows:
  - The secondary name server for the zone reads (3 and 4) the SOA RR periodically. The interval is defined by the refresh parameter of the Start of Authority (SOA) RR.
  - The secondary compares the serial number parameter of the SOA RR received from the primary with the serial number in the SOA RR of its current zone data.
  - If the received serial number is arithmetically greater (higher) than the current one, the secondary initiates a zone transfer (5) using AXFR or IXFR (depending on the primary and secondary configuration), using TCP over port 53 (6).
  - The typically recommended zone refresh times for the SOA RR (the time interval at which the secondary reads or polls the primary for the zone SOA RR) are multiples of hours to reduce traffic loads. Worst-case zone change propagation can therefore take extended periods.
- The optional NOTIFY (RFC 1996) feature (2) is automatically configured; use the notify statement to turn off the feature. Whenever the primary loads or reloads a zone, it sends a NOTIFY message to the configured secondary (or secondaries) and may optionally be configured to send the NOTIFY message to other hosts using the also-notify statement. The NOTIFY message simply indicates to the secondary that the primary has loaded or reloaded the zone. On receipt of the NOTIFY message, the secondary responds to indicate it has received the NOTIFY and immediately reads the SOA RR from the primary (as described in section 2 a. above). If the zone file has changed, propagation is practically immediate.
The authoritative samples all use NOTIFY but identify the statements used, so that they can be removed if not required.
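The serial comparison and refresh timing in the steps above, as an added Python example that is not BIND's own code. BIND compares SOA serials using the serial-number arithmetic of RFC 1982, so serial_gt implements that rather than a plain integer comparison: a serial that has wrapped past 4294967295 to 0 is still "greater". The SecondaryZone class and its method names are the example's own; its timings are the refresh, retry and expire values of the example.com SOA RR shown earlier.

```python
from dataclasses import dataclass

SERIAL_BITS = 32
MOD = 1 << SERIAL_BITS          # serials live on a 32-bit circle
HALF = 1 << (SERIAL_BITS - 1)


def serial_gt(a, b):
    """RFC 1982: is serial a 'greater' than serial b?

    True when a is ahead of b by less than 2^31 on the circle. When the two
    differ by exactly 2^31 neither is greater (the RFC leaves that undefined).
    """
    a, b = a % MOD, b % MOD
    return (a < b and b - a > HALF) or (a > b and a - b < HALF)


def serial_increment(serial, n=1):
    """Advance a serial by n (0 < n < 2^31) with 32-bit wrap-around."""
    if not 0 < n < HALF:
        raise ValueError("increment must be between 1 and 2^31-1")
    return (serial + n) % MOD


@dataclass
class SecondaryZone:
    """Refresh state a secondary keeps for one zone (times in seconds)."""
    serial: int          # serial of the copy currently loaded
    refresh: int         # SOA refresh: how often to poll the primary's SOA
    retry: int           # SOA retry: poll interval after a failed poll
    expire: int          # SOA expire: stop serving after this long without contact
    last_good: int = 0   # time of the last successful SOA check or transfer
    next_poll: int = 0   # time of the next scheduled SOA query

    def check_soa(self, now, primary_serial):
        """Steps 3 to 5: read the primary's SOA and decide whether to transfer."""
        self.last_good = now
        self.next_poll = now + self.refresh
        if serial_gt(primary_serial, self.serial):
            self.serial = primary_serial   # an AXFR/IXFR over TCP port 53 would load the data here
            return "transfer"
        return "up-to-date"

    def notify_received(self, now, primary_serial):
        """Step 2: a NOTIFY triggers an immediate SOA check instead of waiting for refresh."""
        return self.check_soa(now, primary_serial)

    def poll_failed(self, now):
        """Primary unreachable: poll again after retry; once expire has elapsed
        since the last successful contact the copy is no longer authoritative."""
        self.next_poll = now + self.retry
        return "expired" if now - self.last_good >= self.expire else "retry"


if __name__ == "__main__":
    # example.com SOA: serial 2003080800, refresh 12h, retry 15m, expire 3w
    zone = SecondaryZone(serial=2003080800, refresh=12 * 3600, retry=15 * 60, expire=3 * 7 * 86400)
    print(zone.check_soa(0, 2003080800))           # up-to-date
    print(zone.notify_received(100, 2003080801))   # transfer
```

Because the comparison is circular, a secondary that holds a serial which is accidentally far ahead of the primary's (more than 2^31 apart) will not transfer at all; the usual fix is to step the primary's serial forward in two increments of just under 2^31, each of which the secondaries see as "greater".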
3.2.1. Primary Authoritative Name Server
The zone files are unmodified from the base samples but the named.conf file has been modified as shown:
// authoritative primary named.conf file
// options clause defining the server-wide properties
options {
    // all relative paths use this directory as a base
    directory "/var";
    // version statement for security to avoid hacking known weaknesses
    // if the real version number is revealed
    version "not currently available";
    // This is the default - allows user queries from any IP
    allow-query { any; };
    // normal server operations may place items in the cache
    // this prevents any user query from accessing these items
    // only authoritative zone data will be returned
    allow-query-cache { none; };
    // Do not provide recursive service to user queries
    recursion no;
};
// logging clause
// log to /var/log/named/example.log all events from info UP in severity (no debug)
// uses 3 files in rotation swaps files when size reaches 250K
// failure messages that occur before logging is established are
// in syslog (/var/log/messages)
//
logging {
    channel example_log {
        // uses a relative path name and the directory statement to
        // expand to /var/log/named/example.log
        file "log/named/example.log" versions 3 size 250k;
        // only log info and up messages - all others discarded
        severity info;
    };
    category default {
        example_log;
    };
};
// Provide forward mapping zone for localhost
// (optional)
zone "localhost" {
    type primary;
    file "master/localhost-forward.db";
    notify no;
};
// Provide reverse mapping zone for the loopback
// address 127.0.0.1
zone "0.0.127.in-addr.arpa" {
    type primary;
    file "localhost.rev";
    notify no;
};
// We are the primary server for example.com
zone "example.com" {
    // this is the primary name server for the zone
    type primary;
    file "example.com";
    // this is the default
    notify yes;
    // IP addresses of secondary servers allowed to
    // transfer example.com from this server
    allow-transfer {
        192.168.4.14;
        192.168.5.53;
    };
};
The added statements and blocks are commented in the above file.
The zone block, and the allow-query, allow-query-cache, allow-transfer, file, notify, recursion, and type statements are described in detail in the appropriate sections.
3.2.2. Secondary Authoritative Name Server
The zone files localhost-forward.db and localhost.rev are unmodified from the base samples. The example.com zone file is not required (the zone file is obtained from the primary via zone transfer). The named.conf file has been modified as shown:
// authoritative secondary named.conf file
// options clause defining the server-wide properties
options {
    // all relative paths use this directory as a base
    directory "/var";
    // version statement for security to avoid hacking known weaknesses
    // if the real version number is revealed
    version "not currently available";
    // This is the default - allows user queries from any IP
    allow-query { any; };
    // normal server operations may place items in the cache
    // this prevents any user query from accessing these items
    // only authoritative zone data will be returned
    allow-query-cache { none; };
    // Do not provide recursive service to user queries
    recursion no;
};
// logging clause
// log to /var/log/named/example.log all events from info UP in severity (no debug)
// uses 3 files in rotation swaps files when size reaches 250K
// failure messages that occur before logging is established are
// in syslog (/var/log/messages)
//
logging {
    channel example_log {
        // uses a relative path name and the directory statement to
        // expand to /var/log/named/example.log
        file "log/named/example.log" versions 3 size 250k;
        // only log info and up messages - all others discarded
        severity info;
    };
    category default {
        example_log;
    };
};
// Provide forward mapping zone for localhost
// (optional)
zone "localhost" {
    type primary;
    file "master/localhost-forward.db";
    notify no;
};
// Provide reverse mapping zone for the loopback
// address 127.0.0.1
zone "0.0.127.in-addr.arpa" {
    type primary;
    file "localhost.rev";
    notify no;
};
// We are the secondary server for example.com
zone "example.com" {
    // this is a secondary server for the zone
    type secondary;
    // the file statement here allows the secondary to save
    // each zone transfer so that in the event of a program restart
    // the zone can be loaded immediately and the server can start
    // to respond to queries without waiting for a zone transfer
    file "example.com.saved";
    // IP address of example.com primary server
    primaries { 192.168.254.2; };
};
The statements and blocks added are all commented in the above file.
The zone block, and the allow-query, allow-query-cache, allow-transfer, file, primaries, recursion, and type statements are described in detail in the appropriate sections.
If NOTIFY is not being used, no changes are required in this named.conf file, since it is the primary that initiates the NOTIFY message.
Note
Just when the reader thought they understood primary and secondary, things can get more complicated. A secondary zone can also be a primary to other secondaries: named, by default, sends NOTIFY messages for every zone it loads. Specifying notify primary-only; in the zone block for the secondary causes named to only send NOTIFY messages for primary zones that it loads.
3.3. Resolver (Caching Name Servers)
Resolvers handle recursive user queries and provide complete answers; that is, they issue one or more iterative queries to the DNS hierarchy. Having obtained a complete answer (or an error), a resolver passes the answer to the user and places it in its cache. Subsequent user requests for the same query will be answered from the resolver's cache until the TTL of the cached answer has expired, when it will be flushed from the cache; the next user query that requests the same information results in a new series of queries to the DNS hierarchy.
Resolvers are frequently referred to by a bewildering variety of names, including caching name servers, recursive name servers, forwarding resolvers, area resolvers, and full-service resolvers.
The following diagram shows how resolvers can function in a typical networked environment:
Figure: Resolver and Forwarding Resolver
- End-user systems are all distributed with a local stub resolver as a standard feature. Today, the majority of stub resolvers also provide a local cache service to speed up user response times.
- A stub resolver has limited functionality; specifically, it cannot follow referrals. When a stub resolver receives a request for a name from a local program, such as a browser, and the answer is not in its local cache, it sends a recursive user query (1) to a locally configured resolver (5), which may have the answer available in its cache. If it does not, it issues iterative queries (2) to the DNS hierarchy to obtain the answer. The resolver to which the local system sends the user query is configured, for Linux and Unix hosts, in /etc/resolv.conf; for Windows users it is configured or changed via the Control Panel or Settings interface.
- Alternatively, the user query can be sent to a forwarding resolver (4). Forwarding resolvers at first glance look fairly pointless, since they appear to be acting as a simple pass-through and, like the stub resolver, require a full-service resolver (5). However, forwarding resolvers can be very powerful additions to a network for the following reasons:
  - Cost and Performance. Each recursive user query (1) at the forwarding resolver (4) results in two messages, the query and its answer. The resolver (5) may have to issue three, four, or more query pairs (2) to get the required answer. Traffic is reduced dramatically, increasing performance or reducing cost (if the link is tariffed). Additionally, since the forwarding resolver is typically shared across multiple hosts, its cache is more likely to contain answers, again improving user performance.
  - Network Maintenance. Forwarding resolvers (4) can be used to ease the burden of local administration by providing a single point at which changes to remote name servers can be managed, rather than having to update all hosts. Thus, all hosts in a particular network section or area can be configured to point to a forwarding resolver, which can be configured to stream DNS traffic as desired and changed over time with minimal effort.
  - Sanitizing Traffic. Especially in larger private networks it may be sensible to stream DNS traffic using a forwarding resolver structure. The forwarding resolver (4) may be configured, for example, to handle all in-domain traffic (relatively safe) and forward all external traffic to a hardened resolver (5).
  - Stealth Networks. Forwarding resolvers are extensively used in stealth or split networks.
- Forwarding resolvers (4) can be configured to forward all traffic to a resolver (5), or to only forward selective traffic (5) while directly resolving other traffic (3).
Attention
While the diagram above shows recursive user queries arriving via interface (1), there is nothing to stop them from arriving via interface (2) via the public network. If no limits are placed on the source IPs that can send such queries, the resolver is termed an open resolver. Indeed, when the world was young this was the way things worked on the Internet. Much has changed and what seems to be a friendly, generous action can be used by rogue actors to cause all kinds of problems including Denial of Service (DoS) attacks. Resolvers should always be configured to limit the IP addresses that can use their services. BIND 9 provides a number of statements and blocks to simplify defining these IP limits and configuring a closed resolver. The resolver samples given here all configure closed resolvers using a variety of techniques.
3.3.1. Additional Zone Files
3.3.1.1. Root Servers (Hint) Zone File
Resolvers (although not necessarily forwarding resolvers) need to access the DNS hierarchy. To do this, they need to know the addresses (IPv4 and/or IPv6) of the 13 root servers. This is done by the provision of a root server zone file, which is contained in the standard BIND 9 distribution as the file named.root (normally found in /etc/namedb or /usr/local/namedb). This file may also be obtained from the IANA website (https://www.iana.org/domains/root/files).
Note
Many distributions rename this file for historical reasons. Consult the appropriate distribution documentation for the actual file name.
The hint zone file is referenced using the type hint statement and a zone (domain) name of "." (the generally silent dot).
Note
The root server IP addresses have been stable for a number of years and are likely to remain stable for the near future. BIND 9 has a root-server list in its executable such that even if this file is omitted, out-of-date, or corrupt BIND 9 can still function. For this reason, many sample configurations omit the hints file. All the samples given here include the hints file primarily as a reminder of the functionality of the configuration, rather than as an absolute necessity.
3.3.1.2. Private IP Reverse Map Zone Files
Resolvers are configured to send iterative queries to the public DNS hierarchy when the information requested is not in their cache or not defined in any local zone file. Many networks make extensive use of private IP addresses (defined by RFC 1918, RFC 2193, RFC 5737, and RFC 6598). By their nature these IP addresses are forward-mapped in various user zone files. However, certain applications may issue reverse map queries (mapping an IP address to a name). If the private IP addresses are not defined in one or more reverse-mapped zone file(s), the resolver sends them to the DNS hierarchy where they are simply useless traffic, slowing down DNS responses for all users.
Private IP addresses may be defined using standard reverse-mapping techniques or using the empty-zones-enable statement. By default this statement is set to empty-zones-enable yes; and thus automatically prevents unnecessary DNS traffic by sending an NXDOMAIN error response (indicating the name does not exist) to any request. However, some applications may require a genuine answer to such reverse-mapped requests or they will fail to function. Mail systems in particular perform reverse DNS queries as a first-line spam check; in this case a reverse-mapped zone file is essential. The sample configuration files given here for both the resolver and the forwarding resolver provide a reverse-mapping zone file for the private IP address 192.168.254.4, which is the mail server address in the base zone file, as an illustration of the reverse-map technique. The file is named 192.168.254.rev and has a zone name of 254.168.192.in-addr.arpa.
; reverse map zone file for 192.168.254.4 only
$TTL 2d  ; 172800 seconds
$ORIGIN 254.168.192.IN-ADDR.ARPA.
@       IN      SOA   ns1.example.com. hostmaster.example.com. (
                      2003080800 ; serial number
                      3h         ; refresh
                      15m        ; update retry
                      3w         ; expiry
                      3h         ; nx = nxdomain ttl
                      )
; only one NS is required for this local file
; and is an out of zone name
        IN      NS      ns1.example.com.
; other IP addresses can be added as required
; this maps 192.168.254.4 as shown
4       IN      PTR     mail.example.com. ; fully qualified domain name (FQDN)
3.3.2. Resolver Configuration
The resolver provides recursive query support to a defined set of IP addresses. It is therefore a closed resolver and cannot be used in wider network attacks.
// resolver named.conf file
// Two corporate subnets we wish to allow queries from
// defined in an acl clause
acl corpnets {
    192.168.4.0/24;
    192.168.7.0/24;
};
// options clause defining the server-wide properties
options {
    // all relative paths use this directory as a base
    directory "/var";
    // version statement for security to avoid hacking known weaknesses
    // if the real version number is revealed
    version "not currently available";
    // this is the default
    recursion yes;
    // recursive queries only allowed from these ips
    // and references the acl clause
    allow-query { corpnets; };
    // this ensures that any reverse map for private IPs
    // not defined in a zone file will *not* be passed to the public network
    // it is the default value
    empty-zones-enable yes;
};
// logging clause
// log to /var/log/named/example.log all events from info UP in severity (no debug)
// uses 3 files in rotation swaps files when size reaches 250K
// failure messages that occur before logging is established are
// in syslog (/var/log/messages)
//
logging {
    channel example_log {
        // uses a relative path name and the directory statement to
        // expand to /var/log/named/example.log
        file "log/named/example.log" versions 3 size 250k;
        // only log info and up messages - all others discarded
        severity info;
    };
    category default {
        example_log;
    };
};
// zone file for the root servers
// discretionary zone (see root server discussion above)
zone "." {
    type hint;
    file "named.root";
};
// zone file for the localhost forward map
// discretionary zone depending on hosts file (see discussion)
zone "localhost" {
    type primary;
    file "masters/localhost-forward.db";
    notify no;
};
// zone file for the loopback address
// necessary zone
zone "0.0.127.in-addr.arpa" {
    type primary;
    file "localhost.rev";
    notify no;
};
// zone file for local IP reverse map
// discretionary file depending on requirements
zone "254.168.192.in-addr.arpa" {
    type primary;
    file "192.168.254.rev";
    notify no;
};
The zone and acl blocks, and the allow-query, empty-zones-enable, file, notify, recursion, and type statements are described in detail in the appropriate sections.
As a reminder, the configuration of this resolver does not access the DNS hierarchy (does not use the public network) for any recursive query for which:
- The answer is already in the cache.
- The domain name is localhost (zone localhost).
- It is a reverse-map query for 127.0.0.1 (zone 0.0.127.in-addr.arpa).
- It is a reverse-map query for 192.168.254/24 (zone 254.168.192.in-addr.arpa).
- It is a reverse-map query for any local IP (empty-zones-enable statement).
All other recursive queries will result in access to the DNS hierarchy to resolve the query.
3.3.3. Forwarding Resolver Configuration
This forwarding resolver configuration forwards all recursive queries, other than those for the defined zones and those for which the answer is already in its cache, to a full-service resolver at the IP address 192.168.250.3, with an alternative at 192.168.230.27. The forwarding resolver will cache all responses from these servers. The configuration is closed, in that it defines those IPs from which it will accept recursive queries.
A second configuration in which selective forwarding occurs is also provided.
// forwarding named.conf file
// Two corporate subnets we wish to allow queries from
// defined in an acl clause
acl corpnets {
192.168.4.0/24;
192.168.7.0/24;
};
// options clause defining the server-wide properties
options {
// all relative paths use this directory as a base
directory "/var";
// version statement for security to avoid hacking known weaknesses
// if the real version number is revealed
version "not currently available";
// this is the default
recursion yes;
// recursive queries only allowed from these ips
// and references the acl clause
allow-query { corpnets; };
// this ensures that any reverse map for private IPs
// not defined in a zone file will *not* be passed to the public network
// it is the default value
empty-zones-enable yes;
// this defines the addresses of the resolvers to which queries will be forwarded
forwarders {
192.168.250.3;
192.168.230.27;
};
// indicates all queries will be forwarded other than for defined zones
forward only;
};
// logging clause
// log to /var/log/named/example.log all events from info UP in severity (no debug)
// uses 3 files in rotation swaps files when size reaches 250K
// failure messages that occur before logging is established are
// in syslog (/var/log/messages)
//
logging {
channel example_log {
// uses a relative path name and the directory statement to
// expand to /var/log/named/example.log
file "log/named/example.log" versions 3 size 250k;
// only log info and up messages - all others discarded
severity info;
};
category default {
example_log;
};
};
// hints zone file is not required
// zone file for the localhost forward map
// discretionary zone depending on hosts file (see discussion)
zone "localhost" {
type primary;
file "masters/localhost-forward.db";
notify no;
};
// zone file for the loopback address
// necessary zone
zone "0.0.127.in-addr.arpa" {
type primary;
file "localhost.rev";
notify no;
};
// zone file for local IP reverse map
// discretionary file depending on requirements
zone "254.168.192.in-addr.arpa" {
type primary;
file "192.168.254.rev";
notify no;
};
The zone and acl blocks, and the allow-query, empty-zones-enable, file, forward, forwarders, notify, recursion, and type statements are described in detail in the appropriate sections.
As a reminder, the configuration of this forwarding resolver does not forward any recursive query for which:
- The answer is already in the cache.
- The domain name is localhost (zone localhost).
- It is a reverse-map query for 127.0.0.1 (zone 0.0.127.in-addr.arpa).
- It is a reverse-map query for 192.168.254/24 (zone 254.168.192.in-addr.arpa).
- It is a reverse-map query for any local IP (empty-zones-enable statement).
All other recursive queries will be forwarded to resolve the query.
3.3.4. Selective Forwarding Resolver Configuration
This forwarding resolver configuration only forwards recursive queries for the zone example.com to the resolvers at 192.168.250.3 and 192.168.230.27. All other recursive queries, other than those for the defined zones and those for which the answer is already in its cache, are handled by this resolver. The forwarding resolver will cache all responses from both the public network and from the forwarded resolvers. The configuration is closed, in that it defines those IPs from which it will accept recursive queries.
// selective forwarding named.conf file
// Two corporate subnets we wish to allow queries from
// defined in an acl clause
acl corpnets {
192.168.4.0/24;
192.168.7.0/24;
};
// options clause defining the server-wide properties
options {
// all relative paths use this directory as a base
directory "/var";
// version statement for security to avoid hacking known weaknesses
// if the real version number is revealed
version "not currently available";
// this is the default
recursion yes;
// recursive queries only allowed from these ips
// and references the acl clause
allow-query { corpnets; };
// this ensures that any reverse map for private IPs
// not defined in a zone file will *not* be passed to the public network
// it is the default value
empty-zones-enable yes;
// forwarding is not global but selective by zone in this configuration
};
// logging clause
// log to /var/log/named/example.log all events from info UP in severity (no debug)
// uses 3 files in rotation swaps files when size reaches 250K
// failure messages that occur before logging is established are
// in syslog (/var/log/messages)
//
logging {
channel example_log {
// uses a relative path name and the directory statement to
// expand to /var/log/named/example.log
file "log/named/example.log" versions 3 size 250k;
// only log info and up messages - all others discarded
severity info;
};
category default {
example_log;
};
};
// zone file for the root servers
// discretionary zone (see root server discussion above)
zone "." {
type hint;
file "named.root";
};
// zone file for the localhost forward map
// discretionary zone depending on hosts file (see discussion)
zone "localhost" {
type primary;
file "masters/localhost-forward.db";
notify no;
};
// zone file for the loopback address
// necessary zone
zone "0.0.127.in-addr.arpa" {
type primary;
file "localhost.rev";
notify no;
};
// zone file for local IP reverse map
// discretionary file depending on requirements
zone "254.168.192.in-addr.arpa" {
type primary;
file "192.168.254.rev";
notify no;
};
// zone file forwarded example.com
zone "example.com" {
type forward;
// this defines the addresses of the resolvers to
// which queries for this zone will be forwarded
forwarders {
192.168.250.3;
192.168.230.27;
};
// indicates all queries for this zone will be forwarded
forward only;
};
The zone and acl blocks, and the allow-query, empty-zones-enable, file, forward, forwarders, notify, recursion, and type statements are described in detail in the appropriate sections.
As a reminder, the configuration of this resolver does not access the DNS hierarchy (does not use the public network) for any recursive query for which:
- The answer is already in the cache.
- The domain name is localhost (zone localhost).
- It is a reverse-map query for 127.0.0.1 (zone 0.0.127.in-addr.arpa).
- It is a reverse-map query for 192.168.254/24 (zone 254.168.192.in-addr.arpa).
- It is a reverse-map query for any local IP (empty-zones-enable statement).
- It is a query for the domain name example.com, in which case it will be forwarded to either 192.168.250.3 or 192.168.230.27 (zone example.com).
All other recursive queries will result in access to the DNS hierarchy to resolve the query.
3.4. Load Balancing
A primitive form of load balancing can be achieved in the DNS by using multiple resource records (RRs) in a zone file (such as multiple A records) for one name.
For example, assuming three HTTP servers with network addresses of 10.0.0.1, 10.0.0.2, and 10.0.0.3, a set of records such as the following means that clients will connect to each machine one-third of the time:
| Name | TTL | CLASS | TYPE | Resource Record (RR) Data |
|---|---|---|---|---|
| www | 600 | IN | A | 10.0.0.1 |
| | 600 | IN | A | 10.0.0.2 |
| | 600 | IN | A | 10.0.0.3 |
When a resolver queries for these records, BIND rotates them and responds to the query with the records in a random order. In the example above, clients randomly receive records in the order 1, 2, 3; 2, 3, 1; and 3, 1, 2. Most clients use the first record returned and discard the rest.
For more detail on ordering responses, refer to the rrset-order statement in the options block.
3.5. Zone File
This section, largely borrowed from RFC 1034, describes the concept of a Resource Record (RR) and explains how to use them.
3.5.1. Resource Records
A domain name identifies a node in the DNS tree namespace. Each node has a set of resource information, which may be empty. The set of resource information associated with a particular name is composed of separate RRs. The order of RRs in a set is not significant and need not be preserved by name servers, resolvers, or other parts of the DNS. However, sorting of multiple RRs is permitted for optimization purposes: for example, to specify that a particular nearby server be tried first. See sortlist and RRset Ordering.
The components of a Resource Record are:
- owner name: The domain name where the RR is found.
- RR type: An encoded 16-bit value that specifies the type of the resource record. For a list of types of valid RRs, including those that have been obsoleted, please refer to https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml#dns-parameters-4.
- TTL: The time-to-live of the RR. This field is a 32-bit integer in units of seconds, and is primarily used by resolvers when they cache RRs. The TTL describes how long an RR can be cached before it should be discarded.
- class: An encoded 16-bit value that identifies a protocol family or an instance of a protocol.
- RDATA: The resource data. The format of the data is type- and sometimes class-specific.
The following classes of resource records are currently valid in the DNS:
- IN: The Internet. The only widely used class today.
- CH: Chaosnet, a LAN protocol created at MIT in the mid-1970s. It was rarely used for its historical purpose, but was reused for BIND’s built-in server information zones, e.g., version.bind.
- HS: Hesiod, an information service developed by MIT’s Project Athena. It was used to share information about various systems databases, such as users, groups, printers, etc.
The owner name is often implicit, rather than forming an integral part of the RR. For example, many name servers internally form tree or hash structures for the name space, and chain RRs off nodes. The remaining RR parts are the fixed header (type, class, TTL), which is consistent for all RRs, and a variable part (RDATA) that fits the needs of the resource being described.
The TTL field is a time limit on how long an RR can be kept in a cache. This limit does not apply to authoritative data in zones; that also times out, but follows the refreshing policies for the zone. The TTL is assigned by the administrator for the zone where the data originates. While short TTLs can be used to minimize caching, and a zero TTL prohibits caching, the realities of Internet performance suggest that these times should be on the order of days for the typical host. If a change is anticipated, the TTL can be reduced prior to the change to minimize inconsistency, and then increased back to its former value following the change.
The data in the RDATA section of RRs is carried as a combination of binary strings and domain names. The domain names are frequently used as “pointers” to other data in the DNS.
3.5.1.1. Textual Expression of RRs
RRs are represented in binary form in the packets of the DNS protocol, and are usually represented in highly encoded form when stored in a name server or resolver. In the examples provided in RFC 1034, a style similar to that used in primary files was employed in order to show the contents of RRs. In this format, most RRs are shown on a single line, although continuation lines are possible using parentheses.
The start of the line gives the owner of the RR. If a line begins with a blank, then the owner is assumed to be the same as that of the previous RR. Blank lines are often included for readability.
Following the owner are listed the TTL, type, and class of the RR. Class and type use the mnemonics defined above, and TTL is an integer before the type field. To avoid ambiguity in parsing, type and class mnemonics are disjoint, TTLs are integers, and the type mnemonic is always last. The IN class and TTL values are often omitted from examples in the interest of clarity.
The resource data or RDATA section of the RR is given using knowledge of the typical representation for the data.
For example, the RRs carried in a message might be shown as:
ISI.EDU.        MX  10 VENERA.ISI.EDU.
                MX  10 VAXA.ISI.EDU
VENERA.ISI.EDU  A   128.9.0.32
                A   10.1.0.52
VAXA.ISI.EDU    A   10.2.0.27
                A   128.9.0.33
The MX RRs have an RDATA section which consists of a 16-bit number followed by a domain name. The address RRs use a standard IP address format to contain a 32-bit Internet address.
The above example shows six RRs, with two RRs at each of three domain names.
Here is another possible example:
XX.LCS.MIT.EDU. IN  A   10.0.0.44
                CH  A   MIT.EDU. 2420
This shows two addresses for XX.LCS.MIT.EDU, each of a different class.
3.5.2. Discussion of MX Records
As described above, domain servers store information as a series of resource records, each of which contains a particular piece of information about a given domain name (which is usually, but not always, a host). The simplest way to think of an RR is as a typed pair of data, a domain name matched with a relevant datum and stored with some additional type information, to help systems determine when the RR is relevant.
MX records are used to control delivery of email. The data specified in the record is a priority and a domain name. The priority controls the order in which email delivery is attempted, with the lowest number first. If two priorities are the same, a server is chosen randomly. If no servers at a given priority are responding, the mail transport agent falls back to the next largest priority. Priority numbers do not have any absolute meaning; they are relevant only respective to other MX records for that domain name. The domain name given is the machine to which the mail is delivered. It must have an associated address record (A or AAAA); CNAME is not sufficient.
For a given domain, if there is both a CNAME record and an MX record, the MX record is in error and is ignored. Instead, the mail is delivered to the server specified in the MX record pointed to by the CNAME. For example:
example.com.        IN  MX  10  mail.example.com.
                    IN  MX  10  mail2.example.com.
                    IN  MX  20  mail.backup.org.
mail.example.com.   IN  A   10.0.0.1
mail2.example.com.  IN  A   10.0.0.2
Mail delivery is attempted to mail.example.com and mail2.example.com (in any order); if neither of those succeeds, delivery to mail.backup.org is attempted.
3.5.3. Setting TTLs
The time-to-live (TTL) of the RR field is a 32-bit integer represented in units of seconds, and is primarily used by resolvers when they cache RRs. The TTL describes how long an RR can be cached before it should be discarded. The following three types of TTLs are currently used in a zone file.
- SOA minimum: The last field in the SOA is the negative caching TTL. This controls how long other servers cache no-such-domain (NXDOMAIN) responses from this server. Further details can be found in RFC 2308. The maximum time for negative caching is 3 hours (3h).
- $TTL: The $TTL directive at the top of the zone file (before the SOA) gives a default TTL for every RR without a specific TTL set.
- RR TTLs: Each RR can have a TTL as the second field in the RR, which controls how long other servers can cache it.
All of these TTLs default to units of seconds, though units can be explicitly specified: for example, 1h30m.
3.5.4. Inverse Mapping in IPv4
Reverse name resolution (that is, translation from IP address to name) is achieved by means of the in-addr.arpa domain and PTR records. Entries in the in-addr.arpa domain are made in least-to-most significant order, read left to right. This is the opposite order to the way IP addresses are usually written. Thus, a machine with an IP address of 10.1.2.3 would have a corresponding in-addr.arpa name of 3.2.1.10.in-addr.arpa. This name should have a PTR resource record whose data field is the name of the machine or, optionally, multiple PTR records if the machine has more than one name.
For example, in the example.com domain:
$ORIGIN 2.1.10.in-addr.arpa
3       IN      PTR     foo.example.com.
Note
The $ORIGIN line in this example is only to provide context; it does not necessarily appear in the actual usage. It is only used here to indicate that the example is relative to the listed origin.
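The octet reversal above, as an added example (not code from the BIND documentation): it computes the in-addr.arpa name of an address, the $ORIGIN of the reverse zone that holds it, and the zone-relative PTR lines, as in the 192.168.254.rev file earlier in this chapter. It generalizes to /8 and /16 zones, where the relative owner has several labels; the networks and host names are constructed sample input.

```python
import ipaddress


def reverse_name(ip):
    """in-addr.arpa name of an IPv4 address: octets in least-to-most
    significant order (10.1.2.3 -> 3.2.1.10.in-addr.arpa.)."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    return ".".join(reversed(str(addr).split("."))) + ".in-addr.arpa."


def reverse_zone_origin(network):
    """$ORIGIN of the reverse zone covering an octet-aligned network,
    e.g. 10.1.2.0/24 -> 2.1.10.in-addr.arpa. (prefix length 8, 16 or 24)."""
    net = ipaddress.IPv4Network(network, strict=True)
    if net.prefixlen not in (8, 16, 24):
        # sub-/24 delegations need the RFC 2317 CNAME scheme; not handled here
        raise ValueError(f"{network}: prefix length must be 8, 16 or 24")
    keep = net.prefixlen // 8
    octets = str(net.network_address).split(".")[:keep]
    return ".".join(reversed(octets)) + ".in-addr.arpa."


def ptr_records(network, hosts):
    """PTR lines of a reverse zone file for `network`, owner names relative
    to the zone's $ORIGIN. `hosts` maps address -> list of FQDNs; a machine
    with several names gets several PTR records."""
    net = ipaddress.IPv4Network(network, strict=True)
    origin = reverse_zone_origin(network)
    suffix = "." + origin
    lines = [f"$ORIGIN {origin}"]
    for ip in sorted(hosts, key=ipaddress.IPv4Address):
        if ipaddress.IPv4Address(ip) not in net:
            raise ValueError(f"{ip} is outside {network}")
        owner = reverse_name(ip)[: -len(suffix)]  # strip origin: relative owner
        for fqdn in hosts[ip]:
            if not fqdn.endswith("."):
                raise ValueError(f"{fqdn}: PTR target must be fully qualified")
            lines.append(f"{owner} IN PTR {fqdn}")
    return lines


if __name__ == "__main__":
    # constructed sample: the mail server from this chapter's base zone file
    for line in ptr_records("192.168.254.0/24", {"192.168.254.4": ["mail.example.com."]}):
        print(line)  # $ORIGIN 254.168.192.in-addr.arpa. / 4 IN PTR mail.example.com.
```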
3.5.5. Other Zone File Directives
The DNS “master file” format was initially defined in RFC 1035 and has subsequently been extended. While the format itself is class-independent, all records in a zone file must be of the same class.
Master file directives include $ORIGIN, $INCLUDE, and $TTL.
3.5.5.1. The @ (at-sign)
When used in the label (or name) field, the asperand or at-sign (@) symbol represents the current origin. At the start of the zone file, it is the <zone_name>, followed by a trailing dot (.).
3.5.5.2. The $ORIGIN Directive
Syntax: $ORIGIN domain-name [comment]
$ORIGIN sets the domain name that is appended to any unqualified records. When a zone is first read, there is an implicit `$ORIGIN <zone_name>.`; note the trailing dot. The current $ORIGIN is appended to the domain specified in the $ORIGIN argument if it is not absolute.
$ORIGIN example.com.
WWW CNAME MAIN-SERVER
is equivalent to
WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
3.5.5.3. The $INCLUDE Directive
Syntax: $INCLUDE filename [origin] [comment]
This reads and processes the file filename as if it were included in the file at this point. The filename can be an absolute path, or a relative path. In the latter case it is read from named’s working directory. If origin is specified, the file is processed with $ORIGIN set to that value; otherwise, the current $ORIGIN is used.
The origin and the current domain name revert to the values they had prior to the $INCLUDE once the file has been read.
Note
RFC 1035 specifies that the current origin should be restored after an $INCLUDE, but it is silent on whether the current domain name should also be restored. BIND 9 restores both of them. This could be construed as a deviation from RFC 1035, a feature, or both.
3.5.5.4. The $TTL Directive
Syntax: $TTL default-ttl [comment]
This sets the default Time-To-Live (TTL) for subsequent records with undefined TTLs. Valid TTLs are of the range 0-2147483647 seconds.
$TTL is defined in RFC 2308.
3.5.6. BIND Primary File Extension: the $GENERATE Directive
Syntax: $GENERATE range owner [ttl] [class] type rdata [comment]
$GENERATE is used to create a series of resource records that only differ from each other by an iterator.
- range: This can be one of two forms: start-stop or start-stop/step. If the first form is used, then step is set to 1. “start”, “stop”, and “step” must be positive integers between 0 and (2^31)-1. “start” must not be larger than “stop”.
- owner: This describes the owner name of the resource records to be created. The owner string may include one or more $ (dollar sign) symbols, which will be replaced with the iterator value when generating records; see below for details.
- ttl: This specifies the time-to-live of the generated records. If not specified, this is inherited using the normal TTL inheritance rules. class and ttl can be entered in either order.
- class: This specifies the class of the generated records. This must match the zone class if it is specified. class and ttl can be entered in either order.
- type: This can be any valid type.
- rdata: This is a string containing the RDATA of the resource record to be created. As with owner, the rdata string may include one or more $ symbols, which are replaced with the iterator value. rdata may be quoted if there are spaces in the string; the quotation marks do not appear in the generated record.
Any single $ (dollar sign) symbols within the owner or rdata strings are replaced by the iterator value. To get a $ in the output, escape the $ using a backslash \, e.g., \$. (For compatibility with earlier versions, $$ is also recognized as indicating a literal $ in the output.)
The $ may optionally be followed by modifiers which change the offset from the iterator, field width, and base. Modifiers are introduced by a { (left brace) immediately following the $, as in ${offset[,width[,base]]}. For example, ${-20,3,d} subtracts 20 from the current value and prints the result as a decimal in a zero-padded field of width 3. Available output forms are decimal (d), octal (o), hexadecimal (x or X for uppercase), and nibble (n or N for uppercase). The modifier cannot contain whitespace or newlines.
The default modifier is ${0,0,d}. If the owner is not absolute, the current $ORIGIN is appended to the name.
In nibble mode, the value is treated as if it were a reversed hexadecimal string, with each hexadecimal digit as a separate label. The width field includes the label separator.
Examples:
$GENERATE can be used to easily generate the sets of records required to support sub-/24 reverse delegations described in RFC 2317:
$ORIGIN 0.0.192.IN-ADDR.ARPA.
$GENERATE 1-2 @ NS SERVER$.EXAMPLE.
$GENERATE 1-127 $ CNAME $.0
is equivalent to
0.0.0.192.IN-ADDR.ARPA. NS SERVER1.EXAMPLE.
0.0.0.192.IN-ADDR.ARPA. NS SERVER2.EXAMPLE.
1.0.0.192.IN-ADDR.ARPA. CNAME 1.0.0.0.192.IN-ADDR.ARPA.
2.0.0.192.IN-ADDR.ARPA. CNAME 2.0.0.0.192.IN-ADDR.ARPA.
...
127.0.0.192.IN-ADDR.ARPA. CNAME 127.0.0.0.192.IN-ADDR.ARPA.
This example creates a set of A and MX records. Note the MX’s rdata is a quoted string; the quotes are stripped when $GENERATE is processed:
$ORIGIN EXAMPLE.
$GENERATE 1-127 HOST-$ A 1.2.3.$
$GENERATE 1-127 HOST-$ MX "0 ."
is equivalent to
HOST-1.EXAMPLE. A 1.2.3.1
HOST-1.EXAMPLE. MX 0 .
HOST-2.EXAMPLE. A 1.2.3.2
HOST-2.EXAMPLE. MX 0 .
HOST-3.EXAMPLE. A 1.2.3.3
HOST-3.EXAMPLE. MX 0 .
...
HOST-127.EXAMPLE. A 1.2.3.127
HOST-127.EXAMPLE. MX 0 .
This example generates A and AAAA records using modifiers; the AAAA owner names are generated using nibble mode:
$ORIGIN EXAMPLE.
$GENERATE 0-2 HOST-${0,4,d} A 1.2.3.${1,0,d}
$GENERATE 1024-1026 ${0,3,n} AAAA 2001:db8::${0,4,x}
is equivalent to:
HOST-0000.EXAMPLE. A 1.2.3.1
HOST-0001.EXAMPLE. A 1.2.3.2
HOST-0002.EXAMPLE. A 1.2.3.3
0.0.4.EXAMPLE. AAAA 2001:db8::400
1.0.4.EXAMPLE. AAAA 2001:db8::401
2.0.4.EXAMPLE. AAAA 2001:db8::402
The $GENERATE directive is a BIND extension and not part of the standard zone file format.
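The expansion rules of this section, as an added example (not code from the BIND project): a Python model of $GENERATE that handles start-stop/step ranges, ttl and class in either order, quoted rdata, the `\$` and `$$` escapes, `${offset,width,base}` modifiers including nibble mode, and $ORIGIN qualification of unqualified owners. It assumes (a simplification, since named parses every RDATA type) that only CNAME, NS, PTR and DNAME rdata is a single domain name to qualify, and prints A/AAAA rdata in canonical form, which is why the page's example shows 2001:db8::400 rather than 2001:db8::0400.

```python
import ipaddress
import re

# Assumption: only these types get $ORIGIN appended to their RDATA; named
# parses every RDATA type, this model handles just the common name types.
NAME_RDATA_TYPES = {"CNAME", "NS", "PTR", "DNAME"}
CLASSES = {"IN", "CH", "HS"}
TTL_RE = re.compile(r"^\d+([smhdw]\d*)*$", re.IGNORECASE)       # 600, 1h30m, 2d
MOD_RE = re.compile(r"\{(-?\d+)(?:,(\d+)(?:,([doxXnN]))?)?\}")   # {offset[,width[,base]]}
TOKEN_RE = re.compile(r'"([^"]*)"|(;.*)|(\S+)')                   # quoted | comment | word
RANGE_RE = re.compile(r"^(\d+)-(\d+)(?:/(\d+))?$")                # start-stop[/step]


def nibbles(value, width):
    """Nibble mode: least-significant hex digit first, one label per digit.
    Digits are emitted until the value is exhausted and the output, label
    separators included, is at least `width` characters long."""
    labels = []
    while True:
        labels.append("0123456789abcdef"[value & 0xF])
        value >>= 4
        if value == 0 and len(".".join(labels)) >= width:
            return ".".join(labels)


def render(value, offset, width, base):
    """Format iterator+offset in the requested base, zero-padded to width."""
    v = value + offset
    if base in "nN":
        out = nibbles(v, width)
        return out.upper() if base == "N" else out
    return format(v, f"0{width}{base}")


def expand(template, value):
    """Replace every $ (with optional {offset,width,base} modifier) in an
    owner or rdata string by the iterator value; '\\$' and '$$' give '$'."""
    out, i = [], 0
    while i < len(template):
        if template[i:i + 2] in ("\\$", "$$"):   # escaped dollar sign
            out.append("$")
            i += 2
        elif template[i] == "$":
            m = MOD_RE.match(template, i + 1)
            if m:                                 # ${offset[,width[,base]]}
                offset, width = int(m.group(1)), int(m.group(2) or 0)
                base, i = m.group(3) or "d", m.end()
            else:                                 # bare $ means ${0,0,d}
                offset, width, base, i = 0, 0, "d", i + 1
            out.append(render(value, offset, width, base))
        else:
            out.append(template[i])
            i += 1
    return "".join(out)


def qualify(name, origin):
    """Append the current $ORIGIN (absolute, trailing dot) to a name that
    is not absolute; '@' stands for the origin itself."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def generate(line, origin):
    """Expand one $GENERATE line into the equivalent list of record lines."""
    tokens = []
    for m in TOKEN_RE.finditer(line):
        if m.group(2) is not None:                # ';' starts a comment
            break
        tokens.append(m.group(1) if m.group(1) is not None else m.group(3))
    if len(tokens) < 5 or tokens[0] != "$GENERATE":
        raise ValueError(f"not a valid $GENERATE line: {line!r}")
    rng, owner, rest = tokens[1], tokens[2], tokens[3:]
    r = RANGE_RE.match(rng)
    if not r:
        raise ValueError(f"bad range {rng!r}")
    start, stop = int(r.group(1)), int(r.group(2))
    step = int(r.group(3)) if r.group(3) else 1
    if start > stop or step < 1 or stop > 2**31 - 1:
        raise ValueError(f"bad range {rng!r}: need start <= stop < 2^31, step >= 1")
    fixed = []                                    # optional ttl and class, either order
    while rest and (rest[0].upper() in CLASSES or TTL_RE.match(rest[0])):
        fixed.append(rest.pop(0))
    if len(rest) < 2:
        raise ValueError("missing type or rdata")
    rtype, rdata = rest[0].upper(), " ".join(rest[1:])
    records = []
    for value in range(start, stop + 1, step):
        name = qualify(expand(owner, value), origin)
        data = expand(rdata, value)
        if rtype in NAME_RDATA_TYPES:
            data = qualify(data, origin)
        elif rtype == "A":                        # validate, canonical text form
            data = str(ipaddress.IPv4Address(data))
        elif rtype == "AAAA":                     # canonical form, as named prints it
            data = str(ipaddress.IPv6Address(data))
        records.append(" ".join([name, *fixed, rtype, data]))
    return records


if __name__ == "__main__":
    for rec in generate("$GENERATE 1024-1026 ${0,3,n} AAAA 2001:db8::${0,4,x}", "EXAMPLE."):
        print(rec)  # 0.0.4.EXAMPLE. AAAA 2001:db8::400, then ...401, ...402
```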
3.5.7. Additional File Formats
In addition to the standard text format, BIND 9 supports the ability to read or dump to zone files in other formats.
The raw format is a binary representation of zone data in a manner similar to that used in zone transfers. Since it does not require parsing text, load time is significantly reduced.
For a primary server, a zone file in raw format is expected to be generated from a text zone file by the named-compilezone command. For a secondary server or a dynamic zone, the zone file is automatically generated when named dumps the zone contents after zone transfer or when applying prior updates, if one of these formats is specified by the masterfile-format option.
If a zone file in raw format needs manual modification, it first must be converted to text format by the named-compilezone command, then converted back after editing. For example:
named-compilezone -f raw -F text -o zonefile.text <origin> zonefile.raw
[edit zonefile.text]
named-compilezone -f text -F raw -o zonefile.raw <origin> zonefile.text