Reference: DNS Deployment Options - BlueCat Address Manager - 8.3.0

Address Manager Administration Guide


The following lists the DNS deployment options that can be configured in Address Manager.

For information about adding DNS Deployment options, refer to Managing DNS Deployment Options.
Each entry below gives the DNS deployment option, its description, and its parameters.
Allow Dynamic Updates
This option takes an ACL or match list as an argument. Only addresses matched on the list are allowed to send updates to the server for that zone.

Use Update Policy for more control over update permissions. Allow Dynamic Updates and Update Policy are mutually exclusive and cannot be set at the same level in Address Manager.

Note: Dynamic DNS updates in an xHA cluster environment must be configured using the physical IP addresses (not a virtual IP address) of the active and passive nodes.
Parameters:
For DNS servers:
  • IP Address or name—allows updates based on IPv4 or IPv6 blocks or individual IP addresses. Name is retained for legacy support of named ACLs, from before full ACL support was added.
  • Key—allows updates based on a TSIG key.
  • ACL—allows updates based on configured ACLs.
For Windows servers:
  • Windows Dynamic Updates—select an option for Windows dynamic updates (None, Nonsecure and secure, or Secure only).
For mixed servers:
  • IP Address or name—allows updates based on IPv4 or IPv6 blocks or individual IP addresses. Name is retained for legacy support of named ACLs, from before full ACL support was added.
  • Key—allows updates based on a TSIG key.
  • ACL—allows updates based on configured ACLs.
  • Windows Dynamic Updates—select an option for Windows dynamic updates (None, Nonsecure and secure, or Secure only).
Note: When Key or ACL is selected, the Exclusion check box appears. Select the Exclusion check box to add an exclusion to a DNS ACL or TSIG key.
Note: Allowing updates based on IP address is considerably less secure than using a TSIG key.
Note: If you select Key, the DHCP server must be configured with a zone declaration signed with the same key.
Allow Notify
Limits the servers that are allowed to send notify messages to a slave zone. This option accepts a list of IPv4 and IPv6 addresses.
Parameters:
  • IP Address or name—allows notify messages based on IPv4 or IPv6 blocks or individual IP addresses. Name is retained for legacy support of named ACLs, from before full ACL support was added.
  • Key—allows notify messages based on a TSIG key.
  • ACL—allows notify messages based on configured ACLs.
Note: When Key or ACL is selected, the Exclusion check box appears. Select the Exclusion check box to add an exclusion to a DNS ACL or TSIG key.
Allow Query
BIND 9 servers can limit, by means of an ACL, the IP addresses that can access a particular view. Addresses in the list are allowed to query that view’s records.
Parameters:
  • IP Address or name—allows queries based on IPv4 or IPv6 blocks or individual IP addresses. Name is retained for legacy support of named ACLs, from before full ACL support was added.
  • Key—allows queries based on a TSIG key.
  • ACL—allows queries based on configured ACLs.
Note: When Key or ACL is selected, the Exclusion check box appears. Select the Exclusion check box to add an exclusion to a DNS ACL or TSIG key.
Allow Query Cache
Provides a list of hosts allowed to query the View’s cache.
Parameters:
  • IP Address or name—allows queries to the View’s cache based on IPv4 or IPv6 blocks or individual IP addresses. Name is retained for legacy support of named ACLs, from before full ACL support was added.
  • Key—allows queries to the View’s cache based on a TSIG key.
  • ACL—allows queries to the View’s cache based on configured ACLs.
Note: When Key or ACL is selected, the Exclusion check box appears. Select the Exclusion check box to add an exclusion to a DNS ACL or TSIG key.
Allow Recursion
Lets users make recursive queries to the server. A list of clients that can perform recursive queries is associated with the server. For more information, refer to Recursive DNS.
Parameters:
  • IP Address or name—allows recursive queries based on IPv4 or IPv6 blocks or individual IP addresses. Name is retained for legacy support of named ACLs, from before full ACL support was added.
  • Key—allows recursive queries based on a TSIG key.
  • ACL—allows recursive queries based on configured ACLs.
Note: When Key or ACL is selected, the Exclusion check box appears. Select the Exclusion check box to add an exclusion to a DNS ACL or TSIG key.
Allow Update Forwarding
Specifies which hosts are allowed to submit dynamic DNS updates to slave zones for forwarding to the master. The default is none, which means that no update forwarding is performed. Specifying values other than none or any is counterproductive unless required (as in Active Directory), because responsibility for update access control must rest with the master server and not the slaves. Enabling this feature on a slave server could expose master servers to cache poisoning attacks, because it relies on the IP address based access control of the insecure slave server.
Parameters:
  • IP Address or name—allows update forwarding based on IPv4 or IPv6 blocks or individual IP addresses. Name is retained for legacy support of named ACLs, from before full ACL support was added.
  • Key—allows update forwarding based on a TSIG key.
  • ACL—allows update forwarding based on configured ACLs.
Note: When Key or ACL is selected, the Exclusion check box appears. Select the Exclusion check box to add an exclusion to a DNS ACL or TSIG key.
Allow Zone Transfer
Prevents zone transfers to any address except those specified in the option.
Parameters:
  • IP Address or name—allows zone transfers based on IPv4 or IPv6 blocks or individual IP addresses. Name is retained for legacy support of named ACLs, from before full ACL support was added.
  • Key—allows zone transfers based on a TSIG key.
  • ACL—allows zone transfers based on configured ACLs.
Note: When Key or ACL is selected, the Exclusion check box appears. Select the Exclusion check box to add an exclusion to a DNS ACL or TSIG key.
DNS64 Contact
Used to specify the contact information for the reverse zones created by DNS64 reverse mapping.
Parameters: In the Email field, specify the email address of the contact.
DNS64 Server
Used to specify the name of the server on which the synthesized IP6.ARPA zone is created.
Parameters: In the FQDN field, specify the fully qualified domain name.
Deny Clients
Defines ACL lists to match clients against. ACL match lists can be defined below the view level, but are a view-global option upon deployment. Clients matched against an ACL defined by this option are denied access to DNS resolution for the view to which the ACL is attached. This option should only be used for views and not zones.
Parameters:
  • IP Address or name—IPv4 or IPv6 blocks or individual IP addresses. Name is retained for legacy support of named ACLs, from before full ACL support was added.
  • Key—TSIG key.
  • ACL—configured ACLs.
Note: When Key or ACL is selected, the Exclusion check box appears. Select the Exclusion check box to add an exclusion to a DNS ACL or TSIG key.
DNSSEC Accept Expired
When enabled, the server accepts expired DNSSEC signatures. This option can be set at the configuration, view, or server level. Enabling this option leaves the server vulnerable to replay attacks.
Parameters: Enabled check box.
DNSSEC Enable
Enables the server to respond to DNS requests from DNSSEC-aware servers. This option can be set at the configuration, view, or server level.
Parameters: Enabled check box.
DNSSEC Must Be Secure
A list of domains and whether they must be signed for the server to accept answers. When the Secured check box is selected, the domains must be signed; when it is not selected, the domains do not need to be signed. This option can be set at the configuration, view, or server level.
Parameters: List of fully qualified domain names. The Secured check box indicates whether the zone must be secure.
DNSSEC Trust Anchors
Provides the public key for trusted zones. This option can be set at the server level.
Parameters: List of fully qualified domain names and their key signing keys. In the FQDN field, type the fully qualified domain name. In the Key field, paste the zone’s public key.
DNSSEC Validation
Enables the server to validate answers from other DNSSEC-enabled servers. This option can be set at the configuration, view, or server level. The DNSSEC Enable and DNSSEC Trust Anchors options must also be set for the server to function properly.
Parameters: Enabled check box.
Forwarding
Provides a list of server IP addresses that are designated as forwarders and also includes the option to disable forwarding for child zones. Off-site queries requiring recursion are sent to these forwarders, thereby managing network traffic efficiently. These addresses are listed in order of preference.

Using this option enables recursion on the server. To prevent the server from performing recursion, add the Forwarding Policy deployment option at the same level as the Forwarding option and set it to Only.
Parameters: Disable Forwarding for Child Zones check box. List of IPv4 or IPv6 addresses.

Forwarding Policy
Indicates whether requests are forwarded only to the caching servers (forwarders), or are forwarded to them first and then answered by this server if the forwarders do not answer.
Parameters: Select an option: first or only.
Lame TTL
Specifies the duration for which the server avoids requesting data from a remote server that is listed as authoritative but is not responding authoritatively.
Parameters: Specify the duration and unit of time.
Match Clients
Defines ACL lists for matching clients. Match lists are defined below the view level, but become a global option upon deployment. Clients matched against an ACL defined by this option are allowed access to DNS resolution for the view to which the ACL is attached. Use this option only for views, not zones.
Parameters:
  • IP Address or name—defines ACL lists for matching clients based on IPv4 or IPv6 blocks or individual IP addresses. Name is retained for legacy support of named ACLs, from before full ACL support was added.
  • Key—defines ACL lists for matching clients based on a TSIG key.
  • ACL—defines ACL lists for matching clients based on configured ACLs.
Note: When Key or ACL is selected, the Exclusion check box appears. Select the Exclusion check box to add an exclusion to a DNS ACL or TSIG key.
Maximum Cache TTL
Defines the length of time that a positive response to a DNS query is held in cache. The default is seven days.
Parameters: Specify the duration and unit of time.
Maximum Cache Size
The maximum size for the DNS cache in bytes, specified as an unsigned 16-bit integer value.
Parameters: Specify a value from 0 to 4,294,967,295.
Maximum Idle Time for Inbound Transfers
For slave servers, the maximum time, in minutes, that an inbound zone transfer remains idle before timing out.
Parameters: Specify the duration and unit of time.
Maximum Idle Time for Outbound Transfers
For master servers, the maximum time, in minutes, that an outbound zone transfer remains idle before timing out.
Parameters: Specify the duration and unit of time.
Maximum Negative Cache TTL
Defines the length of time that a negative response to a DNS query is held in cache. The default is three hours; the maximum is seven days.
Parameters: Specify the duration and unit of time.
Maximum Number of Recursive Clients
Restricts the maximum number of simultaneous recursive clients, specified as an unsigned 16-bit integer.
Parameters: Specify a value from 0 to 4,294,967,295.
Maximum Number of TCP Clients
Restricts the number of concurrent TCP connections that the server processes. The default is 100 clients.
Parameters: Specify a value from 0 to 65,535.
Maximum Number of Transfers per Name Server
For slave servers, limits the total number of inbound zone transfers from any single remote name server that this server requests at any time. The default is 10 transfers.
Parameters: Specify a value from 0 to 65,535.
Maximum Time for Inbound Transfers
The maximum time (in minutes) allowed for a single inbound zone transfer connection to a slave server, specified as an unsigned 16-bit integer value.
Parameters: Specify the duration and unit of time.
Maximum Time for Outbound Transfers
The maximum time (in minutes) allowed for a single outbound zone transfer connection to a slave server, specified as an unsigned 16-bit integer value.
Parameters: Specify the duration and unit of time.
Notify
Used to notify slave servers of changes made to zones.
Parameters: Select one of the following radio buttons:
  • False—do not notify.
  • True—notify name servers listed in NS records.
  • Explicit—notify name servers listed in the Notify Additional Servers deployment option.
Note: If you select False, BDDS stops sending DDNS notifications to Address Manager but can still send DHCP notifications successfully.
Notify Additional Servers
A master DNS server ensures that zone changes are rapidly propagated to slaves by notifying them of the changes. Use this option to add servers that should be notified of changes. This option is not required for slave servers managed by Address Manager, because the deployment engine automatically sets up this notification for slave servers hosting that zone.
Parameters: List of IPv4 or IPv6 addresses.
Notify Source
A DNS server uses the value of this option as the source IPv4 address when sending zone change notifications from a master server to slave servers.
Note: Available only at the view, zone, and IPv4 block/network levels.
Parameters: Valid IPv4 address.
Notify Source v6
A DNS server uses the value of this option as the source IPv6 address when sending zone change notifications from a master server to slave servers.
Note: Available only at the view, zone, and IPv6 block/network levels.
Parameters: Valid IPv6 address.
Reverse Zone Name Format
Allows you to select a reverse zone name format for subclass C classless networks that Address Manager creates automatically. Address Manager supports the following formats:
  • [start-ip]-[net-mask].[net].in-addr.arpa
  • [start-ip]-[end-ip].[net].in-addr.arpa
  • [start-ip]/[net-mask].[net].in-addr.arpa
  • [start-ip]/[end-ip].[net].in-addr.arpa
  • User-specific custom format. This can only be set at the Network level.
For more information on setting a reverse zone name format, refer to Setting reverse zone name format.
Parameters: Select a reverse zone name format from the Format drop-down menu.
Root Hints
This option is required to implement DNS recursion and is defined at the view level for an entire view. When configuring this option, you have two choices for Root Servers: Auto and Specify. If the Auto radio button is selected, the DNS server uses the Internet root servers when performing recursive queries. If the Specify radio button is selected, you can specify the names and IP addresses of one or more Custom Root Servers. These custom root servers are used to create a new root hints file for the DNS server to which this option is deployed. For more information, refer to Recursive DNS.
Parameters: Select an option: Auto or Specify.
Slave Zone Notifications
Enables notifications from a BDDS that is acting as a slave to an RFC-compliant non-BlueCat DNS server.
Note: Slave zone notifications can only be configured at the configuration, view, and zone levels. At each level, only one Slave Zone Notification deployment option is permitted.
Parameters: Select the server that is responsible for sending slave zone notifications to Address Manager (BAM).
Transfer Format
Controls whether the format of zone transfers from the master to the slaves is one-answer (which carries only one resource record in each DNS message) or many-answers (which carries as many resource records as possible). The default setting is many-answers.
Parameters: Select an option: many-answers or one-answer.
TSIG Key for Server Pair
This option overrides the default behavior, in which one TSIG key is generated for each view. Instead, a unique TSIG key is generated for each server pair. For example, a master with two slaves has two TSIG keys generated, one for each master-slave relationship.
Note: All inter-communicating DNS servers enabled with this deployment option must be at the same software level.
Parameters: Click Auto Generate to create the Salt Key.
Transfer Source
A slave DNS server uses the value of this option as the source IP address when sending a request for zone transfer to its master over IPv4.
Note: Available only at the view, zone, and IPv4 block/network levels.
Parameters: Valid IPv4 address.
Transfer Source v6
A slave DNS server uses the value of this option as the source IP address when sending a request for zone transfer to its master over IPv6.
Note: Available only at the view, zone, and IPv6 block/network levels.
Parameters: Valid IPv6 address.
Update Policy
Allows clients matching detailed criteria to update specific records on the server. This option provides more control over updates than the Allow Dynamic Updates option. Allow Dynamic Updates and Update Policy are mutually exclusive and cannot be set at the same level in Address Manager. For more information on setting this option, refer to Update Policy DNS Deployment Option.
Parameters: Specify Privilege, Identity, Nametype, Name, and Resource Record parameters.
Version Information
A custom text string that is returned when the server version is queried. Hiding the real version helps protect against the fingerprinting that typically precedes an attack.
Parameters: Text string.
Use WINS Reverse Lookup
Resolves IP addresses in a Windows DNS server’s reverse zones to NetBIOS names.
Parameters: Specify the following:
  • FQDN—enter the domain name to append to the computer name returned by the WINS server.
  • Cache Timeout—type the cache timeout value to apply to the record. The Cache Timeout value indicates how long the DNS server should cache any of the information returned in a WINS lookup. The default setting is 15 minutes.
  • Lookup Timeout—enter the lookup timeout value to apply to the record. The Lookup Timeout value specifies how long the DNS server should wait before timing out and expiring a WINS lookup performed by the DNS Server service. The default setting is 2 seconds.
Zone Default TTL
The default time to live value for the zone.
Parameters: Specify the duration and unit of time.
Zone Transfers In
Limits the total number of inbound zone transfers from all remote servers that the local name server requests at any one time. The default setting is 10 transfers. Increasing this setting may speed up the convergence of slave zones, but it may also increase the load on the local system.
Parameters: Specify a value from 0 to 65,535.
Zone Transfers Out
The maximum number of simultaneous outbound zone transfers, specified as an unsigned 16-bit integer. The default is 10.
Parameters: Specify a value from 0 to 65,535.
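As an added example (not BlueCat code or documentation), the script below audits a constructed BIND 9 named.conf fragment for the weak settings this reference cautions against under Allow Dynamic Updates, Allow Update Forwarding, Allow Zone Transfer, Allow Recursion, DNSSEC Accept Expired, DNSSEC Validation, and Version Information, and checks a hardened counterpart. The BIND statement names used and the sample configs are assumptions about how these deployment options are rendered on the DNS server.

```python
import re
# Constructed named.conf fragments (BIND 9 syntax) of the kind these deployment
# options produce; the mapping to BIND statements is assumed, not BlueCat's code.
WEAK_CONF = """
options { version "BIND 9.16.1"; allow-recursion { any; }; allow-transfer { any; };
          dnssec-accept-expired yes; dnssec-validation no;
};
zone "example.test" { type master; allow-update { 192.0.2.0/24; };
};
zone "corp.test" { type slave; allow-update-forwarding { any; };
};
"""
HARDENED_CONF = """
options { version "not disclosed"; allow-recursion { 192.0.2.0/24; };
          allow-transfer { key xfer-key; }; dnssec-accept-expired no; dnssec-validation auto;
};
zone "example.test" { type master; update-policy { grant ddns-key zonesub ANY; };
};
zone "corp.test" { type slave; allow-update-forwarding { none; };
};
"""

# Top-level options/zone blocks end with "};" at the start of a line.
BLOCK_RE = re.compile(r'(options|zone\s+"[^"]+")\s*\{(.*?)^\};', re.S | re.M)
STMT_RE = re.compile(r'([\w-]+)\s+(\{[^}]*\}|[^;{}]+);')

def parse_named_conf(text):
    """Return {block label: {statement: normalised value}} for top-level blocks."""
    blocks = {}
    for label, body in BLOCK_RE.findall(text):
        stmts = {}
        for name, value in STMT_RE.findall(body):
            stmts[name] = " ".join(value.strip("{} \n").rstrip(";").split())
        blocks[" ".join(label.split())] = stmts
    return blocks

# (statement, predicate on its value, finding), each drawn from a caution on this page.
CHECKS = [
    ("version", lambda v: re.search(r"\d", v) is not None, "version string enables profiling"),
    ("allow-recursion", lambda v: v == "any", "recursion open to any client"),
    ("allow-transfer", lambda v: v == "any", "zone transfers allowed to any address"),
    ("dnssec-accept-expired", lambda v: v == "yes", "expired signatures accepted (replay)"),
    ("dnssec-validation", lambda v: v == "no", "DNSSEC validation disabled"),
    ("allow-update", lambda v: not v.startswith("key "), "updates by IP, not TSIG key"),
    ("allow-update-forwarding", lambda v: v != "none", "update forwarding on a slave"),
]

def audit(text):
    """Return 'block: statement: finding' strings for every weak setting found."""
    findings = []
    for label, stmts in parse_named_conf(text).items():
        for name, is_weak, msg in CHECKS:
            if name in stmts and is_weak(stmts[name]):
                findings.append(f"{label}: {name}: {msg}")
    return findings
```

Running `audit(WEAK_CONF)` reports seven findings, one per weak statement, while `audit(HARDENED_CONF)` returns an empty list.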