Z/VM DNS (DOMAIN NAME SYSTEM) SUPPORT AND CONFIGURATION STATEMENT


 
 APAR Identifier ...... II14444      Last Changed ........ 08/10/16
 
 Symptom ...... DD DOC               Status ........... INTRAN
 Severity ................... 4      Date Closed .........
 Component .......... INFOPALIB      Duplicate of ........
 Reported Release ......... 001      Fixed Release ............
 Component Name PA LIB INFO ITE      Special Notice
 Current Target Date ..              Flags
 SCP ...................
 Platform ............
 
 Status Detail: Not Available
 
 PE PTF List:
 
 PTF List:
 
 Parent APAR:
 Child APAR list:
 
 ERROR DESCRIPTION:
 IBM strongly recommends that the z/VM DNS server not be
 configured in an internet-facing configuration.  That is, do
 not directly connect the z/VM DNS server to an external network
 such as the public internet.  The following documentation
 presents the supporting data for this recommendation.
 .
 The z/VM DNS server is not a BIND (Berkeley Internet Name
 Domain) implementation and supports only the basic DNS RFCs
 1034 and 1035.  Based on the current usage and the commodity
 nature of DNS servers, the z/VM DNS server is non-strategic
 and IBM has no plans to provide BIND v9 and/or IPv6 support
 for this server.
 .
 IBM recommends that all deployments of the z/VM DNS server be
 in caching-only mode, positioned behind a firewall within a
 trusted network, and pointing to a full-function, current DNS
 server that implements accepted security methods.  This
 configuration is less likely to create an exposure than a
 configuration connected to an external network would, while
 providing efficient caching of name resolution for the z/VM
 TCP/IP server suite.
 .
 Future configuration planning should account for the eventual
 removal of the native DNS server from the z/VM TCP/IP product.
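
 One way to check a deployment against the recommendation above, as an added example that is not IBM's code: it sends a single RFC 1035 query to your own z/VM DNS server and assesses the reply from an internal or an external vantage point. The function names, the sample replies, and the expectation that a caching-only server sets RA and leaves AA clear are assumptions based on standard RFC 1035 behaviour, not on z/VM documentation.

```python
import socket
import struct

# Constructed sample reply headers (not captured from a real z/VM system).
GOOD_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)  # QR, RD, RA
AUTH_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8580, 1, 1, 0, 0)  # QR, AA, RD, RA

def build_query(name, qid=0x1234):
    """Build an RFC 1035 A/IN query with RD (recursion desired) set."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)

def parse_header(msg):
    """Decode the 12-byte RFC 1035 header into the fields the check needs."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "qr": flags >> 15 & 1, "aa": flags >> 10 & 1,
            "ra": flags >> 7 & 1, "rcode": flags & 0xF, "ancount": an}

def probe(server, name, timeout=3.0):
    """Send one UDP query; return the raw reply, or None if nothing comes back."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_query(name), (server, 53))
            return s.recvfrom(512)[0]
        except (socket.timeout, OSError):
            return None

def assess(vantage, reply, qid=0x1234):
    """Return findings for a reply seen from an 'internal' or 'external' vantage."""
    if vantage == "external":
        return [] if reply is None else ["server answers DNS from outside the firewall"]
    if reply is None:
        return ["no reply from inside the trusted network"]
    h = parse_header(reply)
    findings = []
    if not h["qr"] or h["id"] != qid:
        findings.append("reply does not match the query")
    if h["aa"]:
        findings.append("AA set: server holds zone data, so it is not caching-only")
    if not h["ra"]:
        findings.append("RA clear: server is not resolving on behalf of clients")
    return findings
```

 Run `assess("internal", probe(server, name))` from a host inside the trusted network and `assess("external", probe(server, name))` from a host outside the firewall; an empty list from both means the deployment matches the recommendation as far as this check can see.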
 
 LOCAL FIX: