Diffstat (limited to 'contrib/bind9/doc/arm/Bv9ARM.ch03.html')
-rw-r--r-- | contrib/bind9/doc/arm/Bv9ARM.ch03.html | 1057 |
1 files changed, 1057 insertions, 0 deletions
diff --git a/contrib/bind9/doc/arm/Bv9ARM.ch03.html b/contrib/bind9/doc/arm/Bv9ARM.ch03.html new file mode 100644 index 0000000..0b8819e --- /dev/null +++ b/contrib/bind9/doc/arm/Bv9ARM.ch03.html 
@@ -0,0 +1,1057 @@ +<!-- + - Copyright (C) 2004-2013 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2000-2003 Internet Software Consortium. + - + - Permission to use, copy, modify, and/or distribute this software for any + - purpose with or without fee is hereby granted, provided that the above + - copyright notice and this permission notice appear in all copies. + - + - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + - PERFORMANCE OF THIS SOFTWARE. +--> +<!-- $Id$ --> +<html> +<head> +<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> +<title>Chapter 3. Name Server Configuration</title> +<meta name="generator" content="DocBook XSL Stylesheets V1.71.1"> +<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual"> +<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual"> +<link rel="prev" href="Bv9ARM.ch02.html" title="Chapter 2. BIND Resource Requirements"> +<link rel="next" href="Bv9ARM.ch04.html" title="Chapter 4. Advanced DNS Features"> +</head> +<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"> +<div class="navheader"> +<table width="100%" summary="Navigation header"> +<tr><th colspan="3" align="center">Chapter 3. 
Name Server Configuration</th></tr> +<tr> +<td width="20%" align="left"> +<a accesskey="p" href="Bv9ARM.ch02.html">Prev</a> </td> +<th width="60%" align="center"> </th> +<td width="20%" align="right"> <a accesskey="n" href="Bv9ARM.ch04.html">Next</a> +</td> +</tr> +</table> +<hr> +</div> +<div class="chapter" lang="en"> +<div class="titlepage"><div><div><h2 class="title"> +<a name="Bv9ARM.ch03"></a>Chapter 3. Name Server Configuration</h2></div></div></div> +<div class="toc"> +<p><b>Table of Contents</b></p> +<dl> +<dt><span class="sect1"><a href="Bv9ARM.ch03.html#sample_configuration">Sample Configurations</a></span></dt> +<dd><dl> +<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2567774">A Caching-only Name Server</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2567995">An Authoritative-only Name Server</a></span></dt> +</dl></dd> +<dt><span class="sect1"><a href="Bv9ARM.ch03.html#id2568018">Load Balancing</a></span></dt> +<dt><span class="sect1"><a href="Bv9ARM.ch03.html#id2568372">Name Server Operations</a></span></dt> +<dd><dl> +<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2568377">Tools for Use With the Name Server Daemon</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2570600">Signals</a></span></dt> +</dl></dd> +</dl> +</div> +<p> + In this chapter we provide some suggested configurations along + with guidelines for their use. We suggest reasonable values for + certain option settings. + </p> +<div class="sect1" lang="en"> +<div class="titlepage"><div><div><h2 class="title" style="clear: both"> +<a name="sample_configuration"></a>Sample Configurations</h2></div></div></div> +<div class="sect2" lang="en"> +<div class="titlepage"><div><div><h3 class="title"> +<a name="id2567774"></a>A Caching-only Name Server</h3></div></div></div> +<p> + The following sample configuration is appropriate for a caching-only + name server for use by clients internal to a corporation. 
All + queries + from outside clients are refused using the <span><strong class="command">allow-query</strong></span> + option. Alternatively, the same effect could be achieved using + suitable + firewall rules. + </p> +<pre class="programlisting"> +// Two corporate subnets we wish to allow queries from. +acl corpnets { 192.168.4.0/24; 192.168.7.0/24; }; +options { + // Working directory + directory "/etc/namedb"; + + allow-query { corpnets; }; +}; +// Provide a reverse mapping for the loopback +// address 127.0.0.1 +zone "0.0.127.in-addr.arpa" { + type master; + file "localhost.rev"; + notify no; +}; +</pre> +</div> +<div class="sect2" lang="en"> +<div class="titlepage"><div><div><h3 class="title"> +<a name="id2567995"></a>An Authoritative-only Name Server</h3></div></div></div> +<p> + This sample configuration is for an authoritative-only server + that is the master server for "<code class="filename">example.com</code>" + and a slave for the subdomain "<code class="filename">eng.example.com</code>". 
+ </p> +<pre class="programlisting"> +options { + // Working directory + directory "/etc/namedb"; + // Do not allow access to cache + allow-query-cache { none; }; + // This is the default + allow-query { any; }; + // Do not provide recursive service + recursion no; +}; + +// Provide a reverse mapping for the loopback +// address 127.0.0.1 +zone "0.0.127.in-addr.arpa" { + type master; + file "localhost.rev"; + notify no; +}; +// We are the master server for example.com +zone "example.com" { + type master; + file "example.com.db"; + // IP addresses of slave servers allowed to + // transfer example.com + allow-transfer { + 192.168.4.14; + 192.168.5.53; + }; +}; +// We are a slave server for eng.example.com +zone "eng.example.com" { + type slave; + file "eng.example.com.bk"; + // IP address of eng.example.com master server + masters { 192.168.4.12; }; +}; +</pre> +</div> +</div> +<div class="sect1" lang="en"> +<div class="titlepage"><div><div><h2 class="title" style="clear: both"> +<a name="id2568018"></a>Load Balancing</h2></div></div></div> +<p> + A primitive form of load balancing can be achieved in + the <acronym class="acronym">DNS</acronym> by using multiple records + (such as multiple A records) for one name. 
+ </p> +<p> + For example, if you have three WWW servers with network addresses + of 10.0.0.1, 10.0.0.2 and 10.0.0.3, a set of records such as the + following means that clients will connect to each machine one third + of the time: + </p> +<div class="informaltable"><table border="1"> +<colgroup> +<col> +<col> +<col> +<col> +<col> +</colgroup> +<tbody> +<tr> +<td> + <p> + Name + </p> + </td> +<td> + <p> + TTL + </p> + </td> +<td> + <p> + CLASS + </p> + </td> +<td> + <p> + TYPE + </p> + </td> +<td> + <p> + Resource Record (RR) Data + </p> + </td> +</tr> +<tr> +<td> + <p> + <code class="literal">www</code> + </p> + </td> +<td> + <p> + <code class="literal">600</code> + </p> + </td> +<td> + <p> + <code class="literal">IN</code> + </p> + </td> +<td> + <p> + <code class="literal">A</code> + </p> + </td> +<td> + <p> + <code class="literal">10.0.0.1</code> + </p> + </td> +</tr> +<tr> +<td> + <p></p> + </td> +<td> + <p> + <code class="literal">600</code> + </p> + </td> +<td> + <p> + <code class="literal">IN</code> + </p> + </td> +<td> + <p> + <code class="literal">A</code> + </p> + </td> +<td> + <p> + <code class="literal">10.0.0.2</code> + </p> + </td> +</tr> +<tr> +<td> + <p></p> + </td> +<td> + <p> + <code class="literal">600</code> + </p> + </td> +<td> + <p> + <code class="literal">IN</code> + </p> + </td> +<td> + <p> + <code class="literal">A</code> + </p> + </td> +<td> + <p> + <code class="literal">10.0.0.3</code> + </p> + </td> +</tr> +</tbody> +</table></div> +<p> + When a resolver queries for these records, <acronym class="acronym">BIND</acronym> will rotate + them and respond to the query with the records in a different + order. In the example above, clients will randomly receive + records in the order 1, 2, 3; 2, 3, 1; and 3, 1, 2. Most clients + will use the first record returned and discard the rest. 
+ </p> +<p> + For more detail on ordering responses, check the + <span><strong class="command">rrset-order</strong></span> sub-statement in the + <span><strong class="command">options</strong></span> statement, see + <a href="Bv9ARM.ch06.html#rrset_ordering">RRset Ordering</a>. + </p> +</div> +<div class="sect1" lang="en"> +<div class="titlepage"><div><div><h2 class="title" style="clear: both"> +<a name="id2568372"></a>Name Server Operations</h2></div></div></div> +<div class="sect2" lang="en"> +<div class="titlepage"><div><div><h3 class="title"> +<a name="id2568377"></a>Tools for Use With the Name Server Daemon</h3></div></div></div> +<p> + This section describes several indispensable diagnostic, + administrative and monitoring tools available to the system + administrator for controlling and debugging the name server + daemon. + </p> +<div class="sect3" lang="en"> +<div class="titlepage"><div><div><h4 class="title"> +<a name="diagnostic_tools"></a>Diagnostic Tools</h4></div></div></div> +<p> + The <span><strong class="command">dig</strong></span>, <span><strong class="command">host</strong></span>, and + <span><strong class="command">nslookup</strong></span> programs are all command + line tools + for manually querying name servers. They differ in style and + output format. + </p> +<div class="variablelist"><dl> +<dt><span class="term"><a name="dig"></a><span><strong class="command">dig</strong></span></span></dt> +<dd> +<p> + The domain information groper (<span><strong class="command">dig</strong></span>) + is the most versatile and complete of these lookup tools. + It has two modes: simple interactive + mode for a single query, and batch mode which executes a + query for + each in a list of several query lines. All query options are + accessible + from the command line. 
+ </p> +<div class="cmdsynopsis"><p><code class="command">dig</code> [@<em class="replaceable"><code>server</code></em>] <em class="replaceable"><code>domain</code></em> [<em class="replaceable"><code>query-type</code></em>] [<em class="replaceable"><code>query-class</code></em>] [+<em class="replaceable"><code>query-option</code></em>] [-<em class="replaceable"><code>dig-option</code></em>] [%<em class="replaceable"><code>comment</code></em>]</p></div> +<p> + The usual simple use of <span><strong class="command">dig</strong></span> will take the form + </p> +<p> + <span><strong class="command">dig @server domain query-type query-class</strong></span> + </p> +<p> + For more information and a list of available commands and + options, see the <span><strong class="command">dig</strong></span> man + page. + </p> +</dd> +<dt><span class="term"><span><strong class="command">host</strong></span></span></dt> +<dd> +<p> + The <span><strong class="command">host</strong></span> utility emphasizes + simplicity + and ease of use. By default, it converts + between host names and Internet addresses, but its + functionality + can be extended with the use of options. + </p> +<div class="cmdsynopsis"><p><code class="command">host</code> [-aCdlnrsTwv] [-c <em class="replaceable"><code>class</code></em>] [-N <em class="replaceable"><code>ndots</code></em>] [-t <em class="replaceable"><code>type</code></em>] [-W <em class="replaceable"><code>timeout</code></em>] [-R <em class="replaceable"><code>retries</code></em>] [-m <em class="replaceable"><code>flag</code></em>] [-4] [-6] <em class="replaceable"><code>hostname</code></em> [<em class="replaceable"><code>server</code></em>]</p></div> +<p> + For more information and a list of available commands and + options, see the <span><strong class="command">host</strong></span> man + page. 
+ </p> +</dd> +<dt><span class="term"><span><strong class="command">nslookup</strong></span></span></dt> +<dd> +<p><span><strong class="command">nslookup</strong></span> + has two modes: interactive and + non-interactive. Interactive mode allows the user to + query name servers for information about various + hosts and domains or to print a list of hosts in a + domain. Non-interactive mode is used to print just + the name and requested information for a host or + domain. + </p> +<div class="cmdsynopsis"><p><code class="command">nslookup</code> [-option...] [[<em class="replaceable"><code>host-to-find</code></em>] | [- [server]]]</p></div> +<p> + Interactive mode is entered when no arguments are given (the + default name server will be used) or when the first argument + is a + hyphen (`-') and the second argument is the host name or + Internet address + of a name server. + </p> +<p> + Non-interactive mode is used when the name or Internet + address + of the host to be looked up is given as the first argument. + The + optional second argument specifies the host name or address + of a name server. + </p> +<p> + Due to its arcane user interface and frequently inconsistent + behavior, we do not recommend the use of <span><strong class="command">nslookup</strong></span>. + Use <span><strong class="command">dig</strong></span> instead. + </p> +</dd> +</dl></div> +</div> +<div class="sect3" lang="en"> +<div class="titlepage"><div><div><h4 class="title"> +<a name="admin_tools"></a>Administrative Tools</h4></div></div></div> +<p> + Administrative tools play an integral part in the management + of a server. + </p> +<div class="variablelist"><dl> +<dt> +<a name="named-checkconf"></a><span class="term"><span><strong class="command">named-checkconf</strong></span></span> +</dt> +<dd> +<p> + The <span><strong class="command">named-checkconf</strong></span> program + checks the syntax of a <code class="filename">named.conf</code> file. 
+ </p> +<div class="cmdsynopsis"><p><code class="command">named-checkconf</code> [-jvz] [-t <em class="replaceable"><code>directory</code></em>] [<em class="replaceable"><code>filename</code></em>]</p></div> +</dd> +<dt> +<a name="named-checkzone"></a><span class="term"><span><strong class="command">named-checkzone</strong></span></span> +</dt> +<dd> +<p> + The <span><strong class="command">named-checkzone</strong></span> program + checks a master file for + syntax and consistency. + </p> +<div class="cmdsynopsis"><p><code class="command">named-checkzone</code> [-djqvD] [-c <em class="replaceable"><code>class</code></em>] [-o <em class="replaceable"><code>output</code></em>] [-t <em class="replaceable"><code>directory</code></em>] [-w <em class="replaceable"><code>directory</code></em>] [-k <em class="replaceable"><code>(ignore|warn|fail)</code></em>] [-n <em class="replaceable"><code>(ignore|warn|fail)</code></em>] [-W <em class="replaceable"><code>(ignore|warn)</code></em>] <em class="replaceable"><code>zone</code></em> [<em class="replaceable"><code>filename</code></em>]</p></div> +</dd> +<dt> +<a name="named-compilezone"></a><span class="term"><span><strong class="command">named-compilezone</strong></span></span> +</dt> +<dd><p> + Similar to <span><strong class="command">named-checkzone,</strong></span> but + it always dumps the zone content to a specified file + (typically in a different format). + </p></dd> +<dt> +<a name="rndc"></a><span class="term"><span><strong class="command">rndc</strong></span></span> +</dt> +<dd> +<p> + The remote name daemon control + (<span><strong class="command">rndc</strong></span>) program allows the + system + administrator to control the operation of a name server. 
+ Since <acronym class="acronym">BIND</acronym> 9.2, <span><strong class="command">rndc</strong></span> + supports all the commands of the BIND 8 <span><strong class="command">ndc</strong></span> + utility except <span><strong class="command">ndc start</strong></span> and + <span><strong class="command">ndc restart</strong></span>, which were also + not supported in <span><strong class="command">ndc</strong></span>'s + channel mode. + If you run <span><strong class="command">rndc</strong></span> without any + options + it will display a usage message as follows: + </p> +<div class="cmdsynopsis"><p><code class="command">rndc</code> [-c <em class="replaceable"><code>config</code></em>] [-s <em class="replaceable"><code>server</code></em>] [-p <em class="replaceable"><code>port</code></em>] [-y <em class="replaceable"><code>key</code></em>] <em class="replaceable"><code>command</code></em> [<em class="replaceable"><code>command</code></em>...]</p></div> +<p>The <span><strong class="command">command</strong></span> + is one of the following: + </p> +<div class="variablelist"><dl> +<dt><span class="term"><strong class="userinput"><code>reload</code></strong></span></dt> +<dd><p> + Reload configuration file and zones. + </p></dd> +<dt><span class="term"><strong class="userinput"><code>reload <em class="replaceable"><code>zone</code></em> + [<span class="optional"><em class="replaceable"><code>class</code></em> + [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt> +<dd><p> + Reload the given zone. + </p></dd> +<dt><span class="term"><strong class="userinput"><code>refresh <em class="replaceable"><code>zone</code></em> + [<span class="optional"><em class="replaceable"><code>class</code></em> + [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt> +<dd><p> + Schedule zone maintenance for the given zone. 
+ </p></dd> +<dt><span class="term"><strong class="userinput"><code>retransfer <em class="replaceable"><code>zone</code></em> + + [<span class="optional"><em class="replaceable"><code>class</code></em> + [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt> +<dd><p> + Retransfer the given zone from the master. + </p></dd> +<dt><span class="term"><strong class="userinput"><code>sign <em class="replaceable"><code>zone</code></em> + [<span class="optional"><em class="replaceable"><code>class</code></em> + [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt> +<dd> +<p> + Fetch all DNSSEC keys for the given zone + from the key directory (see + <span><strong class="command">key-directory</strong></span> in + <a href="Bv9ARM.ch06.html#options" title="options Statement Definition and + Usage">the section called “<span><strong class="command">options</strong></span> Statement Definition and + Usage”</a>). If they are within + their publication period, merge them into the + zone's DNSKEY RRset. If the DNSKEY RRset + is changed, then the zone is automatically + re-signed with the new key set. + </p> +<p> + This command requires that the + <span><strong class="command">auto-dnssec</strong></span> zone option be set + to <code class="literal">allow</code> or + <code class="literal">maintain</code>, + and also requires the zone to be configured to + allow dynamic DNS. + See <a href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called “Dynamic Update Policies”</a> for + more details. 
+ </p> +</dd> +<dt><span class="term"><strong class="userinput"><code>loadkeys <em class="replaceable"><code>zone</code></em> + [<span class="optional"><em class="replaceable"><code>class</code></em> + [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt> +<dd> +<p> + Fetch all DNSSEC keys for the given zone + from the key directory (see + <span><strong class="command">key-directory</strong></span> in + <a href="Bv9ARM.ch06.html#options" title="options Statement Definition and + Usage">the section called “<span><strong class="command">options</strong></span> Statement Definition and + Usage”</a>). If they are within + their publication period, merge them into the + zone's DNSKEY RRset. Unlike <span><strong class="command">rndc + sign</strong></span>, however, the zone is not + immediately re-signed by the new keys, but is + allowed to incrementally re-sign over time. + </p> +<p> + This command requires that the + <span><strong class="command">auto-dnssec</strong></span> zone option + be set to <code class="literal">maintain</code>, + and also requires the zone to be configured to + allow dynamic DNS. + See <a href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called “Dynamic Update Policies”</a> for + more details. + </p> +</dd> +<dt><span class="term"><strong class="userinput"><code>freeze + [<span class="optional"><em class="replaceable"><code>zone</code></em> + [<span class="optional"><em class="replaceable"><code>class</code></em> + [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</span>]</code></strong></span></dt> +<dd><p> + Suspend updates to a dynamic zone. If no zone is + specified, then all zones are suspended. This allows + manual edits to be made to a zone normally updated by + dynamic update. It also causes changes in the + journal file to be synced into the master file. 
+ All dynamic update attempts will be refused while + the zone is frozen. + </p></dd> +<dt><span class="term"><strong class="userinput"><code>thaw + [<span class="optional"><em class="replaceable"><code>zone</code></em> + [<span class="optional"><em class="replaceable"><code>class</code></em> + [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</span>]</code></strong></span></dt> +<dd><p> + Enable updates to a frozen dynamic zone. If no + zone is specified, then all frozen zones are + enabled. This causes the server to reload the zone + from disk, and re-enables dynamic updates after the + load has completed. After a zone is thawed, + dynamic updates will no longer be refused. If + the zone has changed and the + <span><strong class="command">ixfr-from-differences</strong></span> option is + in use, then the journal file will be updated to + reflect changes in the zone. Otherwise, if the + zone has changed, any existing journal file will be + removed. + </p></dd> +<dt><span class="term"><strong class="userinput"><code>sync + [<span class="optional">-clean</span>] + [<span class="optional"><em class="replaceable"><code>zone</code></em> + [<span class="optional"><em class="replaceable"><code>class</code></em> + [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</span>]</code></strong></span></dt> +<dd><p> + Sync changes in the journal file for a dynamic zone + to the master file. If the "-clean" option is + specified, the journal file is also removed. If + no zone is specified, then all zones are synced. + </p></dd> +<dt><span class="term"><strong class="userinput"><code>notify <em class="replaceable"><code>zone</code></em> + [<span class="optional"><em class="replaceable"><code>class</code></em> + [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt> +<dd><p> + Resend NOTIFY messages for the zone. 
+ </p></dd> +<dt><span class="term"><strong class="userinput"><code>reconfig</code></strong></span></dt> +<dd><p> + Reload the configuration file and load new zones, + but do not reload existing zone files even if they + have changed. + This is faster than a full <span><strong class="command">reload</strong></span> when there + is a large number of zones because it avoids the need + to examine the + modification times of the zones files. + </p></dd> +<dt><span class="term"><strong class="userinput"><code>stats</code></strong></span></dt> +<dd><p> + Write server statistics to the statistics file. + </p></dd> +<dt><span class="term"><strong class="userinput"><code>querylog</code></strong> + [<span class="optional">on|off</span>] + </span></dt> +<dd> +<p> + Enable or disable query logging. (For backward + compatibility, this command can also be used without + an argument to toggle query logging on and off.) + </p> +<p> + Query logging can also be enabled + by explicitly directing the <span><strong class="command">queries</strong></span> + <span><strong class="command">category</strong></span> to a + <span><strong class="command">channel</strong></span> in the + <span><strong class="command">logging</strong></span> section of + <code class="filename">named.conf</code> or by specifying + <span><strong class="command">querylog yes;</strong></span> in the + <span><strong class="command">options</strong></span> section of + <code class="filename">named.conf</code>. + </p> +</dd> +<dt><span class="term"><strong class="userinput"><code>dumpdb + [<span class="optional">-all|-cache|-zone</span>] + [<span class="optional"><em class="replaceable"><code>view ...</code></em></span>]</code></strong></span></dt> +<dd><p> + Dump the server's caches (default) and/or zones to + the + dump file for the specified views. If no view is + specified, all + views are dumped. 
+ </p></dd> +<dt><span class="term"><strong class="userinput"><code>secroots + [<span class="optional"><em class="replaceable"><code>view ...</code></em></span>]</code></strong></span></dt> +<dd><p> + Dump the server's security roots to the secroots + file for the specified views. If no view is + specified, security roots for all + views are dumped. + </p></dd> +<dt><span class="term"><strong class="userinput"><code>stop [<span class="optional">-p</span>]</code></strong></span></dt> +<dd><p> + Stop the server, making sure any recent changes + made through dynamic update or IXFR are first saved to + the master files of the updated zones. + If <code class="option">-p</code> is specified <span><strong class="command">named</strong></span>'s process id is returned. + This allows an external process to determine when <span><strong class="command">named</strong></span> + had completed stopping. + </p></dd> +<dt><span class="term"><strong class="userinput"><code>halt [<span class="optional">-p</span>]</code></strong></span></dt> +<dd><p> + Stop the server immediately. Recent changes + made through dynamic update or IXFR are not saved to + the master files, but will be rolled forward from the + journal files when the server is restarted. + If <code class="option">-p</code> is specified <span><strong class="command">named</strong></span>'s process id is returned. + This allows an external process to determine when <span><strong class="command">named</strong></span> + had completed halting. + </p></dd> +<dt><span class="term"><strong class="userinput"><code>trace</code></strong></span></dt> +<dd><p> + Increment the servers debugging level by one. + </p></dd> +<dt><span class="term"><strong class="userinput"><code>trace <em class="replaceable"><code>level</code></em></code></strong></span></dt> +<dd><p> + Sets the server's debugging level to an explicit + value. 
+ </p></dd> +<dt><span class="term"><strong class="userinput"><code>notrace</code></strong></span></dt> +<dd><p> + Sets the server's debugging level to 0. + </p></dd> +<dt><span class="term"><strong class="userinput"><code>flush</code></strong></span></dt> +<dd><p> + Flushes the server's cache. + </p></dd> +<dt><span class="term"><strong class="userinput"><code>flushname</code></strong> + <em class="replaceable"><code>name</code></em> + [<span class="optional"><em class="replaceable"><code>view</code></em></span>] + </span></dt> +<dd><p> + Flushes the given name from the server's DNS cache, + and from the server's nameserver address database + if applicable. + </p></dd> +<dt><span class="term"><strong class="userinput"><code>flushtree</code></strong> + <em class="replaceable"><code>name</code></em> + [<span class="optional"><em class="replaceable"><code>view</code></em></span>] + </span></dt> +<dd><p> + Flushes the given name, and all of its subdomains, + from the server's DNS cache. (The server's + nameserver address database is not affected.) + </p></dd> +<dt><span class="term"><strong class="userinput"><code>status</code></strong></span></dt> +<dd><p> + Display status of the server. + Note that the number of zones includes the internal <span><strong class="command">bind/CH</strong></span> zone + and the default <span><strong class="command">./IN</strong></span> + hint zone if there is not an + explicit root zone configured. + </p></dd> +<dt><span class="term"><strong class="userinput"><code>recursing</code></strong></span></dt> +<dd><p> + Dump the list of queries <span><strong class="command">named</strong></span> is currently recursing + on. + </p></dd> +<dt><span class="term"><strong class="userinput"><code>validation + [<span class="optional">on|off</span>] + [<span class="optional"><em class="replaceable"><code>view ...</code></em></span>] + </code></strong></span></dt> +<dd><p> + Enable or disable DNSSEC validation. 
+ Note <span><strong class="command">dnssec-enable</strong></span> also needs to be + set to <strong class="userinput"><code>yes</code></strong> to be effective. + It defaults to enabled. + </p></dd> +<dt><span class="term"><strong class="userinput"><code>tsig-list</code></strong></span></dt> +<dd><p> + List the names of all TSIG keys currently configured + for use by <span><strong class="command">named</strong></span> in each view. The + list both statically configured keys and dynamic + TKEY-negotiated keys. + </p></dd> +<dt><span class="term"><strong class="userinput"><code>tsig-delete</code></strong> + <em class="replaceable"><code>keyname</code></em> + [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span></dt> +<dd><p> + Delete a given TKEY-negotiated key from the server. + (This does not apply to statically configured TSIG + keys.) + </p></dd> +<dt><span class="term"><strong class="userinput"><code>addzone + <em class="replaceable"><code>zone</code></em> + [<span class="optional"><em class="replaceable"><code>class</code></em> + [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>] + <em class="replaceable"><code>configuration</code></em> + </code></strong></span></dt> +<dd> +<p> + Add a zone while the server is running. This + command requires the + <span><strong class="command">allow-new-zones</strong></span> option to be set + to <strong class="userinput"><code>yes</code></strong>. The + <em class="replaceable"><code>configuration</code></em> string + specified on the command line is the zone + configuration text that would ordinarily be + placed in <code class="filename">named.conf</code>. + </p> +<p> + The configuration is saved in a file called + <code class="filename"><em class="replaceable"><code>hash</code></em>.nzf</code>, + where <em class="replaceable"><code>hash</code></em> is a + cryptographic hash generated from the name of + the view. 
When <span><strong class="command">named</strong></span> is + restarted, the file will be loaded into the view + configuration, so that zones that were added + can persist after a restart. + </p> +<p> + This sample <span><strong class="command">addzone</strong></span> command + would add the zone <code class="literal">example.com</code> + to the default view: + </p> +<p> +<code class="prompt">$ </code><strong class="userinput"><code>rndc addzone example.com '{ type master; file "example.com.db"; };'</code></strong> + </p> +<p> + (Note the brackets and semi-colon around the zone + configuration text.) + </p> +</dd> +<dt><span class="term"><strong class="userinput"><code>delzone + <em class="replaceable"><code>zone</code></em> + [<span class="optional"><em class="replaceable"><code>class</code></em> + [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>] + </code></strong></span></dt> +<dd><p> + Delete a zone while the server is running. + Only zones that were originally added via + <span><strong class="command">rndc addzone</strong></span> can be deleted + in this matter. + </p></dd> +<dt><span class="term"><strong class="userinput"><code>signing + [<span class="optional">( -list | -clear <em class="replaceable"><code>keyid/algorithm</code></em> | -clear <code class="literal">all</code> | -nsec3param ( <em class="replaceable"><code>parameters</code></em> | <code class="literal">none</code> ) ) </span>] + <em class="replaceable"><code>zone</code></em> + [<span class="optional"><em class="replaceable"><code>class</code></em> + [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>] + </code></strong></span></dt> +<dd> +<p> + List, edit, or remove the DNSSEC signing state for + the specified zone. 
The status of ongoing DNSSEC + operations (such as signing or generating + NSEC3 chains) is stored in the zone in the form + of DNS resource records of type + <span><strong class="command">sig-signing-type</strong></span>. + <span><strong class="command">rndc signing -list</strong></span> converts + these records into a human-readable form, + indicating which keys are currently signing + or have finished signing the zone, and which NSEC3 + NSEC3 chains are being created or removed. + </p> +<p> + <span><strong class="command">rndc signing -clear</strong></span> can remove + a single key (specified in the same format that + <span><strong class="command">rndc signing -list</strong></span> uses to + display it), or all keys. In either case, only + completed keys are removed; any record indicating + that a key has not yet finished signing the zone + will be retained. + </p> +<p> + <span><strong class="command">rndc signing -nsec3param</strong></span> sets + the NSEC3 parameters for a zone. This is the + only supported mechanism for using NSEC3 with + <span><strong class="command">inline-signing</strong></span> zones. + Parameters are specified in the same format as + an NSEC3PARAM resource record: hash algorithm, + flags, iterations, and salt, in that order. + </p> +<p> + Currently, the only defined value for hash algorithm + is <code class="literal">1</code>, representing SHA-1. + The <code class="option">flags</code> may be set to + <code class="literal">0</code> or <code class="literal">1</code>, + depending on whether you wish to set the opt-out + bit in the NSEC3 chain. <code class="option">iterations</code> + defines the number of additional times to apply + the algorithm when generating an NSEC3 hash. The + <code class="option">salt</code> is a string of data expressed + in hexidecimal, or a hyphen (`-') if no salt is + to be used. 
+ </p> +<p> + So, for example, to create an NSEC3 chain using + the SHA-1 hash algorithm, no opt-out flag, + 10 iterations, and a salt value of "FFFF", use: + <span><strong class="command">rndc signing -nsec3param 1 0 10 FFFF <zone></strong></span>. + To set the opt-out flag, 15 iterations, and no + salt, use: + <span><strong class="command">rndc signing -nsec3param 1 1 15 - <zone></strong></span>. + </p> +<p> + <span><strong class="command">rndc signing -nsec3param none</strong></span> + removes an existing NSEC3 chain and replaces it + with NSEC. + </p> +</dd> +</dl></div> +<p> + A configuration file is required, since all + communication with the server is authenticated with + digital signatures that rely on a shared secret, and + there is no way to provide that secret other than with a + configuration file. The default location for the + <span><strong class="command">rndc</strong></span> configuration file is + <code class="filename">/etc/rndc.conf</code>, but an + alternate + location can be specified with the <code class="option">-c</code> + option. If the configuration file is not found, + <span><strong class="command">rndc</strong></span> will also look in + <code class="filename">/etc/rndc.key</code> (or whatever + <code class="varname">sysconfdir</code> was defined when + the <acronym class="acronym">BIND</acronym> build was + configured). + The <code class="filename">rndc.key</code> file is + generated by + running <span><strong class="command">rndc-confgen -a</strong></span> as + described in + <a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage" title="controls Statement Definition and + Usage">the section called “<span><strong class="command">controls</strong></span> Statement Definition and + Usage”</a>. 
+ </p> +<p> + The format of the configuration file is similar to + that of <code class="filename">named.conf</code>, but + limited to + only four statements, the <span><strong class="command">options</strong></span>, + <span><strong class="command">key</strong></span>, <span><strong class="command">server</strong></span> and + <span><strong class="command">include</strong></span> + statements. These statements are what associate the + secret keys to the servers with which they are meant to + be shared. The order of statements is not + significant. + </p> +<p> + The <span><strong class="command">options</strong></span> statement has + three clauses: + <span><strong class="command">default-server</strong></span>, <span><strong class="command">default-key</strong></span>, + and <span><strong class="command">default-port</strong></span>. + <span><strong class="command">default-server</strong></span> takes a + host name or address argument and represents the server + that will + be contacted if no <code class="option">-s</code> + option is provided on the command line. + <span><strong class="command">default-key</strong></span> takes + the name of a key as its argument, as defined by a <span><strong class="command">key</strong></span> statement. + <span><strong class="command">default-port</strong></span> specifies the + port to which + <span><strong class="command">rndc</strong></span> should connect if no + port is given on the command line or in a + <span><strong class="command">server</strong></span> statement. + </p> +<p> + The <span><strong class="command">key</strong></span> statement defines a + key to be used + by <span><strong class="command">rndc</strong></span> when authenticating + with + <span><strong class="command">named</strong></span>. Its syntax is + identical to the + <span><strong class="command">key</strong></span> statement in <code class="filename">named.conf</code>. 
+ The keyword <strong class="userinput"><code>key</code></strong> is + followed by a key name, which must be a valid + domain name, though it need not actually be hierarchical; + thus, + a string like "<strong class="userinput"><code>rndc_key</code></strong>" is a valid + name. + The <span><strong class="command">key</strong></span> statement has two + clauses: + <span><strong class="command">algorithm</strong></span> and <span><strong class="command">secret</strong></span>. + While the configuration parser will accept any string as the + argument + to algorithm, currently only the string "<strong class="userinput"><code>hmac-md5</code></strong>" + has any meaning. The secret is a base-64 encoded string + as specified in RFC 3548. + </p> +<p> + The <span><strong class="command">server</strong></span> statement + associates a key + defined using the <span><strong class="command">key</strong></span> + statement with a server. + The keyword <strong class="userinput"><code>server</code></strong> is followed by a + host name or address. The <span><strong class="command">server</strong></span> statement + has two clauses: <span><strong class="command">key</strong></span> and <span><strong class="command">port</strong></span>. + The <span><strong class="command">key</strong></span> clause specifies the + name of the key + to be used when communicating with this server, and the + <span><strong class="command">port</strong></span> clause can be used to + specify the port <span><strong class="command">rndc</strong></span> should + connect + to on the server. 
+ </p> +<p> + A sample minimal configuration file is as follows: + </p> +<pre class="programlisting"> +key rndc_key { + algorithm "hmac-md5"; + secret + "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K"; +}; +options { + default-server 127.0.0.1; + default-key rndc_key; +}; +</pre> +<p> + This file, if installed as <code class="filename">/etc/rndc.conf</code>, + would allow the command: + </p> +<p> + <code class="prompt">$ </code><strong class="userinput"><code>rndc reload</code></strong> + </p> +<p> + to connect to 127.0.0.1 port 953 and cause the name server + to reload, if a name server on the local machine were + running with + following controls statements: + </p> +<pre class="programlisting"> +controls { + inet 127.0.0.1 + allow { localhost; } keys { rndc_key; }; +}; +</pre> +<p> + and it had an identical key statement for + <code class="literal">rndc_key</code>. + </p> +<p> + Running the <span><strong class="command">rndc-confgen</strong></span> + program will + conveniently create a <code class="filename">rndc.conf</code> + file for you, and also display the + corresponding <span><strong class="command">controls</strong></span> + statement that you need to + add to <code class="filename">named.conf</code>. + Alternatively, + you can run <span><strong class="command">rndc-confgen -a</strong></span> + to set up + a <code class="filename">rndc.key</code> file and not + modify + <code class="filename">named.conf</code> at all. + </p> +</dd> +</dl></div> +</div> +</div> +<div class="sect2" lang="en"> +<div class="titlepage"><div><div><h3 class="title"> +<a name="id2570600"></a>Signals</h3></div></div></div> +<p> + Certain UNIX signals cause the name server to take specific + actions, as described in the following table. These signals can + be sent using the <span><strong class="command">kill</strong></span> command. 
+ </p> +<div class="informaltable"><table border="1"> +<colgroup> +<col> +<col> +</colgroup> +<tbody> +<tr> +<td> + <p><span><strong class="command">SIGHUP</strong></span></p> + </td> +<td> + <p> + Causes the server to read <code class="filename">named.conf</code> and + reload the database. + </p> + </td> +</tr> +<tr> +<td> + <p><span><strong class="command">SIGTERM</strong></span></p> + </td> +<td> + <p> + Causes the server to clean up and exit. + </p> + </td> +</tr> +<tr> +<td> + <p><span><strong class="command">SIGINT</strong></span></p> + </td> +<td> + <p> + Causes the server to clean up and exit. + </p> + </td> +</tr> +</tbody> +</table></div> +</div> +</div> +</div> +<div class="navfooter"> +<hr> +<table width="100%" summary="Navigation footer"> +<tr> +<td width="40%" align="left"> +<a accesskey="p" href="Bv9ARM.ch02.html">Prev</a> </td> +<td width="20%" align="center"> </td> +<td width="40%" align="right"> <a accesskey="n" href="Bv9ARM.ch04.html">Next</a> +</td> +</tr> +<tr> +<td width="40%" align="left" valign="top">Chapter 2. <acronym class="acronym">BIND</acronym> Resource Requirements </td> +<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td> +<td width="40%" align="right" valign="top"> Chapter 4. Advanced DNS Features</td> +</tr> +</table> +</div> +</body> +</html> |
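Review bot: the rndc configuration section (the `key` statement paragraph and the "sample minimal configuration file") ships a key with `algorithm "hmac-md5"` and states that "currently only the string hmac-md5 has any meaning"; please confirm that this is still true for the BIND version being imported, and if it is not, both the sentence and the sample should name a SHA-2 HMAC, since HMAC-MD5 is not what a new deployment should be told to use. In the same sample, the `secret` value decodes from base64 to a readable English sentence rather than random key material; the surrounding prose already says `rndc-confgen` generates the file, so a one-line caution against copying the sample secret verbatim would keep readers from deploying a known value that authenticates every `rndc` command, including `addzone` and `delzone`. Copy-edit items in the hunk: "The list both statically configured keys" should read "The list includes both statically configured keys", "can be deleted in this matter" should be "in this manner", "which NSEC3 NSEC3 chains" repeats a word, "hexidecimal" should be "hexadecimal", and the parenthetical after the `rndc addzone` example says "brackets" where the quoted text uses braces.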