/contrib/bind9/doc/arm/Bv9ARM.ch03.html
https://bitbucket.org/freebsd/freebsd-head/ · HTML · 957 lines · 937 code · 3 blank · 17 comment · 0 complexity · 56fd8847e44f89610f3762515d6c063e MD5 · raw file
- <!--
- - Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000-2003 Internet Software Consortium.
- -
- - Permission to use, copy, modify, and/or distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
- -->
- <!-- $Id$ -->
- <html>
- <head>
- <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
- <title>Chapter 3. Name Server Configuration</title>
- <meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
- <link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
- <link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
- <link rel="prev" href="Bv9ARM.ch02.html" title="Chapter 2. BIND Resource Requirements">
- <link rel="next" href="Bv9ARM.ch04.html" title="Chapter 4. Advanced DNS Features">
- </head>
- <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
- <div class="navheader">
- <table width="100%" summary="Navigation header">
- <tr><th colspan="3" align="center">Chapter 3. Name Server Configuration</th></tr>
- <tr>
- <td width="20%" align="left">
- <a accesskey="p" href="Bv9ARM.ch02.html">Prev</a> </td>
- <th width="60%" align="center"> </th>
- <td width="20%" align="right"> <a accesskey="n" href="Bv9ARM.ch04.html">Next</a>
- </td>
- </tr>
- </table>
- <hr>
- </div>
- <div class="chapter" lang="en">
- <div class="titlepage"><div><div><h2 class="title">
- <a name="Bv9ARM.ch03"></a>Chapter 3. Name Server Configuration</h2></div></div></div>
- <div class="toc">
- <p><b>Table of Contents</b></p>
- <dl>
- <dt><span class="sect1"><a href="Bv9ARM.ch03.html#sample_configuration">Sample Configurations</a></span></dt>
- <dd><dl>
- <dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2567771">A Caching-only Name Server</a></span></dt>
- <dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2567992">An Authoritative-only Name Server</a></span></dt>
- </dl></dd>
- <dt><span class="sect1"><a href="Bv9ARM.ch03.html#id2568014">Load Balancing</a></span></dt>
- <dt><span class="sect1"><a href="Bv9ARM.ch03.html#id2568369">Name Server Operations</a></span></dt>
- <dd><dl>
- <dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2568374">Tools for Use With the Name Server Daemon</a></span></dt>
- <dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2570421">Signals</a></span></dt>
- </dl></dd>
- </dl>
- </div>
- <p>
- In this chapter we provide some suggested configurations along
- with guidelines for their use. We suggest reasonable values for
- certain option settings.
- </p>
- <div class="sect1" lang="en">
- <div class="titlepage"><div><div><h2 class="title" style="clear: both">
- <a name="sample_configuration"></a>Sample Configurations</h2></div></div></div>
- <div class="sect2" lang="en">
- <div class="titlepage"><div><div><h3 class="title">
- <a name="id2567771"></a>A Caching-only Name Server</h3></div></div></div>
- <p>
- The following sample configuration is appropriate for a caching-only
- name server for use by clients internal to a corporation. All
- queries
- from outside clients are refused using the <span><strong class="command">allow-query</strong></span>
- option. Alternatively, the same effect could be achieved using
- suitable
- firewall rules.
- </p>
- <pre class="programlisting">
- // Two corporate subnets we wish to allow queries from.
- acl corpnets { 192.168.4.0/24; 192.168.7.0/24; };
- options {
- // Working directory
- directory "/etc/namedb";
- allow-query { corpnets; };
- };
- // Provide a reverse mapping for the loopback
- // address 127.0.0.1
- zone "0.0.127.in-addr.arpa" {
- type master;
- file "localhost.rev";
- notify no;
- };
- </pre>
- </div>
- <div class="sect2" lang="en">
- <div class="titlepage"><div><div><h3 class="title">
- <a name="id2567992"></a>An Authoritative-only Name Server</h3></div></div></div>
- <p>
- This sample configuration is for an authoritative-only server
- that is the master server for "<code class="filename">example.com</code>"
- and a slave for the subdomain "<code class="filename">eng.example.com</code>".
- </p>
- <pre class="programlisting">
- options {
- // Working directory
- directory "/etc/namedb";
- // Do not allow access to cache
- allow-query-cache { none; };
- // This is the default
- allow-query { any; };
- // Do not provide recursive service
- recursion no;
- };
- // Provide a reverse mapping for the loopback
- // address 127.0.0.1
- zone "0.0.127.in-addr.arpa" {
- type master;
- file "localhost.rev";
- notify no;
- };
- // We are the master server for example.com
- zone "example.com" {
- type master;
- file "example.com.db";
- // IP addresses of slave servers allowed to
- // transfer example.com
- allow-transfer {
- 192.168.4.14;
- 192.168.5.53;
- };
- };
- // We are a slave server for eng.example.com
- zone "eng.example.com" {
- type slave;
- file "eng.example.com.bk";
- // IP address of eng.example.com master server
- masters { 192.168.4.12; };
- };
- </pre>
- </div>
- </div>
- <div class="sect1" lang="en">
- <div class="titlepage"><div><div><h2 class="title" style="clear: both">
- <a name="id2568014"></a>Load Balancing</h2></div></div></div>
- <p>
- A primitive form of load balancing can be achieved in
- the <acronym class="acronym">DNS</acronym> by using multiple records
- (such as multiple A records) for one name.
- </p>
- <p>
- For example, if you have three WWW servers with network addresses
- of 10.0.0.1, 10.0.0.2 and 10.0.0.3, a set of records such as the
- following means that clients will connect to each machine one third
- of the time:
- </p>
- <div class="informaltable"><table border="1">
- <colgroup>
- <col>
- <col>
- <col>
- <col>
- <col>
- </colgroup>
- <tbody>
- <tr>
- <td>
- <p>
- Name
- </p>
- </td>
- <td>
- <p>
- TTL
- </p>
- </td>
- <td>
- <p>
- CLASS
- </p>
- </td>
- <td>
- <p>
- TYPE
- </p>
- </td>
- <td>
- <p>
- Resource Record (RR) Data
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p>
- <code class="literal">www</code>
- </p>
- </td>
- <td>
- <p>
- <code class="literal">600</code>
- </p>
- </td>
- <td>
- <p>
- <code class="literal">IN</code>
- </p>
- </td>
- <td>
- <p>
- <code class="literal">A</code>
- </p>
- </td>
- <td>
- <p>
- <code class="literal">10.0.0.1</code>
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p></p>
- </td>
- <td>
- <p>
- <code class="literal">600</code>
- </p>
- </td>
- <td>
- <p>
- <code class="literal">IN</code>
- </p>
- </td>
- <td>
- <p>
- <code class="literal">A</code>
- </p>
- </td>
- <td>
- <p>
- <code class="literal">10.0.0.2</code>
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p></p>
- </td>
- <td>
- <p>
- <code class="literal">600</code>
- </p>
- </td>
- <td>
- <p>
- <code class="literal">IN</code>
- </p>
- </td>
- <td>
- <p>
- <code class="literal">A</code>
- </p>
- </td>
- <td>
- <p>
- <code class="literal">10.0.0.3</code>
- </p>
- </td>
- </tr>
- </tbody>
- </table></div>
- <p>
- When a resolver queries for these records, <acronym class="acronym">BIND</acronym> will rotate
- them and respond to the query with the records in a different
- order. In the example above, clients will randomly receive
- records in the order 1, 2, 3; 2, 3, 1; and 3, 1, 2. Most clients
- will use the first record returned and discard the rest.
- </p>
- <p>
- For more detail on ordering responses, check the
- <span><strong class="command">rrset-order</strong></span> sub-statement in the
- <span><strong class="command">options</strong></span> statement, see
- <a href="Bv9ARM.ch06.html#rrset_ordering">RRset Ordering</a>.
- </p>
- </div>
- <div class="sect1" lang="en">
- <div class="titlepage"><div><div><h2 class="title" style="clear: both">
- <a name="id2568369"></a>Name Server Operations</h2></div></div></div>
- <div class="sect2" lang="en">
- <div class="titlepage"><div><div><h3 class="title">
- <a name="id2568374"></a>Tools for Use With the Name Server Daemon</h3></div></div></div>
- <p>
- This section describes several indispensable diagnostic,
- administrative and monitoring tools available to the system
- administrator for controlling and debugging the name server
- daemon.
- </p>
- <div class="sect3" lang="en">
- <div class="titlepage"><div><div><h4 class="title">
- <a name="diagnostic_tools"></a>Diagnostic Tools</h4></div></div></div>
- <p>
- The <span><strong class="command">dig</strong></span>, <span><strong class="command">host</strong></span>, and
- <span><strong class="command">nslookup</strong></span> programs are all command
- line tools
- for manually querying name servers. They differ in style and
- output format.
- </p>
- <div class="variablelist"><dl>
- <dt><span class="term"><a name="dig"></a><span><strong class="command">dig</strong></span></span></dt>
- <dd>
- <p>
- The domain information groper (<span><strong class="command">dig</strong></span>)
- is the most versatile and complete of these lookup tools.
- It has two modes: simple interactive
- mode for a single query, and batch mode which executes a
- query for
- each in a list of several query lines. All query options are
- accessible
- from the command line.
- </p>
- <div class="cmdsynopsis"><p><code class="command">dig</code> [@<em class="replaceable"><code>server</code></em>] <em class="replaceable"><code>domain</code></em> [<em class="replaceable"><code>query-type</code></em>] [<em class="replaceable"><code>query-class</code></em>] [+<em class="replaceable"><code>query-option</code></em>] [-<em class="replaceable"><code>dig-option</code></em>] [%<em class="replaceable"><code>comment</code></em>]</p></div>
- <p>
- The usual simple use of <span><strong class="command">dig</strong></span> will take the form
- </p>
- <p>
- <span><strong class="command">dig @server domain query-type query-class</strong></span>
- </p>
- <p>
- For more information and a list of available commands and
- options, see the <span><strong class="command">dig</strong></span> man
- page.
- </p>
- </dd>
- <dt><span class="term"><span><strong class="command">host</strong></span></span></dt>
- <dd>
- <p>
- The <span><strong class="command">host</strong></span> utility emphasizes
- simplicity
- and ease of use. By default, it converts
- between host names and Internet addresses, but its
- functionality
- can be extended with the use of options.
- </p>
- <div class="cmdsynopsis"><p><code class="command">host</code> [-aCdlnrsTwv] [-c <em class="replaceable"><code>class</code></em>] [-N <em class="replaceable"><code>ndots</code></em>] [-t <em class="replaceable"><code>type</code></em>] [-W <em class="replaceable"><code>timeout</code></em>] [-R <em class="replaceable"><code>retries</code></em>] [-m <em class="replaceable"><code>flag</code></em>] [-4] [-6] <em class="replaceable"><code>hostname</code></em> [<em class="replaceable"><code>server</code></em>]</p></div>
- <p>
- For more information and a list of available commands and
- options, see the <span><strong class="command">host</strong></span> man
- page.
- </p>
- </dd>
- <dt><span class="term"><span><strong class="command">nslookup</strong></span></span></dt>
- <dd>
- <p><span><strong class="command">nslookup</strong></span>
- has two modes: interactive and
- non-interactive. Interactive mode allows the user to
- query name servers for information about various
- hosts and domains or to print a list of hosts in a
- domain. Non-interactive mode is used to print just
- the name and requested information for a host or
- domain.
- </p>
- <div class="cmdsynopsis"><p><code class="command">nslookup</code> [-option...] [[<em class="replaceable"><code>host-to-find</code></em>] | [- [server]]]</p></div>
- <p>
- Interactive mode is entered when no arguments are given (the
- default name server will be used) or when the first argument
- is a
- hyphen (`-') and the second argument is the host name or
- Internet address
- of a name server.
- </p>
- <p>
- Non-interactive mode is used when the name or Internet
- address
- of the host to be looked up is given as the first argument.
- The
- optional second argument specifies the host name or address
- of a name server.
- </p>
- <p>
- Due to its arcane user interface and frequently inconsistent
- behavior, we do not recommend the use of <span><strong class="command">nslookup</strong></span>.
- Use <span><strong class="command">dig</strong></span> instead.
- </p>
- </dd>
- </dl></div>
- </div>
- <div class="sect3" lang="en">
- <div class="titlepage"><div><div><h4 class="title">
- <a name="admin_tools"></a>Administrative Tools</h4></div></div></div>
- <p>
- Administrative tools play an integral part in the management
- of a server.
- </p>
- <div class="variablelist"><dl>
- <dt>
- <a name="named-checkconf"></a><span class="term"><span><strong class="command">named-checkconf</strong></span></span>
- </dt>
- <dd>
- <p>
- The <span><strong class="command">named-checkconf</strong></span> program
- checks the syntax of a <code class="filename">named.conf</code> file.
- </p>
- <div class="cmdsynopsis"><p><code class="command">named-checkconf</code> [-jvz] [-t <em class="replaceable"><code>directory</code></em>] [<em class="replaceable"><code>filename</code></em>]</p></div>
- </dd>
- <dt>
- <a name="named-checkzone"></a><span class="term"><span><strong class="command">named-checkzone</strong></span></span>
- </dt>
- <dd>
- <p>
- The <span><strong class="command">named-checkzone</strong></span> program
- checks a master file for
- syntax and consistency.
- </p>
- <div class="cmdsynopsis"><p><code class="command">named-checkzone</code> [-djqvD] [-c <em class="replaceable"><code>class</code></em>] [-o <em class="replaceable"><code>output</code></em>] [-t <em class="replaceable"><code>directory</code></em>] [-w <em class="replaceable"><code>directory</code></em>] [-k <em class="replaceable"><code>(ignore|warn|fail)</code></em>] [-n <em class="replaceable"><code>(ignore|warn|fail)</code></em>] [-W <em class="replaceable"><code>(ignore|warn)</code></em>] <em class="replaceable"><code>zone</code></em> [<em class="replaceable"><code>filename</code></em>]</p></div>
- </dd>
- <dt>
- <a name="named-compilezone"></a><span class="term"><span><strong class="command">named-compilezone</strong></span></span>
- </dt>
- <dd><p>
- Similar to <span><strong class="command">named-checkzone,</strong></span> but
- it always dumps the zone content to a specified file
- (typically in a different format).
- </p></dd>
- <dt>
- <a name="rndc"></a><span class="term"><span><strong class="command">rndc</strong></span></span>
- </dt>
- <dd>
- <p>
- The remote name daemon control
- (<span><strong class="command">rndc</strong></span>) program allows the
- system
- administrator to control the operation of a name server.
- Since <acronym class="acronym">BIND</acronym> 9.2, <span><strong class="command">rndc</strong></span>
- supports all the commands of the BIND 8 <span><strong class="command">ndc</strong></span>
- utility except <span><strong class="command">ndc start</strong></span> and
- <span><strong class="command">ndc restart</strong></span>, which were also
- not supported in <span><strong class="command">ndc</strong></span>'s
- channel mode.
- If you run <span><strong class="command">rndc</strong></span> without any
- options
- it will display a usage message as follows:
- </p>
- <div class="cmdsynopsis"><p><code class="command">rndc</code> [-c <em class="replaceable"><code>config</code></em>] [-s <em class="replaceable"><code>server</code></em>] [-p <em class="replaceable"><code>port</code></em>] [-y <em class="replaceable"><code>key</code></em>] <em class="replaceable"><code>command</code></em> [<em class="replaceable"><code>command</code></em>...]</p></div>
- <p>The <span><strong class="command">command</strong></span>
- is one of the following:
- </p>
- <div class="variablelist"><dl>
- <dt><span class="term"><strong class="userinput"><code>reload</code></strong></span></dt>
- <dd><p>
- Reload configuration file and zones.
- </p></dd>
- <dt><span class="term"><strong class="userinput"><code>reload <em class="replaceable"><code>zone</code></em>
- [<span class="optional"><em class="replaceable"><code>class</code></em>
- [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
- <dd><p>
- Reload the given zone.
- </p></dd>
- <dt><span class="term"><strong class="userinput"><code>refresh <em class="replaceable"><code>zone</code></em>
- [<span class="optional"><em class="replaceable"><code>class</code></em>
- [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
- <dd><p>
- Schedule zone maintenance for the given zone.
- </p></dd>
- <dt><span class="term"><strong class="userinput"><code>retransfer <em class="replaceable"><code>zone</code></em>
- [<span class="optional"><em class="replaceable"><code>class</code></em>
- [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
- <dd><p>
- Retransfer the given zone from the master.
- </p></dd>
- <dt><span class="term"><strong class="userinput"><code>sign <em class="replaceable"><code>zone</code></em>
- [<span class="optional"><em class="replaceable"><code>class</code></em>
- [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
- <dd>
- <p>
- Fetch all DNSSEC keys for the given zone
- from the key directory (see
- <span><strong class="command">key-directory</strong></span> in
- <a href="Bv9ARM.ch06.html#options" title="options Statement Definition and
- Usage">the section called “<span><strong class="command">options</strong></span> Statement Definition and
- Usage”</a>). If they are within
- their publication period, merge them into the
- zone's DNSKEY RRset. If the DNSKEY RRset
- is changed, then the zone is automatically
- re-signed with the new key set.
- </p>
- <p>
- This command requires that the
- <span><strong class="command">auto-dnssec</strong></span> zone option be set
- to <code class="literal">allow</code> or
- <code class="literal">maintain</code>,
- and also requires the zone to be configured to
- allow dynamic DNS.
- See <a href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called “Dynamic Update Policies”</a> for
- more details.
- </p>
- </dd>
- <dt><span class="term"><strong class="userinput"><code>loadkeys <em class="replaceable"><code>zone</code></em>
- [<span class="optional"><em class="replaceable"><code>class</code></em>
- [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
- <dd>
- <p>
- Fetch all DNSSEC keys for the given zone
- from the key directory (see
- <span><strong class="command">key-directory</strong></span> in
- <a href="Bv9ARM.ch06.html#options" title="options Statement Definition and
- Usage">the section called “<span><strong class="command">options</strong></span> Statement Definition and
- Usage”</a>). If they are within
- their publication period, merge them into the
- zone's DNSKEY RRset. Unlike <span><strong class="command">rndc
- sign</strong></span>, however, the zone is not
- immediately re-signed by the new keys, but is
- allowed to incrementally re-sign over time.
- </p>
- <p>
- This command requires that the
- <span><strong class="command">auto-dnssec</strong></span> zone option
- be set to <code class="literal">maintain</code>,
- and also requires the zone to be configured to
- allow dynamic DNS.
- See <a href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called “Dynamic Update Policies”</a> for
- more details.
- </p>
- </dd>
- <dt><span class="term"><strong class="userinput"><code>freeze
- [<span class="optional"><em class="replaceable"><code>zone</code></em>
- [<span class="optional"><em class="replaceable"><code>class</code></em>
- [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</span>]</code></strong></span></dt>
- <dd><p>
- Suspend updates to a dynamic zone. If no zone is
- specified,
- then all zones are suspended. This allows manual
- edits to be made to a zone normally updated by dynamic
- update. It
- also causes changes in the journal file to be synced
- into the master
- and the journal file to be removed. All dynamic
- update attempts will
- be refused while the zone is frozen.
- </p></dd>
- <dt><span class="term"><strong class="userinput"><code>thaw
- [<span class="optional"><em class="replaceable"><code>zone</code></em>
- [<span class="optional"><em class="replaceable"><code>class</code></em>
- [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</span>]</code></strong></span></dt>
- <dd><p>
- Enable updates to a frozen dynamic zone. If no zone
- is
- specified, then all frozen zones are enabled. This
- causes
- the server to reload the zone from disk, and
- re-enables dynamic updates
- after the load has completed. After a zone is thawed,
- dynamic updates
- will no longer be refused.
- </p></dd>
- <dt><span class="term"><strong class="userinput"><code>notify <em class="replaceable"><code>zone</code></em>
- [<span class="optional"><em class="replaceable"><code>class</code></em>
- [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
- <dd><p>
- Resend NOTIFY messages for the zone.
- </p></dd>
- <dt><span class="term"><strong class="userinput"><code>reconfig</code></strong></span></dt>
- <dd><p>
- Reload the configuration file and load new zones,
- but do not reload existing zone files even if they
- have changed.
- This is faster than a full <span><strong class="command">reload</strong></span> when there
- is a large number of zones because it avoids the need
- to examine the
- modification times of the zones files.
- </p></dd>
- <dt><span class="term"><strong class="userinput"><code>stats</code></strong></span></dt>
- <dd><p>
- Write server statistics to the statistics file.
- </p></dd>
- <dt><span class="term"><strong class="userinput"><code>querylog</code></strong></span></dt>
- <dd><p>
- Toggle query logging. Query logging can also be enabled
- by explicitly directing the <span><strong class="command">queries</strong></span>
- <span><strong class="command">category</strong></span> to a
- <span><strong class="command">channel</strong></span> in the
- <span><strong class="command">logging</strong></span> section of
- <code class="filename">named.conf</code> or by specifying
- <span><strong class="command">querylog yes;</strong></span> in the
- <span><strong class="command">options</strong></span> section of
- <code class="filename">named.conf</code>.
- </p></dd>
- <dt><span class="term"><strong class="userinput"><code>dumpdb
- [<span class="optional">-all|-cache|-zone</span>]
- [<span class="optional"><em class="replaceable"><code>view ...</code></em></span>]</code></strong></span></dt>
- <dd><p>
- Dump the server's caches (default) and/or zones to
- the
- dump file for the specified views. If no view is
- specified, all
- views are dumped.
- </p></dd>
- <dt><span class="term"><strong class="userinput"><code>secroots
- [<span class="optional"><em class="replaceable"><code>view ...</code></em></span>]</code></strong></span></dt>
- <dd><p>
- Dump the server's security roots to the secroots
- file for the specified views. If no view is
- specified, security roots for all
- views are dumped.
- </p></dd>
- <dt><span class="term"><strong class="userinput"><code>stop [<span class="optional">-p</span>]</code></strong></span></dt>
- <dd><p>
- Stop the server, making sure any recent changes
- made through dynamic update or IXFR are first saved to
- the master files of the updated zones.
- If <code class="option">-p</code> is specified <span><strong class="command">named</strong></span>'s process id is returned.
- This allows an external process to determine when <span><strong class="command">named</strong></span>
- had completed stopping.
- </p></dd>
- <dt><span class="term"><strong class="userinput"><code>halt [<span class="optional">-p</span>]</code></strong></span></dt>
- <dd><p>
- Stop the server immediately. Recent changes
- made through dynamic update or IXFR are not saved to
- the master files, but will be rolled forward from the
- journal files when the server is restarted.
- If <code class="option">-p</code> is specified <span><strong class="command">named</strong></span>'s process id is returned.
- This allows an external process to determine when <span><strong class="command">named</strong></span>
- had completed halting.
- </p></dd>
- <dt><span class="term"><strong class="userinput"><code>trace</code></strong></span></dt>
- <dd><p>
- Increment the servers debugging level by one.
- </p></dd>
- <dt><span class="term"><strong class="userinput"><code>trace <em class="replaceable"><code>level</code></em></code></strong></span></dt>
- <dd><p>
- Sets the server's debugging level to an explicit
- value.
- </p></dd>
- <dt><span class="term"><strong class="userinput"><code>notrace</code></strong></span></dt>
- <dd><p>
- Sets the server's debugging level to 0.
- </p></dd>
- <dt><span class="term"><strong class="userinput"><code>flush</code></strong></span></dt>
- <dd><p>
- Flushes the server's cache.
- </p></dd>
- <dt><span class="term"><strong class="userinput"><code>flushname</code></strong> <em class="replaceable"><code>name</code></em></span></dt>
- <dd><p>
- Flushes the given name from the server's cache.
- </p></dd>
- <dt><span class="term"><strong class="userinput"><code>status</code></strong></span></dt>
- <dd><p>
- Display status of the server.
- Note that the number of zones includes the internal <span><strong class="command">bind/CH</strong></span> zone
- and the default <span><strong class="command">./IN</strong></span>
- hint zone if there is not an
- explicit root zone configured.
- </p></dd>
- <dt><span class="term"><strong class="userinput"><code>recursing</code></strong></span></dt>
- <dd><p>
- Dump the list of queries <span><strong class="command">named</strong></span> is currently recursing
- on.
- </p></dd>
- <dt><span class="term"><strong class="userinput"><code>validation
- [<span class="optional">on|off</span>]
- [<span class="optional"><em class="replaceable"><code>view ...</code></em></span>]
- </code></strong></span></dt>
- <dd><p>
- Enable or disable DNSSEC validation.
- Note <span><strong class="command">dnssec-enable</strong></span> also needs to be
- set to <strong class="userinput"><code>yes</code></strong> to be effective.
- It defaults to enabled.
- </p></dd>
- <dt><span class="term"><strong class="userinput"><code>tsig-list</code></strong></span></dt>
- <dd><p>
- List the names of all TSIG keys currently configured
- for use by <span><strong class="command">named</strong></span> in each view. The
- list both statically configured keys and dynamic
- TKEY-negotiated keys.
- </p></dd>
- <dt><span class="term"><strong class="userinput"><code>tsig-delete</code></strong>
- <em class="replaceable"><code>keyname</code></em>
- [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span></dt>
- <dd><p>
- Delete a given TKEY-negotated key from the server.
- (This does not apply to statically configured TSIG
- keys.)
- </p></dd>
- <dt><span class="term"><strong class="userinput"><code>addzone
- <em class="replaceable"><code>zone</code></em>
- [<span class="optional"><em class="replaceable"><code>class</code></em>
- [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]
- <em class="replaceable"><code>configuration</code></em>
- </code></strong></span></dt>
- <dd>
- <p>
- Add a zone while the server is running. This
- command requires the
- <span><strong class="command">allow-new-zones</strong></span> option to be set
- to <strong class="userinput"><code>yes</code></strong>. The
- <em class="replaceable"><code>configuration</code></em> string
- specified on the command line is the zone
- configuration text that would ordinarily be
- placed in <code class="filename">named.conf</code>.
- </p>
- <p>
- The configuration is saved in a file called
- <code class="filename"><em class="replaceable"><code>hash</code></em>.nzf</code>,
- where <em class="replaceable"><code>hash</code></em> is a
- cryptographic hash generated from the name of
- the view. When <span><strong class="command">named</strong></span> is
- restarted, the file will be loaded into the view
- configuration, so that zones that were added
- can persist after a restart.
- </p>
- <p>
- This sample <span><strong class="command">addzone</strong></span> command
- would add the zone <code class="literal">example.com</code>
- to the default view:
- </p>
- <p>
- <code class="prompt">$ </code><strong class="userinput"><code>rndc addzone example.com '{ type master; file "example.com.db"; };'</code></strong>
- </p>
- <p>
- (Note the brackets and semi-colon around the zone
- configuration text.)
- </p>
- </dd>
- <dt><span class="term"><strong class="userinput"><code>delzone
- <em class="replaceable"><code>zone</code></em>
- [<span class="optional"><em class="replaceable"><code>class</code></em>
- [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]
- </code></strong></span></dt>
- <dd><p>
- Delete a zone while the server is running.
- Only zones that were originally added via
- <span><strong class="command">rndc addzone</strong></span> can be deleted
- in this matter.
- </p></dd>
- </dl></div>
- <p>
- A configuration file is required, since all
- communication with the server is authenticated with
- digital signatures that rely on a shared secret, and
- there is no way to provide that secret other than with a
- configuration file. The default location for the
- <span><strong class="command">rndc</strong></span> configuration file is
- <code class="filename">/etc/rndc.conf</code>, but an
- alternate
- location can be specified with the <code class="option">-c</code>
- option. If the configuration file is not found,
- <span><strong class="command">rndc</strong></span> will also look in
- <code class="filename">/etc/rndc.key</code> (or whatever
- <code class="varname">sysconfdir</code> was defined when
- the <acronym class="acronym">BIND</acronym> build was
- configured).
- The <code class="filename">rndc.key</code> file is
- generated by
- running <span><strong class="command">rndc-confgen -a</strong></span> as
- described in
- <a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage" title="controls Statement Definition and
- Usage">the section called “<span><strong class="command">controls</strong></span> Statement Definition and
- Usage”</a>.
- </p>
- <p>
- The format of the configuration file is similar to
- that of <code class="filename">named.conf</code>, but
- limited to
- only four statements, the <span><strong class="command">options</strong></span>,
- <span><strong class="command">key</strong></span>, <span><strong class="command">server</strong></span> and
- <span><strong class="command">include</strong></span>
- statements. These statements are what associate the
- secret keys to the servers with which they are meant to
- be shared. The order of statements is not
- significant.
- </p>
- <p>
- The <span><strong class="command">options</strong></span> statement has
- three clauses:
- <span><strong class="command">default-server</strong></span>, <span><strong class="command">default-key</strong></span>,
- and <span><strong class="command">default-port</strong></span>.
- <span><strong class="command">default-server</strong></span> takes a
- host name or address argument and represents the server
- that will
- be contacted if no <code class="option">-s</code>
- option is provided on the command line.
- <span><strong class="command">default-key</strong></span> takes
- the name of a key as its argument, as defined by a <span><strong class="command">key</strong></span> statement.
- <span><strong class="command">default-port</strong></span> specifies the
- port to which
- <span><strong class="command">rndc</strong></span> should connect if no
- port is given on the command line or in a
- <span><strong class="command">server</strong></span> statement.
- </p>
- <p>
- The <span><strong class="command">key</strong></span> statement defines a
- key to be used
- by <span><strong class="command">rndc</strong></span> when authenticating
- with
- <span><strong class="command">named</strong></span>. Its syntax is
- identical to the
- <span><strong class="command">key</strong></span> statement in <code class="filename">named.conf</code>.
- The keyword <strong class="userinput"><code>key</code></strong> is
- followed by a key name, which must be a valid
- domain name, though it need not actually be hierarchical;
- thus,
- a string like "<strong class="userinput"><code>rndc_key</code></strong>" is a valid
- name.
- The <span><strong class="command">key</strong></span> statement has two
- clauses:
- <span><strong class="command">algorithm</strong></span> and <span><strong class="command">secret</strong></span>.
- While the configuration parser will accept any string as the
- argument
- to algorithm, currently only the string "<strong class="userinput"><code>hmac-md5</code></strong>"
- has any meaning. The secret is a base-64 encoded string
- as specified in RFC 3548.
- </p>
- <p>
- The <span><strong class="command">server</strong></span> statement
- associates a key
- defined using the <span><strong class="command">key</strong></span>
- statement with a server.
- The keyword <strong class="userinput"><code>server</code></strong> is followed by a
- host name or address. The <span><strong class="command">server</strong></span> statement
- has two clauses: <span><strong class="command">key</strong></span> and <span><strong class="command">port</strong></span>.
- The <span><strong class="command">key</strong></span> clause specifies the
- name of the key
- to be used when communicating with this server, and the
- <span><strong class="command">port</strong></span> clause can be used to
- specify the port <span><strong class="command">rndc</strong></span> should
- connect
- to on the server.
- </p>
- <p>
- A sample minimal configuration file is as follows:
- </p>
- <pre class="programlisting">
- key rndc_key {
- algorithm "hmac-md5";
- secret
- "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K";
- };
- options {
- default-server 127.0.0.1;
- default-key rndc_key;
- };
- </pre>
- <p>
- This file, if installed as <code class="filename">/etc/rndc.conf</code>,
- would allow the command:
- </p>
- <p>
- <code class="prompt">$ </code><strong class="userinput"><code>rndc reload</code></strong>
- </p>
- <p>
- to connect to 127.0.0.1 port 953 and cause the name server
- to reload, if a name server on the local machine were
- running with
- following controls statements:
- </p>
- <pre class="programlisting">
- controls {
- inet 127.0.0.1
- allow { localhost; } keys { rndc_key; };
- };
- </pre>
- <p>
- and it had an identical key statement for
- <code class="literal">rndc_key</code>.
- </p>
- <p>
- Running the <span><strong class="command">rndc-confgen</strong></span>
- program will
- conveniently create a <code class="filename">rndc.conf</code>
- file for you, and also display the
- corresponding <span><strong class="command">controls</strong></span>
- statement that you need to
- add to <code class="filename">named.conf</code>.
- Alternatively,
- you can run <span><strong class="command">rndc-confgen -a</strong></span>
- to set up
- a <code class="filename">rndc.key</code> file and not
- modify
- <code class="filename">named.conf</code> at all.
- </p>
- </dd>
- </dl></div>
- </div>
- </div>
- <div class="sect2" lang="en">
- <div class="titlepage"><div><div><h3 class="title">
- <a name="id2570421"></a>Signals</h3></div></div></div>
- <p>
- Certain UNIX signals cause the name server to take specific
- actions, as described in the following table. These signals can
- be sent using the <span><strong class="command">kill</strong></span> command.
- </p>
- <div class="informaltable"><table border="1">
- <colgroup>
- <col>
- <col>
- </colgroup>
- <tbody>
- <tr>
- <td>
- <p><span><strong class="command">SIGHUP</strong></span></p>
- </td>
- <td>
- <p>
- Causes the server to read <code class="filename">named.conf</code> and
- reload the database.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p><span><strong class="command">SIGTERM</strong></span></p>
- </td>
- <td>
- <p>
- Causes the server to clean up and exit.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p><span><strong class="command">SIGINT</strong></span></p>
- </td>
- <td>
- <p>
- Causes the server to clean up and exit.
- </p>
- </td>
- </tr>
- </tbody>
- </table></div>
- </div>
- </div>
- </div>
- <div class="navfooter">
- <hr>
- <table width="100%" summary="Navigation footer">
- <tr>
- <td width="40%" align="left">
- <a accesskey="p" href="Bv9ARM.ch02.html">Prev</a> </td>
- <td width="20%" align="center"> </td>
- <td width="40%" align="right"> <a accesskey="n" href="Bv9ARM.ch04.html">Next</a>
- </td>
- </tr>
- <tr>
- <td width="40%" align="left" valign="top">Chapter 2. <acronym class="acronym">BIND</acronym> Resource Requirements </td>
- <td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
- <td width="40%" align="right" valign="top"> Chapter 4. Advanced DNS Features</td>
- </tr>
- </table>
- </div>
- </body>
- </html>