/contrib/bind9/doc/arm/Bv9ARM.ch03.html


<!--
 - Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000-2003 Internet Software Consortium.
 -
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 -
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id$ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Chapter 3. Name Server Configuration</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="prev" href="Bv9ARM.ch02.html" title="Chapter 2. BIND Resource Requirements">
<link rel="next" href="Bv9ARM.ch04.html" title="Chapter 4. Advanced DNS Features">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<div class="navheader">
<table width="100%" summary="Navigation header">
<tr><th colspan="3" align="center">Chapter 3. Name Server Configuration</th></tr>
<tr>
<td width="20%" align="left">
<a accesskey="p" href="Bv9ARM.ch02.html">Prev</a> </td>
<th width="60%" align="center"> </th>
<td width="20%" align="right"> <a accesskey="n" href="Bv9ARM.ch04.html">Next</a>
</td>
</tr>
</table>
<hr>
</div>
<div class="chapter" lang="en">
<div class="titlepage"><div><div><h2 class="title">
<a name="Bv9ARM.ch03"></a>Chapter 3. Name Server Configuration</h2></div></div></div>
<div class="toc">
<p><b>Table of Contents</b></p>
<dl>
<dt><span class="sect1"><a href="Bv9ARM.ch03.html#sample_configuration">Sample Configurations</a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2567771">A Caching-only Name Server</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2567992">An Authoritative-only Name Server</a></span></dt>
</dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch03.html#id2568014">Load Balancing</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch03.html#id2568369">Name Server Operations</a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2568374">Tools for Use With the Name Server Daemon</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2570421">Signals</a></span></dt>
</dl></dd>
</dl>
</div>
<p>
In this chapter we provide some suggested configurations along
with guidelines for their use. We suggest reasonable values for
certain option settings.
</p>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="sample_configuration"></a>Sample Configurations</h2></div></div></div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2567771"></a>A Caching-only Name Server</h3></div></div></div>
<p>
The following sample configuration is appropriate for a caching-only
name server for use by clients internal to a corporation. All queries
from outside clients are refused using the <span><strong class="command">allow-query</strong></span>
option. Alternatively, the same effect could be achieved using suitable
firewall rules.
</p>
<pre class="programlisting">
// Two corporate subnets we wish to allow queries from.
acl corpnets { 192.168.4.0/24; 192.168.7.0/24; };
options {
     // Working directory
     directory "/etc/namedb";
     allow-query { corpnets; };
};
// Provide a reverse mapping for the loopback
// address 127.0.0.1
zone "0.0.127.in-addr.arpa" {
     type master;
     file "localhost.rev";
     notify no;
};
</pre>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2567992"></a>An Authoritative-only Name Server</h3></div></div></div>
<p>
This sample configuration is for an authoritative-only server
that is the master server for "<code class="filename">example.com</code>"
and a slave for the subdomain "<code class="filename">eng.example.com</code>".
</p>
<pre class="programlisting">
options {
     // Working directory
     directory "/etc/namedb";
     // Do not allow access to cache
     allow-query-cache { none; };
     // This is the default
     allow-query { any; };
     // Do not provide recursive service
     recursion no;
};
// Provide a reverse mapping for the loopback
// address 127.0.0.1
zone "0.0.127.in-addr.arpa" {
     type master;
     file "localhost.rev";
     notify no;
};
// We are the master server for example.com
zone "example.com" {
     type master;
     file "example.com.db";
     // IP addresses of slave servers allowed to
     // transfer example.com
     allow-transfer {
          192.168.4.14;
          192.168.5.53;
     };
};
// We are a slave server for eng.example.com
zone "eng.example.com" {
     type slave;
     file "eng.example.com.bk";
     // IP address of eng.example.com master server
     masters { 192.168.4.12; };
};
</pre>
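<p>
The access-control effect of the two samples above can be checked without a running
server. The following is an added example, not part of the BIND ARM and not BIND's own
code: a minimal parser for the subset of <code class="filename">named.conf</code> syntax the
samples use (<code class="literal">acl</code>, <code class="literal">options</code> and
<code class="literal">zone</code> blocks with address-match lists) and an evaluator that
answers whether a given client address would be allowed to query, or to transfer a zone,
under each configuration. The configuration texts are the chapter's samples embedded so
the example runs offline; the function names are the example's own.
</p>

```python
"""Address-match-list evaluation for the chapter's two sample configurations.

Added example (not from the BIND ARM or BIND itself): parse the subset of
named.conf used by the samples and decide whether a client address would be
served.  Only acl/options/zone blocks and address-match lists are handled.
"""
import ipaddress
import re

# The chapter's caching-only sample, embedded here for an offline run.
CACHING_ONLY = """
// Two corporate subnets we wish to allow queries from.
acl corpnets { 192.168.4.0/24; 192.168.7.0/24; };
options { directory "/etc/namedb"; allow-query { corpnets; }; };
zone "0.0.127.in-addr.arpa" { type master; file "localhost.rev"; notify no; };
"""

# The chapter's authoritative-only sample, embedded here for an offline run.
AUTH_ONLY = """
options {
    directory "/etc/namedb";
    allow-query-cache { none; };
    allow-query { any; };
    recursion no;
};
zone "example.com" {
    type master;
    file "example.com.db";
    allow-transfer { 192.168.4.14; 192.168.5.53; };
};
zone "eng.example.com" { type slave; file "eng.example.com.bk"; masters { 192.168.4.12; }; };
"""


def tokenize(text):
    """Split named.conf text into tokens; // comments are dropped first."""
    text = re.sub(r"//[^\n]*", "", text)
    return re.findall(r'"[^"]*"|[{};]|[^\s{};]+', text)


def parse(tokens, pos=0):
    """Parse tokens into statements (words, body): body is the parsed contents
    of a { ... } block, or None for a plain 'word word;' statement."""
    stmts, words = [], []
    while pos < len(tokens):
        tok = tokens[pos]
        pos += 1
        if tok == "{":
            body, pos = parse(tokens, pos)
            stmts.append((words, body))
            words = []
        elif tok == "}":
            return stmts, pos
        elif tok == ";":
            if words:
                stmts.append((words, None))
            words = []
        else:
            words.append(tok.strip('"'))
    return stmts, pos


def find(stmts, *lead):
    """Body of the first statement whose leading words equal `lead`, else None."""
    for words, body in stmts:
        if words[:len(lead)] == list(lead):
            return body
    return None


def matches(addr, items, acls):
    """Evaluate an address-match list as BIND does: elements are tried in order,
    the first element that matches decides, and a leading '!' turns that match
    into a refusal.  Bare names refer to acl definitions; 'any' and 'none' are
    the built-in lists."""
    for words, _ in items:
        negate = words[0].startswith("!")
        elem = words[-1].lstrip("!")
        if elem == "any":
            hit = True
        elif elem == "none":
            hit = False                        # the empty list never matches
        elif elem in acls:
            hit = matches(addr, acls[elem], acls)
        else:
            hit = addr in ipaddress.ip_network(elem, strict=False)
        if hit:
            return not negate
    return False                               # no element matched: refused


def load(text):
    """Parse a configuration and collect its acl definitions by name."""
    stmts, _ = parse(tokenize(text))
    acls = {words[1]: body for words, body in stmts if words[0] == "acl"}
    return stmts, acls


def query_allowed(conf_text, client):
    """Would the options-level allow-query accept a query from `client`?"""
    stmts, acls = load(conf_text)
    lst = find(find(stmts, "options") or [], "allow-query")
    if lst is None:
        return True                            # allow-query defaults to { any; }
    return matches(ipaddress.ip_address(client), lst, acls)


def transfer_allowed(conf_text, zone, client):
    """Would `client` be allowed a zone transfer of `zone`?  The zone's own
    allow-transfer wins, then the options-level one; with neither present the
    default documented for this BIND generation is to allow all hosts."""
    stmts, acls = load(conf_text)
    lst = find(find(stmts, "zone", zone) or [], "allow-transfer")
    if lst is None:
        lst = find(find(stmts, "options") or [], "allow-transfer")
    if lst is None:
        return True
    return matches(ipaddress.ip_address(client), lst, acls)


if __name__ == "__main__":
    for ip in ("192.168.4.10", "10.1.2.3"):
        print(ip, "query (caching-only):", query_allowed(CACHING_ONLY, ip))
    for ip in ("192.168.4.14", "192.168.4.15"):
        print(ip, "AXFR example.com:", transfer_allowed(AUTH_ONLY, "example.com", ip))
    print("AXFR eng.example.com from 203.0.113.9:",
          transfer_allowed(AUTH_ONLY, "eng.example.com", "203.0.113.9"))
```

<p>
Running the evaluator over the authoritative sample also shows the one thing the sample
leaves open: the <code class="literal">eng.example.com</code> slave zone carries no
<code class="literal">allow-transfer</code> and there is none in
<code class="literal">options</code>, so transfers of that zone fall back to the default,
which allows any host. An <code class="literal">allow-transfer</code> in
<code class="literal">options</code> closes that gap for every zone at once.
</p>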
</div>
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id2568014"></a>Load Balancing</h2></div></div></div>
<p>
A primitive form of load balancing can be achieved in
the <acronym class="acronym">DNS</acronym> by using multiple records
(such as multiple A records) for one name.
</p>
<p>
For example, if you have three WWW servers with network addresses
of 10.0.0.1, 10.0.0.2 and 10.0.0.3, a set of records such as the
following means that clients will connect to each machine one third
of the time:
</p>
<div class="informaltable"><table border="1">
<colgroup>
<col>
<col>
<col>
<col>
<col>
</colgroup>
<tbody>
<tr>
<td><p>Name</p></td>
<td><p>TTL</p></td>
<td><p>CLASS</p></td>
<td><p>TYPE</p></td>
<td><p>Resource Record (RR) Data</p></td>
</tr>
<tr>
<td><p><code class="literal">www</code></p></td>
<td><p><code class="literal">600</code></p></td>
<td><p><code class="literal">IN</code></p></td>
<td><p><code class="literal">A</code></p></td>
<td><p><code class="literal">10.0.0.1</code></p></td>
</tr>
<tr>
<td><p></p></td>
<td><p><code class="literal">600</code></p></td>
<td><p><code class="literal">IN</code></p></td>
<td><p><code class="literal">A</code></p></td>
<td><p><code class="literal">10.0.0.2</code></p></td>
</tr>
<tr>
<td><p></p></td>
<td><p><code class="literal">600</code></p></td>
<td><p><code class="literal">IN</code></p></td>
<td><p><code class="literal">A</code></p></td>
<td><p><code class="literal">10.0.0.3</code></p></td>
</tr>
</tbody>
</table></div>
<p>
When a resolver queries for these records, <acronym class="acronym">BIND</acronym> will rotate
them and respond to the query with the records in a different
order. In the example above, clients will randomly receive
records in the order 1, 2, 3; 2, 3, 1; and 3, 1, 2. Most clients
will use the first record returned and discard the rest.
</p>
<p>
For more detail on ordering responses, see the
<span><strong class="command">rrset-order</strong></span> sub-statement of the
<span><strong class="command">options</strong></span> statement, described in
<a href="Bv9ARM.ch06.html#rrset_ordering">RRset Ordering</a>.
</p>
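<p>
The rotation described above, and what it means for clients that only use the first
record, can be modelled in a few lines. The following is an added example and not code
from BIND: it reproduces the cyclic ordering for the constructed three-address
<code class="literal">www</code> RRset from the table, adds the fixed and random orderings
that <span><strong class="command">rrset-order</strong></span> can select, and counts the share
of first-record clients each address receives. It also shows why the chapter calls this
load balancing primitive: the rotation is blind to server health, so an address that is
down keeps its share until the record is removed and cached answers expire. Function
names and the simulation are the example's own.
</p>

```python
"""Answer-order rotation for a multi-record RRset (Load Balancing section).

Added example, not BIND code: model the cyclic ordering the chapter describes
(plus fixed and random, the other rrset-order choices) for the constructed
three-address "www" RRset and measure where first-record-only clients land.
"""
import random
from collections import Counter

# Constructed RRset matching the chapter's table: three A records for "www".
WWW_RRSET = ["10.0.0.1", "10.0.0.2", "10.0.0.3"]


def order_answer(rrset, query_number, mode="cyclic", rng=None):
    """Return the records in the order they appear in the Nth answer.

    cyclic: rotate by one position per answer (1,2,3 / 2,3,1 / 3,1,2 ...),
            the behaviour the chapter describes.
    fixed:  always the order the records have in the zone file.
    random: a fresh random permutation for every answer.
    """
    if not rrset:
        return []
    if mode == "cyclic":
        shift = query_number % len(rrset)
        return rrset[shift:] + rrset[:shift]
    if mode == "fixed":
        return list(rrset)
    if mode == "random":
        shuffled = list(rrset)
        (rng or random).shuffle(shuffled)
        return shuffled
    raise ValueError(f"unknown rrset-order mode: {mode}")


def first_record_share(rrset, queries, mode="cyclic", seed=0):
    """Fraction of answers in which each address came first, i.e. the share of
    connections each server gets from clients that use only the first record
    and discard the rest."""
    rng = random.Random(seed)
    counts = Counter(order_answer(rrset, n, mode, rng)[0] for n in range(queries))
    return {addr: counts[addr] / queries for addr in rrset}


def failed_connection_share(rrset, down, queries, mode="cyclic", seed=0):
    """Share of answers whose first record points at an address in `down`.

    DNS rotation knows nothing about server health: a server that is down
    keeps receiving its share of first-record clients until its record is
    removed from the zone and the old answers age out of caches (the 600 s TTL
    in the table bounds how long that takes).
    """
    rng = random.Random(seed)
    failed = sum(1 for n in range(queries)
                 if order_answer(rrset, n, mode, rng)[0] in down)
    return failed / queries


if __name__ == "__main__":
    for n in range(4):
        print("answer", n, order_answer(WWW_RRSET, n))
    print("cyclic shares:", first_record_share(WWW_RRSET, 300))
    print("fixed shares: ", first_record_share(WWW_RRSET, 300, "fixed"))
    print("failed with 10.0.0.3 down:",
          failed_connection_share(WWW_RRSET, {"10.0.0.3"}, 300))
```

<p>
With the cyclic ordering each address comes first in exactly one third of the answers,
which is the claim made above; with <code class="literal">fixed</code> every first-record
client lands on <code class="literal">10.0.0.1</code>. The failure-share function makes the
caveat concrete: with one of three servers down, one third of first-record clients still
connect to it for as long as the record stays in the zone and in caches.
</p>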
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id2568369"></a>Name Server Operations</h2></div></div></div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2568374"></a>Tools for Use With the Name Server Daemon</h3></div></div></div>
<p>
This section describes several indispensable diagnostic,
administrative and monitoring tools available to the system
administrator for controlling and debugging the name server
daemon.
</p>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="diagnostic_tools"></a>Diagnostic Tools</h4></div></div></div>
<p>
The <span><strong class="command">dig</strong></span>, <span><strong class="command">host</strong></span>, and
<span><strong class="command">nslookup</strong></span> programs are all command line tools
for manually querying name servers. They differ in style and
output format.
</p>
<div class="variablelist"><dl>
<dt><span class="term"><a name="dig"></a><span><strong class="command">dig</strong></span></span></dt>
<dd>
<p>
The domain information groper (<span><strong class="command">dig</strong></span>)
is the most versatile and complete of these lookup tools.
It has two modes: simple interactive mode for a single query,
and batch mode which executes a query for each in a list of
several query lines. All query options are accessible
from the command line.
</p>
<div class="cmdsynopsis"><p><code class="command">dig</code> [@<em class="replaceable"><code>server</code></em>] <em class="replaceable"><code>domain</code></em> [<em class="replaceable"><code>query-type</code></em>] [<em class="replaceable"><code>query-class</code></em>] [+<em class="replaceable"><code>query-option</code></em>] [-<em class="replaceable"><code>dig-option</code></em>] [%<em class="replaceable"><code>comment</code></em>]</p></div>
<p>
The usual simple use of <span><strong class="command">dig</strong></span> will take the form
</p>
<p>
<span><strong class="command">dig @server domain query-type query-class</strong></span>
</p>
<p>
For more information and a list of available commands and
options, see the <span><strong class="command">dig</strong></span> man page.
</p>
</dd>
<dt><span class="term"><span><strong class="command">host</strong></span></span></dt>
<dd>
<p>
The <span><strong class="command">host</strong></span> utility emphasizes simplicity
and ease of use. By default, it converts between host names and
Internet addresses, but its functionality can be extended with
the use of options.
</p>
<div class="cmdsynopsis"><p><code class="command">host</code> [-aCdlnrsTwv] [-c <em class="replaceable"><code>class</code></em>] [-N <em class="replaceable"><code>ndots</code></em>] [-t <em class="replaceable"><code>type</code></em>] [-W <em class="replaceable"><code>timeout</code></em>] [-R <em class="replaceable"><code>retries</code></em>] [-m <em class="replaceable"><code>flag</code></em>] [-4] [-6] <em class="replaceable"><code>hostname</code></em> [<em class="replaceable"><code>server</code></em>]</p></div>
<p>
For more information and a list of available commands and
options, see the <span><strong class="command">host</strong></span> man page.
</p>
</dd>
<dt><span class="term"><span><strong class="command">nslookup</strong></span></span></dt>
<dd>
<p><span><strong class="command">nslookup</strong></span>
has two modes: interactive and non-interactive. Interactive mode
allows the user to query name servers for information about various
hosts and domains or to print a list of hosts in a domain.
Non-interactive mode is used to print just the name and requested
information for a host or domain.
</p>
<div class="cmdsynopsis"><p><code class="command">nslookup</code> [-option...] [[<em class="replaceable"><code>host-to-find</code></em>] | [- [server]]]</p></div>
<p>
Interactive mode is entered when no arguments are given (the
default name server will be used) or when the first argument is a
hyphen (`-') and the second argument is the host name or Internet
address of a name server.
</p>
<p>
Non-interactive mode is used when the name or Internet address
of the host to be looked up is given as the first argument. The
optional second argument specifies the host name or address of a
name server.
</p>
<p>
Due to its arcane user interface and frequently inconsistent
behavior, we do not recommend the use of <span><strong class="command">nslookup</strong></span>.
Use <span><strong class="command">dig</strong></span> instead.
</p>
</dd>
</dl></div>
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="admin_tools"></a>Administrative Tools</h4></div></div></div>
<p>
Administrative tools play an integral part in the management
of a server.
</p>
<div class="variablelist"><dl>
<dt>
<a name="named-checkconf"></a><span class="term"><span><strong class="command">named-checkconf</strong></span></span>
</dt>
<dd>
<p>
The <span><strong class="command">named-checkconf</strong></span> program
checks the syntax of a <code class="filename">named.conf</code> file.
</p>
<div class="cmdsynopsis"><p><code class="command">named-checkconf</code> [-jvz] [-t <em class="replaceable"><code>directory</code></em>] [<em class="replaceable"><code>filename</code></em>]</p></div>
</dd>
<dt>
<a name="named-checkzone"></a><span class="term"><span><strong class="command">named-checkzone</strong></span></span>
</dt>
<dd>
<p>
The <span><strong class="command">named-checkzone</strong></span> program
checks a master file for syntax and consistency.
</p>
<div class="cmdsynopsis"><p><code class="command">named-checkzone</code> [-djqvD] [-c <em class="replaceable"><code>class</code></em>] [-o <em class="replaceable"><code>output</code></em>] [-t <em class="replaceable"><code>directory</code></em>] [-w <em class="replaceable"><code>directory</code></em>] [-k <em class="replaceable"><code>(ignore|warn|fail)</code></em>] [-n <em class="replaceable"><code>(ignore|warn|fail)</code></em>] [-W <em class="replaceable"><code>(ignore|warn)</code></em>] <em class="replaceable"><code>zone</code></em> [<em class="replaceable"><code>filename</code></em>]</p></div>
</dd>
<dt>
<a name="named-compilezone"></a><span class="term"><span><strong class="command">named-compilezone</strong></span></span>
</dt>
<dd><p>
Similar to <span><strong class="command">named-checkzone</strong></span>, but
it always dumps the zone content to a specified file
(typically in a different format).
</p></dd>
<dt>
<a name="rndc"></a><span class="term"><span><strong class="command">rndc</strong></span></span>
</dt>
<dd>
<p>
The remote name daemon control
(<span><strong class="command">rndc</strong></span>) program allows the system
administrator to control the operation of a name server.
Since <acronym class="acronym">BIND</acronym> 9.2, <span><strong class="command">rndc</strong></span>
supports all the commands of the BIND 8 <span><strong class="command">ndc</strong></span>
utility except <span><strong class="command">ndc start</strong></span> and
<span><strong class="command">ndc restart</strong></span>, which were also
not supported in <span><strong class="command">ndc</strong></span>'s
channel mode.
If you run <span><strong class="command">rndc</strong></span> without any options
it will display a usage message as follows:
</p>
<div class="cmdsynopsis"><p><code class="command">rndc</code> [-c <em class="replaceable"><code>config</code></em>] [-s <em class="replaceable"><code>server</code></em>] [-p <em class="replaceable"><code>port</code></em>] [-y <em class="replaceable"><code>key</code></em>] <em class="replaceable"><code>command</code></em> [<em class="replaceable"><code>command</code></em>...]</p></div>
<p>The <span><strong class="command">command</strong></span>
is one of the following:
</p>
<div class="variablelist"><dl>
<dt><span class="term"><strong class="userinput"><code>reload</code></strong></span></dt>
<dd><p>
Reload configuration file and zones.
</p></dd>
<dt><span class="term"><strong class="userinput"><code>reload <em class="replaceable"><code>zone</code></em>
[<span class="optional"><em class="replaceable"><code>class</code></em>
[<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
<dd><p>
Reload the given zone.
</p></dd>
<dt><span class="term"><strong class="userinput"><code>refresh <em class="replaceable"><code>zone</code></em>
[<span class="optional"><em class="replaceable"><code>class</code></em>
[<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
<dd><p>
Schedule zone maintenance for the given zone.
</p></dd>
<dt><span class="term"><strong class="userinput"><code>retransfer <em class="replaceable"><code>zone</code></em>
[<span class="optional"><em class="replaceable"><code>class</code></em>
[<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
<dd><p>
Retransfer the given zone from the master.
</p></dd>
<dt><span class="term"><strong class="userinput"><code>sign <em class="replaceable"><code>zone</code></em>
[<span class="optional"><em class="replaceable"><code>class</code></em>
[<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
<dd>
<p>
Fetch all DNSSEC keys for the given zone
from the key directory (see
<span><strong class="command">key-directory</strong></span> in
<a href="Bv9ARM.ch06.html#options" title="options Statement Definition and
Usage">the section called &#8220;<span><strong class="command">options</strong></span> Statement Definition and
Usage&#8221;</a>). If they are within
their publication period, merge them into the
zone's DNSKEY RRset. If the DNSKEY RRset
is changed, then the zone is automatically
re-signed with the new key set.
</p>
<p>
This command requires that the
<span><strong class="command">auto-dnssec</strong></span> zone option be set
to <code class="literal">allow</code> or
<code class="literal">maintain</code>,
and also requires the zone to be configured to
allow dynamic DNS.
See <a href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called &#8220;Dynamic Update Policies&#8221;</a> for
more details.
</p>
</dd>
<dt><span class="term"><strong class="userinput"><code>loadkeys <em class="replaceable"><code>zone</code></em>
[<span class="optional"><em class="replaceable"><code>class</code></em>
[<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
<dd>
<p>
Fetch all DNSSEC keys for the given zone
from the key directory (see
<span><strong class="command">key-directory</strong></span> in
<a href="Bv9ARM.ch06.html#options" title="options Statement Definition and
Usage">the section called &#8220;<span><strong class="command">options</strong></span> Statement Definition and
Usage&#8221;</a>). If they are within
their publication period, merge them into the
zone's DNSKEY RRset. Unlike <span><strong class="command">rndc
sign</strong></span>, however, the zone is not
immediately re-signed by the new keys, but is
allowed to incrementally re-sign over time.
</p>
<p>
This command requires that the
<span><strong class="command">auto-dnssec</strong></span> zone option
be set to <code class="literal">maintain</code>,
and also requires the zone to be configured to
allow dynamic DNS.
See <a href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called &#8220;Dynamic Update Policies&#8221;</a> for
more details.
</p>
</dd>
<dt><span class="term"><strong class="userinput"><code>freeze
[<span class="optional"><em class="replaceable"><code>zone</code></em>
[<span class="optional"><em class="replaceable"><code>class</code></em>
[<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</span>]</code></strong></span></dt>
<dd><p>
Suspend updates to a dynamic zone. If no zone is specified,
then all zones are suspended. This allows manual
edits to be made to a zone normally updated by dynamic
update. It also causes changes in the journal file to be synced
into the master and the journal file to be removed. All dynamic
update attempts will be refused while the zone is frozen.
</p></dd>
<dt><span class="term"><strong class="userinput"><code>thaw
[<span class="optional"><em class="replaceable"><code>zone</code></em>
[<span class="optional"><em class="replaceable"><code>class</code></em>
[<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</span>]</code></strong></span></dt>
<dd><p>
Enable updates to a frozen dynamic zone. If no zone is
specified, then all frozen zones are enabled. This causes
the server to reload the zone from disk, and re-enables
dynamic updates after the load has completed. After a zone
is thawed, dynamic updates will no longer be refused.
</p></dd>
<dt><span class="term"><strong class="userinput"><code>notify <em class="replaceable"><code>zone</code></em>
[<span class="optional"><em class="replaceable"><code>class</code></em>
[<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
<dd><p>
Resend NOTIFY messages for the zone.
</p></dd>
<dt><span class="term"><strong class="userinput"><code>reconfig</code></strong></span></dt>
<dd><p>
Reload the configuration file and load new zones,
but do not reload existing zone files even if they
have changed.
This is faster than a full <span><strong class="command">reload</strong></span> when there
is a large number of zones because it avoids the need
to examine the modification times of the zone files.
</p></dd>
<dt><span class="term"><strong class="userinput"><code>stats</code></strong></span></dt>
<dd><p>
Write server statistics to the statistics file.
</p></dd>
<dt><span class="term"><strong class="userinput"><code>querylog</code></strong></span></dt>
<dd><p>
Toggle query logging. Query logging can also be enabled
by explicitly directing the <span><strong class="command">queries</strong></span>
<span><strong class="command">category</strong></span> to a
<span><strong class="command">channel</strong></span> in the
<span><strong class="command">logging</strong></span> section of
<code class="filename">named.conf</code> or by specifying
<span><strong class="command">querylog yes;</strong></span> in the
<span><strong class="command">options</strong></span> section of
<code class="filename">named.conf</code>.
</p></dd>
<dt><span class="term"><strong class="userinput"><code>dumpdb
[<span class="optional">-all|-cache|-zone</span>]
[<span class="optional"><em class="replaceable"><code>view ...</code></em></span>]</code></strong></span></dt>
<dd><p>
Dump the server's caches (default) and/or zones to the
dump file for the specified views. If no view is
specified, all views are dumped.
</p></dd>
<dt><span class="term"><strong class="userinput"><code>secroots
[<span class="optional"><em class="replaceable"><code>view ...</code></em></span>]</code></strong></span></dt>
<dd><p>
Dump the server's security roots to the secroots
file for the specified views. If no view is
specified, security roots for all
views are dumped.
</p></dd>
<dt><span class="term"><strong class="userinput"><code>stop [<span class="optional">-p</span>]</code></strong></span></dt>
<dd><p>
Stop the server, making sure any recent changes
made through dynamic update or IXFR are first saved to
the master files of the updated zones.
If <code class="option">-p</code> is specified <span><strong class="command">named</strong></span>'s process id is returned.
This allows an external process to determine when <span><strong class="command">named</strong></span>
had completed stopping.
</p></dd>
<dt><span class="term"><strong class="userinput"><code>halt [<span class="optional">-p</span>]</code></strong></span></dt>
<dd><p>
Stop the server immediately. Recent changes
made through dynamic update or IXFR are not saved to
the master files, but will be rolled forward from the
journal files when the server is restarted.
If <code class="option">-p</code> is specified <span><strong class="command">named</strong></span>'s process id is returned.
This allows an external process to determine when <span><strong class="command">named</strong></span>
had completed halting.
</p></dd>
<dt><span class="term"><strong class="userinput"><code>trace</code></strong></span></dt>
<dd><p>
  628. Increment the servers debugging level by one.
  629. </p></dd>
  630. <dt><span class="term"><strong class="userinput"><code>trace <em class="replaceable"><code>level</code></em></code></strong></span></dt>
  631. <dd><p>
  632. Sets the server's debugging level to an explicit
  633. value.
  634. </p></dd>
  635. <dt><span class="term"><strong class="userinput"><code>notrace</code></strong></span></dt>
  636. <dd><p>
  637. Sets the server's debugging level to 0.
  638. </p></dd>
  639. <dt><span class="term"><strong class="userinput"><code>flush</code></strong></span></dt>
  640. <dd><p>
  641. Flushes the server's cache.
  642. </p></dd>
  643. <dt><span class="term"><strong class="userinput"><code>flushname</code></strong> <em class="replaceable"><code>name</code></em></span></dt>
  644. <dd><p>
  645. Flushes the given name from the server's cache.
  646. </p></dd>
  647. <dt><span class="term"><strong class="userinput"><code>status</code></strong></span></dt>
  648. <dd><p>
  649. Display status of the server.
  650. Note that the number of zones includes the internal <span><strong class="command">bind/CH</strong></span> zone
  651. and the default <span><strong class="command">./IN</strong></span>
  652. hint zone if there is not an
  653. explicit root zone configured.
  654. </p></dd>
  655. <dt><span class="term"><strong class="userinput"><code>recursing</code></strong></span></dt>
  656. <dd><p>
  657. Dump the list of queries <span><strong class="command">named</strong></span> is currently recursing
  658. on.
  659. </p></dd>
  660. <dt><span class="term"><strong class="userinput"><code>validation
  661. [<span class="optional">on|off</span>]
  662. [<span class="optional"><em class="replaceable"><code>view ...</code></em></span>]
  663. </code></strong></span></dt>
  664. <dd><p>
  665. Enable or disable DNSSEC validation.
  666. Note <span><strong class="command">dnssec-enable</strong></span> also needs to be
  667. set to <strong class="userinput"><code>yes</code></strong> to be effective.
  668. It defaults to enabled.
  669. </p></dd>
  670. <dt><span class="term"><strong class="userinput"><code>tsig-list</code></strong></span></dt>
  671. <dd><p>
  672. List the names of all TSIG keys currently configured
  673. for use by <span><strong class="command">named</strong></span> in each view. The
  674. list both statically configured keys and dynamic
  675. TKEY-negotiated keys.
  676. </p></dd>
  677. <dt><span class="term"><strong class="userinput"><code>tsig-delete</code></strong>
  678. <em class="replaceable"><code>keyname</code></em>
  679. [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span></dt>
  680. <dd><p>
  681. Delete a given TKEY-negotated key from the server.
  682. (This does not apply to statically configured TSIG
  683. keys.)
  684. </p></dd>
  685. <dt><span class="term"><strong class="userinput"><code>addzone
  686. <em class="replaceable"><code>zone</code></em>
  687. [<span class="optional"><em class="replaceable"><code>class</code></em>
  688. [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]
  689. <em class="replaceable"><code>configuration</code></em>
  690. </code></strong></span></dt>
  691. <dd>
  692. <p>
  693. Add a zone while the server is running. This
  694. command requires the
  695. <span><strong class="command">allow-new-zones</strong></span> option to be set
  696. to <strong class="userinput"><code>yes</code></strong>. The
  697. <em class="replaceable"><code>configuration</code></em> string
  698. specified on the command line is the zone
  699. configuration text that would ordinarily be
  700. placed in <code class="filename">named.conf</code>.
  701. </p>
  702. <p>
  703. The configuration is saved in a file called
  704. <code class="filename"><em class="replaceable"><code>hash</code></em>.nzf</code>,
  705. where <em class="replaceable"><code>hash</code></em> is a
  706. cryptographic hash generated from the name of
  707. the view. When <span><strong class="command">named</strong></span> is
  708. restarted, the file will be loaded into the view
  709. configuration, so that zones that were added
  710. can persist after a restart.
  711. </p>
  712. <p>
  713. This sample <span><strong class="command">addzone</strong></span> command
  714. would add the zone <code class="literal">example.com</code>
  715. to the default view:
  716. </p>
  717. <p>
  718. <code class="prompt">$ </code><strong class="userinput"><code>rndc addzone example.com '{ type master; file "example.com.db"; };'</code></strong>
  719. </p>
  720. <p>
  721. (Note the braces and semicolon around the zone
  722. configuration text.)
  723. </p>
  724. </dd>
  725. <dt><span class="term"><strong class="userinput"><code>delzone
  726. <em class="replaceable"><code>zone</code></em>
  727. [<span class="optional"><em class="replaceable"><code>class</code></em>
  728. [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]
  729. </code></strong></span></dt>
  730. <dd><p>
  731. Delete a zone while the server is running.
  732. Only zones that were originally added via
  733. <span><strong class="command">rndc addzone</strong></span> can be deleted
  734. in this manner.
  735. </p></dd>
  736. </dl></div>
  737. <p>
  738. A configuration file is required, since all
  739. communication with the server is authenticated with
  740. digital signatures that rely on a shared secret, and
  741. there is no way to provide that secret other than with a
  742. configuration file. The default location for the
  743. <span><strong class="command">rndc</strong></span> configuration file is
  744. <code class="filename">/etc/rndc.conf</code>, but an
  745. alternate
  746. location can be specified with the <code class="option">-c</code>
  747. option. If the configuration file is not found,
  748. <span><strong class="command">rndc</strong></span> will also look in
  749. <code class="filename">/etc/rndc.key</code> (or whatever
  750. <code class="varname">sysconfdir</code> was defined when
  751. the <acronym class="acronym">BIND</acronym> build was
  752. configured).
  753. The <code class="filename">rndc.key</code> file is
  754. generated by
  755. running <span><strong class="command">rndc-confgen -a</strong></span> as
  756. described in
  757. <a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage" title="controls Statement Definition and
  758. Usage">the section called &#8220;<span><strong class="command">controls</strong></span> Statement Definition and
  759. Usage&#8221;</a>.
  760. </p>
  761. <p>
  762. The format of the configuration file is similar to
  763. that of <code class="filename">named.conf</code>, but
  764. limited to
  765. only four statements, the <span><strong class="command">options</strong></span>,
  766. <span><strong class="command">key</strong></span>, <span><strong class="command">server</strong></span> and
  767. <span><strong class="command">include</strong></span>
  768. statements. These statements are what associate the
  769. secret keys to the servers with which they are meant to
  770. be shared. The order of statements is not
  771. significant.
  772. </p>
  773. <p>
  774. The <span><strong class="command">options</strong></span> statement has
  775. three clauses:
  776. <span><strong class="command">default-server</strong></span>, <span><strong class="command">default-key</strong></span>,
  777. and <span><strong class="command">default-port</strong></span>.
  778. <span><strong class="command">default-server</strong></span> takes a
  779. host name or address argument and represents the server
  780. that will
  781. be contacted if no <code class="option">-s</code>
  782. option is provided on the command line.
  783. <span><strong class="command">default-key</strong></span> takes
  784. the name of a key as its argument, as defined by a <span><strong class="command">key</strong></span> statement.
  785. <span><strong class="command">default-port</strong></span> specifies the
  786. port to which
  787. <span><strong class="command">rndc</strong></span> should connect if no
  788. port is given on the command line or in a
  789. <span><strong class="command">server</strong></span> statement.
  790. </p>
  791. <p>
  792. The <span><strong class="command">key</strong></span> statement defines a
  793. key to be used
  794. by <span><strong class="command">rndc</strong></span> when authenticating
  795. with
  796. <span><strong class="command">named</strong></span>. Its syntax is
  797. identical to the
  798. <span><strong class="command">key</strong></span> statement in <code class="filename">named.conf</code>.
  799. The keyword <strong class="userinput"><code>key</code></strong> is
  800. followed by a key name, which must be a valid
  801. domain name, though it need not actually be hierarchical;
  802. thus,
  803. a string like "<strong class="userinput"><code>rndc_key</code></strong>" is a valid
  804. name.
  805. The <span><strong class="command">key</strong></span> statement has two
  806. clauses:
  807. <span><strong class="command">algorithm</strong></span> and <span><strong class="command">secret</strong></span>.
  808. While the configuration parser will accept any string as the
  809. argument
  810. to algorithm, currently only the string "<strong class="userinput"><code>hmac-md5</code></strong>"
  811. has any meaning. The secret is a base-64 encoded string
  812. as specified in RFC 3548.
  813. </p>
  814. <p>
  815. The <span><strong class="command">server</strong></span> statement
  816. associates a key
  817. defined using the <span><strong class="command">key</strong></span>
  818. statement with a server.
  819. The keyword <strong class="userinput"><code>server</code></strong> is followed by a
  820. host name or address. The <span><strong class="command">server</strong></span> statement
  821. has two clauses: <span><strong class="command">key</strong></span> and <span><strong class="command">port</strong></span>.
  822. The <span><strong class="command">key</strong></span> clause specifies the
  823. name of the key
  824. to be used when communicating with this server, and the
  825. <span><strong class="command">port</strong></span> clause can be used to
  826. specify the port <span><strong class="command">rndc</strong></span> should
  827. connect
  828. to on the server.
  829. </p>
  830. <p>
  831. A sample minimal configuration file is as follows:
  832. </p>
  833. <pre class="programlisting">
  834. key rndc_key {
  835. algorithm "hmac-md5";
  836. secret
  837. "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K";
  838. };
  839. options {
  840. default-server 127.0.0.1;
  841. default-key rndc_key;
  842. };
  843. </pre>
  844. <p>
  845. This file, if installed as <code class="filename">/etc/rndc.conf</code>,
  846. would allow the command:
  847. </p>
  848. <p>
  849. <code class="prompt">$ </code><strong class="userinput"><code>rndc reload</code></strong>
  850. </p>
  851. <p>
  852. to connect to 127.0.0.1 port 953 and cause the name server
  853. to reload, if a name server on the local machine were
  854. running with the
  855. following controls statement:
  856. </p>
  857. <pre class="programlisting">
  858. controls {
  859. inet 127.0.0.1
  860. allow { localhost; } keys { rndc_key; };
  861. };
  862. </pre>
  863. <p>
  864. and it had an identical key statement for
  865. <code class="literal">rndc_key</code>.
  866. </p>
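An added example, not part of the BIND manual or of rndc-confgen: a small Python parser for the key, options and server statements described above, which checks that every default-key and server key clause names a defined key statement, that the algorithm is hmac-md5, and that the secret is base-64 as RFC 3548 requires. The input is constructed from the sample file above plus a server statement for a hypothetical host whose key is never defined; include statements are not followed.

```python
import base64
import binascii
import re

# Constructed sample: the minimal rndc.conf shown above, plus a server
# statement (hypothetical host) whose key clause names a key never defined.
SAMPLE_RNDC_CONF = """
key rndc_key {
    algorithm "hmac-md5";
    secret "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K";
};
options { default-server 127.0.0.1; default-key rndc_key; };
server 192.0.2.53 { key other_key; port 953; };
"""

# Top-level statement (keyword, optional name, brace body, ';') and a clause inside a body.
STMT_RE = re.compile(r'(?<![\w-])(key|options|server)\s*("?[^\s"{}]+"?)?\s*\{([^}]*)\};')
CLAUSE_RE = re.compile(r'([\w-]+)\s+"?([^";]+?)"?\s*;')


def parse_rndc_conf(text):
    """Return (keys, options, servers) dicts; include statements are not followed."""
    keys, options, servers = {}, {}, {}
    for stmt, name, body in STMT_RE.findall(text):
        clauses = dict(CLAUSE_RE.findall(body))
        if stmt == "key":
            keys[name.strip('"')] = clauses
        elif stmt == "server":
            servers[name.strip('"')] = clauses
        else:
            options.update(clauses)
    return keys, options, servers


def check_rndc_conf(text):
    """List consistency problems; an empty list means the file hangs together."""
    keys, options, servers = parse_rndc_conf(text)
    problems = []
    for name, k in keys.items():
        if k.get("algorithm") != "hmac-md5":
            problems.append(f"key {name}: algorithm {k.get('algorithm')!r} is not hmac-md5")
        try:  # secret must be base-64 (RFC 3548); validate=True rejects stray characters
            if not base64.b64decode(k.get("secret", ""), validate=True):
                raise binascii.Error("empty secret")
        except binascii.Error:
            problems.append(f"key {name}: secret is missing or not valid base64")
    dk = options.get("default-key")
    if dk is not None and dk not in keys:
        problems.append(f"options: default-key {dk} is not defined by a key statement")
    for host, s in servers.items():
        if s.get("key") not in keys:
            problems.append(f"server {host}: key {s.get('key')} is not defined")
    return problems
```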
  867. <p>
  868. Running the <span><strong class="command">rndc-confgen</strong></span>
  869. program will
  870. conveniently create a <code class="filename">rndc.conf</code>
  871. file for you, and also display the
  872. corresponding <span><strong class="command">controls</strong></span>
  873. statement that you need to
  874. add to <code class="filename">named.conf</code>.
  875. Alternatively,
  876. you can run <span><strong class="command">rndc-confgen -a</strong></span>
  877. to set up
  878. a <code class="filename">rndc.key</code> file and not
  879. modify
  880. <code class="filename">named.conf</code> at all.
  881. </p>
  882. </dd>
  883. </dl></div>
  884. </div>
  885. </div>
  886. <div class="sect2" lang="en">
  887. <div class="titlepage"><div><div><h3 class="title">
  888. <a name="id2570421"></a>Signals</h3></div></div></div>
  889. <p>
  890. Certain UNIX signals cause the name server to take specific
  891. actions, as described in the following table. These signals can
  892. be sent using the <span><strong class="command">kill</strong></span> command.
  893. </p>
  894. <div class="informaltable"><table border="1">
  895. <colgroup>
  896. <col>
  897. <col>
  898. </colgroup>
  899. <tbody>
  900. <tr>
  901. <td>
  902. <p><span><strong class="command">SIGHUP</strong></span></p>
  903. </td>
  904. <td>
  905. <p>
  906. Causes the server to read <code class="filename">named.conf</code> and
  907. reload the database.
  908. </p>
  909. </td>
  910. </tr>
  911. <tr>
  912. <td>
  913. <p><span><strong class="command">SIGTERM</strong></span></p>
  914. </td>
  915. <td>
  916. <p>
  917. Causes the server to clean up and exit.
  918. </p>
  919. </td>
  920. </tr>
  921. <tr>
  922. <td>
  923. <p><span><strong class="command">SIGINT</strong></span></p>
  924. </td>
  925. <td>
  926. <p>
  927. Causes the server to clean up and exit.
  928. </p>
  929. </td>
  930. </tr>
  931. </tbody>
  932. </table></div>
  933. </div>
  934. </div>
  935. </div>
  936. <div class="navfooter">
  937. <hr>
  938. <table width="100%" summary="Navigation footer">
  939. <tr>
  940. <td width="40%" align="left">
  941. <a accesskey="p" href="Bv9ARM.ch02.html">Prev</a> </td>
  942. <td width="20%" align="center"> </td>
  943. <td width="40%" align="right"> <a accesskey="n" href="Bv9ARM.ch04.html">Next</a>
  944. </td>
  945. </tr>
  946. <tr>
  947. <td width="40%" align="left" valign="top">Chapter 2. <acronym class="acronym">BIND</acronym> Resource Requirements </td>
  948. <td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
  949. <td width="40%" align="right" valign="top"> Chapter 4. Advanced DNS Features</td>
  950. </tr>
  951. </table>
  952. </div>
  953. </body>
  954. </html>