/contrib/bind9/doc/arm/libdns.xml

https://bitbucket.org/freebsd/freebsd-head/ · XML · 530 lines · 509 code · 4 blank · 17 comment · 0 complexity · b4ed988a7812a60cd1dcd319a38b8a9d MD5 · raw file

  1. <?xml version="1.0" encoding="utf-8"?>
  2. <!--
  3. - Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
  4. -
  5. - Permission to use, copy, modify, and/or distribute this software for any
  6. - purpose with or without fee is hereby granted, provided that the above
  7. - copyright notice and this permission notice appear in all copies.
  8. -
  9. - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
  10. - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
  11. - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
  12. - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
  13. - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
  14. - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  15. - PERFORMANCE OF THIS SOFTWARE.
  16. -->
  17. <sect1 id="bind9.library">
  18. <title>BIND 9 DNS Library Support</title>
  19. <para>This version of BIND 9 "exports" its internal libraries so
  20. that they can be used by third-party applications more easily (we
  21. call them "export" libraries in this document). In addition to
  22. all major DNS-related APIs BIND 9 is currently using, the export
  23. libraries provide the following features:</para>
  24. <itemizedlist>
  25. <listitem>
  26. <para>The newly created "DNS client" module. This is a higher
  27. level API that provides an interface to name resolution,
  28. single DNS transaction with a particular server, and dynamic
  29. update. Regarding name resolution, it supports advanced
  30. features such as DNSSEC validation and caching. This module
  31. supports both synchronous and asynchronous mode.</para>
  32. </listitem>
  33. <listitem>
  34. <para>The new "IRS" (Information Retrieval System) library.
  35. It provides an interface to parse the traditional resolv.conf
  36. file and more advanced, DNS-specific configuration file for
  37. the rest of this package (see the description for the
  38. dns.conf file below).</para>
  39. </listitem>
  40. <listitem>
  41. <para>As part of the IRS library, newly implemented standard
  42. address-name mapping functions, getaddrinfo() and
  43. getnameinfo(), are provided. They use the DNSSEC-aware
  44. validating resolver backend, and could use other advanced
  45. features of the BIND 9 libraries such as caching. The
  46. getaddrinfo() function resolves both A and AAAA RRs
  47. concurrently (when the address family is unspecified).</para>
  48. </listitem>
  49. <listitem>
  50. <para>An experimental framework to support other event
  51. libraries than BIND 9's internal event task system.</para>
  52. </listitem>
  53. </itemizedlist>
  54. <sect2>
  55. <title>Prerequisite</title>
  56. <para>GNU make is required to build the export libraries (other
  57. part of BIND 9 can still be built with other types of make). In
  58. the reminder of this document, "make" means GNU make. Note that
  59. in some platforms you may need to invoke a different command name
  60. than "make" (e.g. "gmake") to indicate it's GNU make.</para>
  61. </sect2>
  62. <sect2>
  63. <title>Compilation</title>
  64. <screen>
  65. $ <userinput>./configure --enable-exportlib <replaceable>[other flags]</replaceable></userinput>
  66. $ <userinput>make</userinput>
  67. </screen>
  68. <para>
  69. This will create (in addition to usual BIND 9 programs) and a
  70. separate set of libraries under the lib/export directory. For
  71. example, <filename>lib/export/dns/libdns.a</filename> is the archive file of the
  72. export version of the BIND 9 DNS library. Sample application
  73. programs using the libraries will also be built under the
  74. lib/export/samples directory (see below).</para>
  75. </sect2>
  76. <sect2>
  77. <title>Installation</title>
  78. <screen>
  79. $ <userinput>cd lib/export</userinput>
  80. $ <userinput>make install</userinput>
  81. </screen>
  82. <para>
  83. This will install library object files under the directory
  84. specified by the --with-export-libdir configure option (default:
  85. EPREFIX/lib/bind9), and header files under the directory
  86. specified by the --with-export-includedir configure option
  87. (default: PREFIX/include/bind9).
  88. Root privilege is normally required.
  89. "<command>make install</command>" at the top directory will do the
  90. same.
  91. </para>
  92. <para>
  93. To see how to build your own
  94. application after the installation, see
  95. <filename>lib/export/samples/Makefile-postinstall.in</filename>.</para>
  96. </sect2>
  97. <sect2>
  98. <title>Known Defects/Restrictions</title>
  99. <itemizedlist>
  100. <listitem>
  101. <!-- TODO: what about AIX? -->
  102. <para>Currently, win32 is not supported for the export
  103. library. (Normal BIND 9 application can be built as
  104. before).</para>
  105. </listitem>
  106. <listitem>
  107. <para>The "fixed" RRset order is not (currently) supported in
  108. the export library. If you want to use "fixed" RRset order
  109. for, e.g. <command>named</command> while still building the
  110. export library even without the fixed order support, build
  111. them separately:
  112. <screen>
  113. $ <userinput>./configure --enable-fixed-rrset <replaceable>[other flags, but not --enable-exportlib]</replaceable></userinput>
  114. $ <userinput>make</userinput>
  115. $ <userinput>./configure --enable-exportlib <replaceable>[other flags, but not --enable-fixed-rrset]</replaceable></userinput>
  116. $ <userinput>cd lib/export</userinput>
  117. $ <userinput>make</userinput>
  118. </screen>
  119. </para>
  120. </listitem>
  121. <listitem>
  122. <para>The client module and the IRS library currently do not
  123. support DNSSEC validation using DLV (the underlying modules
  124. can handle it, but there is no tunable interface to enable
  125. the feature).</para>
  126. </listitem>
  127. <listitem>
  128. <para>RFC 5011 is not supported in the validating stub
  129. resolver of the export library. In fact, it is not clear
  130. whether it should: trust anchors would be a system-wide
  131. configuration which would be managed by an administrator,
  132. while the stub resolver will be used by ordinary applications
  133. run by a normal user.</para>
  134. </listitem>
  135. <listitem>
  136. <para>Not all common <filename>/etc/resolv.conf</filename>
  137. options are supported
  138. in the IRS library. The only available options in this
  139. version are "debug" and "ndots".</para>
  140. </listitem>
  141. </itemizedlist>
  142. </sect2>
  143. <sect2>
  144. <title>The dns.conf File</title>
  145. <para>The IRS library supports an "advanced" configuration file
  146. related to the DNS library for configuration parameters that
  147. would be beyond the capability of the
  148. <filename>resolv.conf</filename> file.
  149. Specifically, it is intended to provide DNSSEC related
  150. configuration parameters. By default the path to this
  151. configuration file is <filename>/etc/dns.conf</filename>.
  152. This module is very
  153. experimental and the configuration syntax or library interfaces
  154. may change in future versions. Currently, only the
  155. <command>trusted-keys</command>
  156. statement is supported, whose syntax is the same as the same name
  157. of statement for <filename>named.conf</filename>. (See
  158. <xref linkend="trusted-keys" /> for details.)</para>
  159. </sect2>
  160. <sect2>
  161. <title>Sample Applications</title>
  162. <para>Some sample application programs using this API are
  163. provided for reference. The following is a brief description of
  164. these applications.
  165. </para>
  166. <sect3>
  167. <title>sample: a simple stub resolver utility</title>
  168. <para>
  169. It sends a query of a given name (of a given optional RR type) to a
  170. specified recursive server, and prints the result as a list of
  171. RRs. It can also act as a validating stub resolver if a trust
  172. anchor is given via a set of command line options.</para>
  173. <para>
  174. Usage: sample [options] server_address hostname
  175. </para>
  176. <para>
  177. Options and Arguments:
  178. </para>
  179. <variablelist>
  180. <varlistentry>
  181. <term>
  182. -t RRtype
  183. </term>
  184. <listitem><para>
  185. specify the RR type of the query. The default is the A RR.
  186. </para></listitem>
  187. </varlistentry>
  188. <varlistentry>
  189. <term>
  190. [-a algorithm] [-e] -k keyname -K keystring
  191. </term>
  192. <listitem><para>
  193. specify a command-line DNS key to validate the answer. For
  194. example, to specify the following DNSKEY of example.com:
  195. <literallayout>
  196. example.com. 3600 IN DNSKEY 257 3 5 xxx
  197. </literallayout>
  198. specify the options as follows:
  199. <screen>
  200. <userinput>
  201. -e -k example.com -K "xxx"
  202. </userinput>
  203. </screen>
  204. -e means that this key is a zone's "key signing key" (as known
  205. as "secure Entry point").
  206. When -a is omitted rsasha1 will be used by default.
  207. </para></listitem>
  208. </varlistentry>
  209. <varlistentry>
  210. <term>
  211. -s domain:alt_server_address
  212. </term>
  213. <listitem><para>
  214. specify a separate recursive server address for the specific
  215. "domain". Example: -s example.com:2001:db8::1234
  216. </para></listitem>
  217. </varlistentry>
  218. <varlistentry>
  219. <term>server_address</term>
  220. <listitem><para>
  221. an IP(v4/v6) address of the recursive server to which queries
  222. are sent.
  223. </para></listitem>
  224. </varlistentry>
  225. <varlistentry>
  226. <term>hostname</term>
  227. <listitem><para>
  228. the domain name for the query
  229. </para></listitem>
  230. </varlistentry>
  231. </variablelist>
  232. </sect3>
  233. <sect3>
  234. <title>sample-async: a simple stub resolver, working asynchronously</title>
  235. <para>
  236. Similar to "sample", but accepts a list
  237. of (query) domain names as a separate file and resolves the names
  238. asynchronously.</para>
  239. <para>
  240. Usage: sample-async [-s server_address] [-t RR_type] input_file</para>
  241. <para>
  242. Options and Arguments:
  243. </para>
  244. <variablelist>
  245. <varlistentry>
  246. <term>
  247. -s server_address
  248. </term>
  249. <listitem>
  250. an IPv4 address of the recursive server to which queries are sent.
  251. (IPv6 addresses are not supported in this implementation)
  252. </listitem>
  253. </varlistentry>
  254. <varlistentry>
  255. <term>
  256. -t RR_type
  257. </term>
  258. <listitem>
  259. specify the RR type of the queries. The default is the A
  260. RR.
  261. </listitem>
  262. </varlistentry>
  263. <varlistentry>
  264. <term>
  265. input_file
  266. </term>
  267. <listitem>
  268. a list of domain names to be resolved. each line
  269. consists of a single domain name. Example:
  270. <literallayout>
  271. www.example.com
  272. mx.examle.net
  273. ns.xxx.example
  274. </literallayout>
  275. </listitem>
  276. </varlistentry>
  277. </variablelist>
  278. </sect3>
  279. <sect3>
  280. <title>sample-request: a simple DNS transaction client</title>
  281. <para>
  282. It sends a query to a specified server, and
  283. prints the response with minimal processing. It doesn't act as a
  284. "stub resolver": it stops the processing once it gets any
  285. response from the server, whether it's a referral or an alias
  286. (CNAME or DNAME) that would require further queries to get the
  287. ultimate answer. In other words, this utility acts as a very
  288. simplified <command>dig</command>.
  289. </para>
  290. <para>
  291. Usage: sample-request [-t RRtype] server_address hostname
  292. </para>
  293. <para>
  294. Options and Arguments:
  295. </para>
  296. <variablelist>
  297. <varlistentry>
  298. <term>
  299. -t RRtype
  300. </term>
  301. <listitem>
  302. <para>
  303. specify the RR type of
  304. the queries. The default is the A RR.
  305. </para>
  306. </listitem>
  307. </varlistentry>
  308. <varlistentry>
  309. <term>
  310. server_address
  311. </term>
  312. <listitem>
  313. <para>
  314. an IP(v4/v6)
  315. address of the recursive server to which the query is sent.
  316. </para>
  317. </listitem>
  318. </varlistentry>
  319. <varlistentry>
  320. <term>
  321. hostname
  322. </term>
  323. <listitem>
  324. <para>
  325. the domain name for the query
  326. </para>
  327. </listitem>
  328. </varlistentry>
  329. </variablelist>
  330. </sect3>
  331. <sect3>
  332. <title>sample-gai: getaddrinfo() and getnameinfo() test code</title>
  333. <para>
  334. This is a test program
  335. to check getaddrinfo() and getnameinfo() behavior. It takes a
  336. host name as an argument, calls getaddrinfo() with the given host
  337. name, and calls getnameinfo() with the resulting IP addresses
  338. returned by getaddrinfo(). If the dns.conf file exists and
  339. defines a trust anchor, the underlying resolver will act as a
  340. validating resolver, and getaddrinfo()/getnameinfo() will fail
  341. with an EAI_INSECUREDATA error when DNSSEC validation fails.
  342. </para>
  343. <para>
  344. Usage: sample-gai hostname
  345. </para>
  346. </sect3>
  347. <sect3>
  348. <title>sample-update: a simple dynamic update client program</title>
  349. <para>
  350. It accepts a single update command as a
  351. command-line argument, sends an update request message to the
  352. authoritative server, and shows the response from the server. In
  353. other words, this is a simplified <command>nsupdate</command>.
  354. </para>
  355. <para>
  356. Usage: sample-update [options] (add|delete) "update data"
  357. </para>
  358. <para>
  359. Options and Arguments:
  360. </para>
  361. <variablelist>
  362. <varlistentry>
  363. <term>
  364. -a auth_server
  365. </term>
  366. <listitem><para>
  367. An IP address of the authoritative server that has authority
  368. for the zone containing the update name. This should normally
  369. be the primary authoritative server that accepts dynamic
  370. updates. It can also be a secondary server that is configured
  371. to forward update requests to the primary server.
  372. </para></listitem>
  373. </varlistentry>
  374. <varlistentry>
  375. <term>
  376. -k keyfile
  377. </term>
  378. <listitem><para>
  379. A TSIG key file to secure the update transaction. The keyfile
  380. format is the same as that for the nsupdate utility.
  381. </para></listitem>
  382. </varlistentry>
  383. <varlistentry>
  384. <term>
  385. -p prerequisite
  386. </term>
  387. <listitem><para>
  388. A prerequisite for the update (only one prerequisite can be
  389. specified). The prerequisite format is the same as that is
  390. accepted by the nsupdate utility.
  391. </para></listitem>
  392. </varlistentry>
  393. <varlistentry>
  394. <term>
  395. -r recursive_server
  396. </term>
  397. <listitem><para>
  398. An IP address of a recursive server that this utility will
  399. use. A recursive server may be necessary to identify the
  400. authoritative server address to which the update request is
  401. sent.
  402. </para></listitem>
  403. </varlistentry>
  404. <varlistentry>
  405. <term>
  406. -z zonename
  407. </term>
  408. <listitem><para>
  409. The domain name of the zone that contains
  410. </para></listitem>
  411. </varlistentry>
  412. <varlistentry>
  413. <term>
  414. (add|delete)
  415. </term>
  416. <listitem><para>
  417. Specify the type of update operation. Either "add" or "delete"
  418. must be specified.
  419. </para></listitem>
  420. </varlistentry>
  421. <varlistentry>
  422. <term>
  423. "update data"
  424. </term>
  425. <listitem><para>
  426. Specify the data to be updated. A typical example of the data
  427. would look like "name TTL RRtype RDATA".
  428. </para></listitem>
  429. </varlistentry>
  430. </variablelist>
  431. <note>In practice, either -a or -r must be specified. Others can
  432. be optional; the underlying library routine tries to identify the
  433. appropriate server and the zone name for the update.</note>
  434. <para>
  435. Examples: assuming the primary authoritative server of the
  436. dynamic.example.com zone has an IPv6 address 2001:db8::1234,
  437. </para>
  438. <screen>
  439. $ <userinput>sample-update -a sample-update -k Kxxx.+nnn+mmmm.key add "foo.dynamic.example.com 30 IN A 192.168.2.1"</userinput></screen>
  440. <para>
  441. adds an A RR for foo.dynamic.example.com using the given key.
  442. </para>
  443. <screen>
  444. $ <userinput>sample-update -a sample-update -k Kxxx.+nnn+mmmm.key delete "foo.dynamic.example.com 30 IN A"</userinput></screen>
  445. <para>
  446. removes all A RRs for foo.dynamic.example.com using the given key.
  447. </para>
  448. <screen>
  449. $ <userinput>sample-update -a sample-update -k Kxxx.+nnn+mmmm.key delete "foo.dynamic.example.com"</userinput></screen>
  450. <para>
  451. removes all RRs for foo.dynamic.example.com using the given key.
  452. </para>
  453. </sect3>
  454. <sect3>
  455. <title>nsprobe: domain/name server checker in terms of RFC 4074</title>
  456. <para>
  457. It checks a set
  458. of domains to see the name servers of the domains behave
  459. correctly in terms of RFC 4074. This is included in the set of
  460. sample programs to show how the export library can be used in a
  461. DNS-related application.
  462. </para>
  463. <para>
  464. Usage: nsprobe [-d] [-v [-v...]] [-c cache_address] [input_file]
  465. </para>
  466. <para>
  467. Options
  468. </para>
  469. <variablelist>
  470. <varlistentry>
  471. <term>
  472. -d
  473. </term>
  474. <listitem><para>
  475. run in the "debug" mode. with this option nsprobe will dump
  476. every RRs it receives.
  477. </para></listitem>
  478. </varlistentry>
  479. <varlistentry>
  480. <term>
  481. -v
  482. </term>
  483. <listitem><para>
  484. increase verbosity of other normal log messages. This can be
  485. specified multiple times
  486. </para></listitem>
  487. </varlistentry>
  488. <varlistentry>
  489. <term>
  490. -c cache_address
  491. </term>
  492. <listitem><para>
  493. specify an IP address of a recursive (caching) name server.
  494. nsprobe uses this server to get the NS RRset of each domain and
  495. the A and/or AAAA RRsets for the name servers. The default
  496. value is 127.0.0.1.
  497. </para></listitem>
  498. </varlistentry>
  499. <varlistentry>
  500. <term>
  501. input_file
  502. </term>
  503. <listitem><para>
  504. a file name containing a list of domain (zone) names to be
  505. probed. when omitted the standard input will be used. Each
  506. line of the input file specifies a single domain name such as
  507. "example.com". In general this domain name must be the apex
  508. name of some DNS zone (unlike normal "host names" such as
  509. "www.example.com"). nsprobe first identifies the NS RRsets for
  510. the given domain name, and sends A and AAAA queries to these
  511. servers for some "widely used" names under the zone;
  512. specifically, adding "www" and "ftp" to the zone name.
  513. </para></listitem>
  514. </varlistentry>
  515. </variablelist>
  516. </sect3>
  517. </sect2>
  518. <sect2>
  519. <title>Library References</title>
  520. <para>As of this writing, there is no formal "manual" of the
  521. libraries, except this document, header files (some of them
  522. provide pretty detailed explanations), and sample application
  523. programs.</para>
  524. </sect2>
  525. </sect1>
  526. <!-- $Id: libdns.xml,v 1.3 2010/02/03 23:49:07 tbox Exp $ -->