
HP OpenVMS Systems Documentation


Compaq TCP/IP Services for OpenVMS
Release Notes



C.6.4.4 Reverse Translation File

The reverse translation file, address.DB, stores address-to-host-name (reverse mapping) information. For the same domain used in the preceding examples, the file is named 208_20_9_IN-ADDR_ARPA.DB: the zone name 208.20.9.in-addr.arpa with its dots replaced by underscores, so that it forms a valid OpenVMS file name.

The following example shows an address.DB file:


$TTL 86400 
$ORIGIN 208.20.9.in-addr.arpa. 
@     IN   SOA   owl.ucx.ern.sea.com. pmaster.owl.ucx.ern.sea.com. 
( 
                          1       ; Serial 
                          600     ; Refresh 
                          300     ; Retry 
                          172800  ; Expire 
                          43200 ) ; Minimum 
; 
      IN      NS      owl.ucx.ern.sea.com. 
      IN      NS      condor.ucx.ern.sea.com. 
; 
53              IN      PTR     thrush.ucx.ern.sea.com. 
10              IN      PTR     condor.ucx.ern.sea.com. 
47              IN      PTR     birdy.ucx.ern.sea.com. 
30              IN      PTR     seagull.ucx.ern.sea.com. 
72              IN      PTR     owl.ucx.ern.sea.com. 
73              IN      PTR     peacock.ucx.ern.sea.com. 
79              IN      PTR     redwing.ucx.ern.sea.com. 

PTR records predominate in this file because they are used to translate addresses to host names. Note that every PTR target in the example is written as a fully qualified name with a trailing dot. A target without the dot is relative to $ORIGIN, so BIND appends 208.20.9.in-addr.arpa. to it and the reverse lookup returns the wrong name.
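The following Python script is an added example (it is not part of the original documentation and not code shipped with TCP/IP Services). It reads a reverse zone file in the format shown above, rebuilds the dotted-quad address for each PTR record from $ORIGIN and the owner label, and reports PTR targets that lack the trailing dot. The sample zone is constructed from the 208.20.9.in-addr.arpa example with one deliberately broken record (owner 99) added.

```python
"""Sanity checks for a BIND reverse (in-addr.arpa) zone file.

Added example; not code from the original document. It parses $ORIGIN and the
PTR records, rebuilds each dotted-quad address, and flags PTR targets that lack
a trailing dot: BIND treats those as relative names and appends the zone origin,
so the record silently points at the wrong name.
"""

# Constructed sample: the 208.20.9.in-addr.arpa file from the text, trimmed,
# plus one deliberately broken PTR (owner 99) whose target has no trailing dot.
SAMPLE_ZONE = """\
$TTL 86400
$ORIGIN 208.20.9.in-addr.arpa.
@     IN   SOA   owl.ucx.ern.sea.com. pmaster.owl.ucx.ern.sea.com.
(
                          1       ; Serial
                          600     ; Refresh
                          300     ; Retry
                          172800  ; Expire
                          43200 ) ; Minimum
;
      IN      NS      owl.ucx.ern.sea.com.
      IN      NS      condor.ucx.ern.sea.com.
;
53              IN      PTR     thrush.ucx.ern.sea.com.
10              IN      PTR     condor.ucx.ern.sea.com.
47              IN      PTR     birdy.ucx.ern.sea.com.
99              IN      PTR     typo.ucx.ern.sea.com
"""


def parse_reverse_zone(text):
    """Return (origin, records); each record is (ip, target, effective_target).

    effective_target is what BIND actually stores: the target itself when it is
    fully qualified, otherwise target + "." + origin + ".".
    """
    origin = None
    records = []
    in_parens = False
    last_owner = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()      # drop comments
        if in_parens:                             # inside a ( ... ) SOA block
            if ")" in line:
                in_parens = False
            continue
        if not line.strip():
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1].rstrip(".")
            continue
        if line.startswith("$"):                  # $TTL and other directives
            continue
        if "(" in line and ")" not in line:
            in_parens = True
            continue
        fields = line.split()
        # A line that starts with whitespace inherits the previous owner name.
        owner = last_owner if raw[:1].isspace() else fields[0]
        last_owner = owner
        if "PTR" not in fields:
            continue
        target = fields[fields.index("PTR") + 1]
        # 53 + 208.20.9.in-addr.arpa -> [53, 208, 20, 9] reversed -> 9.20.208.53
        labels = (owner + "." + origin).split(".")
        ip = ".".join(reversed(labels[:-2]))
        effective = target if target.endswith(".") else target + "." + origin + "."
        records.append((ip, target, effective))
    return origin, records


def relative_ptr_targets(records):
    """PTR records whose target is relative (no trailing dot), with the name
    BIND would really store for them."""
    return [(ip, effective) for ip, target, effective in records
            if not target.endswith(".")]


if __name__ == "__main__":
    origin, recs = parse_reverse_zone(SAMPLE_ZONE)
    for ip, target, effective in recs:
        note = "" if target == effective else "   <-- relative name, stored as " + effective
        print(f"{ip:<15} PTR {target}{note}")
```

bind_checkzone (described in Section C.10) accepts a zone with a relative PTR target because it is syntactically valid; this check catches the mistake before the zone is loaded.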

C.7 Examining Name Server Statistics

The BIND server collects statistics that record server activity. To examine BIND statistics, use one of the following commands:

  • The TCP/IP management command SHOW NAME_SERVICE/STATISTICS
  • The rndc stats command

Statistics are logged to the TCPIP$BIND.STATS file, located in SYS$SPECIFIC:[TCPIP$BIND].

The following sample shows a statistics log:


+++ Statistics Dump +++ (1004986341) 
success 17 
referral 0 
nxrrset 1 
nxdomain 1 
recursion 6 
failure 0 
--- Statistics Dump --- (1004986341) 
 

The statistics dump begins with the line +++ Statistics Dump +++ (1004986341). The number in parentheses is a standard UNIX timestamp, measured in seconds since January 1, 1970 (UTC). Following that line is a series of lines, each containing a counter type, the value of the counter, a zone name (optional), and a view name (optional).

The lines without a zone and view listed are global statistics for the entire server. Lines with a zone and view name are for the given view and zone. (The view name is omitted for the default view.)

The statistics dump ends with the line --- Statistics Dump --- (1004986341). The number in parentheses is identical to the number in the beginning line, which lets you detect a dump that was cut short.

The following statistics counters are maintained:

  • success
    The number of successful queries made to the server or zone. A successful query is defined as a query that returns a NOERROR response other than a referral response.
  • referral
    The number of queries that resulted in referral responses.
  • nxrrset
    The number of queries that resulted in NOERROR responses with no data.
  • nxdomain
    The number of queries that resulted in NXDOMAIN responses.
  • recursion
    The number of queries that caused the server to perform recursion in order to find the final answer.
  • failure
    The number of queries that resulted in a failure response other than those described in the previous counters.
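The following Python script is an added example, not part of the original documentation or of the BIND distribution. It parses a statistics dump in the format described above (header, counter lines with optional zone and view, matching trailer) and computes the NXDOMAIN share of responses per server, zone and view. A sudden rise in that share is the signal to look for: misconfigured clients, scanning of your namespace and DNS tunnelling all produce bursts of queries for names that do not exist. The global counters in the first sample copy the dump shown above; the zone and view lines and the second dump are constructed.

```python
"""Parse a BIND statistics dump (TCPIP$BIND.STATS) and summarise query outcomes.

Added example; not code from the original document. It reads the dump format
described in the text: a "+++ Statistics Dump +++ (timestamp)" header, lines of
"counter value [zone [view]]", and a "--- Statistics Dump --- (timestamp)"
trailer whose timestamp must match the header.
"""
from datetime import datetime, timezone

COUNTERS = ("success", "referral", "nxrrset", "nxdomain", "recursion", "failure")

# Constructed sample: the global counters copy the sample dump in the text; the
# zone and view lines are made up to show the optional fields.
SAMPLE_DUMP = """\
+++ Statistics Dump +++ (1004986341)
success 17
referral 0
nxrrset 1
nxdomain 1
recursion 6
failure 0
success 12 ucx.ern.sea.com
nxdomain 1 ucx.ern.sea.com
success 5 208.20.9.in-addr.arpa internal
--- Statistics Dump --- (1004986341)
"""

# Second constructed dump: one zone is being hammered with lookups for names
# that do not exist.
SCAN_DUMP = """\
+++ Statistics Dump +++ (1004990000)
success 40
nxdomain 900
success 38 ucx.ern.sea.com
nxdomain 895 ucx.ern.sea.com
--- Statistics Dump --- (1004990000)
"""


def _stamp(line):
    """Timestamp inside the parentheses of a header or trailer line."""
    return int(line[line.index("(") + 1:line.index(")")])


def parse_stats_dump(text):
    """Return (timestamp, stats); stats maps (zone, view) -> {counter: value}.

    Global counters are stored under (None, None); the default view is None.
    """
    start = end = None
    stats = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("+++ Statistics Dump +++"):
            start = _stamp(line)
        elif line.startswith("--- Statistics Dump ---"):
            end = _stamp(line)
        else:
            fields = line.split()
            counter, value = fields[0], int(fields[1])
            if counter not in COUNTERS:
                raise ValueError(f"unknown counter {counter!r}")
            zone = fields[2] if len(fields) > 2 else None
            view = fields[3] if len(fields) > 3 else None
            stats.setdefault((zone, view), {})[counter] = value
    if start is None or start != end:
        raise ValueError("dump is truncated or its header/trailer timestamps differ")
    return start, stats


def dump_time_utc(timestamp):
    """Header timestamp (seconds since 1970-01-01 UTC) as an ISO 8601 string."""
    return datetime.fromtimestamp(timestamp, tz=timezone.utc).isoformat()


def nxdomain_share(counters):
    """NXDOMAIN responses as a fraction of all responses. The recursion counter
    is not a response type (it overlaps the others), so it is excluded."""
    answered = sum(counters.get(c, 0) for c in COUNTERS if c != "recursion")
    return counters.get("nxdomain", 0) / answered if answered else 0.0


def flag_nxdomain(stats, threshold=0.25):
    """(zone, view) keys whose NXDOMAIN share exceeds the threshold."""
    return [key for key, c in stats.items() if nxdomain_share(c) > threshold]


if __name__ == "__main__":
    for dump in (SAMPLE_DUMP, SCAN_DUMP):
        ts, stats = parse_stats_dump(dump)
        print(dump_time_utc(ts))
        for key, counters in stats.items():
            print(f"  {key}: nxdomain share {nxdomain_share(counters):.1%}")
        print("  flagged:", flag_nxdomain(stats))
```

Because the counters are totals at the time of the dump, compare the share between successive dumps rather than reading a single one in isolation; the 0.25 threshold is an illustrative starting point, not a figure from the documentation.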

C.8 Configuring BIND with the SET CONFIGURATION Command

The following sections describe how to set up BIND servers manually using the TCP/IP management command SET CONFIGURATION BIND.

Note

This command creates a UCX Version 4.x configuration. If you set up your BIND name server using this command, you must also use the TCP/IP management command CONVERT/CONFIGURATION BIND to convert the databases to the BIND Version 9 format. If you omit this step, your changes will not take effect.

C.8.1 Setting Up a Master Name Server

The SET CONFIGURATION BIND command records in the configuration database (TCPIP$CONFIGURATION.DAT) which database files the master name server is to read. Use the SHOW CONFIGURATION BIND command to display the BIND information stored in that database.

The following commands tell the name server to read the appropriate files:


TCPIP> SET CONFIGURATION BIND /CACHE 
 
TCPIP> SET CONFIGURATION BIND - 
_TCPIP> /PRIMARY=(DOMAIN:0.0.127.IN-ADDR.ARPA, FILE:NAMED.LOCAL) 
 
TCPIP> SET CONFIGURATION BIND - 
_TCPIP> /PRIMARY=(DOMAIN:UCX.ERN.SEA.COM, FILE:UCX_ERN_SEA_COM.DB) 
 
TCPIP> SET CONFIGURATION BIND - 
_TCPIP> /PRIMARY=(DOMAIN:208.20.9.IN-ADDR.ARPA, FILE:208_20_9_IN-ADDR_ARPA.DB) 

To view these settings, use the SHOW CONFIGURATION BIND command.

C.8.2 Setting Up a Secondary (Slave) Name Server

You can configure a secondary server to populate itself by copying the zone data from the master server (a zone transfer) rather than maintaining its own master copies of the database files.

To configure a secondary server, enter the following commands:


TCPIP> SET CONFIGURATION BIND /CACHE 
 
TCPIP> SET CONFIGURATION BIND - 
_TCPIP> /PRIMARY=(DOMAIN:0.0.127.IN-ADDR.ARPA, FILE:NAMED.LOCAL) 
 
 
TCPIP> SET CONFIGURATION BIND - 
_TCPIP> /SECONDARY=(DOMAIN:UCX.ERN.SEA.COM, - 
_TCPIP> FILE:UCX_ERN_SEA_COM.DB,HOST:OWL) 
 
 
TCPIP> SET CONFIGURATION BIND - 
_TCPIP> /SECONDARY=(DOMAIN:208.20.9.IN-ADDR.ARPA, - 
_TCPIP> FILE:208_20_9_IN-ADDR_ARPA.DB, - 
_TCPIP> HOST:OWL.UCX.ERN.SEA.COM) 

C.8.3 Setting Up a Cache-Only Server

To configure a cache-only server, enter the following command:


TCPIP> SET CONFIGURATION BIND /CACHE 

This command points the server to the file NAMED.CA.

C.8.4 Setting Up a Forwarder Name Server

To configure a forwarder server, enter the following command:


 
TCPIP> SET CONFIGURATION BIND /FORWARDERS=(HOST:host) 
 

In this command, host specifies the forwarding server.

Note

You cannot set up a server to be both a forwarder and a caching server.

C.9 Configuring the BIND Resolver

Your host uses the BIND resolver to obtain information from a name server. When a request for name translation arrives, the resolver first searches the local host database for the host information. If the information is not found, the resolver then queries the BIND name server for host information.

Note

The BIND resolver is based on the BIND Version 8 implementation of DNS.

The resolver is automatically configured by TCPIP$CONFIG when you choose Option 1, Core Environment. To display your resolver configuration, enter the following TCP/IP management command:


TCPIP> SHOW NAME_SERVICE 
 

TCP/IP Services displays the following data:


BIND Resolver Parameters 
 
 Local domain: ucx.ern.sea.com 
 
 System 
 
  State:     Started, Enabled 
 
  Transport: UDP 
  Domain:    ucx.ern.sea.com 
  Retry:     4 
  Timeout:   4 
  Servers:   lark 
  Path:      ucx.ern.sea.com,ern.sea.com,sea.com 
 
 Process 
 
  State:     Enabled 
 
  Transport: 
  Domain: 
  Retry: 
  Timeout: 
  Servers: 
  Path:      

Here, host LARK in the current domain is the default name server. To add records to the local hosts database, use the SET HOST command. For example, the following command adds host birdy to the local hosts database. (For more information about using SET commands, see the Compaq TCP/IP Services for OpenVMS Management Command Reference manual.)


 
TCPIP> SET HOST birdy /ADDRESS=9.20.208.47 

To remove a server from the resolver's server list (or to add one), use the SET NAME_SERVICE command. For example, the following command removes LARK from the systemwide list:


TCPIP> SET NAME_SERVICE /NOSERVER=LARK /SYSTEM 

This command modifies only the volatile database. To save the change to the permanent database, enter the corresponding SET CONFIGURATION NAME_SERVICE command.

To view the results, enter the SHOW CONFIGURATION NAME_SERVICE command.

C.9.1 Changing the Default Configuration

To add a new server and enable the BIND resolver, enter the following command:


TCPIP> SET NAME_SERVICE /SERVER=host /ENABLE /SYSTEM 

For host, specify the host name or IP address of the BIND server or servers that the BIND resolver is to query.

To specify multiple hosts, list them by request preference. The BIND resolver sends the first lookup request to the first host on the list.

If you define a server list and then add a new server with the SET NAME_SERVICE /SERVER command, the new server is added to the end of the list.

SET commands affect the volatile database. To save your changes to the permanent database, use the SET CONFIGURATION commands. The changes you make with the SET CONFIGURATION commands take effect the next time the software starts up. For example:


TCPIP> SET CONFIGURATION NAME_SERVICE /SERVER=host /ENABLE 


TCPIP> SHOW CONFIGURATION NAME_SERVICE 
 
BIND Resolver Configuration 
 
  Transport:  UDP 
  Domain:     ucx.ern.sea.com 
  Retry:         4 
  Timeout:       4 
  Servers:    9.20.208.47, 9.20.208.53 
  Path:       No values defined 
 

C.9.2 Examples

The following command defines hosts PARROT, SORA, and JACANA as systemwide BIND servers and enables the BIND resolver:


PARROT> TCPIP 
TCPIP> SET NAME_SERVICE /SERVER=(PARROT,SORA,JACANA) /SYSTEM /ENABLE 

The following example defines, for the current login session, host OSPREY as the BIND server. As a result, the servers that are defined systemwide are not queried.


TCPIP> SET NAME_SERVICE /SERVER=OSPREY 

C.9.3 Resolver Default Search Behavior

By default, if no search list is defined and the host name as you typed it has no dot (.) in the name, the BIND resolver performs a lookup using the following forms of the host name (in this order):

  1. The host name, with the default domain appended
  2. Just the host name

For example, suppose you enter the following command:


TCPIP> SHOW HOST OWL 

Assuming that the default domain is ucx.ern.sea.com, the resolver performs lookups as follows:

  1. On the host name and domain owl.ucx.ern.sea.com.
  2. If that lookup was unsuccessful, the resolver searches for host owl.

This behavior differs from the resolver lookup behavior in previous releases (UCX BIND Version 4.x). The following section provides more information.

C.9.4 Resolver Search Behavior in Earlier Releases

In previous releases, the resolver performed lookups as follows:

  1. Appended the default domain to the host name and performed a lookup.
  2. If the previous lookup failed, the resolver removed the leftmost label from the default domain name, appended the result to the host name and performed the lookup.
  3. If that lookup failed, the resolver again removed the leftmost label from the default domain name, appended the result to the host name, and performed the lookup.

For each unsuccessful lookup, this procedure was repeated until only two labels remained in the resulting domain name.

If all these attempts failed, the resolver tried just the host name as typed (as long as it contained at least one dot).

For example, suppose you entered the following command:


TCPIP> SHOW HOST OWL 

Assuming the default domain was ucx.ern.sea.com, the resolver performed lookups as follows:

  1. On owl.ucx.ern.sea.com.
  2. If the previous lookup was unsuccessful, the resolver searched for owl.ern.sea.com.
  3. If that lookup was unsuccessful, the resolver searched for owl.sea.com.
  4. Finally, if the preceding lookup was unsuccessful, the resolver searched for owl.

C.9.5 Setting the Resolver's Domain Search List

The search list is provided to make entering lookup commands easier by not requiring you to type fully qualified domain names. The search list consists of domain names that the resolver uses when performing lookups. By default, the search list consists of only the default domain, which is stored in the TCPIP$CONFIGURATION.DAT file.

You can change the elements in the search list by entering the SET NAME_SERVICE command, as shown in the following example:


TCPIP> SET NAME_SERVICE /PATH=(ucx.ern.sea.com,dux.sea.com,mux.ern.sea.com) /SYSTEM 

For example, suppose you enter the following command:


TCPIP> SHOW HOST CANARY 

The resolver performs lookups as follows:

  1. On canary.ucx.ern.sea.com.
  2. If the previous lookup was unsuccessful, the resolver searches for canary.dux.sea.com.
  3. If that lookup was unsuccessful, the resolver searches for canary.mux.ern.sea.com.
  4. If that lookup was unsuccessful, the resolver searches for canary.
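The following Python script is an added example; it is not part of the original documentation and not the resolver's own code. It reproduces the three lookup orders described in Sections C.9.3, C.9.4 and C.9.5 (current default, earlier UCX BIND 4.x releases, and an explicit search list) and lists which of the candidate names fall outside the local domain. Those are the queries that end up at other organisations' name servers, which is the problem RFC 1535 describes with the older strip-one-label-at-a-time behavior. Host and domain names are the ones used in the text.

```python
"""Enumerate the names the BIND resolver tries for an unqualified host name.

Added example; not code from the original document. The orders below follow
the numbered lookup sequences given in the text for the current resolver, the
earlier UCX BIND 4.x resolver, and a resolver with an explicit search list.
"""


def current_lookup_order(host, default_domain, search_list=()):
    """Current resolver: each search-list element (or the default domain when
    no list is set) appended in turn, then the bare host name."""
    if "." in host:
        raise ValueError("the documented search behavior applies to names without a dot")
    suffixes = list(search_list) or [default_domain]
    return [f"{host}.{suffix}" for suffix in suffixes] + [host]


def legacy_lookup_order(host, default_domain):
    """UCX BIND 4.x resolver: strip the leftmost label of the default domain
    after each failed lookup until two labels remain, then try the bare name."""
    if "." in host:
        raise ValueError("the documented search behavior applies to names without a dot")
    labels = default_domain.split(".")
    order = []
    while len(labels) >= 2:
        order.append(host + "." + ".".join(labels))
        labels = labels[1:]
    order.append(host)
    return order


def queries_outside_domain(order, default_domain):
    """Candidate names that are not under default_domain: lookups that some
    other zone's name servers answer (and that reveal your local host names)."""
    return [name for name in order if not name.endswith("." + default_domain)]


if __name__ == "__main__":
    domain = "ucx.ern.sea.com"
    cases = (
        ("current default", current_lookup_order("owl", domain)),
        ("UCX BIND 4.x", legacy_lookup_order("owl", domain)),
        ("search list", current_lookup_order(
            "canary", domain, ["ucx.ern.sea.com", "dux.sea.com", "mux.ern.sea.com"])),
    )
    for label, order in cases:
        print(f"{label}: {order}")
        print(f"  outside {domain}: {queries_outside_domain(order, domain)}")
```

Note that a search list you set with /PATH can reintroduce the same exposure: every element that is not under your own domain sends your short names, and the lookup failures, to that domain's servers.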

In the following output of the SHOW NAME_SERVICE command, the PATH: label shows the search list information entered with the SET NAME_SERVICE /PATH command. This command displays systemwide information and process-specific information (if process-specific information is set).


TCPIP> SHOW NAME_SERVICE 
 
BIND Resolver Parameters 
 
Local domain: ucx.ern.sea.com 
 
System 
 
State:     Started, Enabled 
 
Transport: UDP 
Domain:    ucx.ern.sea.com 
Retry:     4 
Timeout:   4 
Servers:   ucx, lemng, 16.99.0.10 
Path:      ucx.ern.sea.com, dux.sea.com, mux.ern.sea.com 
 
Process 
 
State:     Enabled 
Transport: 
Domain: 
Retry: 
Timeout: 
Servers: 
Path: 
$ 
C.10 BIND Server Administrative Tools

The following administrative tools play an integral part in the management of a server.

  • The bind_checkconf utility checks the syntax of the BIND server configuration file.
  • The bind_checkzone utility checks a zone file for syntax and consistency.
  • The dnssec_keygen utility generates keys for DNSSEC (secure DNS) and TSIG (transaction signatures).
  • The dnssec_makekeyset utility generates a key set.
  • The dnssec_signkey utility signs a key set.
  • The dnssec_signzone utility signs a zone.
  • The rndc utility allows you to control the operation of a name server.
  • The rndc_confgen utility generates configuration files for the rndc utility.

To use these utilities, you must have system management privileges. Run the TCPIP$DEFINE_COMMANDS.COM procedure to define the commands described in the following reference sections.


bind_checkconf

Checks the syntax of a BIND server configuration file.


Format

bind_checkconf [-v] [-t directory] filename

Description

The bind_checkconf utility checks the syntax, but not the semantics, of a BIND server configuration file.

Options

-t directory

Looks for filename in the specified directory. The default directory is SYS$SPECIFIC:[TCPIP$BIND].

-v

Displays only the version number of the bind_checkconf utility and exits.

filename

Specifies the name of the configuration file to be checked. The default file is SYS$SPECIFIC:[TCPIP$BIND]TCPIP$BIND.CONF.

bind_checkzone

Checks a zone file for syntax and consistency.


Format

bind_checkzone [-d] [-q] [-v] [-c class] [-t directory] zonename filename

Description

The bind_checkzone utility checks the syntax and integrity of a zone file. It performs the same checks as the BIND server does when it loads a zone. This makes bind_checkzone useful for checking zone files before configuring them into a name server.

Options

-d

Enables debugging mode.

-q

Enables quiet mode (exit code only).

-v

Prints the version number of bind_checkzone and exits.

-c class

Specifies the class of the zone. If not specified, the default is IN.

-t directory

Looks for the zone file in the specified directory. The default directory is SYS$SPECIFIC:[TCPIP$BIND].

zonename

Specifies the name of the zone being checked.

filename

Specifies the name of the zone file.

dnssec_keygen

Generates keys for DNSSEC.


Format

dnssec_keygen -a algorithm -b keysize -n nametype [-c class] [-e] [-g generator] [-h]
[-p protocol] [-r randomfile] [-s strength] [-t type] [-v level] name

Description

The dnssec_keygen utility generates keys for DNSSEC, as defined in RFC 2535. It can also generate keys for use with TSIG (transaction signatures), as defined in RFC 2845.

Parameters

-a algorithm

Selects the cryptographic algorithm. The value of algorithm must be one of the following:
  • RSAMD5
  • RSA
  • DSA
  • DH (Diffie-Hellman)
  • HMAC-MD5

These values are not case sensitive. Note that RSAMD5 and HMAC-MD5 are both built on MD5; RSAMD5 has since been deprecated for DNSSEC (RFC 8624 lists it as an algorithm that must not be used), so do not choose it for new zone keys.

-b keysize

Specifies the number of bits in the key. The choice of key size depends on the algorithm used:
  • RSA keys must be between 512 and 4096 bits.
  • Diffie-Hellman keys must be between 128 and 4096 bits.
  • DSA keys must be between 512 and 1024 bits and must be an exact multiple of 64.
  • HMAC-MD5 keys must be between 1 and 512 bits.

-n nametype

Specifies the owner type of the key. The value of nametype must be one of the following:
  • ZONE (for a DNSSEC zone key)
  • HOST or ENTITY (for a key associated with a host)
  • USER (for a key associated with a user)

These values are not case sensitive.

name

Specifies the name of the domain.

Options

-c class

Indicates that the DNS record containing the key should have the specified class. If not specified, class IN is used.

-e

If generating an RSA key, specifies the use of a large exponent.

-g generator

If generating a Diffie-Hellman key, specifies the generator. Allowed values for generator are 2 and 5. If no generator is specified, a known prime from RFC 2539 is used, if possible; otherwise the default is 2.

-h

Displays a short summary of the options and arguments to the dnssec_keygen command.

-p protocol

Sets the protocol value for the generated key. The value of protocol is a number between 0 and 255. For keys of type USER, the default is 2 (e-mail). For all other key types, the default is 3 (DNSSEC). Other possible values for this argument are listed in RFC 2535 and its successors.

-r randomfile

Specifies the source of randomness. The default source of randomness is keyboard input. randomfile specifies the name of a file containing random data to be used instead of the default. The special value keyboard indicates that keyboard input should be used.

Note

When you use the keyboard to generate random data, you must input a large amount of data. Input requiring hundreds of lines of data is not unusual for some algorithms. The string "stop typing" appears when enough data has been input.

-s strength

Specifies the strength value of the key. The value of strength is a number between 0 and 15. This option is currently not used.

-t type

Indicates the use of the key. The type must be one of the following:
  • AUTHCONF (authenticate and encrypt data)
  • NOAUTHCONF (do not authenticate and do not encrypt data)
  • NOAUTH (do not authenticate data)
  • NOCONF (do not encrypt data)

The default is AUTHCONF.

-v level

Sets the debugging level.

generated keys

When dnssec_keygen completes successfully, it displays a string of the following form to standard output:


Knnnn.aaa-iiiii

This is an identification string for the key it has generated. These strings can be used as arguments to the dnssec_makekeyset utility. The string is interpreted as follows:

  • nnnn is the key name.
  • aaa is the numeric representation of the algorithm.
  • iiiii is the key identifier (or footprint).

dnssec_keygen creates two files, with names based on the printed string. The file Knnnn.aaa-iiiii_KEY contains the public key, and Knnnn.aaa-iiiii_PRIVATE contains the private key.

The _KEY file contains a DNS KEY record that can be inserted into a zone file (either directly, or using an $INCLUDE statement).

The _PRIVATE file contains algorithm-specific fields. For security reasons, this file does not have general read permission.

Both _KEY and _PRIVATE files are generated for symmetric algorithms such as HMAC-MD5, even though such a key has no distinct public half: both files then hold the same secret. Protect the _KEY file of an HMAC-MD5 key as carefully as the _PRIVATE file, and never insert it into a zone file.


Examples

To generate a 768-bit DSA key for the domain example.com , enter the following command:

$ dnssec_keygen -a DSA -b 768 -n ZONE example.com 

This command displays a string of the form:


Kexample_com.003-26160 

In this example, dnssec_keygen creates the files KEXAMPLE_COM.003-26160_KEY and KEXAMPLE_COM.003-26160_PRIVATE.
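The following Python script is an added example; it is not part of the original documentation or of BIND. It parses the Knnnn.aaa-iiiii identifier printed by dnssec_keygen and recomputes the footprint (key tag) from the KEY record in the _KEY file, using the algorithm of RFC 2535 Appendix C (the same as RFC 4034 Appendix B, including the special case for RSA/MD5), so you can confirm that the public key you are about to publish is the one the file name claims. The KEY records and base64 key data used in the test are constructed and deliberately tiny; real keys are hundreds of bytes.

```python
"""Check a dnssec_keygen key identifier against the KEY record it names.

Added example; not code from the original document. parse_key_id() splits the
Knnnn.aaa-iiiii string, parse_key_record() turns a KEY record line from the
_KEY file into wire-format RDATA, and key_tag() computes the footprint that
dnssec_keygen puts in the file name.
"""
import base64
import re

# Algorithm numbers as dnssec_keygen assigns them (RFC 2535 values 1-3;
# 157 is BIND's private number for HMAC-MD5).
ALGORITHMS = {1: "RSAMD5", 2: "DH", 3: "DSA", 157: "HMAC-MD5"}

# Kexample_com.003-26160 -> name "example_com", algorithm 3, footprint 26160
KEY_ID_RE = re.compile(r"^K(?P<name>.+)\.(?P<alg>\d+)-(?P<tag>\d+)$")


def parse_key_id(key_id):
    """'Kexample_com.003-26160' -> ('example_com', 3, 26160)."""
    m = KEY_ID_RE.match(key_id)
    if not m:
        raise ValueError(f"not a dnssec_keygen key identifier: {key_id!r}")
    return m.group("name"), int(m.group("alg")), int(m.group("tag"))


def key_tag(rdata):
    """Footprint of KEY RDATA laid out as flags(2) protocol(1) algorithm(1) key."""
    algorithm = rdata[3]
    if algorithm == 1:
        # RSA/MD5 (RFC 4034 B.1): the 4th- and 3rd-to-last octets of the modulus.
        # The public key is exponent length (1 byte, or 0 + 2 bytes), exponent,
        # modulus (RFC 2537 / RFC 3110 layout).
        pub = rdata[4:]
        exp_len = pub[0]
        if exp_len == 0:
            exp_len = int.from_bytes(pub[1:3], "big")
            modulus = pub[3 + exp_len:]
        else:
            modulus = pub[1 + exp_len:]
        return int.from_bytes(modulus[-3:-1], "big")
    # All other algorithms: 16-bit ones'-complement-style sum over the RDATA.
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_key_record(line):
    """'example.com. IN KEY 256 3 3 AQIDBA==' -> (owner, rdata bytes)."""
    fields = line.split()
    if "KEY" not in fields:
        raise ValueError("not a KEY record")
    i = fields.index("KEY")
    flags, proto, alg = (int(x) for x in fields[i + 1:i + 4])
    pubkey = base64.b64decode("".join(fields[i + 4:]))   # key may be split over fields
    rdata = flags.to_bytes(2, "big") + bytes([proto, alg]) + pubkey
    return fields[0], rdata


def check_key_file(key_id, key_record_line):
    """True when the identifier's algorithm and footprint match the KEY record."""
    _, alg, tag = parse_key_id(key_id)
    _, rdata = parse_key_record(key_record_line)
    return rdata[3] == alg and key_tag(rdata) == tag


if __name__ == "__main__":
    # Constructed record: zone key (flags 256), protocol 3, DSA, 4-byte key data.
    record = "example.com. IN KEY 256 3 3 AQIDBA=="
    owner, rdata = parse_key_record(record)
    print(owner, ALGORITHMS[rdata[3]], "footprint", key_tag(rdata))
    print("matches Kexample_com.003-02057:", check_key_file("Kexample_com.003-02057", record))
```

A mismatch between the footprint in the file name and the one computed from the _KEY record means the file has been edited or swapped; the same key_tag() value is what appears in SIG records and in the parent's key-set, so it is the number to check before signing.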

