HP OpenVMS Systems Documentation

HP TCP/IP Services for OpenVMS
Management


6.8 Configuring BIND with the SET CONFIGURATION Command

The following sections describe how to set up BIND servers manually using the TCP/IP management command SET CONFIGURATION BIND.

Note

This command creates a UCX Version 4.x configuration. If you set up your BIND name server using this command, you must also use the TCP/IP management command CONVERT/CONFIGURATION BIND to convert the databases to the BIND Version 9 format. If you omit this step, your changes will not take effect.

6.8.1 Setting Up a Master Name Server

To instruct the master name server to read the appropriate database files using the information in TCPIP$CONFIGURATION.DAT, use the SET CONFIGURATION BIND command. Use the SHOW CONFIGURATION BIND command to display BIND information from the configuration database (TCPIP$CONFIGURATION.DAT).

The following commands tell the name server to read the appropriate files:


TCPIP> SET CONFIGURATION BIND /CACHE

TCPIP> SET CONFIGURATION BIND -
_TCPIP> /PRIMARY=(DOMAIN:0.0.127.IN-ADDR.ARPA, FILE:NAMED.LOCAL)

TCPIP> SET CONFIGURATION BIND -
_TCPIP> /PRIMARY=(DOMAIN:UCX.ERN.SEA.COM, FILE:UCX_ERN_SEA_COM.DB)

TCPIP> SET CONFIGURATION BIND -
_TCPIP> /PRIMARY=(DOMAIN:208.20.9.IN-ADDR.ARPA, FILE:208_20_9_IN-ADDR_ARPA.DB)

To view these settings, use the SHOW CONFIGURATION BIND command.

6.8.2 Setting Up a Secondary (Slave) Name Server

You can configure a secondary server to populate itself by copying the DNS database files from the master server.

To configure a secondary server, enter the following commands:


TCPIP> SET CONFIGURATION BIND /CACHE

TCPIP> SET CONFIGURATION BIND -
_TCPIP> /PRIMARY=(DOMAIN:0.0.127.IN-ADDR.ARPA, FILE:NAMED.LOCAL)


TCPIP> SET CONFIGURATION BIND -
_TCPIP> /SECONDARY=(DOMAIN:UCX.ERN.SEA.COM, -
_TCPIP> FILE:UCX_ERN_SEA_COM.DB,HOST:OWL)


TCPIP> SET CONFIGURATION BIND -
_TCPIP> /SECONDARY=(DOMAIN:208.20.9.IN-ADDR.ARPA, -
_TCPIP> FILE:208_20_9_IN-ADDR_ARPA.DB, -
_TCPIP> HOST:OWL.UCX.ERN.SEA.COM)

6.8.3 Setting Up a Cache-Only Server

To configure a cache-only server, enter the following command:


TCPIP> SET CONFIGURATION BIND /CACHE

This command points the server to the file NAMED.CA.

6.8.4 Setting Up a Forwarder Name Server

To configure a forwarder server, enter the following command:



TCPIP> SET CONFIGURATION BIND /FORWARDERS=(HOST:host)

In this command, host specifies the forwarding server.

Note

You cannot set up a server to be both a forwarder and a caching server.

6.9 Configuring the BIND Resolver

Your host uses the BIND resolver to obtain information from a name server. When a request for name translation arrives, the resolver first searches the local host database for the host information. If the information is not found, the resolver then queries the BIND name server for host information.

Note

The BIND resolver is based on the BIND Version 9 implementation of DNS.

The resolver is automatically configured by TCPIP$CONFIG when you choose Option 1 - Core Environment. To display your resolver configuration, enter the following TCP/IP management command:


TCPIP> SHOW NAME_SERVICE

TCP/IP Services displays the following data:


BIND Resolver Parameters

 Local domain: ucx.ern.sea.com

 System

  State:     Started, Enabled

  Transport: UDP
  Domain:    ucx.ern.sea.com
  Retry:     2
  Timeout:   5
  Servers:   lark
  Path:      ucx.ern.sea.com,ern.sea.com,sea.com

 Process

  State:     Enabled

  Transport:
  Domain:
  Retry:
  Timeout:
  Servers:
  Path:

Here, host LARK in the current domain is the default name server. To add records to the local hosts database, use the SET HOST command. For example, the following command adds host birdy to the local hosts database. (For more information about using SET commands, see the HP TCP/IP Services for OpenVMS Management Command Reference manual.)



TCPIP> SET HOST birdy /ADDRESS=9.20.208.47

To delete server entries from the configuration database or to add new entries, enter the following command:


TCPIP> SET NAME_SERVICE /NOSERVER=LARK /SYSTEM

This command modifies the volatile database. To make a change to the permanent database, enter the SET CONFIGURATION NAME_SERVICE command.

To view the results, enter the SHOW CONFIGURATION NAME_SERVICE command.

6.9.1 Changing the Default Configuration Using the TCP/IP Management Command Interface

Note

You can also change the default configuration in the RESOLV.CONF configuration file (described in Section 6.9.3). If you use the configuration file, any BIND resolver configuration changes you make through the TCP/IP management command interface will be ignored.

To add a new server and enable the BIND resolver, enter the following command:


TCPIP> SET NAME_SERVICE /SERVER=host /ENABLE /SYSTEM

For host, specify the host name or IPv4 address of the BIND server or servers that the BIND resolver is to query.

To specify multiple hosts, list them by request preference. A maximum of three BIND servers will be listed. The BIND resolver sends the first lookup request to the first host on the list.

If you define a server list and then add a new server with the SET NAME_SERVICE /SERVER command, the new server is added to the end of the list.

SET commands affect the volatile database. To save your changes to the permanent database, use the SET CONFIGURATION commands. The changes you make with the SET CONFIGURATION commands take effect the next time the software starts up. For example:


TCPIP> SET CONFIGURATION NAME_SERVICE /SERVER=host /ENABLE


TCPIP> SHOW CONFIGURATION NAME_SERVICE

BIND Resolver Configuration

  Transport:  UDP
  Domain:     ucx.ern.sea.com
  Retry:         2
  Timeout:       5
  Servers:    9.20.208.47, 9.20.208.53
  Path:       No values defined

6.9.2 Examples

The following command defines hosts PARROT, SORA, and JACANA as systemwide BIND servers and enables the BIND resolver:


PARROT> TCPIP
TCPIP> SET NAME_SERVICE /SERVER=(PARROT,SORA,JACANA) /SYSTEM /ENABLE

The following example defines, for the current login session, host OSPREY as the BIND server. As a result, the servers that are defined systemwide are not queried.


TCPIP> SET NAME_SERVICE /SERVER=OSPREY

6.9.3 Configuring the Resolver Using RESOLV.CONF

You can configure the BIND resolver using the ASCII configuration file TCPIP$ETC:RESOLV.CONF.

When you configure the resolver using TCPIP$CONFIG.COM (as described in the HP TCP/IP Services for OpenVMS Installation and Configuration manual), the template file TCPIP$ETC:RESOLV_CONF.TEMPLATE is created. To configure the BIND resolver, rename this file to TCPIP$ETC:RESOLV.CONF.

The RESOLV.CONF file supersedes any configuration settings you implement with the TCP/IP management command interface (described in Section 6.9.1). The two configuration methods cannot be used in combination with one another.

The following is a sample RESOLV.CONF file:


File name:      RESOLV.CONF
Product:        HP TCP/IP Services for OpenVMS
Version:        T5.6-3V

© Copyright 1976, 2005 Hewlett-Packard Development Company, L.P.

DESCRIPTION:
   The RESOLV.CONF file lists name-value pairs that provide information
   to the BIND resolver.

SYNTAX:

   Caution: White space entered after the domain name is  not  ignored;
   it is interpreted as part of the domain name.

   domain <domainname>      local domain name
   nameserver <address>     Internet address of a name server that the
                            resolver should query
   search <domainname> ...  search list for host-name lookup

   options <option> ...     list of options separated by a space; must
                            be all lower case; available options  are:

     debug            turn on resolver diagnostics

     ndots:<N>        the minimum number of dots a  domain  name
                      must contain before  an  initial  absolute
                      query will be made.  default: 1

     timeout:<N>      amount of time the resolver will wait  for
                      a response before retrying the query via a
                      different nameserver.  default: 5 seconds

     attempts:<N>     number of times the resolver will  send  a
                      query to each nameserver before giving up.
                      default: 2

     no-tld-query     do not attempt  to  resolve  a  top  level
                      domain name

     no-check-names   disables sanity checks for valid characters
                      in hostnames

     edns             attach OPT pseudo-RR  for  EDNS0  extension
                      to inform DNS server of our receive  buffer
                      size

     dname            evaluate DNAME records when  querying  IPv6
                      addresses

     nibble:<suffix>  determine  the  base  domain  for  reverse-
                      resolving IPv6  addresses  in  nibble  mode
                      default: ip6.arpa

     nibble2:<suffix> determine  the  base  domain  for  reverse-
                      resolving IPv6  addresses  in  nibble  mode
                      default: ip6.int

     v6revmode:<mode> determine   the   strategy   for   reverse-
                      resolving IPv6 addresses. <mode> can be one
                      of:
                      single  query using a base domain of ip6.arpa
                      both    query using ip6.arpa and ip6.int

   There are two logical names that can override values in this file:

   LOCALDOMAIN <domainname>                 local domain name
   TCPIP$BIND_RES_OPTIONS <"options ...">  set resolver options

domain a.b.c.d
nameserver 1.2.3.4
nameserver 5.6.7.8
options debug
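
A checker for the rules this section states about RESOLV.CONF (white space after the domain name, lower-case options, the option names in the sample file, and the three-nameserver limit from Section 6.9.3.1), as an added Python example that is not part of the HP documentation. The function names and the sample text are constructed for illustration, and treating `#` and `;` as comment markers is an assumption based on the standard BIND resolver.

```python
import ipaddress

# Option names come from the sample file; the limit from section 6.9.3.1.
FLAG_OPTS = {"debug", "no-tld-query", "no-check-names", "edns", "dname"}
NUM_OPTS = {"ndots", "timeout", "attempts"}
MAX_NAMESERVERS = 3

def check_option(opt):
    """Return a finding for one token of an options line, or None."""
    name, _, value = opt.partition(":")
    if opt != opt.lower():
        return f"option '{opt}' must be all lower case"
    if name == "no-check-names":
        return "no-check-names disables hostname character checks"
    if name in FLAG_OPTS:
        return None
    if name in NUM_OPTS:
        return None if value.isdigit() else f"option '{name}' needs a number"
    if name in ("nibble", "nibble2"):
        return None if value else f"option '{name}' needs a suffix"
    if name == "v6revmode":
        return None if value in ("single", "both") else "v6revmode: single or both"
    return f"unknown option '{opt}'"

def lint_resolv_conf(text):
    """Return (line_number, finding) pairs for the text of a RESOLV.CONF."""
    findings, servers = [], 0
    for n, line in enumerate(text.splitlines(), 1):
        # Assumption: '#' and ';' start comment lines, as in the BIND resolver.
        if not line.strip() or line.lstrip()[0] in "#;":
            continue
        keyword, rest = (line.split(None, 1) + [""])[:2]
        if keyword == "domain" and rest != rest.rstrip():
            findings.append((n, "white space after the domain name is part of it"))
        elif keyword == "nameserver":
            servers += 1
            try:
                ipaddress.ip_address(rest.strip())
            except ValueError:
                findings.append((n, f"'{rest.strip()}' is not an IP address"))
            if servers > MAX_NAMESERVERS:
                findings.append((n, "more than three nameservers"))
        elif keyword == "options":
            findings += [(n, f) for f in map(check_option, rest.split()) if f]
        elif keyword not in ("domain", "search"):
            findings.append((n, f"unknown keyword '{keyword}'"))
    return findings

# Constructed sample with deliberate mistakes (not from the HP manual).
SAMPLE = ("domain a.b.c.d \nnameserver 1.2.3.4\nnameserver 5.6.7.8\n"
          "nameserver 2001:db8::53\nnameserver 9.20.208.47\n"
          "options Debug ndots:x no-check-names\n")
if __name__ == "__main__":
    print(*lint_resolv_conf(SAMPLE), sep="\n")
```
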

6.9.3.1 Specifying Nameservers With IPv6 Addresses

You can use RESOLV.CONF to specify nameservers with IPv6 addresses. The BIND resolver then uses the IPv6 transport to contact the nameserver and for subsequent communications.

A maximum of three nameservers may be specified in the RESOLV.CONF file. If you specify nameservers with IPv6 addresses, the TCP/IP management command SHOW HOST will use the IPv6 transport to contact the nameserver, but will not display the IPv6 address of the server queried. Instead it will display:


server: IPv6

To obtain more detailed information, including the name and IP address of the nameserver used for resolution, use the dig utility, described in Section 6.12.1.

6.9.3.2 Resolver Default Retry and Timeout

The BIND resolver searches the local hosts database (TCPIP$HOST.DAT), and then TCPIP$ETC:IPNODES.DAT. If the information is not found, the resolver queries the BIND nameserver for host information.

The timeout is the length of time that the resolver will wait for a response from a nameserver before sending another query. If the resolver encounters an error that indicates the nameserver is actually down or unreachable, or if it times out, it doubles the timeout and queries the nameserver again. This process is repeated up to three more times, until the default of four retry attempts is reached. The default is two retries and a timeout of five seconds. Therefore, only one set of retries (a total of two queries) will be made to each nameserver. This reduces the amount of time a user must wait for the resolver to return if none of the nameservers are responding.

When multiple nameservers are configured, and the resolver has queried all of them with no response, it updates the timeout and cycles through them again. The timeout for this next round of queries is based on the number of configured nameservers. The timeout is ten seconds divided by the total number of configured nameservers, rounded down. After one set of retransmissions (a total of two timeouts for each configured nameserver), the resolver gives up trying to query name servers. The default timeout behavior is expressed in the following table:

           Name Servers Configured
Retry      1          2            3
0          5 sec      (2x)5 sec    (3x)5 sec
1          10 sec     (2x)5 sec    (3x)3 sec
Total      15 sec     20 sec       24 sec

Therefore, if you configure three nameservers, the resolver queries the first server with a timeout period of five seconds. If that query times out, the resolver queries the second server with the same timeout, and similarly for the third. If the resolver cycles through all three servers, it doubles the timeout period and divides by three (rounded down), resulting in three seconds, and queries the first nameserver again.
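
The default schedule from the table above, worked through as an added Python example that is not part of the HP documentation. It returns when each query starts and how long an application waits when no nameserver answers; the function name is hypothetical and the host names are reused from Section 6.9.2.

```python
def query_timeline(servers, timeout=5):
    """Return ([(start_sec, round, server, wait_sec), ...], total_sec).

    Models the default Retry of 2: two queries per configured nameserver.
    """
    if not 1 <= len(servers) <= 3:
        raise ValueError("the resolver uses one to three nameservers")
    timeline, elapsed = [], 0
    for rnd in range(2):
        # Round 0 uses the timeout as configured. Round 1 doubles it and
        # divides by the number of configured nameservers, rounded down.
        wait = timeout if rnd == 0 else (2 * timeout) // len(servers)
        for server in servers:
            timeline.append((elapsed, rnd, server, wait))
            elapsed += wait
    return timeline, elapsed


if __name__ == "__main__":
    steps, total = query_timeline(["parrot", "sora", "jacana"])
    for start, rnd, server, wait in steps:
        print(f"t={start:2d}s  retry {rnd}  {server:7s} wait {wait}s")
    print(f"resolver gives up after {total}s")
```
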

6.9.4 Resolver Default Search Behavior

By default, if no search list is defined and the host name as you typed it has no dot (.) in the name, the BIND resolver performs a lookup using the following forms of the host name (in this order):

  1. The host name, with the default domain appended
  2. Just the host name

For example, suppose you enter the following command:


TCPIP> SHOW HOST OWL

Assuming that the default domain is ucx.ern.sea.com, the resolver performs lookups as follows:

  1. On the host name and domain owl.ucx.ern.sea.com.
  2. If that lookup was unsuccessful, the resolver searches for host owl.

This behavior differs from the resolver lookup behavior in previous releases (UCX BIND Version 4.x). The following section provides more information.

6.9.5 Resolver Search Behavior in Earlier Releases

In previous releases, the resolver performed lookups as follows:

  1. Appended the default domain to the host name and performed a lookup.
  2. If the previous lookup failed, the resolver removed the leftmost label from the default domain name, appended the result to the host name and performed the lookup.
  3. If that lookup failed, the resolver again removed the leftmost label from the default domain name, appended the result to the host name, and performed the lookup.

For each unsuccessful lookup, this procedure was repeated until only two labels remained in the resulting domain name.

If all these attempts failed, the resolver tried just the host name as typed (as long as it contained at least one dot).

For example, suppose you entered the following command:


TCPIP> SHOW HOST OWL

Assuming the default domain was ucx.ern.sea.com, the resolver performed lookups as follows:

  1. On owl.ucx.ern.sea.com.
  2. If the previous lookup was unsuccessful, the resolver searched for owl.ern.sea.com.
  3. If that lookup was unsuccessful, the resolver searched for owl.sea.com.
  4. Finally, if the preceding lookup was unsuccessful, the resolver searched for owl.

6.9.6 Setting the Resolver's Domain Search List

The search list is provided to make entering lookup commands easier by not requiring you to type fully qualified domain names. The search list consists of domain names that the resolver uses when performing lookups. By default, the search list consists of only the default domain, which is stored in the TCPIP$CONFIGURATION.DAT file.

6.9.6.1 Setting the Search List with TCP/IP Management Commands

You can change the elements in the search list by entering the SET NAME_SERVICE command, as shown in the following example:


TCPIP> SET NAME_SERVICE /PATH=(ucx.ern.sea.com,dux.sea.com,mux.ern.sea.com)/SYSTEM

For example, suppose you enter the following command:


TCPIP> SHOW HOST CANARY

The resolver performs lookups as follows:

  1. On canary.ucx.ern.sea.com.
  2. If the previous lookup was unsuccessful, the resolver searches for canary.dux.sea.com.
  3. If that lookup was unsuccessful, the resolver searches for canary.mux.ern.sea.com.
  4. If that lookup was unsuccessful, the resolver searches for canary.
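
The lookup orders described in Sections 6.9.4, 6.9.5, and 6.9.6.1, as an added Python example that is not part of the HP documentation. The function names are hypothetical; `outside_default_domain` is an added audit helper that lists the search entries lying outside the default domain, since those zones can also answer for a short name.

```python
def parent_domains(domain, min_labels=2):
    """Return the domain followed by each parent, down to min_labels labels."""
    labels = domain.lower().split(".")
    stop = max(1, len(labels) - min_labels + 1)
    return [".".join(labels[i:]) for i in range(stop)]


def candidates(host, default_domain, search_list=None, legacy=False):
    """Names tried, in order, for a host name typed without a dot.

    search_list given -> explicit search list (section 6.9.6.1)
    legacy=True       -> UCX BIND Version 4.x behaviour (section 6.9.5)
    otherwise         -> current default behaviour (section 6.9.4)
    """
    host = host.lower()
    if search_list:
        domains = [d.lower() for d in search_list]
    elif legacy:
        domains = parent_domains(default_domain)
    else:
        domains = [default_domain.lower()]
    # The bare name is tried last, as in the page's OWL and CANARY examples.
    return [f"{host}.{d}" for d in domains] + [host]


def outside_default_domain(search_list, default_domain):
    """Search entries that are not the default domain or a subdomain of it."""
    base = default_domain.lower()
    return [d for d in search_list
            if d.lower() != base and not d.lower().endswith("." + base)]


if __name__ == "__main__":
    default = "ucx.ern.sea.com"
    print(candidates("OWL", default))
    print(candidates("OWL", default, legacy=True))
    path = ["ucx.ern.sea.com", "dux.sea.com", "mux.ern.sea.com"]
    print(candidates("CANARY", default, search_list=path))
    print(outside_default_domain(path, default))
```
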

In the following output of the SHOW NAME_SERVICE command, the PATH: label shows the search list information entered with the SET NAME_SERVICE /PATH command. This command displays systemwide information and process-specific information (if process-specific information is set).


TCPIP> SHOW NAME_SERVICE

BIND Resolver Parameters

Local domain: ucx.ern.sea.com

System

State:     Started, Enabled

Transport: UDP
Domain:    ucx.ern.sea.com
Retry:     2
Timeout:   5
Servers:   ucx, lemng, 16.99.0.10
Path:      ucx.ern.sea.com, dux.ern.sea.com, mux.ern.sea.com

Process

State:     Enabled
Transport:
Domain:
Retry:
Timeout:
Servers:
Path:
$

Any additions you make are appended to the end of the search list.

To remove an element from the search list, enter the following command:


TCPIP> SET NAME_SERVICE /NOPATH=dux.ern.sea.com /SYSTEM

6.9.6.2 Setting the Search List Using RESOLV.CONF

To configure the resolver search list in the RESOLV.CONF configuration file, list the domains with the search directive. For example:


search ucx.ern.sea.com dux.sea.com mux.ern.sea.com

Note

When you run TCPIP$CONFIG.COM after upgrading from UCX to TCP/IP Services for OpenVMS, the system creates a domain search list that is consistent with the UCX default lookup behavior. TCPIP$CONFIG.COM uses the default domain to create a search list consisting of each parent domain. For example, if the default domain is ucx.ern.sea.com, the resulting search list is ucx.ern.sea.com,ern.sea.com,sea.com. You can modify the current search list by using the SET CONFIGURATION NAME_SERVICE /PATH command.

6.10 BIND Server Administrative Tools

The following administrative tools play an integral part in the management of a server.

  • The bind_checkconf utility checks the syntax of the BIND server configuration file.
  • The bind_checkzone utility checks a zone file for syntax and consistency.
  • The dnssec_keygen utility generates keys for DNSSEC (secure DNS) and TSIG (transaction signatures).
  • The dnssec_signzone utility signs a zone.
  • The rndc utility allows you to control the operation of a name server.
  • The rndc_confgen utility generates configuration files for the rndc utility.

To use these utilities, you must have system management privileges. Run the TCPIP$DEFINE_COMMANDS.COM procedure to define the commands described in the following reference sections.

Note

In this version of TCP/IP Services, the BIND Server and related utilities have been updated to use the OpenSSL shareable image SSL$LIBCRYPTO_SHR32.EXE. There is now a requirement that this shareable image from OpenSSL V1.2 or higher be installed on the system prior to starting the BIND Server. It must also be installed prior to using the following BIND utilities:


BIND_CHECKCONF
BIND_CHECKZONE
DIG
DNSSEC_KEYGEN
DNSSEC_SIGNZONE
HOST
NSUPDATE
RNDC_CONFGEN

