[an error occurred while processing this directive]

HP OpenVMS Systems Documentation

Content starts here

HP TCP/IP Services for OpenVMS
Management


Previous Contents Index


rndc_confgen

Generates the configuration files used by the rndc utility.


Format

rndc_confgen [-a] [-b keysize] [-c keyfile] [-h] [-k keyname] [-p port] [-r randomfile] [-s address]

description

The rndc_confgen utility generates configuration files for the rndc utility. It can be used as a convenient alternative to writing the RNDC.CONF file and the corresponding controls and key statements in TCPIP$BIND.CONF by hand. The utility can be run with the -a option to set up an RNDC.KEY file, thereby avoiding the need for an RNDC.CONF file and a controls statement.


Options

-a

Configures rndc automatically. This option creates the file RNDC.KEY in TCPIP$ETC that is read by both rndc and the BIND server on startup. The RNDC.KEY file defines a default command channel and authentication key, allowing rndc to communicate with the BIND server on the local host with no further configuration.

Using the -a option allows BIND Version 9 and rndc to be used as drop-in replacements for BIND Version 8 and ndc , with no changes to the existing TCPIP$BIND.CONF file. For information about BIND Version 8, see Chapter 6.

If a more elaborate configuration than that generated by rndc_confgen -a is required (for example, if rndc is to be used remotely), you should run rndc_confgen without the -a option and set up a TCPIP$RNDC.CONF file and a TCPIP$BIND.CONF file as directed.

Note

For the BIND server to recognize a newly generated RNDC.KEY file, you must stop and restart the BIND server.

-b keysize

Specifies the size of the authentication key in bits. Must be between 1 and 512 bits; the default is 128.

-c keyfile

Used with the -a option to specify an alternate location for RNDC.KEY.

-h

Prints a short summary of the options and arguments to rndc_confgen .

-k keyname

Specifies the key name of the rndc authentication key. This must be a valid domain name. The default is rndc-key .

-p port

Specifies the command channel port where the BIND server listens for connections from rndc . The default is 953.

-r randomfile

Specifies a source of random data for generating the authorization. The default source of randomness is keyboard input. randomfile specifies the name of a file containing random data to be used instead of the default. The special value keyboard indicates that keyboard input should be used.

-s address

Specifies the IP address where the BIND server listens for command channel connections from rndc . The default is the loopback address 127.0.0.1.

nsupdate

Updates Domain Name System (DNS) servers interactively.


Format

nsupdate [-d] [-y keyname:secret | [-k keyfile] [-r udpretries] [-t timeout] [-u udptimeout] [-v] [filename]

description

The nsupdate utility creates dynamic updates, which are sent to a DNS server to update the zone database. nsupdate uses the DNS resolver library to send dynamic updates to a DNS server requesting the addition or deletion of resource records. The zone must be configured to accept dynamic updates for the nsupdate utility to work.

The nsupdate command can accept either a command or the name of a command file.

Zones that are under dynamic control (with nsupdate or a DHCP server) should not be edited by hand. Manual updates could conflict with dynamic updates, causing data to be lost.

If you use a file to supply the updates, the data in the file must be in the following format:


category section name ttl type rdata

In this format:

  • category is any one of the following keywords:
    • update
    • zone
    • prereq
  • section is any one of the following keywords:
    • add
    • delete
    • nxdomain
    • yxdomain
    • nxrrset
    • yxrrset
  • name is the name of the entry being added.
  • ttl is the time to live (in seconds) for this entry. After this time period, the name server no longer serves the entry.
  • type specifies the RR type (for example, A, CNAME, NS, MX, TXT).
  • rdata specifies the data appropriate for the RR type being updated.

Lines beginning with a semicolon are comments and are ignored.


Options

-d

Specifies debug mode.

-y keyname:secret

Generates a signature, where keyname specifies the name of the key and secret is a base-64 encoded secret. This option is not recommended because it displays the shared secret in plain text. Instead, use the -k option.

-k keyfile

Specifies a file that contains the shared secret. The file name has the following format:


Kname.157-random_PRIVATE

For historical reasons, the file Kname.157-random_KEY must also be present.

-r udpretries

Sets the number of UDP retries. The default is 3. If zero, only one update request will be made.

-t timeout

Sets the maximum time an update request can take before it is aborted. The default is 300 seconds. Zero can be used to disable the timeout.

-u udpretries

Sets the UDP retry interval. The default is 3 seconds. If zero, the interval will be computed from the timeout interval and number of UDP retries.

-v

Specifies that nsupdate use the TCP protocol instead of the UDP protocol. By default, nsupdate sends update requests using UDP.

filename

Specifies a file that contains nsupdate commands.

If you do not specify the name of a command file, the NSUPDATE command prompts for a command line. Enter one or more of the following commands.


Commands

server servername [port]

Sends all dynamic update requests to the specified name server. When no name server is specified, the nsupdate utility sends updates to the master server of the correct zone. The MNAME field of that zone's SOA record identifies the master server for that zone. port is the port number to which the dynamic update requests are sent on the specified name server. If no port number is specified, the default DNS port number of 53 is used.

local address [port]

Sends all dynamic update requests using the local address. When no local address is provided, the nsupdate utility sends updates using an address and port chosen by the system. Specify port to make requests come from a specific port. If no port number is specified, the system assigns one.

zone zonename

Specifies that all updates are to be made to the specified zone. If no zone command is provided, the nsupdate utility attempts to determine the correct zone to update based on the rest of the input.

class classname

Specifies the default class. If no class is specified, the default class is IN.

key keyname secret

Specifies that all updates are to be TSIG signed, using the specified keyname and key secret pair.

The key command overrides any key specified on the command line using the -y or -k options.

prereq nxdomain domain-name

Requires that no resource record of any type exist with the specified domain name.

prereq yxrset domain-name type [data]

Makes the presence of an RR set of the specified type owned by domain-name a prerequisite to performing the update. This requires that a resource record of the specified type, class, and domain name must exist. If class is omitted, IN (Internet) is assumed.

prereq nxrrset domain-name [class] {type}

Makes the nonexistence of an RRset of type owned by domain-name a prerequisite to performing the update specified in successive update commands. This requires that no resource record exist of the specified type, class, and domain name. If class is omitted, IN (Internet) is assumed.

The data from each set of prerequisites of this form sharing a common type, class, and domain name are combined to form a set of resource records. This set of resource records must exactly match the set of resource records on the zone at the given type, class, and domain name. The data is written in the standard text representation of the resource record's RDATA.

prereq yxdomain domain-name

Makes the existence of the specified domain-name a prerequisite to performing the update. This requires that the domain name has at least one resource record of any type.

update delete domain-name ttl[class] [type] [rdata]

Deletes any resource records with the specified domain name. If type and data are provided, only matching resource records are removed. If class is omitted, IN (Internet) is assumed. The ttl value is ignored and is included only for compatibility.

update add domain-name ttl[class] type data

Adds a new resource record with the specified ttl, class, and data to the zone. The ttl value, the type, and the data must be included. The class is optional and defaults to IN.

show

Displays the current message, containing all of the prerequisites and updates specified since the last send command.

send

Sends the current message. This is equivalent to entering a blank line.

answer

Displays the answer.

Examples

#1

$ TYPE NSUPD.TXT
update delete www.nads.zn.
update add www.nads.zn. 60 CNAME ivy18.nads.zn

$ NSUPDATE NSUPD.TXT

      

This example shows how to supply a file (NSUPD.TXT) to the nsupdate utility.

#2

$ NSUPDATE
> update delete oldhost.example.com A
> update add newhost.example.com 86400 A 172.16.1.1
>

      

This example shows how the nsupdate utility is used interactively to insert and delete resource records from the example.com zone. Notice that the input contains an extra blank line so that a group of commands are sent as one dynamic update request to the master name server for example.com .

Any A records for oldhost.example.com are deleted, and an A record for newhost.example.com with IP address 172.16.1.1 is added. The newly added record has a TTL value of 86400 seconds (one day).

#3

$ NSUPDATE
> prereq nxdomain nickname.example.com
> update add nickname.example.com 86400 CNAME somehost.example.com
>
      

This example tells the BIND server to verify the prerequisite condition that no resource records of any type exist for nickname.example.com . If any records exist, the update request fails. If no records with that name exist, a CNAME is added for it.

This prerequisite condition is an RFC restriction that has been relaxed to allow for RRSIG, DNSKEY, and NSEC records to exist.

After entering data in interactive mode, press Return (or Enter) on a line with no data to complete the input. Alternatively, you can issue the SEND command. The nsupdate utility then processes all update entries in one operation.

6.11 BIND Version 9 Restrictions

BIND Version 9 has the following restrictions:
  • Certain DNS server implementations do not support AAAA (IPv6 address) records. When queried for an AAAA (IPv6) record type by the BIND resolver, these name servers will return an NXDOMAIN status, even if an A (IPv4) record exists for the same domain name. These name servers should be returning NOERROR as the status for such a query. This problem can result in delays during host name resolution.
    BIND Version 9.3.1, which is supported with this release of TCP/IP Services, and prior versions of BIND do not exhibit this problem.
  • Serving secure zones
    When acting as an authoritative name server, BIND Version 9 includes KEY, SIG, and NXT records in responses as specified in RFC 2535 when the request has the DO flag set in the query.
    Response generation for wildcard records in secure zones is not fully supported. Responses indicating the nonexistence of a name include an NXT record proving the nonexistence of the name itself, but do not include any NXT records to prove the nonexistence of a matching wildcard record. Positive responses resulting from wildcard expansion do not include the NXT records to prove the nonexistence of a non-wildcard match or a more specific wildcard match.
  • Secure resolution
    Basic support for validation of DNSSEC signatures in responses has been implemented but should be considered experimental.
    When acting as a caching name server, BIND Version 9 is capable of performing basic DNSSEC validation of positive as well as nonexistence responses. You can enable this functionality by including a trusted-keys clause containing the top-level zone key of the DNSSEC tree in the configuration file.
    Validation of wildcard responses is not currently supported. In particular, a " name does not exist " response will validate successfully even if the server does not contain the NXT records to prove the nonexistence of a matching wildcard.
    Proof of insecure status for insecure zones delegated from secure zones works when the zones are completely insecure. Privately secured zones delegated from secure zones will not work in all cases, such as when the privately secured zone is served by the same server as an ancestor (but not parent) zone.
    Handling of the CD bit in queries is now fully implemented. Validation is not attempted for recursive queries if CD is set.
  • Secure dynamic update
    Dynamic updating of secure zones has been partially implemented. Affected NXT and SIG records are updated by the server when an update occurs. Use the update-policy statement in the zone definition for advanced access control.
  • Secure zone transfers
    BIND Version 9 does not implement the zone transfer security mechanisms of RFC 2535 because they are considered inferior to the use of TSIG or SIG(0) to ensure the integrity of zone transfers.

6.12 Solving Bind Server Problems

To solve BIND server problems, see the following sections:

6.12.1 BIND Server Diagnostic Tools

The TCP/IP Services product provides the following utilities for diagnosing problems with the BIND server:

  • The dig utility
  • The host utility
  • The nslookup utility

The following sections describe these utilities.

Note

The nslookup utility is no longer recommended. Use the dig utility instead.

dig

Gathers information from the Domain Name System servers.


Format

dig [@server] [-option] [name] [type] [class] [queryopt...]

description

dig is a flexible tool for interrogating DNS name servers. It performs DNS lookups and displays the answers that are returned from the name servers that were queried. Most DNS administrators use dig to troubleshoot DNS problems because of its flexibility, ease of use and clarity of output. Other lookup tools tend to have less functionality than dig .

Although dig normally is used with command-line arguments, it also has a batch mode of operation for reading lookup requests from a file. A brief summary of its command-line arguments and options is printed when the -h option is given. Unlike earlier versions of BIND, the BIND Version 9 implementation of dig allows multiple lookups to be issued from the command line.

Unless it is told to query a specific name server, dig tries each of the servers listed in your resolver configuration. When no command line arguments or options are given, dig performs an NS query for "." (the root).

dig has two modes: simple interactive mode, for a single query, and batch mode, which executes a query for each in a list of several query lines. All query options are accessible from the command line.

To get online help for the dig utility, enter the -h option on the command line. For example:


$ dig -h

Parameters

@server

Specifies the name or IP address of the name server to query. This can be either an IPv4 address in dotted-decimal notation or an IPv6 address in colon-delimited notation. When the supplied server argument is a host name, dig resolves that name before querying that name server. If no server argument is provided, dig consults your resolver configuration and queries the name servers listed there. The reply from the name server that responds is displayed.

name

Specifies the name of the resource record to look up.

type

Indicates the type of query required (ANY, A, MX, SIG, and so forth). If the type parameter is not supplied, dig performs a lookup for an A record.

class

Specifies the DNS query class. The default is class IN (Internet).

Options

-b address

Sets the source IP address of the query to address. This must be a valid address on one of the host's network interfaces or 0.0.0.0 or :: . You can specify an optional port by appending #port .

-c class

Specifies the query class. class is any valid class, such as HS for hesiod records or CH for CHAOSnet records. The default query class is IN (Internet).

-f filename

Makes dig operate in batch mode by reading a list of lookup requests to process from the specified file. The file contains a number of queries, one per line. Each entry in the file should be organized in the same way that dig queries are presented using the command-line interface.

-k filename

Allows you to sign the DNS queries sent by dig and their responses using transaction signatures (TSIG). Specify a TSIG key file for filename.

-p port

Allows you to specify a nonstandard port number. port is the port number that dig uses to send its queries instead of the standard DNS port number 53. You can use this option to test a name server that has been configured to listen for queries on a nonstandard port number.

-t type

Sets the query type to type, which can be any valid query type supported in BIND Version 9. The default query type is A, unless the -x option is supplied to indicate a reverse lookup. A zone transfer can be requested by specifying a type of AXFR. When an incremental zone transfer (IXFR) is required, type is set to ixfr=N . The incremental zone transfer contains the changes made to the zone since the serial number in the zone's SOA record was N.

-x addr

Specifies reverse lookups (mapping addresses to names). addr is either an IPv4 address in dotted-decimal notation or a colon-delimited IPv6 address. This option eliminates the need to provide the name, class, and type arguments. dig automatically performs a lookup for a name like 11.12.13.10.in-addr.arpa and sets the query type and class to PTR and IN, respectively. By default, IPv6 addresses are looked up using the IP6.ARPA domain and the nibble format. To use the older RFC 1886 method using the IP6.INT domain, specify the -i option. Bit string labels (RFC 2874) are now experimental and are not attempted.

-y name:key

Allows you to specify the TSIG key itself on the command line. name is the name of the TSIG key and key is the actual key. The key is a base-64 encoded string, typically generated by dnssec_keygen . When using TSIG authentication with dig , the name server that is queried needs to know the key and algorithm that is being used. In BIND, this is done by providing appropriate key and server statements in TCPIP$BIND.CONF.

-4

Forces dig to only use IPv4 query transport.

-6

Forces dig to only use IPv6 query transport.

Query Options

Each query option is identified by a keyword preceded by a plus sign (+). Some keywords set or reset an option. These can be preceded by the string no to negate the meaning of that keyword. Other keywords (like that which sets the timeout interval) assign values to options. These types of keywords have the form +keyword=value .

The query options are:

+[no]tcp

Specifies whether to use TCP when querying name servers. The default behavior is to use UDP unless an AXFR or IXFR query is requested, in which case a TCP connection is used.

+[no]vc

Specifies whether to use TCP when querying name servers. This alternate syntax to [no]tcp is provided for backward compatibility. ( vc stands for virtual circuit.)

+[no]ignore

Ignores truncation in UDP responses instead of retrying with TCP. By default, TCP retries are performed.

+domain=name

Sets the search list to contain the single domain name, as if specified in a domain directive in your resolver configuration. Enables search list processing as if the search option were specified.

+[no]search

Specifies whether to use the search list defined by the path directive in your resolver configuration. By default, the search list is not used.

+[no]defname

This deprecated option is treated as a synonym for [no]search .

+[no]aaonly

Sets the aa flag in the query.

+[no]aaflag

Same as +[no]aaonly .

+[no]cl

Display or no not display the class when printing the record.

+[no]adflag

Specifies whether to set the AD (authentic data) bit in the query. The AD bit currently has a standard meaning only in responses, not in queries, but the ability to set the bit in the query is provided for completeness.

+[no]cdflag

Specifies whether to set the CD (checking disabled) bit in the query. This requests the server to not perform DNSSEC validation of responses.

+[no]recurse

Toggles the setting of the RD (recursion desired) bit in the query. This bit is set by default, which means dig normally sends recursive queries. Recursion is automatically disabled when the nssearch or trace query options are used.

+[no]nssearch

Attempts to find the authoritative name servers for the zone containing the name being looked up. Displays the SOA record that each name server has for the zone.

+[no]trace

Toggles tracing of the delegation path from the root name servers for the name being looked up. Tracing is disabled by default. When tracing is enabled, dig makes iterative queries to resolve the name being looked up, following referrals from the root servers and showing the answer from each server that was used to resolve the lookup.

+[no]cmd

Toggles the printing of the initial comment in the output identifying the version of dig and the query options that have been applied. This comment is printed by default.

+[no]short

Provides a terse answer. The default is to print the answer in verbose form.

+[no]identify

Specifies whether to show the IP address and port number that supplied the answer when the +short option is enabled. If terse answers are requested, the default is not to show the source address and port number of the server that provided the answer.

+[no]comments

Toggles the display of comment lines in the output. The default is to print comments.

+[no]stats

Toggles the printing of statistics, such as when the query was made, the size of the reply, and so on. The default behavior is to print the query statistics.

+[no]qr

Specifies whether to print the query as it is sent. By default, the query is not printed.

+[no]question

Specifies whether to print the question section of a query when an answer is returned. The default is to print the question section as a comment.

+[no]answer

Specifies whether to display the answer section of a reply. The default is to display the answer section.

+[no]authority

Specifies whether to display the authority section of a reply. The default is to display the authority section.

+[no]additional

Specifies whether to display the additional section of a reply. The default is to display the additional section.

+[no]all

Specifies whether to set or clear all display flags.

+time=T

Sets the timeout for a query to T seconds. The default timeout is 5 seconds. An attempt to set T to less than 1 results in a query timeout of 1 second.

+retry=A

Sets the number of times to try UDP queries to the server to A instead of to the default of 2. Unlike +tries , this does not include the initial query.

+tries=A

Sets the number of times to try UDP queries to the server to A instead of the default of 2. Unlike +tries , this does not include the initial query.

+ndots=D

Set the number of dots that have to appear in name to D for it to be considered absolute. The default value is 1.


Previous Next Contents Index