Previous | Contents | Index |
Generates the configuration files used by the rndc utility.
rndc_confgen [-a] [-b keysize] [-c keyfile] [-h] [-k keyname] [-p port] [-r randomfile] [-s address]
The rndc_confgen utility generates configuration files for the rndc utility. It can be used as a convenient alternative to writing the RNDC.CONF file and the corresponding controls and key statements in TCPIP$BIND.CONF by hand. The utility can be run with the -a option to set up an RNDC.KEY file, thereby avoiding the need for an RNDC.CONF file and a controls statement.
-a
Configures rndc automatically. This option creates the file RNDC.KEY in TCPIP$ETC that is read by both rndc and the BIND server on startup. The RNDC.KEY file defines a default command channel and authentication key, allowing rndc to communicate with the BIND server on the local host with no further configuration.Using the -a option allows BIND Version 9 and rndc to be used as drop-in replacements for BIND Version 8 and ndc , with no changes to the existing TCPIP$BIND.CONF file. For information about BIND Version 8, see Chapter 6.
If a more elaborate configuration than that generated by rndc_confgen -a is required (for example, if rndc is to be used remotely), you should run rndc_confgen without the -a option and set up a TCPIP$RNDC.CONF file and a TCPIP$BIND.CONF file as directed.
Note
For the BIND server to recognize a newly generated RNDC.KEY file, you must stop and restart the BIND server.-b keysize
Specifies the size of the authentication key in bits. Must be between 1 and 512 bits; the default is 128.-c keyfile
Used with the -a option to specify an alternate location for RNDC.KEY.-h
Prints a short summary of the options and arguments to rndc_confgen .-k keyname
Specifies the key name of the rndc authentication key. This must be a valid domain name. The default is rndc-key .-p port
Specifies the command channel port where the BIND server listens for connections from rndc . The default is 953.-r randomfile
Specifies a source of random data for generating the authorization. The default source of randomness is keyboard input. randomfile specifies the name of a file containing random data to be used instead of the default. The special value keyboard indicates that keyboard input should be used.-s address
Specifies the IP address where the BIND server listens for command channel connections from rndc . The default is the loopback address 127.0.0.1.
Updates Domain Name System (DNS) servers interactively.
nsupdate [-d] [-y keyname:secret | [-k keyfile] [-r udpretries] [-t timeout] [-u udptimeout] [-v] [filename]
The nsupdate utility creates dynamic updates, which are sent to a DNS server to update the zone database. nsupdate uses the DNS resolver library to send dynamic updates to a DNS server requesting the addition or deletion of resource records. The zone must be configured to accept dynamic updates for the nsupdate utility to work.
The nsupdate command can accept either a command or the name of a command file.
Zones that are under dynamic control (with nsupdate or a DHCP server) should not be edited by hand. Manual updates could conflict with dynamic updates, causing data to be lost.
If you use a file to supply the updates, the data in the file must be in the following format:
category section name ttl type rdataIn this format:
- category is any one of the following keywords:
- update
- zone
- prereq
- section is any one of the following keywords:
- add
- delete
- nxdomain
- yxdomain
- nxrrset
- yxrrset
- name is the name of the entry being added.
- ttl is the time to live (in seconds) for this entry. After this time period, the name server no longer serves the entry.
- type specifies the RR type (for example, A, CNAME, NS, MX, TXT).
- rdata specifies the data appropriate for the RR type being updated.
Lines beginning with a semicolon are comments and are ignored.
-d
Specifies debug mode.-y keyname:secret
Generates a signature, where keyname specifies the name of the key and secret is a base-64 encoded secret. This option is not recommended because it displays the shared secret in plain text. Instead, use the -k option.-k keyfile
Specifies a file that contains the shared secret. The file name has the following format:
Kname.157-random_PRIVATEFor historical reasons, the file Kname.157-random_KEY must also be present.
-r udpretries
Sets the number of UDP retries. The default is 3. If zero, only one update request will be made.-t timeout
Sets the maximum time an update request can take before it is aborted. The default is 300 seconds. Zero can be used to disable the timeout.-u udpretries
Sets the UDP retry interval. The default is 3 seconds. If zero, the interval will be computed from the timeout interval and number of UDP retries.-v
Specifies that nsupdate use the TCP protocol instead of the UDP protocol. By default, nsupdate sends update requests using UDP.filename
Specifies a file that contains nsupdate commands.If you do not specify the name of a command file, the NSUPDATE command prompts for a command line. Enter one or more of the following commands.
server servername [port]
Sends all dynamic update requests to the specified name server. When no name server is specified, the nsupdate utility sends updates to the master server of the correct zone. The MNAME field of that zone's SOA record identifies the master server for that zone. port is the port number to which the dynamic update requests are sent on the specified name server. If no port number is specified, the default DNS port number of 53 is used.local address [port]
Sends all dynamic update requests using the local address. When no local address is provided, the nsupdate utility sends updates using an address and port chosen by the system. Specify port to make requests come from a specific port. If no port number is specified, the system assigns one.zone zonename
Specifies that all updates are to be made to the specified zone. If no zone command is provided, the nsupdate utility attempts to determine the correct zone to update based on the rest of the input.class classname
Specifies the default class. If no class is specified, the default class is IN.key keyname secret
Specifies that all updates are to be TSIG signed, using the specified keyname and key secret pair.The key command overrides any key specified on the command line using the -y or -k options.
prereq nxdomain domain-name
Requires that no resource record of any type exist with the specified domain name.prereq yxrset domain-name type [data]
Makes the presence of an RR set of the specified type owned by domain-name a prerequisite to performing the update. This requires that a resource record of the specified type, class, and domain name must exist. If class is omitted, IN (Internet) is assumed.prereq nxrrset domain-name [class] {type}
Makes the nonexistence of an RRset of type owned by domain-name a prerequisite to performing the update specified in successive update commands. This requires that no resource record exist of the specified type, class, and domain name. If class is omitted, IN (Internet) is assumed.The data from each set of prerequisites of this form sharing a common type, class, and domain name are combined to form a set of resource records. This set of resource records must exactly match the set of resource records on the zone at the given type, class, and domain name. The data is written in the standard text representation of the resource record's RDATA.
prereq yxdomain domain-name
Makes the existence of the specified domain-name a prerequisite to performing the update. This requires that the domain name has at least one resource record of any type.update delete domain-name ttl[class] [type] [rdata]
Deletes any resource records with the specified domain name. If type and data are provided, only matching resource records are removed. If class is omitted, IN (Internet) is assumed. The ttl value is ignored and is included only for compatibility.update add domain-name ttl[class] type data
Adds a new resource record with the specified ttl, class, and data to the zone. The ttl value, the type, and the data must be included. The class is optional and defaults to IN.show
Displays the current message, containing all of the prerequisites and updates specified since the last send command.send
Sends the current message. This is equivalent to entering a blank line.answer
Displays the answer.
#1 |
---|
$ TYPE NSUPD.TXT update delete www.nads.zn. update add www.nads.zn. 60 CNAME ivy18.nads.zn $ NSUPDATE NSUPD.TXT |
This example shows how to supply a file (NSUPD.TXT) to the nsupdate utility.
#2 |
---|
$ NSUPDATE > update delete oldhost.example.com A > update add newhost.example.com 86400 A 172.16.1.1 > |
This example shows how the nsupdate utility is used interactively to insert and delete resource records from the example.com zone. Notice that the input contains an extra blank line so that a group of commands are sent as one dynamic update request to the master name server for example.com .
Any A records for oldhost.example.com are deleted, and an A record for newhost.example.com with IP address 172.16.1.1 is added. The newly added record has a TTL value of 86400 seconds (one day).
#3 |
---|
$ NSUPDATE > prereq nxdomain nickname.example.com > update add nickname.example.com 86400 CNAME somehost.example.com > |
This example tells the BIND server to verify the prerequisite condition that no resource records of any type exist for nickname.example.com . If any records exist, the update request fails. If no records with that name exist, a CNAME is added for it.
This prerequisite condition is an RFC restriction that has been relaxed to allow for RRSIG, DNSKEY, and NSEC records to exist.
After entering data in interactive mode, press Return (or Enter) on a line with no data to complete the input. Alternatively, you can issue the SEND command. The nsupdate utility then processes all update entries in one operation.
6.11 BIND Version 9 Restrictions
BIND Version 9 has the following restrictions:
To solve BIND server problems, see the following sections:
The TCP/IP Services product provides the following utilities for diagnosing problems with the BIND server:
The following sections describe these utilities.
The nslookup utility is no longer recommended. Use the dig utility instead. |
Gathers information from the Domain Name System servers.
dig [@server] [-option] [name] [type] [class] [queryopt...]
dig is a flexible tool for interrogating DNS name servers. It performs DNS lookups and displays the answers that are returned from the name servers that were queried. Most DNS administrators use dig to troubleshoot DNS problems because of its flexibility, ease of use and clarity of output. Other lookup tools tend to have less functionality than dig .Although dig normally is used with command-line arguments, it also has a batch mode of operation for reading lookup requests from a file. A brief summary of its command-line arguments and options is printed when the -h option is given. Unlike earlier versions of BIND, the BIND Version 9 implementation of dig allows multiple lookups to be issued from the command line.
Unless it is told to query a specific name server, dig tries each of the servers listed in your resolver configuration. When no command line arguments or options are given, dig performs an NS query for "." (the root).
dig has two modes: simple interactive mode, for a single query, and batch mode, which executes a query for each in a list of several query lines. All query options are accessible from the command line.
To get online help for the dig utility, enter the -h option on the command line. For example:
$ dig -h
@server
Specifies the name or IP address of the name server to query. This can be either an IPv4 address in dotted-decimal notation or an IPv6 address in colon-delimited notation. When the supplied server argument is a host name, dig resolves that name before querying that name server. If no server argument is provided, dig consults your resolver configuration and queries the name servers listed there. The reply from the name server that responds is displayed.name
Specifies the name of the resource record to look up.type
Indicates the type of query required (ANY, A, MX, SIG, and so forth). If the type parameter is not supplied, dig performs a lookup for an A record.class
Specifies the DNS query class. The default is class IN (Internet).
-b address
Sets the source IP address of the query to address. This must be a valid address on one of the host's network interfaces or 0.0.0.0 or :: . You can specify an optional port by appending #port .-c class
Specifies the query class. class is any valid class, such as HS for hesiod records or CH for CHAOSnet records. The default query class is IN (Internet).-f filename
Makes dig operate in batch mode by reading a list of lookup requests to process from the specified file. The file contains a number of queries, one per line. Each entry in the file should be organized in the same way that dig queries are presented using the command-line interface.-k filename
Allows you to sign the DNS queries sent by dig and their responses using transaction signatures (TSIG). Specify a TSIG key file for filename.-p port
Allows you to specify a nonstandard port number. port is the port number that dig uses to send its queries instead of the standard DNS port number 53. You can use this option to test a name server that has been configured to listen for queries on a nonstandard port number.-t type
Sets the query type to type, which can be any valid query type supported in BIND Version 9. The default query type is A, unless the -x option is supplied to indicate a reverse lookup. A zone transfer can be requested by specifying a type of AXFR. When an incremental zone transfer (IXFR) is required, type is set to ixfr=N . The incremental zone transfer contains the changes made to the zone since the serial number in the zone's SOA record was N.-x addr
Specifies reverse lookups (mapping addresses to names). addr is either an IPv4 address in dotted-decimal notation or a colon-delimited IPv6 address. This option eliminates the need to provide the name, class, and type arguments. dig automatically performs a lookup for a name like 11.12.13.10.in-addr.arpa and sets the query type and class to PTR and IN, respectively. By default, IPv6 addresses are looked up using the IP6.ARPA domain and the nibble format. To use the older RFC 1886 method using the IP6.INT domain, specify the -i option. Bit string labels (RFC 2874) are now experimental and are not attempted.-y name:key
Allows you to specify the TSIG key itself on the command line. name is the name of the TSIG key and key is the actual key. The key is a base-64 encoded string, typically generated by dnssec_keygen . When using TSIG authentication with dig , the name server that is queried needs to know the key and algorithm that is being used. In BIND, this is done by providing appropriate key and server statements in TCPIP$BIND.CONF.-4
Forces dig to only use IPv4 query transport.-6
Forces dig to only use IPv6 query transport.
Each query option is identified by a keyword preceded by a plus sign (+). Some keywords set or reset an option. These can be preceded by the string no to negate the meaning of that keyword. Other keywords (like that which sets the timeout interval) assign values to options. These types of keywords have the form +keyword=value .The query options are:
+[no]tcp
Specifies whether to use TCP when querying name servers. The default behavior is to use UDP unless an AXFR or IXFR query is requested, in which case a TCP connection is used.+[no]vc
Specifies whether to use TCP when querying name servers. This alternate syntax to [no]tcp is provided for backward compatibility. ( vc stands for virtual circuit.)+[no]ignore
Ignores truncation in UDP responses instead of retrying with TCP. By default, TCP retries are performed.+domain=name
Sets the search list to contain the single domain name, as if specified in a domain directive in your resolver configuration. Enables search list processing as if the search option were specified.+[no]search
Specifies whether to use the search list defined by the path directive in your resolver configuration. By default, the search list is not used.+[no]defname
This deprecated option is treated as a synonym for [no]search .+[no]aaonly
Sets the aa flag in the query.+[no]aaflag
Same as +[no]aaonly .+[no]cl
Display or no not display the class when printing the record.+[no]adflag
Specifies whether to set the AD (authentic data) bit in the query. The AD bit currently has a standard meaning only in responses, not in queries, but the ability to set the bit in the query is provided for completeness.+[no]cdflag
Specifies whether to set the CD (checking disabled) bit in the query. This requests the server to not perform DNSSEC validation of responses.+[no]recurse
Toggles the setting of the RD (recursion desired) bit in the query. This bit is set by default, which means dig normally sends recursive queries. Recursion is automatically disabled when the nssearch or trace query options are used.+[no]nssearch
Attempts to find the authoritative name servers for the zone containing the name being looked up. Displays the SOA record that each name server has for the zone.+[no]trace
Toggles tracing of the delegation path from the root name servers for the name being looked up. Tracing is disabled by default. When tracing is enabled, dig makes iterative queries to resolve the name being looked up, following referrals from the root servers and showing the answer from each server that was used to resolve the lookup.+[no]cmd
Toggles the printing of the initial comment in the output identifying the version of dig and the query options that have been applied. This comment is printed by default.+[no]short
Provides a terse answer. The default is to print the answer in verbose form.+[no]identify
Specifies whether to show the IP address and port number that supplied the answer when the +short option is enabled. If terse answers are requested, the default is not to show the source address and port number of the server that provided the answer.+[no]comments
Toggles the display of comment lines in the output. The default is to print comments.+[no]stats
Toggles the printing of statistics, such as when the query was made, the size of the reply, and so on. The default behavior is to print the query statistics.+[no]qr
Specifies whether to print the query as it is sent. By default, the query is not printed.+[no]question
Specifies whether to print the question section of a query when an answer is returned. The default is to print the question section as a comment.+[no]answer
Specifies whether to display the answer section of a reply. The default is to display the answer section.+[no]authority
Specifies whether to display the authority section of a reply. The default is to display the authority section.+[no]additional
Specifies whether to display the additional section of a reply. The default is to display the additional section.+[no]all
Specifies whether to set or clear all display flags.+time=T
Sets the timeout for a query to T seconds. The default timeout is 5 seconds. An attempt to set T to less than 1 results in a query timeout of 1 second.+retry=A
Sets the number of times to try UDP queries to the server to A instead of to the default of 2. Unlike +tries , this does not include the initial query.+tries=A
Sets the number of times to try UDP queries to the server to A instead of the default of 2. Unlike +tries , this does not include the initial query.+ndots=D
Set the number of dots that have to appear in name to D for it to be considered absolute. The default value is 1.
Previous Next Contents Index