-
-
Notifications
You must be signed in to change notification settings - Fork 106
/
Copy pathnsd-control.8.in
345 lines (345 loc) · 13.2 KB
/
nsd-control.8.in
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
.TH "nsd\-control" "8" "@date@" "NLnet Labs" "nsd @version@"
.\" Copyright (c) 2011-2024, NLnet Labs. All rights reserved.
.\" See LICENSE for the license.
.SH "NAME"
.B nsd\-control,
.B nsd\-control\-setup
\- NSD remote server control utility.
.SH "SYNOPSIS"
.B nsd\-control
.RB [ \-c
.IR cfgfile ]
.RB [ \-s
.IR server ]
.IR command
.SH "DESCRIPTION"
.B nsd\-control
performs remote administration on the \fInsd\fR(8) DNS server. It reads
the configuration file, contacts the nsd server over SSL, sends the
command and displays the result. Commands that require a reload are queued
and the result indicates the command was accepted.
.P
The available options are:
.TP
.B \-h
Show the version and commandline option help.
.TP
.B \-c \fIcfgfile
The config file to read with settings. If not given the default
config file @nsdconfigfile@ is used.
.TP
.B \-s \fIserver[@port]
IPv4 or IPv6 address of the server to contact. If not given, the
address is read from the config file.
.SH "COMMANDS"
There are several commands that the server understands.
.TP
.B start
Start the server. Simply execs \fInsd\fR(8). The nsd executable
is not searched for in the \fBPATH\fR set in the environment. Instead the
default location relative to the installation prefix specified at
compile-time. The executable location can be overridden by setting
\fINSD_PATH\fR in the environment. It is started with the config file
specified using \fI\-c\fR or the default config file.
.TP
.B stop
Stop the server. The server daemon exits.
.TP
.B reload [<zone>]
Reload zonefiles and reopen logfile. Without argument reads changed
zonefiles. With argument reads the zonefile for the given zone and
loads it.
.TP
.B reconfig
Reload nsd.conf and apply changes to TSIG keys and configuration patterns,
and apply the changes to add and remove zones that are mentioned in the config.
Other changes are not applied, such as listening ip address and port and chroot,
also per-zone statistics are not applied.
The pattern updates means that the configuration options for
zones (request\-xfr, zonefile, notify, ...) are updated. Also new
patterns are available for use with the addzone command.
.TP
.B repattern
Same as the reconfig option.
.TP
.B log_reopen
Reopen the logfile, for log rotate that wants to move the logfile away
and create a new logfile. The log can also be reopened with kill \-HUP
(which also reloads all zonefiles).
.TP
.B status
Display server status. Exit code 3 if not running (the connection to the
port is refused), 1 on error, 0 if running.
.TP
.B stats
Output a sequence of name=value lines with statistics information, requires
NSD to be compiled with this option enabled.
.TP
.B stats_noreset
Same as stats, but does not zero the counters.
.TP
.B addzone <zone name> <pattern name>
Add a new zone to the running server. The zone is added to the zonelist
file on disk, so it stays after a restart. The pattern name determines
the options for the new zone. For secondary zones a zone transfer is
immediately attempted. For zones with a zonefile, the zone file is
attempted to be read in.
.TP
.B delzone <zone name>
Remove the zone from the running server. The zone is removed from the
zonelist file on disk, from the nsd.db file and from the memory. If it
had a zonefile, this remains (but may be outdated). Zones configured
inside nsd.conf itself cannot be removed this way because the daemon
does not write to the nsd.conf file, you need to add such zones to the
zonelist file to be able to delete them with the delzone command.
.TP
.B changezone <zone name> <pattern name>
Change a zone to use the pattern for options. The zone is deleted and added
in one operation, changing it to use the new pattern for the zone options.
Zones configured in nsd.conf cannot be changed like this, instead edit
the nsd.conf (or the included file in nsd.conf) and reconfig.
.TP
.B addzones
Add zones read from stdin of nsd\-control. Input is read per line,
with name space patternname on a line. For bulk additions.
.TP
.B delzones
Remove zones read from stdin of nsd\-control. Input is one name per line.
For bulk removals.
.TP
.B write [<zone>]
Write zonefiles to disk, or the given zonefile to disk. Zones that have
changed (via AXFR or IXFR) are written, or if the zonefile has not been
created yet then it is created. Directory components of the zonefile
path are created if necessary. With argument that zone is written if it
was modified, without argument, all modified zones are written.
.TP
.B notify [<zone>]
Send NOTIFY messages to secondary servers. Sends to the IP addresses
configured in the 'notify:' lists for the primary zones hosted on this
server. Usually NSD sends NOTIFY messages right away when a primary zone
serial is updated. If a zone is given, notifies are sent for that zone.
These secondary servers are supposed to initiate a zone transfer request
later (to this server or another primary), this can be allowed via
the 'provide\-xfr:' acl list configuration. With argument that zone is
processed, without argument, all zones are processed.
.TP
.B transfer [<zone>]
Attempt to update secondary zones that are hosted on this server by contacting
the primaries. The primaries are configured via 'request\-xfr:' lists.
If a zone is given, that zone is updated. Usually NSD receives a NOTIFY
from the primaries (configured via 'allow\-notify:' acl list) that a new zone
serial has to be transferred. For zones with no content, NSD may have backed
off from asking often because the primaries did not respond, but this command
will reset the backoff to its initial timeout, for frequent retries. With
argument that zone is transferred, without argument, all zones are transferred.
.TP
.B force_transfer [<zone>]
Force update secondary zones that are hosted on this server. Even if the
primary hosts the same serial number of the zone, a full AXFR is performed
to fetch it. If you want to use IXFR and check that the serial number
increases, use the 'transfer' command. With argument that zone is
transferred, without argument, all zones are transferred.
.TP
.B zonestatus [<zone>]
Print state of the zone, the serial numbers and since when they have
been acquired. Also prints the notify action (to which server), and
zone transfer (and from which primary) if there is activity right now.
The state of the zone is printed as: 'primary' (primary zones), 'ok' (secondary
zone is up\-to\-date), 'expired' (secondary zone has expired), 'refreshing' (secondary
zone has transfers active). The serial numbers printed are
the 'served\-serial' (currently active), the 'commit\-serial' (is in reload),
the 'notified\-serial' (got notify, busy fetching the data). The serial
numbers are only printed if such a serial number is available. With argument
that zone is printed, without argument, all zones are printed.
.TP
.B serverpid
Prints the PID of the server process. This is used for statistics (and
only works when NSD is compiled with statistics enabled). This pid is
not for sending unix signals, use the pid from nsd.pid for that, that pid
is also stable.
.TP
.B verbosity <number>
Change logging verbosity.
.TP
.B print_tsig [<key_name>]
print the secret and algorithm for the TSIG key with that name.
Or list all the tsig keys with their name, secret and algorithm.
.TP
.B update_tsig <name> <secret>
Change existing TSIG key with name to the new secret. The secret is
a base64 encoded string. The changes are only in-memory and are gone next
restart, for lasting changes edit the nsd.conf file or a file included from it.
.TP
.B add_tsig <name> <secret> [algo]
Add a new TSIG key with the given name, secret and algorithm. Without
algorithm a default (hmac-sha256) algorithm is used. The secret is a
base64 encoded string. The changes are only in-memory and are gone next
restart, for lasting changes edit the nsd.conf file or a file included from it.
.TP
.B assoc_tsig <zone> <key_name>
Associate the zone with the given tsig. The access control lists for
notify, allow-notify, provide-xfr and request-xfr are adjusted to use the
given key.
.TP
.B del_tsig <key_name>
Delete the TSIG key with the given name. Prints error if the key is still
in use by some zone. The changes are only in-memory and are gone next
restart, for lasting changes edit the nsd.conf file or a file included from it.
.TP
.B add_cookie_secret <secret>
Add or replace a cookie secret persistently. <secret> needs to be an 128 bit
hex string.
.sp
Cookie secrets can be either \fIactive\fR or \fIstaging\fR. \fIActive\fR cookie
secrets are used to create DNS Cookies, but verification of a DNS Cookie
succeeds with any of the \fIactive\fR or \fIstaging\fR cookie secrets. The
state of the current cookie secrets can be printed with the
\fBprint_cookie_secrets\fR command.
.sp
When there are no cookie secrets configured yet, the <secret> is added as
\fIactive\fR. If there is already an \fIactive\fR cookie secret, the <secret>
is added as \fIstaging\fR or replacing an existing \fIstaging\fR secret.
.sp
To "roll" a cookie secret used in an anycast set. The new secret has to be
added as staging secret to \fBall\fR nodes in the anycast set. When \fBall\fR
nodes can verify DNS Cookies with the new secret, the new secret can be
activated with the \fBactivate_cookie_secret\fR command. After \fBall\fR nodes
have the new secret \fIactive\fR for at least one hour, the previous secret can
be dropped with the \fBdrop_cookie_secret\fR command.
.sp
Persistence is accomplished by writing to a file which if configured with the
\fBcookie\-secret\-file\fR option in the server section of the config file.
The default value for that is: @cookiesecretsfile@ .
.TP
.B drop_cookie_secret
Drop the \fIstaging\fR cookie secret.
.TP
.B activate_cookie_secret
Make the current \fIstaging\fR cookie secret \fIactive\fR, and the current
\fIactive\fR cookie secret \fIstaging\fR.
.TP
.B print_cookie_secrets
Show the current configured cookie secrets with their status.
.SH "EXIT CODE"
The nsd\-control program exits with status code 1 on error, 0 on success.
.SH "SET UP"
The setup requires a self\-signed certificate and private keys for both
the server and client. The script \fInsd\-control\-setup\fR generates
these in the default run directory, or with \-d in another directory.
If you change the access control permissions on the key files you can decide
who can use nsd\-control, by default owner and group but not all users.
The script preserves private keys present in the directory.
After running the script as root, turn on \fBcontrol\-enable\fR in
\fInsd.conf\fR.
.SH "STATISTIC COUNTERS"
The \fIstats\fR command shows a number of statistic counters.
.TP
.I num.queries
number of queries received (the tls, tcp and udp queries added up).
.TP
.I serverX.queries
number of queries handled by the server process. The number of
server processes is set with the config statement \fBserver\-count\fR.
.TP
.I time.boot
uptime in seconds since the server was started. With fractional seconds.
.TP
.I time.elapsed
time since the last stats report, in seconds. With fractional seconds.
Can be zero if polled quickly and the previous stats command resets the
counters, so that the next gets a fully zero, and zero elapsed time, report.
.TP
.I size.db.disk
size of nsd.db on disk, in bytes.
.TP
.I size.db.mem
size of the DNS database in memory, in bytes.
.TP
.I size.xfrd.mem
size of memory for zone transfers and notifies in xfrd process, excludes
TSIG data, in bytes.
.TP
.I size.config.disk
size of zonelist file on disk, excludes the nsd.conf size, in bytes.
.TP
.I size.config.mem
size of config data in memory, kept twice in server and xfrd process,
in bytes.
.TP
.I num.type.X
number of queries with this query type.
.TP
.I num.opcode.X
number of queries with this opcode.
.TP
.I num.class.X
number of queries with this query class.
.TP
.I num.rcode.X
number of answers that carried this return code.
.TP
.I num.edns
number of queries with EDNS OPT.
.TP
.I num.ednserr
number of queries which failed EDNS parse.
.TP
.I num.udp
number of queries over UDP ip4.
.TP
.I num.udp6
number of queries over UDP ip6.
.TP
.I num.tcp
number of connections over TCP ip4.
.TP
.I num.tcp6
number of connections over TCP ip6.
.TP
.I num.tls
number of connections over TLS ip4. TLS queries are not part of num.tcp.
.TP
.I num.tls6
number of connections over TLS ip6. TLS queries are not part of num.tcp6.
.TP
.I num.answer_wo_aa
number of answers with NOERROR rcode and without AA flag, this includes the referrals.
.TP
.I num.rxerr
number of queries for which the receive failed.
.TP
.I num.txerr
number of answers for which the transmit failed.
.TP
.I num.raxfr
number of AXFR requests from clients (that got served with reply).
.TP
.I num.rixfr
number of IXFR requests from clients (that got served with reply).
.TP
.I num.truncated
number of answers with TC flag set.
.TP
.I num.dropped
number of queries that were dropped because they failed sanity check.
.TP
.I zone.primary
number of primary zones served. These are zones with no 'request\-xfr:'
entries. Also output as 'zone.master' for backwards compatibility.
.TP
.I zone.secondary
number of secondary zones served. These are zones with 'request\-xfr'
entries. Also output as 'zone.slave' for backwards compatibility.
.SH "FILES"
.TP
.I @nsdconfigfile@
nsd configuration file.
.TP
.I @configdir@
directory with private keys (nsd_server.key and nsd_control.key) and
self\-signed certificates (nsd_server.pem and nsd_control.pem).
.SH "SEE ALSO"
\fInsd.conf\fR(5),
\fInsd\fR(8),
\fInsd\-checkconf\fR(8)