2 Domain Name Server Configuration Utilities -- NSC 5.1
4 (c) 1997--2023 Martin Mares <mj@ucw.cz>
6 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
9 -----------------------------------------------------------------------
10 WARNING: There were several incompatible changes between major versions
11 See NEWS for the summary of changes.
12 -----------------------------------------------------------------------
15 NSC is a set of shell and M4 scripts for easy maintenance of DNS zone files
16 and name server daemon configuration (currently available only for BIND 8.x/9.x,
17 but easily portable for other daemons). It has been designed to make administration
18 of a DNS server a piece of cake (unlike other utilities which resemble more
19 an English pudding :-) ), which includes automatic generation of reverse records
20 for all your hosts, handling of classless reverse delegations and support for IPv6
21 (AAAA and PTR in ip6.arpa, not A6 and DNAME which seem to be dying out).
23 NSC requires GNU m4, GNU Bash, the `md5sum' and `sha1sum' utilities (which
24 are present for example in GNU coreutils), and utilities distributed with BIND.
25 Some of the extra utilities require Perl 5. I've tested everything on Linux
26 (Debian Stretch), but the whole package should run on other unices as well.
28 The whole package can be used and distributed according to the terms of the
29 GNU General Public License, version 2 or higher. See file COPYING in any of the
30 GNU utility archives (you should have one as you are expected to have at least
34 0. Quick Howto for the Impatient
35 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
36 (everything will be explained in more detail in the subsequent sections)
38 - Create a directory where all NSC files will reside (e.g., /etc/named)
39 and copy everything from the NSC distribution here.
41 - Add an include directive to your BIND configuration file (usually
42 /etc/bind/named.conf), referring to /etc/named/named.conf.
44 - Change directory to /etc/named
46 - Edit cf/domains to suit your needs -- replace the example domains
49 - Create cf/<domain-name> for all domains (again, you can easily follow
52 - If you are using BIND 9.x, make the `bak' directory writable
55 - Run bin/nsconfig (Makefile and named.conf will be generated).
59 - Enjoy your new DNS setup. If everything goes OK, be happy. Else
60 write a bug report :-)
62 - Every time you modify the domain files, re-run make. If you have
63 added or removed domains or changed options which affect named.conf,
64 re-run bin/nsconfig before make.
66 An interesting companion to this package is the DNS Sleuth -- a DNS zone
67 consistency checker. It's a simple utility written in Perl with help of the
68 DNS module and it should be able to detect all common errors in DNS setup
69 (I have written it after much disappointment with the other checkers).
70 The Sleuth is available from http://mj.ucw.cz/sw/sleuth/. However, I haven't
71 updated Sleuth for a long time, so it does not know about DNSSEC yet.
74 1. Directory structure
75 ~~~~~~~~~~~~~~~~~~~~~~
76 The NSC directory (/etc/named in the above example) contains the following
77 files and subdirectories:
79 cf/ - user-defined configuration files
80 cf/domains - the domain list (see Section 2)
81 cf/config - global settings (see Section 3)
82 cf/<domain> - each domain has its own config file
83 bin/ - commands (e.g., nsconfig)
84 m4/ - M4 scripts (used by the commands)
85 zone/ - primary zone files
86 bak/ - backups of zones we serve as a secondary NS for
87 ver/ - version files where NSC remembers version
88 numbers of the primary zones
89 tmp/ - temporary files
90 hash/ - hashes of zone files used for detection of changes
91 dss/<domain> - DNSSEC DS records
92 keys/<domain>/ - DNSSEC keys
93 khash/ - hashes of DNSSEC keys used for detection of changes
95 How are different files created:
97 - You create everything in cf/.
98 - Then you run bin/nsconfig.
99 - If you want to use DNSSEC, create keys (see section 8)
100 - Makefile and named.conf gets created according to cf/domains.
102 - The Makefile creates primary zone files in zone/ and version files
103 in ver/ and tells BIND to reload its configuration.
104 - BIND downloads contents of secondary zones and puts them to bak/.
107 2. The Domain List File
108 ~~~~~~~~~~~~~~~~~~~~~~~
109 The domain list contains configuration commands describing all domains handled
110 by your server and their parameters. In fact, it's a M4 script, but viewing it as
111 a config file is a good approximation (however, see Section 9 for some caveats).
112 Lines starting with a semicolon are treated as comments and ignored. Text outside
113 declarations is silently ignored.
117 PRIMARY(zone, [extra-files...])
118 Define a zone (domain) we run a primary name server for.
119 The contents of the zone are described in cf/<zone>
120 and possibly in other specified cf files (all files are
121 concatenated to produce a single configuration). See the next
122 section for a look inside these files.
124 When the zone name contains a slash (as happens in classless
125 reverse zones), it is replaced by "@" in the cf file name.
127 SECONDARY(zone, primary)
128 Define a zone we run a secondary name server for.
129 "primary" is an IP address of the primary name server.
131 REVERSE(network, primary-files...)
132 Define a reverse zone for the given network. The network name
133 consists of several numbers separated by dots, just like an IP
134 address does, but the network usually has only 3 components.
135 Each reverse zone has its own config file cf/<network> which
136 can of course specify the contents of the zone.
138 However, there is a more convenient method to generate the PTR
139 records directly from the A records: just specify the REVERSE
140 directive in cf/<network> and then include all the config files
141 for the primary zones containing hosts from this network. The
142 automatic concatenation of multiple primary-files comes very
145 In fact, REVERSE(network, p-f...) is almost an equivalent of
146 PRIMARY(REV(network), p-f...) where REV(network) is a macro
147 translating network numbers to names of the corresponding
148 reverse zones [e.g., REV(1.2.3) equals 3.2.1.in-addr.arpa].
149 The only difference is that although the domain name is translated
150 by REV, the config file is still named according to the network.
151 You can also use the REV macro explicitly, which can be handy
152 for example in SECONDARY declarations.
154 FORWARDING(zone, ip...)
155 Define a forwarding zone. All queries are forwarded to the
156 specified name servers.
159 Define an empty zone according to RFC 6303. This is usually done
160 for zones for which clients are known to erroneously ask queries
161 (e.g., reverse resolving of link-local addresses). The contents
162 served for these zones is taken from cf/blackhole.
164 ZONE_OPTIONS(`options;
167 Define options to be inserted to all subsequent zone declarations
168 until the next ZONE_OPTIONS command. Please keep in mind that the
169 semicolon character act as M4 comment, so you need to put the
170 closing quote at a separate line. See our example cf/domains.
173 Insert user data to named.conf, again beware of semicolons.
176 Insert user data to Makefile.
178 DNSSEC(`declarations...')
179 Request DNSSEC signing for all zones declared within the block.
182 Declare dependency of the previous PRIMARY/REVERSE domain on DS
183 records for the given zone configured in dss/*.
188 The domain files contain descriptions of all DNS records for the given
189 domain, starting with the SOA record. Again, these are M4 scripts and the
190 declarations are macro calls. Lines starting with a semicolon are treated
191 as comments and just copied to the generated zone file. Text outside
192 declarations is copied to the zone file as well, so you can spice up the NSC
193 output with your own records.
195 All host or domain names are either names relative to the current domain
196 with no dots inside or absolute names (in this case, NSC automatically
197 ensures that the trailing dot is present in the resource records). If you
198 really need a relative name with dots, escape all dots as "\.".
203 Generate a SOA record for the domain. This must be the first
204 declaration in the config file. The parameters of the SOA
205 are taken from configuration variables (see below). The
206 serial number is calculated from the version number remembered
207 in the version file, following the usual practice of encoding
208 current date and a sequence number within the current day
209 in the serial number, which is guaranteed to be strictly
210 increasing unless you perform more than 99 updates in a single
211 day (in which case NSC stops and tells you to tweak the serial
214 The SOA record otherwise acts like a sub-domain (D) declaration,
215 therefore it can be followed by other records like NS (mandatory)
219 Start declaration of a host. Doesn't generate anything, only
220 remembers the host's name. If you want to amend records for the
221 current domain, use "H(@)" or "D(@)".
224 Specify addresses for the current host. In the normal mode, it
225 creates A/AAAA records, in the reverse mode, PTR records.
228 A shortcut for H(host) ADDR(addr...) -- in many cases everything
229 you need for a single host.
232 Like ADDR, but suppresses PTR records. (This one is useful if you
233 have a single IP address used for zillions of names and you want
234 to avoid having zillions of PTR records for the same address.)
237 A shortcut for H(host) DADDR(addr...)
240 Start declaration of a sub-domain. Technically the same as H(domain),
241 but this one should be more intuitive.
244 Specify a glue record for a name server contained within a sub-domain
245 it's a primary for. Currently it's an equivalent of DH(ns, addr...).
248 Specify a list of name server names for the current domain
249 (started by either a SOA or D declaration). Generates NS records.
253 Include DS records for the current sub-domain. With no arguments,
254 they are loaded from dss/<sub-domain>. If the name of the sub-domain
255 does not match the name of the DSset (as it frequently happens with
256 reverse zones), you can specify the DSset name explicitly.
259 Specify a list of mail exchangers for the current host or domain.
260 Each mail exchanger should be preceded by a priority. Generates
264 Specify a HINFO record for the current host. Very rare in the
268 Specify a list of aliases for the current host or domain.
269 Generates a series of CNAME records pointing from the aliases
270 to the current host/domain.
273 Specify a TXT record for the current host or domain.
276 Specify a RP (responsible person) record for the current host or domain.
277 The first argument is a mail address in DNS notation (with `@' replaced
278 by `.' as in the SOA record), the second one is a name of a TXT record
279 with contact information.
281 SRV(service, protocol, priority, weight, port, target)
282 Specify a SRV (service) record for the current host or domain.
285 Generate a CNAME record -- "src" points to "dest".
288 Generate a PTR record -- "src" points to "dest". It's a common
289 record in reverse zones (and although it's legal in forward
290 zones as well, such use is very rare), however it's more convenient
291 to have your PTR's generated by the REVERSE directive. But if you
292 need anything special, here is the tool.
295 Specify a CAA record for the current host or domain.
297 REVBLOCK(subdomain, min, max)
298 Generate a series of CNAME records numbered from `min' to `max'
299 and pointing to the same name in the given sub-domain, finally
300 declaring the sub-domain as well, so you can continue with its
303 Example: REVBLOCK(a, 16, 18) NS(ns.xyzzy.org) yields
310 This is a very common construct for classless reverse delegations,
311 see Section 6 for more details.
314 Switch to reverse mode. From this point on, all output is suppressed
315 except for ADDR declarations belonging to the specified network which
316 are automatically converted to PTR records.
318 With help of this feature, defining reverse zones can be as easy as:
320 ; Reverse zone for 10.0.0.0/24 a.k.a. 0.0.10.in-addr.arpa.
322 NS(ns1.example.com, ns2.example.com)
324 ; Include all primary zones containing ADDR's from this range,
325 ; which can be accomplished by a multi-file REVERSE declaration
329 4. Configuration variables
330 ~~~~~~~~~~~~~~~~~~~~~~~~~~
331 There is a fair amount of configuration variables (which are in reality normal
332 M4 macros). Each variable has a hard-wired default value which can be overridden
333 in cf/config by re-defining the variable. Also, all other config files can specify
334 their local definitions, but you need to be careful to change the variable before
335 it is used for the first time.
337 To change the setting, use
339 define(`variable', `value')
341 As usually, even this config file is a M4 script. Comments can be started by
342 semicolons, text outside macros is ignored.
344 The following variables are available:
346 NAMED_RESTART_CMD Shell command for restarting the name server daemon
347 (default: rndc reload)
349 CFDIR Directory with config files (default: cf)
351 REFRESH SOA record parameters
355 NSNAME Origin server (default: hostname of your machine)
356 MAINTNAME Domain maintainer name (default: root@NSNAME)
358 KEYGEN_OPTIONS Extra options given to dnssec-keygen
359 (by default, it selects key type and key size).
360 SIGNZONE_OPTIONS Extra options given to dnssec-signzone
361 (by default, it specifies signature validity of 365 days).
362 DSFROMKEY_OPTIONS Extra options given to dnssec-dsfromkey
363 (by default, there are none).
365 For the timing parameters, the following shortcuts are available:
367 HOURS(n) Convert hours to seconds
368 MINUTES(n) Convert minutes to seconds
369 DAYS(n) Convert days to seconds
374 The Makefile generated by NSC offers the following targets:
376 all (default) - update all zone files and reload the daemon
377 clean - clean all generated zone files, backups, and hashes
378 clobber - clean + delete Makefile and named.conf
379 (wise to do after major reconfigurations)
380 distclean - clobber + delete all version files (use only
381 if you really know what you are doing as the
382 serial number information in newly generated
383 files might be inconsistent then).
386 6. Classless reverse delegations
387 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
388 NSC also supports classless delegations for reverse zones using the mechanism
389 described in RFC 2317, i.e. by putting CNAME records to the reverse zone which
390 point to records of the same name in a sub-domain which you can delegate directly.
392 For example if you want to delegate 64-127 in 0.0.10.in-addr.arpa to ns.example.net,
393 you create a 64/26 sub-domain (26 is the network prefix length) and add the following
394 records to 0.0.10.in-addr.arpa:
396 64 CNAME 64.64/26.0.0.10.in-addr.arpa.
397 65 CNAME 65.64/26.0.0.10.in-addr.arpa.
399 127 CNAME 127.64/26.0.0.10.in-addr.arpa.
401 64/26 NS ns.example.net.
403 Then you configure ns.example.net to be a primary name server for the zone
404 64/26.0.0.10.in-addr.arpa and put the PTR records there:
406 64 PTR sixty-four.example.net.
407 65 PTR sixty-five.example.net.
409 127 PTR two-to-seven-minus-one.example.net.
411 NSC offers special primitives for configuring such delegations, but not limited
412 to the sub-domain name syntax shown above (which is recommended by the RFC, but it's
413 far from being the only one used in the real world, other possibilities being for
414 example 64-127, 64+64 etc.).
416 The CNAME block can be generated by the REVBLOCK(subdomain-name, low-addr, high-addr)
417 directive in the configuration of the whole reverse zone. The example above would
420 REVBLOCK(64/26, 64, 127)
422 The sub-zone can be created automatically like any another reverse zone, you only
423 need to use the three-parameter form of the REVERSE directive to specify the
424 address range in order to filter out possible hosts falling outside your range.
426 CAVEAT: The slashes in zone names are automatically translated to @'s when forming
429 Again for the example above, you need to put the following to cf/domains:
431 REVERSE(10.0.0.64/26, <list-of-domains-to-gather-the-addresses-from>)
433 And to cf/64@26.0.0.10:
435 SOA(REV(10.0.0.64/26))
436 NS(<list-of-name-servers>)
437 REVERSE(10.0.0, 64, 127)
439 NOTE: It's usually helpful to configure the primary name server for the parent
440 domain (i.e., the one where you configure the delegation and create the CNAME's)
441 as a secondary for the sub-zone as well, so if it replies with the CNAME, it will
442 include the PTR record pointed to by the CNAME in the additional section of its
443 reply, eliminating the need for an extra query.
448 NSC also supports IPv6 in a pretty straightforward form: wherever you can write
449 an IPv4 address, you can use an IPv6 address as well. Incomplete IP addresses
450 or ranges used for specifying address blocks for reverse delegations are replaced
451 by network prefixes of the standard form <address>/<prefix-length>.
455 H(ianus, 1.2.3.4, fec0::1234:5678:9abc:def0)
457 specifies a dual-stack host with both an A record and an AAAA record.
459 CAVEAT: The backward-compatible IPv6 address syntax with ":v.w.x.y" at the end
460 is not supported. All other syntaxes and quirks hopefully are.
465 NSC knows the basics of DNSSEC. It does not handle key management (you need to
466 schedule generation and retirement of your keys by other means), but once the
467 keys are in place, it uses them for signing zones.
469 === Key management ===
471 Keys live in keys/<zone>/*.(key|private) and they are stored in the usual BIND
472 format. To generate a zone-signing key, you can use the following command after
473 writing at least rudimentary cf/<zone>:
477 If you want a key-signing key, use:
479 bin/key-gen <zone> -f KSK
481 (Generally, you can add arbitrary arguments for BIND's dnssec-keygen. Default
482 keygen options can be set in cf/config, see section 4.)
484 To detect key changes, NSC keeps a hash of all keys for each domain.
485 If you edit the keys manually (e.g., to delete a key), you need to recalculate
488 bin/key-update <zone>
490 (or without a zone to update all hashes).
492 === Domain signing ===
494 All domains whose declarations in cf/domains are wrapped by DNSSEC(`...')
495 are automatically signed using all set up keys. If you specify key validity
496 period when generating the key, it is respected, but the domains are not
497 re-signed automatically when a key becomes valid / ceases to be. If you
498 want to modify dnssec-signzone arguments, you can do so in cf/config.
500 Beware that all signatures have a limited lifetime (even if the keys do not
501 expire). The default lifetime is 365 days, so you need to re-sign your zones
502 at least once in a year. The recommended solution is to set up a cron job,
503 which touches keys/resign-stamp. A change of timestamp of this file forces
504 a re-sign on the next run of make.
508 If you want to delegate a signed sub-domain, you need to include DS records
509 in the parent zone. Add a DS() macro after declaration of the sub-domain
510 in the parent. It loads DS records from dss/<child>.
512 If the sub-domain is also maintained by NSC, you can generate the DS record
513 set automatically by:
515 bin/key-delegate <zone>
517 === Reverse zones ===
519 Unlike primary/secondary zones, reverse zones have file names which differ
520 from the full domain name. In such cases, keys are named after the file name
521 and NSC constructs the full name whenever necessary.
523 There is one exception where automatic construction is not available:
524 delegation of sub-domain keys. In such cases, you need to pass the file
525 name of the sub-zone to the DS macro.
528 9. Interaction with M4
529 ~~~~~~~~~~~~~~~~~~~~~~
530 All config files are fully-fledged M4 scripts, so you can use any M4 features
531 you need, the most helpful one being definition of your own macros by
533 define(`macro_name', `expansion')
535 However, there is a couple of things you need to care about:
537 o The comment character is redefined to `;'. I.e., wherever a semicolon
538 occurs, the rest of the line is a comment which is copied verbatim
539 to the output file (if the output is not suppressed like in case
540 of the cf/domains file).
542 o Names starting with 'nsc_' or spelled in all caps are reserved
543 for the NSC itself and unless documented, messing with them can
544 bring surprising results. If you need to use such a name in your
545 zone file (maybe you like to shout in your host names :-) ),
546 quote it like `this'.
548 o Don't use commas, quotes nor parentheses in your record names.
553 convert A simple Perl script for conversion of zone files to NSC
554 domain files. Requires the Net::DNS module (available from
555 CPAN at ftp.cpan.org; present in recent versions of Perl).
556 Keep in mind that the script is very simple and its craft
557 is of a very limited kind, so check its output carefully.
559 chkdel A simple Perl script for checking of domain delegations --
560 it checks all PRIMARY and SECONDARY records in cf/domains
561 against NS records. Requires the Net::DNS module and also
562 some tweaking of parameters at the top of the script.
projects / nsc-5.git / blob