CHIARK-NAMED-CONF(8) | chiark utilities | CHIARK-NAMED-CONF(8) |
chiark-named-conf - check and generate nameserver configuration
chiark-named-conf [options]
-n|-y|-f
chiark-named-conf [options] zone ...
chiark-named-conf is a tool for managing nameserver configurations and checking for suspected DNS problems. Its main functions are to check that delegations are appropriate and working, that secondary zones are slaved from the right places, and to generate a configuration for BIND, from its own input file.
By default, for each zone, in addition to any warnings, the output lists the zone's configuration type. If the zone is checked, the serial number at each of the nameservers is shown, with any unpublished primary having * after the serial number.
If one of the options -n, -y, or -f is supplied then chiark-named-conf will read its main configuration file for the list of relevant zones. It will then check the configuration and delegation for each zone and/or generate and install a new configuration file for the nameserver:
Alternatively, one or more zone names may be supplied as arguments, in which case their delegations will be checked, and compared with the data for that zone in the main configuration (if any). In this case no new configuration file for the nameserver will be made.
The special group foreign is used for zones which don't appear in the configuration file.
The file /etc/bind/chiark-conf-gen.zones (or other file specified with the -C option) contains a sequence of directives, one per line. Blank lines are permitted. Leading and trailing whitespace on each line is ignored. Comments are lines starting with #. Ending a line with a joins it to the next line, so that long directives can be split across several physical lines.
These directives specify general configuration details. They should appear before directives specifying zones, as each will affect only later zone directives. Foreign zones (zones explicitly specified on the command line but not mentioned in the configuration) use the configuration settings prevailing at the end of the config file.
To avoid indefinitely long or even circularly glueless referrals (which delay or prevent lookups) it is necessary for all sites to effectively implement similar conventions; currently the author believes that only the reverse lookup namespaces are conventionally devoid of (glueless) nameservers, and therefore fine to provide glueless referrals for. See GLUELESSNESS below.
This supports to common configuration style where DNS operator(s) set up all of their nameservers with names within a small subsection of the DNS (the portions under nameserver-superdomains), and provide glueless referrals naming these nameservers for all other zones. This provides at most one level of missing glue.
Note that if the DNS administrators collectively able to influence the service for some zone (including the admins for its superzones, the zones containing its nameservers, and their superzones and so forth) are not in sufficiently close communication do not all agree on the proper set of nameserver-superdomain then they might still set up circular glue and chiark-named-conf would not necessarily be able to detect this even if it was run on every relevant nameserver.
These directives specify one or more zones.
If /subfile is specified, then instead of looking for files, we search for directories containing subfile; directories which do not contain the subfile are simply skipped.
If directory[/prefix] exists as specified and is a directory then it is interpreted as directory with an empty prefix; otherwise the final path component is assumed to be the prefix. If no suffix/subfile is specified then the default is _db.
Each of the zone directives may optionally be followed by one or more of the following characters (each at most once):
chiark-named-conf makes the following checks:
Delegations: Each delegation from a server for the superzone should contain the same set of nameservers. None of the delegations should lack glue. The glue addresses should be the same in each delegation, and agree with the local default nameserver.
Delegated servers: Each server mentioned in the delegation should have the same SOA record (and obviously, should be authoritative).
All published nameservers - including delegated servers and servers named in the zone's nameserver set: All nameservers for the zone should supply the same list of nameservers for the zone, and none of this authority information should be glueless. All the glue should always give the same addresses.
Origin server's data: The set of nameservers in the origin server's version of the zone should be a superset of those in the delegations.
Our zone configuration: For primary zones, the SOA origin should be one of the names specified with self-soa (or self). For published zones, the address should be that of the SOA origin. For stealth zones, the address should be that of the SOA origin or one of the published nameservers.
Glue is the name given for the addresses of nameservers which are often supplied in a referral. In fact, it turns out that it is important for the reliability and performance of the DNS that referrals, in general, always come with glue.
Firstly, glueless referrals usually cause extra delays looking up names. BIND 8, when it receives a completely glueless referral and does not have the nameservers' addresses in its cache, will start queries for the nameserver addresses; but it will throw the original client's question away, so that when these queries arrive, it won't restart the query from where it left off. This means that the client won't get its answer until it retries, typically at least 1 second later - longer if you have more than one nameserver listed. Worse, if the nameserver to which the glueless referral points is itself under another glueless referral, another retry will be required.
Even for better resolvers than BIND 8, long chains of glueless referrals can cause performance and reliability problems, turning a simple two or three query exchange into something needing more than a dozen queries.
Even worse, one might accidentally create a set of circularly
glueless referrals such as
example.com NS ns0.example.net.uk
example.com NS ns1.example.net.uk
example.net.uk NS ns0.example.com
example.net.uk NS ns1.example.com
Here it is impossible to look up anything in either example.com or
example.net.uk.
There are, as far as the author is aware, no generally agreed conventions or standards for avoiding unreasonably long glueless chains, or even circular glueless situations. The only way to guarantee that things will work properly is therefore to always supply glue.
However, the situation is further complicated by the fact that many implementations (including BIND 8.2.3, and many registry systems), will refuse to accept glue RRs for delegations in a parent zonefile unless they are under the parent's zone apex. In these cases it can be necessary to create names for the child's nameservers which are underneath the child's apex, so that the glue records are both in the parent's bailiwick and obviously necessary.
In the past, the `shared registry system' managing .com, .net and .org did not allow a single IPv4 address to be used for more than one nameserver name. However, at the time of writing (October 2002) this problem seems to have been fixed, and the workaround I previously recommended (creating a single name for your nameserver somewhere in .com, .net or .org, and using that for all the delegations from .com, .net and .org) should now be avoided.
Finally, a note about `reverse' zones, such as those in in-addr.arpa: It does not seem at all common practice to create nameservers in in-addr.arpa zones (ie, no NS RRs seem to point into in-addr.arpa, even those for in-addr.arpa zones). Current practice seems to be to always use nameservers for in-addr.arpa which are in the normal, forward, address space. If everyone sticks to the rule of always publishing nameservers names in the `main' part of the namespace, and publishing glue for them, there is no chance of anything longer than a 1-step glueless chain might occur for a in-addr.arpa zone. It is probably best to maintain this as the status quo, despite the performance problem this implies for BIND 8 caches. This is what the serverless-glueless directive is for.
Dan Bernstein has some information and examples about this at http://cr.yp.to/djbdns/notes.html#gluelessness but be warned that it is rather opinionated.
I recommend that every nameserver should have its own name in
every forward zone that it serves. For example:
zone.example.com NS servus.ns.example.com
servus.ns.example.com A 127.0.0.2
2.0.0.127.in-addr.arpa PTR servus.example.net
servus.example.net A 127.0.0.2
Domain names in in-addr.arpa should not be used in the right hand side of NS records.
chiark-named-conf is supposed to be resistant to malicious data in the DNS. It is not resistant to malicious data in its own options, configuration file or environment. It is not supposed to read its stdin, but is not guaranteed to be safe if stdin is dangerous.
Killing chiark-named-conf suddenly should be safe, even with -y or -f (though of course it may not complete its task if killed), provided that only one invocation is made at once.
Slow remote nameservers will cause chiark-named-conf to take excessively long.
Setting variables used by dig(1) and adnshost(1) will affect the operation of chiark-named-conf. Avoid messing with these if possible.
PATH is used to find subprograms such as dig and adnshost.
The determination of the parent zone for each zone to be checked, and its nameservers, is done simply using the system default nameserver.
The processing of output from dig is not very reliable or robust, but this is mainly the fault of dig. This can lead to somewhat unhelpful error reporting for lookup failures.
chiark-named-conf and this manpage were written by Ian Jackson <ian@chiark.greenend.org.uk>. They are Copyright 2002 Ian Jackson.
chiark-named-conf and this manpage are free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2, or (at your option) any later version.
This is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with this program; if not, consult the Free Software Foundation's website at www.fsf.org, or the GNU Project website at www.gnu.org.
12th January 2002 | Greenend |