17.1 Configuring a Master Name Server

At the heart of the DNS are the resource records (RR) contained in the DNS database files (db files). Initially, we need to set up the database files, either by hand or by converting our /etc/hosts file using the utility hosts_to_named. Most administrators on HP-UX will use hosts_to_named because the format of the db files is less than straightforward. The db files will be referenced in a configuration file that identifies our status in the DNS. The first server we set up will be our master server. Before we start looking at this configuration, let's clear up a little misunderstanding that I have come across with some administrators. From BIND 8.1.2 onward, we refer to a master server; prior to BIND 8.1.2, a master server was referred to as a primary server. When reading other documentation, a primary server is now a master server and a secondary server is now a slave server. A caching-only server has not changed its name. The steps to set up a master server can be summarized as follows:

  1. Decide on and register (if necessary) a DNS domain name.

  2. Update your /etc/hosts file with all known hostnames and IP addresses. Change the hostnames to Fully Qualified Domain Names (FQDN) and keep the old hostname as an alias.

  3. Create a working directory for the DNS database files.

  4. Create the DNS database files using the hosts_to_named utility.

  5. Set up the rndc configuration file.

  6. Start the named daemon.

  7. Set up the resolver configuration files.

  8. Test DNS functionality.

Let's see if we can get a master server up and running.

17.1.1 Decide on and register (if necessary) a DNS domain name

The Internet Corporation for Assigned Names and Numbers (ICANN) is the non-profit organization responsible for coordinating certain Internet technical functions, including managing the registering of domain names in the DNS. To register a domain name, you go through a process with an organization known as an official registrar, who will ask for contact and technical information that forms part of the registration. The registration of domain names usually carries an annual fee. A list of official registrars can be found at http://www.internic.net/regist.html. I have registered a number of domain names in my time using a UK-based registrar known as Easyspace (http://www.easyspace.net). The process takes a few days, after which you are the official owner of a domain name. The domain name I will use in this demonstration is a real domain name: maabof.com. There's a prize for anyone who can guess what it stands for.

17.1.2 Update your /etc/hosts file

I need to ensure that all hostnames are now Fully Qualified Domain Names (FQDN). I will use the original hostname as an alias. At this stage, all machines belong to the same domain and the same zone:

 

    root@hpeos004[] more /etc/hosts
    # @(#)B.11.11_LRhosts $Revision: 1.9.214.1 $ $Date: 96/10/08 13:20:01 $
    #
    # The form for each entry is:
    # <internet address>    <official hostname> <aliases>
    #
    # For example:
    # 192.1.2.34    hpfcrm  loghost
    #
    # See the hosts(4) manual page for more information.
    # Note: The entries cannot be preceded by a space.
    #       The format described in this file is the correct format.
    #       The original Berkeley manual page contains an error in
    #       the format description.
    #
    192.168.0.67    hpeos001.maabof.com     hpeos001
    192.168.0.34    hpeos002.maabof.com     hpeos002
    192.168.0.65    hpeos003.maabof.com     hpeos003 hp003_lan1
    192.168.0.33    hpeos003.maabof.com     hpeos003 hp003_lan0
    192.168.0.35    hpeos004.maabof.com     hpeos004 hp004_lan0
    192.168.0.66    hpeos004.maabof.com     hpeos004 hp004_lan1
    fec0:0:0:1::3   hpeos001.maabof.com     hpeos001 hp1v6
    root@hpeos004[]

This task in itself can take considerable time when you have hundreds of machines in your network. I have purposely left out all DHCP entries because we demonstrate dynamic DNS updates later. One thing to note is that hosts_to_named will create a mail exchanger (MX) record for each hostname referencing itself as its own mail hub; in other words, the machine would receive email directly. This is unlikely to be the case; most sites use a central server as a mail hub. If you append the comment "[no smtp]" to each line in /etc/hosts, hosts_to_named will not create the self-referencing MX record:

 

    root@hpeos004[dns] more /etc/hosts
    # @(#)B.11.11_LRhosts $Revision: 1.9.214.1 $ $Date: 96/10/08 13:20:01 $
    #
    # The form for each entry is:
    # <internet address>    <official hostname> <aliases>
    #
    # For example:
    # 192.1.2.34    hpfcrm  loghost
    #
    # See the hosts(4) manual page for more information.
    # Note: The entries cannot be preceded by a space.
    #       The format described in this file is the correct format.
    #       The original Berkeley manual page contains an error in
    #       the format description.
    #
    192.168.0.67    hpeos001.maabof.com     hpeos001   #[no smtp]
    192.168.0.34    hpeos002.maabof.com     hpeos002   #[no smtp]
    192.168.0.65    hpeos003.maabof.com     hpeos003 hp003_lan1  #[no smtp]
    192.168.0.33    hpeos003.maabof.com     hpeos003 hp003_lan0  #[no smtp]
    192.168.0.35    hpeos004.maabof.com     hpeos004 hp004_lan0  #[no smtp]
    192.168.0.66    hpeos004.maabof.com     hpeos004 hp004_lan1  #[no smtp]
    fec0:0:0:1::3   hpeos001.maabof.com     hpeos001 hp1v6  #[no smtp]
    root@hpeos004[dns]

17.1.3 Create a working directory for the DNS database files

This is not really a technical requirement, but it makes life much easier if we have a separate directory containing all of our DNS database files:

 

    root@hpeos004[] mkdir /etc/dns
    root@hpeos004[] cd /etc/dns
    root@hpeos004[dns] pwd
    /etc/dns
    root@hpeos004[dns]

The challenge is to ensure that you are in this directory whenever you run the next command, hosts_to_named , because it will create DNS database files in your current working directory.

17.1.4 Create the DNS database files using the hosts_to_named utility

Before running the command, we can create a file containing all the parameters we want to include on the command line. Whenever we come to rerun this command, it will be much easier if we have a preconfigured parameter file. Here is the file I created:

 

    root@hpeos004[dns] cat param.conf
    -d maabof.com
    -n 192.168.0.32:255.255.255.224
    -n 192.168.0.64:255.255.255.224
    -n 192.168.0.96:255.255.255.224
    -n 192.168.0.128:255.255.255.224
    -n 192.168.0.160:255.255.255.224
    -Z 192.168.0.35
    -Z 192.168.0.66
    -z 192.168.0.35
    -z 192.168.0.66
    -m 10:hpeos003
    -b /etc/named.conf
    root@hpeos004[dns]

The following options are specified:

-d maabof.com: Resource records for this domain (maabof.com) will be created. If I had multiple domain names listed in /etc/hosts, this option is used to segregate and filter out the relevant address (A) records.

-n 192.168.0.32:255.255.255.224: I have included this entry even though I am fairly confident it won't work. I am specifying the network numbers used in my network along with the relevant subnet mask. Individual database files will be created for the relevant pointer (PTR) records for each network number. I could simply have used 192.168.0.0, which would have created a single database file with all IP addresses listed in it. This is less efficient for lookup performance.

-z and -Z 192.168.0.35, 192.168.0.66: I am creating the necessary boot files for a slave server with local disk storage (-z) as well as for a slave server that will not store the resource records on disk (-Z). Because this is a multi-homed machine, I have listed both IP addresses.

-m 10:hpeos003: I am going to create an MX record referencing my mail hub (node hpeos003). This is necessary because I used the [no smtp] comment in my /etc/hosts file. The weight (preference) for the mail hub is set to 10.

-b /etc/named.conf: This specifies the name of the boot file. If I don't specify the actual file name and location, it will be created in the current directory. Any reference to the filename named.boot refers to the old name of this configuration file.
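To make the [no smtp] marker and the -d/-m options concrete, here is an added Python model of the conversion hosts_to_named performs (my own simplified code written for this section, not HP's utility): it filters /etc/hosts to one domain, emits an A or AAAA record for the canonical name and every alias, one PTR per address, and the MX records, suppressing the self-referencing MX where [no smtp] appears and adding the mail-hub MX that -m requests. The hosts data is constructed, and the exact MX rules are my assumption about the utility's behaviour as the text describes it.

```python
import ipaddress
import re

# Constructed sample in /etc/hosts layout, including one host outside our domain
# and the "[no smtp]" marker on most lines (assumption: the marker is matched
# anywhere in the trailing comment).
SAMPLE_HOSTS = """\
# comments are ignored
192.168.0.67    hpeos001.maabof.com     hpeos001   #[no smtp]
192.168.0.34    hpeos002.maabof.com     hpeos002
192.168.0.65    hpeos003.maabof.com     hpeos003 hp003_lan1  #[no smtp]
192.168.0.33    hpeos003.maabof.com     hpeos003 hp003_lan0  #[no smtp]
fec0:0:0:1::3   hpeos001.maabof.com     hpeos001 hp1v6  #[no smtp]
10.1.2.3        other.example.org       other
"""

NO_SMTP = re.compile(r"\[no smtp\]", re.IGNORECASE)


def parse_hosts(text):
    """Yield (address, [names...], no_smtp) for every non-comment line."""
    for line in text.splitlines():
        no_smtp = bool(NO_SMTP.search(line))
        body = line.split("#", 1)[0].strip()  # drop the comment, keep the flag
        if not body:
            continue
        addr, *names = body.split()
        yield addr, [n.lower() for n in names], no_smtp  # zone data is lower-cased


def records_for_domain(text, domain, mail_hub=None, mail_pref=10):
    """Simplified model of hosts_to_named -d <domain> [-m <pref>:<hub>].

    Returns (address_records, ptr_records, mx_records) as tuples of
    (owner, type, rdata...) relative to the zone, like the db.<domain> file.
    """
    domain = domain.lower().rstrip(".")
    addr_records, ptr_records, mx_records = [], [], []
    mx_done = set()
    for addr, names, no_smtp in parse_hosts(text):
        fqdn = names[0]
        if not fqdn.endswith("." + domain):
            continue  # -d: only this domain's hosts go into the zone
        ip = ipaddress.ip_address(addr)
        short = fqdn[: -(len(domain) + 1)]
        rtype = "A" if ip.version == 4 else "AAAA"
        # canonical name plus each alias (deduplicated) gets an address record
        for owner in dict.fromkeys([short] + names[1:]):
            addr_records.append((owner, rtype, addr))
        # reverse mapping; Python gives the ip6.arpa tree for IPv6, whereas the
        # hosts_to_named of this era still wrote the older IP6.INT tree
        ptr_records.append((ip.reverse_pointer, "PTR", fqdn + "."))
        if short in mx_done:
            continue  # multi-homed host: MX records are emitted once
        mx_done.add(short)
        if not no_smtp:
            # default behaviour: the host is its own mail exchanger
            mx_records.append((short, "MX", 10, fqdn + "."))
        if mail_hub:
            # -m pref:hub adds an MX pointing at the central mail hub
            mx_records.append((short, "MX", mail_pref, f"{mail_hub}.{domain}."))
    return addr_records, ptr_records, mx_records


def zone_lines(records):
    """Render record tuples in the column layout hosts_to_named uses."""
    return [f"{r[0]:<15} IN      {r[1]:<7} " + " ".join(str(x) for x in r[2:])
            for r in records]


if __name__ == "__main__":
    a, p, m = records_for_domain(SAMPLE_HOSTS, "maabof.com", mail_hub="hpeos003")
    print("\n".join(zone_lines(a + m)))
```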

Now let's run the hosts_to_named command itself:

 

    root@hpeos004[dns] hosts_to_named -f param.conf
    hosts_to_named: Network number should have less than four bytes
    root@hpeos004[dns]

As expected, hosts_to_named doesn't like the network addresses I used in the parameter file. It's unfortunate, but that's life. Here's my modified parameter file:

 

    root@hpeos004[dns] cat param.conf
    -d maabof.com
    -n 192.168
    -Z 192.168.0.35
    -Z 192.168.0.66
    -z 192.168.0.35
    -z 192.168.0.66
    -m 10:hpeos003
    -b /etc/named.conf
    root@hpeos004[dns]

Now to try again:

 

    root@hpeos004[dns] hosts_to_named -f param.conf
    Translating /etc/hosts to lower case ...
    Collecting network data ...
            192.168
    Creating list of multi-homed hosts ...
    Creating "A" data (name to address mapping) for net 192.168 ...
    Creating "PTR" data (address to name mapping) for net 192.168 ...
    Creating "MX" (mail exchanger) data ...
    Building default named.boot file ...
    Building default db.cache file ...
    WARNING: db.cache must be filled in with
             the name(s) and address(es) of the
             rootserver(s)
    Building default boot.sec.save for secondary servers ...
    Building default boot.sec for secondary servers ...
    Building default boot.cacheonly for caching only servers ...
    done
    root@hpeos004[dns]

Here are the files created:

 

    root@hpeos004[dns] ll
    total 44
    -rw-rw-r--   1 root       sys            146 Oct 21 13:25 boot.cacheonly
    -rw-rw-r--   1 root       sys            296 Oct 21 13:25 boot.sec
    -rw-rw-r--   1 root       sys            328 Oct 21 13:25 boot.sec.save
    -rw-rw-r--   1 root       sys            180 Oct 21 13:25 conf.cacheonly
    -rw-rw-r--   1 root       sys            457 Oct 21 13:25 conf.sec
    -rw-rw-r--   1 root       sys            498 Oct 21 13:25 conf.sec.save
    -rw-rw-r--   1 root       sys            277 Oct 21 13:25 db.127.0.0
    -rw-rw-r--   1 root       sys           2138 Oct 21 13:25 db.192.168
    -rw-rw-r--   1 root       sys           1361 Oct 21 13:25 db.IP6.INT
    -rw-rw-r--   1 root       sys            134 Oct 21 13:25 db.cache
    -rw-rw-r--   1 root       sys           6884 Oct 21 13:25 db.maabof
    -rw-rw-r--   1 root       sys            247 Oct 21 13:25 named.boot
    -rw-rw-r--   1 root       sys            108 Oct 21 13:22 param.conf
    root@hpeos004[dns]

By default, hosts_to_named does not update my boot file with the directive listen-on-v6, which is required to support any IPv6 interfaces. The default behavior for named is to listen on all IPv4 interfaces (I explicitly included the option listen-on { any; }; just for completeness). If you have only IPv4 interfaces but have IPv6 installed, you may come across some problems. We see this later when I try to start up the named daemon. Here's my modified boot file:

 

    root@hpeos004[dns] cat /etc/named.conf
    #
    # type domain source file
    #
    options {
            directory "/etc/dns";
            listen-on { any; };
            listen-on-v6 { any; };
            random-device "/dev/random";
    };
    zone "0.0.127.IN-ADDR.ARPA" {
            type master;
            file "db.127.0.0";
    };
    zone "IP6.INT" {
            type master;
            file "db.IP6.INT";
    };
    zone "maabof.com" {
            type master;
            file "db.maabof";
    };
    zone "168.192.IN-ADDR.ARPA" {
            type master;
            file "db.192.168";
    };
    zone "." {
            type hint;
            file "db.cache";
    };
    root@hpeos004[dns]

As you can see, I am categorized as a master server for all the zones listed. We see later the difference for a slave server.

NOTE: I have included a random-device specification. This requires the HP-UX Strong Random Number Generator software, which is available as a free download from http://software.hp.com (under Security and Manageability). We use this later as a source of entropy (a measure of disorder in a system) when we utilize Transaction Signatures.

The structure of the individual database files is the same as previous versions of BIND:

 

    root@hpeos004[dns] more db.maabof
    $TTL    86400
    @       IN      SOA     hpeos004.maabof.com. root.hpeos004.maabof.com. (
                                            1       ; Serial
                                            10800   ; Refresh every 3 hours
                                            3600    ; Retry every hour
                                            604800  ; Expire after a week
                                            86400 ) ; Minimum ttl of 1 day
            IN      NS      hpeos004.maabof.com.
    localhost       IN      A       127.0.0.1
    hpeos001        IN      A       192.168.0.67
    hpeos002        IN      A       192.168.0.34
    hpeos003        IN      A       192.168.0.65
    hp003_lan1      IN      A       192.168.0.65
    hpeos003        IN      A       192.168.0.33
    hp003_lan0      IN      A       192.168.0.33
    hpeos004        IN      A       192.168.0.35
    hp004_lan0      IN      A       192.168.0.35
    hpeos004        IN      A       192.168.0.66
    hp004_lan1      IN      A       192.168.0.66
    ckpc2           IN      A       192.168.0.70
    ckhome1         IN      A       192.168.0.1
    ntpdc1          IN      A       192.168.0.10
    ...
    hpeos004        IN      A6      0       fe80::230:6eff:fe5c:4f4f
    hp4v6           IN      AAAA    fe80::230:6eff:fe5c:4f4f
    hp4v6_lan0      IN      AAAA    fe80::230:6eff:fe5c:4f4f
    acctg081        IN      MX      10      hpeos003.maabof.com.
    acctg082        IN      MX      10      hpeos003.maabof.com.
    acctg083        IN      MX      10      hpeos003.maabof.com.
    acctg084        IN      MX      10      hpeos003.maabof.com.
    ...
    root@hpeos004[dns]

We can see the Start-Of-Authority record at the top of the file indicating that this name server is the best source of information for the data within this domain.

Serial: This is the serial number of this database file. If a slave server holds a copy with a lower serial number, the slave server will request a zone transfer, i.e., a transfer of this database file. Every time we modify a database file, this value must be incremented.

Refresh: This is the frequency with which a slave server will refresh the data in its cache. This is to ensure that the data is up to date.

Retry: This is the frequency with which a slave server will retry to refresh its data if the master server was not available.

Expire: This is when the slave server will flush all its resource records because it has not been able to refresh them from the master server.

TTL: There has been much confusion with the TTL field. Originally, it was used to specify a minimum time-to-live value for all resource records in the zone. This meaning has now been dropped (see RFC 2308: Negative Caching of DNS Queries, at http://www.ietf.org/rfc/rfc2308.txt). One of its uses has been to specify a time-to-live for resource records that don't explicitly include a TTL, which then take the value given in the SOA record. Utilities such as hosts_to_named, as well as lots of system documentation, still refer to the old "minimum value" behavior even though this behavior has been dropped. I won't bore you with all the details of what it is used for now, but here's a relevant extract from RFC 2308 that deals with this:

"The SOA minimum field has been overloaded in the past to have three different meanings, the minimum TTL value of all RRs in a zone, the default TTL of RRs which did not contain a TTL value, and the TTL of negative responses.

Despite being the original defined meaning, the first of these, the minimum TTL value of all RRs in a zone, has never in practice been used and is hereby deprecated.

The second, the default TTL of RRs which contain no explicit TTL in the master zone file, is relevant only at the primary server. After a zone transfer, all RRs have explicit TTLs and it is impossible to determine whether the TTL for a record was explicitly set or derived from the default after a zone transfer. Where a server does not require RRs to include the TTL value explicitly, it should provide a mechanism, not being the value of the MINIMUM field of the SOA record, from which the missing TTL values are obtained. How this is done is implementation dependent.

The Master File format [RFC 1035 Section 5] is extended to include the following directive:

$TTL <TTL> [comment]

All resource records appearing after the directive, and which do not explicitly include a TTL value, have their TTL set to the TTL given in the $TTL directive. SIG records without an explicit TTL get their TTL from the "original TTL" of the SIG record [RFC 2065 Section 4.5].

The remaining of the current meanings, of being the TTL to be used for negative responses, is the new defined meaning of the SOA minimum field."
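As an added illustration of the SOA fields described above (my own code, not from the book or from HP-UX), the following Python parses the $TTL directive and the SOA timers out of a zone file in the layout hosts_to_named produces, decides whether a slave holding a given serial would request a zone transfer, and flags timer combinations that defeat the refresh/retry/expire design. The zone text is constructed; the serial comparison goes beyond the text by using RFC 1982 serial-number arithmetic, which is what BIND uses, so a serial that has wrapped past 2^32 is still recognised as newer.

```python
import re

# Constructed zone fragment in the layout hosts_to_named writes (serial 2).
SAMPLE_ZONE = """\
$TTL    86400
@       IN      SOA     hpeos004.maabof.com. root.hpeos004.maabof.com. (
                                        2       ; Serial
                                        10800   ; Refresh every 3 hours
                                        3600    ; Retry every hour
                                        604800  ; Expire after a week
                                        86400 ) ; Minimum ttl of 1 day
        IN      NS      hpeos004.maabof.com.
hpeos001        IN      A       192.168.0.67
"""

SOA_RE = re.compile(r"\bSOA\s+(\S+)\s+(\S+)\s*\((.*?)\)", re.S)


def strip_comments(text):
    """Remove ';' comments; zone file comments run to end of line."""
    return "\n".join(line.split(";", 1)[0] for line in text.splitlines())


def parse_soa(text):
    """Return the $TTL default plus the SOA name server, contact and five timers."""
    clean = strip_comments(text)
    ttl = re.search(r"^\$TTL\s+(\d+)", clean, re.M)
    m = SOA_RE.search(clean)
    if not m:
        raise ValueError("no SOA record found")
    nums = [int(x) for x in m.group(3).split()]
    if len(nums) != 5:
        raise ValueError("SOA needs serial, refresh, retry, expire, minimum")
    serial, refresh, retry, expire, minimum = nums
    return {
        "default_ttl": int(ttl.group(1)) if ttl else None,  # $TTL directive (RFC 2308)
        "mname": m.group(1), "rname": m.group(2),
        "serial": serial, "refresh": refresh, "retry": retry,
        "expire": expire, "minimum": minimum,  # minimum is now the negative-caching TTL
    }


def serial_newer(a, b):
    """RFC 1982 serial arithmetic: True if 32-bit serial a is newer than b."""
    a &= 0xFFFFFFFF
    b &= 0xFFFFFFFF
    half = 1 << 31
    return a != b and ((a < b and b - a > half) or (a > b and a - b < half))


def slave_needs_transfer(master_serial, slave_serial):
    """A slave asks for a zone transfer only when the master's serial is newer."""
    return serial_newer(master_serial, slave_serial)


def check_soa(soa):
    """Warnings for timer values that make the slave refresh cycle misbehave."""
    warnings = []
    if soa["retry"] >= soa["refresh"]:
        warnings.append("retry should be shorter than refresh")
    if soa["expire"] <= soa["refresh"] + soa["retry"]:
        warnings.append("expire must outlast at least one refresh plus retry cycle")
    if soa["default_ttl"] is None:
        # BIND 9 warns and falls back to the SOA minimum when $TTL is missing
        warnings.append("no $TTL directive; records without a TTL fall back to the SOA minimum")
    return warnings


if __name__ == "__main__":
    soa = parse_soa(SAMPLE_ZONE)
    print(soa, check_soa(soa))
    print("transfer needed for a slave at serial 1:", slave_needs_transfer(soa["serial"], 1))
```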

We can see that the NS (name server) record explicitly lists this machine as the name server for this zone.

Notice that we have IPv6 resource records as well as our MX record referencing our mail hub.

Also notice that, at the bottom of the file, the hints file is listed where the named daemon will obtain hints of which servers to query when it cannot resolve hostnames/IP addresses itself. This file details the names and addresses of root name servers. This file contains very little by default:

 

    root@hpeos004[dns] cat db.cache
    ;
    ; FILL IN THE NAMES AND ADDRESSES OF THE ROOT SERVERS
    ;
    ; .             99999999        IN      NS      root.server.
    ; root.server.  99999999        IN      A       ??.??.??.??
    ;
    root@hpeos004[dns]

On HP-UX, there is a file listing some of the root name servers, which we can use to get us started:

 

    root@hpeos004[] # cat /usr/examples/bind/db.cache
    ;
    ;       This file holds the information on root name servers needed to
    ;       initialize cache of Internet domain name servers
    ;       (e.g., reference this file in the "cache  .  <file>"
    ;       configuration file of BIND domain name servers).
    ;
    ;       This file is made available by InterNIC registration services
    ;       under anonymous FTP as
    ;           file                /domain/named.root
    ;           on server           FTP.RS.INTERNIC.NET
    ;       -OR- under Gopher at    RS.INTERNIC.NET
    ;           under menu          InterNIC Registration Services (NSI)
    ;              submenu          InterNIC Registration Archives
    ;           file                named.root
    ;
    ; @(#)B.11.11_LR
    ;       last update:    Oct 5, 1994
    ;       related version of root zone:   94100500
    ;
    .                        99999999 IN  NS    NS.INTERNIC.NET.
    NS.INTERNIC.NET.         99999999     A     198.41.0.4
    .                        99999999     NS    NS1.ISI.EDU.
    NS1.ISI.EDU.             99999999     A     128.9.0.107
    .                        99999999     NS    C.PSI.NET.
    C.PSI.NET.               99999999     A     192.33.4.12
    .                        99999999     NS    TERP.UMD.EDU.
    TERP.UMD.EDU.            99999999     A     128.8.10.90
    .                        99999999     NS    NS.NASA.GOV.
    NS.NASA.GOV.             99999999     A     128.102.16.10
                             99999999     A     192.52.195.10
    .                        99999999     NS    NS.ISC.ORG.
    NS.ISC.ORG.              99999999     A     192.5.5.241
    .                        99999999     NS    NS.NIC.DDN.MIL.
    NS.NIC.DDN.MIL.          99999999     A     192.112.36.4
    .                        99999999     NS    AOS.ARL.ARMY.MIL.
    AOS.ARL.ARMY.MIL.        99999999     A     128.63.4.82
                             99999999     A     192.5.25.82
    .                        99999999     NS    NIC.NORDU.NET.
    NIC.NORDU.NET.           99999999     A     192.36.148.17
    ; End of File
    root@hpeos004[] #

Unfortunately, when you install BIND version 9.2.0, the contents of the /usr/examples/bind directory are destroyed and linked to files under /usr/contrib/bind/usr/examples/bind. You could keep a copy of the file listed above before installing the new version of the BIND software. As you can see from the above file, you can get a copy using anonymous FTP. I downloaded the most recent version of the file from InterNIC:

 

    root@hpeos004[dns] cat db.cache
    ;       This file holds the information on root name servers needed to
    ;       initialize cache of Internet domain name servers
    ;       (e.g., reference this file in the "cache  .  <file>"
    ;       configuration file of BIND domain name servers).
    ;
    ;       This file is made available by InterNIC
    ;       under anonymous FTP as
    ;           file                /domain/named.root
    ;           on server           FTP.INTERNIC.NET
    ;
    ;       last update:    Nov 5, 2002
    ;       related version of root zone:   2002110501
    ;
    ;
    ; formerly NS.INTERNIC.NET
    ;
    .                        3600000  IN  NS    A.ROOT-SERVERS.NET.
    A.ROOT-SERVERS.NET.      3600000      A     198.41.0.4
    ;
    ; formerly NS1.ISI.EDU
    ;
    .                        3600000      NS    B.ROOT-SERVERS.NET.
    B.ROOT-SERVERS.NET.      3600000      A     128.9.0.107
    ;
    ; formerly C.PSI.NET
    ;
    .                        3600000      NS    C.ROOT-SERVERS.NET.
    C.ROOT-SERVERS.NET.      3600000      A     192.33.4.12
    ;
    ; formerly TERP.UMD.EDU
    ;
    .                        3600000      NS    D.ROOT-SERVERS.NET.
    D.ROOT-SERVERS.NET.      3600000      A     128.8.10.90
    ;
    ; formerly NS.NASA.GOV
    ;
    .                        3600000      NS    E.ROOT-SERVERS.NET.
    E.ROOT-SERVERS.NET.      3600000      A     192.203.230.10
    ;
    ; formerly NS.ISC.ORG
    ;
    .                        3600000      NS    F.ROOT-SERVERS.NET.
    F.ROOT-SERVERS.NET.      3600000      A     192.5.5.241
    ;
    ; formerly NS.NIC.DDN.MIL
    ;
    .                        3600000      NS    G.ROOT-SERVERS.NET.
    G.ROOT-SERVERS.NET.      3600000      A     192.112.36.4
    ;
    ; formerly AOS.ARL.ARMY.MIL
    ;
    .                        3600000      NS    H.ROOT-SERVERS.NET.
    H.ROOT-SERVERS.NET.      3600000      A     128.63.2.53
    ;
    ; formerly NIC.NORDU.NET
    ;
    .                        3600000      NS    I.ROOT-SERVERS.NET.
    I.ROOT-SERVERS.NET.      3600000      A     192.36.148.17
    ;
    ; operated by VeriSign, Inc.
    ;
    .                        3600000      NS    J.ROOT-SERVERS.NET.
    J.ROOT-SERVERS.NET.      3600000      A     192.58.128.30
    ;
    ; housed in LINX, operated by RIPE NCC
    ;
    .                        3600000      NS    K.ROOT-SERVERS.NET.
    K.ROOT-SERVERS.NET.      3600000      A     193.0.14.129
    ;
    ; operated by IANA
    ;
    .                        3600000      NS    L.ROOT-SERVERS.NET.
    L.ROOT-SERVERS.NET.      3600000      A     198.32.64.12
    ;
    ; housed in Japan, operated by WIDE
    ;
    .                        3600000      NS    M.ROOT-SERVERS.NET.
    M.ROOT-SERVERS.NET.      3600000      A     202.12.27.33
    ; End of File
    root@hpeos004[dns]

Alternatively, if you are not connected directly to the Internet, you could have used the -r option in your parameter file for hosts_to_named to make your machine the root name server. In such a situation, we get a db.root file (instead of a db.cache hints file) that references ourselves as the master server for the . (root) domain.

17.1.5 Set up the rndc configuration file

In BIND version 9, rndc is the utility we use to communicate with the named process. In previous versions of BIND, we would use commands like sig_named dump to dump the in-memory cache from the named process. While sig_named is still available, the majority of its functionality has been replaced and superseded by rndc. Unfortunately, rndc needs a configuration file because it uses secure, authenticated communications to query and interrogate name servers (known as TSIG, or Transaction Signatures: each message carries a keyed hash computed with a secret shared by rndc and named). The configuration file requires that secret key. We can use either the utility rndc-confgen to create a key file (/etc/rndc.key) or the utility dnssec-keygen to generate the key. I prefer dnssec-keygen because it guarantees to create TSIG keys that conform to RFC 2845: Secret Key Transaction Authentication for DNS (TSIG). Here, I am using the largest key possible for the hmac-md5 algorithm (this is secure but will affect the performance of the rndc utility):

 

    root@hpeos004[] dnssec-keygen -a hmac-md5 -b 512 -n user -r /dev/random rndc
    Krndc.+157+65409
    root@hpeos004[] ll Krndc*
    -rw-------   1 root       sys       111 Oct 21 15:26 Krndc.+157+65409.key
    -rw-------   1 root       sys       145 Oct 21 15:26 Krndc.+157+65409.private
    root@hpeos004[]
    root@hpeos004[] cat Krndc.+157+65409.private
    Private-key-format: v1.2
    Algorithm: 157 (HMAC_MD5)
    Key: L4Et2wOlxj6CYKIf8g2AbOjBaa+DSDhmGoDOARdsx4WfBbkbiwyKT+BFZ5dFBNrPY7XBDa/uSluKmfyB3kUPeQ==
    root@hpeos004[]

I extract the key from either the .key or the .private file and enter it in the rndc configuration file:

 

    root@hpeos004[dns] cat /etc/rndc.conf
    options {
            default-server  localhost;
            default-key     TSIGkey;
            };
    server localhost {
            key TSIGkey;
            };
    key TSIGkey {
            algorithm hmac-md5;
            secret "L4Et2wOlxj6CYKIf8g2AbOjBaa+DSDhmGoDOARdsx4WfBbkbiwyKT+BFZ5dFBNrPY7XBDa/uSluKmfyB3kUPeQ==";
            };
    root@hpeos004[dns]

I would keep the .key or the .private file for use later with the nsupdate command. I need to set up the key definition in the /etc/named.conf file before starting up the daemon. The rndc utility also requires a controls directive in /etc/named.conf so that named establishes the secure communications channel with it. Here's my resulting configuration file:

 

    root@hpeos004[] cat /etc/named.conf
    #
    # type domain source file
    #
    options {
            directory "/etc/dns";
            listen-on { any; };
            listen-on-v6 { any; };
            random-device "/dev/random";
    };
    key TSIGkey {
            algorithm hmac-md5;
            secret "L4Et2wOlxj6CYKIf8g2AbOjBaa+DSDhmGoDOARdsx4WfBbkbiwyKT+BFZ5dFBNrPY7XBDa/uSluKmfyB3kUPeQ==";
            };
    controls {
            inet 127.0.0.1 allow { 127.0.0.1; } keys { TSIGkey; };
            };
    zone "0.0.127.IN-ADDR.ARPA" {
            type master;
            file "db.127.0.0";
    };
    zone "IP6.INT" {
            type master;
            file "db.IP6.INT";
    };
    zone "maabof.com" {
            type master;
            file "db.maabof";
    };
    zone "168.192.IN-ADDR.ARPA" {
            type master;
            file "db.192.168";
    };
    zone "." {
            type hint;
            file "db.cache";
    };
    root@hpeos004[]
    root@hpeos004[] named-checkconf
    root@hpeos004[]

If you are going to use rndc , you may want to keep a copy of /etc/named.conf in case running hosts_to_named accidentally destroys the changes you have just made.
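Because the secret in the .private file has to be copied by hand into both /etc/rndc.conf and /etc/named.conf, here is an added Python helper (my own code, not part of BIND or HP-UX) that reads a dnssec-keygen .private file, checks that the secret really is the 512-bit hmac-md5 key that was requested, renders the key and controls stanzas, confirms that the two configuration files carry the same secret even when one copy has been line-wrapped, and flags a key file that other users can read. The sample key file is constructed with a placeholder secret, not the book's key.

```python
import base64
import binascii
import re
import stat

# Algorithm number dnssec-keygen writes for HMAC-MD5 (the only one used here).
ALGORITHMS = {157: "hmac-md5"}

# Constructed .private file in the v1.2 layout; the secret is a placeholder built
# from a byte counter so the example runs offline, NOT a real key.
PLACEHOLDER_SECRET = base64.b64encode(bytes(range(64))).decode()
SAMPLE_PRIVATE = f"""\
Private-key-format: v1.2
Algorithm: 157 (HMAC_MD5)
Key: {PLACEHOLDER_SECRET}
"""


def parse_private_key(text):
    """Return (algorithm name for named.conf, base64 secret) from a .private file."""
    fields = dict(line.split(":", 1) for line in text.splitlines() if ":" in line)
    alg_number = int(fields["Algorithm"].split()[0])
    if alg_number not in ALGORITHMS:
        raise ValueError(f"unsupported algorithm {alg_number}")
    return ALGORITHMS[alg_number], fields["Key"].strip()


def secret_bits(secret_b64):
    """Length in bits of the decoded secret; raises on malformed base64."""
    try:
        raw = base64.b64decode(secret_b64, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"secret is not valid base64: {exc}")
    return len(raw) * 8


def render_key_stanza(name, algorithm, secret_b64):
    """key {} stanza; the same text goes into /etc/rndc.conf and /etc/named.conf."""
    return (f"key {name} {{\n        algorithm {algorithm};\n"
            f"        secret \"{secret_b64}\";\n        }};\n")


def render_controls(key_name, address="127.0.0.1"):
    """controls {} stanza for named.conf, bound and restricted to loopback by default."""
    return (f"controls {{\n        inet {address} allow {{ {address}; }} "
            f"keys {{ {key_name}; }};\n        }};\n")


def extract_secret(conf_text):
    """Pull the base64 secret out of a key stanza, ignoring any line-wrap whitespace."""
    m = re.search(r'secret\s+"([^"]*)"', conf_text)
    if not m:
        raise ValueError("no secret found")
    return re.sub(r"\s+", "", m.group(1))


def secrets_match(rndc_conf, named_conf):
    """True when both files decode to the same key bytes."""
    return (base64.b64decode(extract_secret(rndc_conf))
            == base64.b64decode(extract_secret(named_conf)))


def key_file_is_private(mode):
    """dnssec-keygen writes 0600; group/other permission bits expose the TSIG secret."""
    return not (mode & (stat.S_IRWXG | stat.S_IRWXO))


if __name__ == "__main__":
    algorithm, secret = parse_private_key(SAMPLE_PRIVATE)
    print(f"{secret_bits(secret)}-bit {algorithm} key")
    print(render_key_stanza("TSIGkey", algorithm, secret) + render_controls("TSIGkey"))
```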

17.1.6 Start the named daemon

We are now ready to start the named daemon. Before we do so, we may want to configure the namesvrs file to indicate that we want to start the daemon after every reboot:

 

    root@hpeos004[dns] vi /etc/rc.config.d/namesvrs
    unset UNIX95
    PRE_U95=true;export PRE_U95;
    ##############################################
    # named (BIND) configuration. See named(1m). #
    ##############################################
    #
    #  Name server using the Domain Name System (DNS) protocol (RFC 1034/1035)
    #
    # @(#)B.11.11_LR
    #
    # NAMED:      Set to 1 to start nameserver daemon.
    # NAMED_ARGS: Arguments to the nameserver daemon
    #
    #  Configuration of a named boot file (e.g., /etc/named.boot) is needed for
    #  successful operation of the name server.
    #
    NAMED=1
    NAMED_ARGS=""
    ##########################################################
    # NIS (YP) configuration.  See domainname(1), ypserv(1m) #
    root@hpeos004[dns]

To start the daemon, we can simply run the named program itself or use the startup script:

 

    root@hpeos004[dns] /sbin/init.d/named start
    named
    root@hpeos004[dns]
    root@hpeos004[dns]

Just to make sure that basic functionality is up and running, we can use the rndc utility:

 

    root@hpeos004[dns] rndc status
    number of zones: 6
    debug level: 0
    xfers running: 0
    xfers deferred: 0
    soa queries in progress: 0
    query logging is OFF
    server is up and running
    root@hpeos004[dns]

It's always worth checking the daemon messages from syslog to ensure that all is working as you expect. In my configuration, syslog is sending daemon messages to a file called netdaemon.log :

 

    root@hpeos004[dns] more /etc/syslog.conf
    # @(#)B.11.11_LR
    #
    # syslogd configuration file.
    #
    # See syslogd(1M) for information about the format of this file.
    #
    daemon.debug            /var/adm/syslog/netdaemon.log
    mail.debug              /var/adm/syslog/mail.log
    *.info;mail.none;daemon.none    /var/adm/syslog/syslog.log
    auth.debug              /var/adm/syslog/auth_debug.log
    *.alert                 /dev/console
    *.alert                 root
    *.emerg                 *
    root@hpeos004[dns]

I want to check the netdaemon.log file to ensure that the named daemon is up and running and that there are no untoward messages. Here is an extract:

 

    root@hpeos004[dns] more /var/adm/syslog/netdaemon.log
    ...
    Oct 21 15:58:33 hpeos004 named[5264]: starting BIND 9.2.0
    Oct 21 15:58:33 hpeos004 named[5264]: using 1 CPU
    Oct 21 15:58:33 hpeos004 named[5264]: loading configuration from '/etc/named.conf'
    Oct 21 15:58:33 hpeos004 named[5264]: listening on IPv6 interfaces, port 53
    Oct 21 15:58:33 hpeos004 named[5264]: could not listen on UDP socket: address in use
    Oct 21 15:58:33 hpeos004 named[5264]: listening on IPv6 interfaces failed
    Oct 21 15:58:33 hpeos004 named[5264]: not listening on any interfaces
    Oct 21 15:58:33 hpeos004 named[5264]: command channel listening on 127.0.0.1#953
    Oct 21 15:58:33 hpeos004 named[5264]: zone 0.0.127.IN-ADDR.ARPA/IN: loaded serial 1
    Oct 21 15:58:33 hpeos004 named[5264]: zone 168.192.IN-ADDR.ARPA/IN: loaded serial 1
    Oct 21 15:58:33 hpeos004 named[5264]: zone maabof.com/IN: loaded serial 2
    Oct 21 15:58:33 hpeos004 named[5264]: zone IP6.INT/IN: loaded serial 1
    Oct 21 15:58:33 hpeos004 named[5264]: running

There appears to be a problem with named listening on any interface. I tried adding the line listen-on { any; }; to my /etc/named.conf file, to no avail. Normally, this error means that another program has port 53 open (possibly an old named process). I have used various tools (lsof, a contributed utility) to check whether this port is open. It isn't. After much digging around, at the time of this writing, there appears to be a problem with named and the device /dev/ip6. I tried loading all the current ARPA/Streams patches, but the problem persists. I checked the various HP Web sites, but there doesn't seem to be a fix for it at present. Throughout this book, I have always worked through my examples to ensure that what I am telling you works. At this point, I am going to have to introduce a workaround for this problem. I am sure that, by the time you read this, there will be a fix for it. Here's the workaround: I rename the device /dev/ip6.

 

    root@hpeos004[dns] mv /dev/ip6 /dev/ip6.old
    root@hpeos004[dns]

This will have an impact on the functioning of my IPv6 stack. I am willing to take that hit at the moment. Can I now start up named ?

 

    root@hpeos004[dns] /sbin/init.d/named start
    named
    root@hpeos004[dns]
    root@hpeos004[dns] more /var/adm/syslog/netdaemon.log
    ...
    Oct 21 19:32:01 hpeos004 named[17641]: starting BIND 9.2.0
    Oct 21 19:32:01 hpeos004 named[17641]: using 1 CPU
    Oct 21 19:32:01 hpeos004 named[17641]: loading configuration from '/etc/named.conf'
    Oct 21 19:32:01 hpeos004 named[17641]: no IPv6 interfaces found
    Oct 21 19:32:01 hpeos004 named[17641]: listening on IPv4 interface lan1, 192.168.0.66#53
    Oct 21 19:32:01 hpeos004 named[17641]: listening on IPv4 interface lan0, 192.168.0.35#53
    Oct 21 19:32:01 hpeos004 named[17641]: listening on IPv4 interface lo0, 127.0.0.1#53
    Oct 21 19:32:01 hpeos004 named[17641]: command channel listening on 127.0.0.1#953
    Oct 21 19:32:01 hpeos004 named[17641]: zone 0.0.127.IN-ADDR.ARPA/IN: loaded serial 1
    Oct 21 19:32:01 hpeos004 named[17641]: zone 168.192.IN-ADDR.ARPA/IN: loaded serial 2
    Oct 21 19:32:01 hpeos004 named[17641]: zone maabof.com/IN: loaded serial 2
    Oct 21 19:32:01 hpeos004 named[17641]: zone IP6.INT/IN: loaded serial 2
    Oct 21 19:32:01 hpeos004 named[17641]: running
    Oct 21 19:32:01 hpeos004 named[17641]: zone 0.0.127.IN-ADDR.ARPA/IN: sending notifies (serial 1)
    Oct 21 19:32:01 hpeos004 named[17641]: zone IP6.INT/IN: sending notifies (serial 2)
    Oct 21 19:32:01 hpeos004 named[17641]: zone maabof.com/IN: sending notifies (serial 2)
    Oct 21 19:32:01 hpeos004 named[17641]: zone 168.192.IN-ADDR.ARPA/IN: sending notifies (serial 2)
    root@hpeos004[dns]

This appears to be okay now and underscores the importance of checking the output in syslog. If I had not made sure that all was working properly, my slave servers would not have received any updates, because named wasn't listening on any of my network interfaces for their requests for updated DNS resource records. Check that the addresses named reports are exactly the ones you intend it to serve: a listener on an interface you did not expect is just as much a problem as a missing one, because it exposes the server to a network you did not plan for. I can now proceed with setting up the resolver configuration files.
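The "listening on" lines are easy to eyeball once, but a practitioner wants the check scripted so it runs after every restart. The following is an added example, not code from the book or from HP-UX: it pulls the interface listeners out of the syslog text and compares them against the list of addresses the server is supposed to serve. The two log samples are constructed copies (the healthy one mirrors the output above; the failing one shows named bound only to loopback), and the expected address list is an assumption taken from this host's configuration.

```shell
#!/bin/sh
# Added example (not from the book): audit the addresses named reports
# listening on, using the "listening on" lines it writes to syslog at startup
# (/var/adm/syslog/netdaemon.log on HP-UX). The two logs below are constructed
# samples so the script runs offline; on a real host pass the live log text.

# Constructed copy of a healthy startup (three IPv4 listeners on port 53).
SAMPLE_OK='Oct 21 19:32:01 hpeos004 named[17641]: starting BIND 9.2.0
Oct 21 19:32:01 hpeos004 named[17641]: no IPv6 interfaces found
Oct 21 19:32:01 hpeos004 named[17641]: listening on IPv4 interface lan1, 192.168.0.66#53
Oct 21 19:32:01 hpeos004 named[17641]: listening on IPv4 interface lan0, 192.168.0.35#53
Oct 21 19:32:01 hpeos004 named[17641]: listening on IPv4 interface lo0, 127.0.0.1#53
Oct 21 19:32:01 hpeos004 named[17641]: command channel listening on 127.0.0.1#953
Oct 21 19:32:01 hpeos004 named[17641]: running'

# Constructed failure: named is "running" but bound only the loopback
# interface, so slaves and clients on the LAN get no answers.
SAMPLE_BAD='Oct 21 19:20:11 hpeos004 named[17602]: starting BIND 9.2.0
Oct 21 19:20:11 hpeos004 named[17602]: listening on IPv4 interface lo0, 127.0.0.1#53
Oct 21 19:20:11 hpeos004 named[17602]: running'

# named_listeners LOG_TEXT
# Print one "address#port" per line for each interface listener named logged.
# The rndc "command channel listening on 127.0.0.1#953" line does not match
# because it is not an interface listener.
named_listeners() {
    printf '%s\n' "$1" |
        sed -n 's/.*named\[[0-9]*\]: listening on IPv[46] interface [^,]*, \([^ ]*\)$/\1/p'
}

# check_listeners LOG_TEXT "addr1 addr2 ..."
# Return 0 when named listens on port 53 on every expected address and on no
# other address; print each discrepancy and return 1 otherwise. An UNEXPECTED
# listener matters as much as a MISSING one: a name server bound to an
# interface you did not intend is exposed to a network you did not intend.
check_listeners() {
    got=$(named_listeners "$1")
    rc=0
    if [ -z "$got" ]; then
        echo "FATAL: named reported no listeners at all"
        return 1
    fi
    for want in $2; do
        found=0
        for have in $got; do
            if [ "$have" = "$want#53" ]; then found=1; fi
        done
        if [ "$found" -eq 0 ]; then
            echo "MISSING: named is not listening on $want#53"
            rc=1
        fi
    done
    for have in $got; do
        addr=${have%#*}
        known=0
        for want in $2; do
            if [ "$addr" = "$want" ]; then known=1; fi
        done
        if [ "$known" -eq 0 ]; then
            echo "UNEXPECTED: named is listening on $have"
            rc=1
        fi
    done
    return $rc
}

# Assumed list of addresses this master is meant to serve (the two LAN
# addresses of hpeos004 plus loopback).
EXPECTED="192.168.0.35 192.168.0.66 127.0.0.1"

# Stand-alone run over the constructed samples. On the real server you would
# feed it the lines from the most recent start, for example
#   check_listeners "$(grep 'named\[' /var/adm/syslog/netdaemon.log)" "$EXPECTED"
if check_listeners "$SAMPLE_OK" "$EXPECTED"; then
    echo "SAMPLE_OK: listeners match"
fi
if check_listeners "$SAMPLE_BAD" "$EXPECTED"; then
    echo "SAMPLE_BAD: listeners match"
else
    echo "SAMPLE_BAD: listener audit failed"
fi
```

The comparison is deliberately two-sided: the same script that catches the /dev/ip6 failure above (no LAN listeners) also catches the opposite mistake, a listen-on { any; }; left in named.conf on a host that later acquires an interface you never meant to serve DNS on.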

17.1.7 Set up the resolver configuration files

The resolver configuration files are /etc/nsswitch.conf and /etc/resolv.conf . Only the /etc/resolv.conf file is required because the /etc/nsswitch.conf file has a default behavior whereby a DNS server will be queried if available. Here is my /etc/resolv.conf file:

 

root@hpeos004[dns] cat /etc/resolv.conf
domain maabof.com
search maabof.com
nameserver 192.168.0.35
root@hpeos004[dns]

Notice that I have used both the domain and the search keyword. I like to mention both because it reminds me that I can modify the list of domains searched for a bare hostname (the searchlist). This can be useful for users who communicate with machines in different domains while specifying only the hostname component of the FQDN. I always specify the domain keyword at least, because some utilities (HP's Service Control Manager, for example) complain if they cannot determine the DNS domain name.

Notice also that I have only listed one name server IP address. I could have listed both of my IP addresses, but because the maximum number of listed name servers is only three, I will not use up an entry for a machine that is multi-homed.

I decided to set up my /etc/nsswitch.conf file because I do not have NIS and hence do not want to reference it in any way:

 

root@hpeos004[dns] cat /etc/nsswitch.conf
ipnodes: dns [ NOTFOUND=continue ] files
hosts: dns [ NOTFOUND=continue ] files
root@hpeos004[dns]

The ipnodes entry is required to resolve IPv6 addresses.
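Both resolver files are going to be copied to every client, so it is worth linting them once before they are rolled out. The following is an added example, not code from the book or from HP-UX: it checks the rules stated above (no more than three nameserver entries are honoured, a domain keyword should be present, the hosts line should consult dns and, since there is no NIS here, should not reference nis, and an ipnodes line is needed for IPv6). The good files are copies of the two files shown above; the bad files are constructed to trip each check.

```shell
#!/bin/sh
# Added example (not from the book): lint the two resolver files before
# copying them to every client. The file contents below are embedded copies
# so the script runs offline; on a real host use
#   resolv_lint "$(cat /etc/resolv.conf)"
#   nsswitch_lint "$(cat /etc/nsswitch.conf)"

RESOLV_GOOD='domain maabof.com
search maabof.com
nameserver 192.168.0.35'

# Constructed bad file: five nameserver lines (the resolver honours only the
# first three and silently ignores the rest), no domain keyword, and one
# address that is not a valid dotted quad.
RESOLV_BAD='search maabof.com
nameserver 192.168.0.35
nameserver 192.168.0.66
nameserver 192.168.0.300
nameserver 192.168.0.70
nameserver 192.168.0.71'

NSSWITCH_GOOD='ipnodes: dns [ NOTFOUND=continue ] files
hosts: dns [ NOTFOUND=continue ] files'

# Constructed bad file: NIS consulted although none exists, DNS never
# consulted for hosts, and no ipnodes line for IPv6.
NSSWITCH_BAD='hosts: nis [ NOTFOUND=return ] files'

# count_lines TEXT : number of non-empty lines
count_lines() { printf '%s\n' "$1" | awk 'NF{c++} END{print c+0}'; }

# resolv_lint TEXT : print one line per problem; return the number of problems
resolv_lint() {
    n=0
    ns=$(printf '%s\n' "$1" | awk '$1=="nameserver"{print $2}')
    nscount=$(count_lines "$ns")
    if [ "$nscount" -eq 0 ]; then
        echo "resolv.conf: no nameserver lines"; n=$((n+1))
    elif [ "$nscount" -gt 3 ]; then
        echo "resolv.conf: $nscount nameserver lines; only the first 3 are used"; n=$((n+1))
    fi
    if ! printf '%s\n' "$1" | grep -q '^domain[[:space:]]'; then
        echo "resolv.conf: no domain keyword (some tools need it to find the DNS domain)"; n=$((n+1))
    fi
    # reject anything that is not four decimal octets in the range 0-255
    bad=$(printf '%s\n' "$ns" | awk -F. 'NF==0{next}
        NF!=4{print; next}
        {for(i=1;i<=4;i++) if($i !~ /^[0-9]+$/ || $i>255){print; next}}')
    for a in $bad; do
        echo "resolv.conf: nameserver $a is not a valid IPv4 address"; n=$((n+1))
    done
    return $n
}

# nsswitch_lint TEXT : same contract, for /etc/nsswitch.conf
nsswitch_lint() {
    n=0
    hosts=$(printf '%s\n' "$1" | awk '$1=="hosts:"{print}')
    if [ -z "$hosts" ]; then
        echo "nsswitch.conf: no hosts: line"; n=$((n+1))
    else
        case "$hosts" in
            *dns*) ;;
            *) echo "nsswitch.conf: hosts: line never consults dns"; n=$((n+1)) ;;
        esac
        case "$hosts" in
            *nis*) echo "nsswitch.conf: hosts: line references nis; remove it if NIS is not in use"; n=$((n+1)) ;;
        esac
    fi
    if ! printf '%s\n' "$1" | grep -q '^ipnodes:'; then
        echo "nsswitch.conf: no ipnodes: line; IPv6 addresses will not be resolved via dns"; n=$((n+1))
    fi
    return $n
}

# Stand-alone run over the embedded files
resolv_lint "$RESOLV_GOOD" && echo "RESOLV_GOOD: clean"
resolv_lint "$RESOLV_BAD" || echo "RESOLV_BAD: $? problem(s)"
nsswitch_lint "$NSSWITCH_GOOD" && echo "NSSWITCH_GOOD: clean"
nsswitch_lint "$NSSWITCH_BAD" || echo "NSSWITCH_BAD: $? problem(s)"
```

Run it on the master first and then on each client as part of the rollout; the return code is the number of findings, so it slots into a script that refuses to copy a file that is not clean.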

17.1.8 Test DNS functionality

We can still use commands like nslookup and nsquery to test that DNS is functioning as required:

 

root@hpeos004[dns] nslookup -type=AAAA hpeos004
Name Server:  hpeos004.maabof.com
Address:  192.168.0.35

Trying DNS
Name:    hpeos004.maabof.com
Addresses:  fe80::230:6eff:fe5c:4f4f, fe80::a00:9ff:febb:bbbb, fec0:0:0:1::2, fec0:0:0:2::2
root@hpeos004[dns]

However, there is a newer command, dig (Domain Information Groper), that understands all of the IPv6 record types and does not have the behavioral peculiarities that nslookup exhibits (nslookup doesn't know what an A6 record is). A word on those record types: when BIND 9.2 was written, the A6 record was expected to replace AAAA as the format for an IPv6 address, which is why both appear in the zone below. That never happened. A6 was moved to experimental status by RFC 3363 and later declared historic (RFC 6563); AAAA is the standard IPv6 address record, so put AAAA records in your zones and do not rely on A6 resolving anywhere but on this server.

 

root@hpeos004[dns] dig hpeos004.maabof.com a6

; <<>> DiG named 9.2.0 <<>> hpeos004.maabof.com a6
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33475
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 1, ADDITIONAL: 6

;; QUESTION SECTION:
;hpeos004.maabof.com.           IN      A6

;; ANSWER SECTION:
hpeos004.maabof.com.    86400   IN      A6      0 fec0:0:0:2::2
hpeos004.maabof.com.    86400   IN      A6      0 fe80::230:6eff:fe5c:4f4f
hpeos004.maabof.com.    86400   IN      A6      0 fe80::a00:9ff:febb:bbbb
hpeos004.maabof.com.    86400   IN      A6      0 fec0:0:0:1::2

;; AUTHORITY SECTION:
maabof.com.             86400   IN      NS      hpeos004.maabof.com.

;; ADDITIONAL SECTION:
hpeos004.maabof.com.    86400   IN      A       192.168.0.66
hpeos004.maabof.com.    86400   IN      A       192.168.0.35
hpeos004.maabof.com.    86400   IN      AAAA    fec0:0:0:1::2
hpeos004.maabof.com.    86400   IN      AAAA    fec0:0:0:2::2
hpeos004.maabof.com.    86400   IN      AAAA    fe80::230:6eff:fe5c:4f4f
hpeos004.maabof.com.    86400   IN      AAAA    fe80::a00:9ff:febb:bbbb

;; Query time: 2 msec
;; SERVER: 192.168.0.35#53(192.168.0.35)
;; WHEN: Mon Oct 21 19:53:45 2003
;; MSG SIZE  rcvd: 311

root@hpeos004[dns]

You don't need to supply a record type on the command line if you don't want to because it will default to a record type A=Address:

 

root@hpeos004[dns] dig hpeos004.maabof.com

; <<>> DiG named 9.2.0 <<>> hpeos004.maabof.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 353
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 8

;; QUESTION SECTION:
;hpeos004.maabof.com.           IN      A

;; ANSWER SECTION:
hpeos004.maabof.com.    86400   IN      A       192.168.0.66
hpeos004.maabof.com.    86400   IN      A       192.168.0.35

;; AUTHORITY SECTION:
maabof.com.             86400   IN      NS      hpeos004.maabof.com.

;; ADDITIONAL SECTION:
hpeos004.maabof.com.    86400   IN      A6      0 fec0:0:0:1::2
hpeos004.maabof.com.    86400   IN      A6      0 fec0:0:0:2::2
hpeos004.maabof.com.    86400   IN      A6      0 fe80::230:6eff:fe5c:4f4f
hpeos004.maabof.com.    86400   IN      A6      0 fe80::a00:9ff:febb:bbbb
hpeos004.maabof.com.    86400   IN      AAAA    fe80::230:6eff:fe5c:4f4f
hpeos004.maabof.com.    86400   IN      AAAA    fe80::a00:9ff:febb:bbbb
hpeos004.maabof.com.    86400   IN      AAAA    fec0:0:0:1::2
hpeos004.maabof.com.    86400   IN      AAAA    fec0:0:0:2::2

;; Query time: 70 msec
;; SERVER: 192.168.0.35#53(192.168.0.35)
;; WHEN: Mon Oct 21 19:54:29 2003
;; MSG SIZE  rcvd: 311

root@hpeos004[dns]

It is a powerful tool, but some of the more esoteric features do take a little bit of getting used to.
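Reading the dig header by eye is fine for a one-off test, but the same three lines (status, flags, counts) are what you would check from a script after every zone change. The following is an added example, not code from the book or from BIND: it parses the header dig prints and insists on what a healthy answer from our own master looks like, namely status NOERROR, the aa (authoritative answer) flag set, at least one answer record and the reply coming from the server we asked. DIG_OK is the header and answer section of the second dig output above, trimmed; DIG_NX is a constructed NXDOMAIN reply for a name that is not in the zone, and the expected server address 192.168.0.35 is taken from the outputs above.

```shell
#!/bin/sh
# Added example (not from the book): script the dig test by parsing the
# header that dig prints. DIG_OK is trimmed from the real output above;
# DIG_NX is a constructed NXDOMAIN reply so the failure path runs offline.

DIG_OK='; <<>> DiG named 9.2.0 <<>> hpeos004.maabof.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 353
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 8

;; ANSWER SECTION:
hpeos004.maabof.com.    86400   IN      A       192.168.0.66
hpeos004.maabof.com.    86400   IN      A       192.168.0.35

;; SERVER: 192.168.0.35#53(192.168.0.35)'

# Constructed: what the same server says about a name the zone does not hold
DIG_NX='; <<>> DiG named 9.2.0 <<>> nosuchhost.maabof.com
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4711
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; SERVER: 192.168.0.35#53(192.168.0.35)'

# Field extractors; each takes the dig output text as $1.
dig_status()  { printf '%s\n' "$1" | sed -n 's/^;; ->>HEADER<<-.*status: \([A-Z]*\),.*/\1/p'; }
dig_flags()   { printf '%s\n' "$1" | sed -n 's/^;; flags: \([^;]*\);.*/\1/p'; }
dig_answers() { printf '%s\n' "$1" | sed -n 's/^;; flags:.*ANSWER: \([0-9]*\),.*/\1/p'; }
dig_server()  { printf '%s\n' "$1" | sed -n 's/^;; SERVER: \([^(]*\)(.*/\1/p'; }

# dig_has_flag TEXT FLAG : true if FLAG appears in the flags line
dig_has_flag() {
    for f in $(dig_flags "$1"); do
        if [ "$f" = "$2" ]; then return 0; fi
    done
    return 1
}

# dig_check TEXT EXPECTED_SERVER : return 0 if the reply is a healthy
# authoritative answer from EXPECTED_SERVER; otherwise print why and return 1
dig_check() {
    rc=0
    st=$(dig_status "$1")
    if [ "$st" != "NOERROR" ]; then echo "status is $st, not NOERROR"; rc=1; fi
    if ! dig_has_flag "$1" aa; then echo "answer is not authoritative (no aa flag)"; rc=1; fi
    ans=$(dig_answers "$1")
    if [ "${ans:-0}" -lt 1 ]; then echo "no answer records"; rc=1; fi
    srv=$(dig_server "$1")
    if [ "$srv" != "$2#53" ]; then echo "answered by $srv, expected $2#53"; rc=1; fi
    # Informational, to stderr: ra means the server offers recursion. On an
    # authoritative server reachable from outside your own network, restrict
    # that with allow-recursion in /etc/named.conf so it cannot be used as an
    # open resolver.
    if dig_has_flag "$1" ra; then echo "note: recursion available (ra) on this server" >&2; fi
    return $rc
}

# Stand-alone run over the samples. Against the live server you would use
#   dig_check "$(dig @192.168.0.35 hpeos004.maabof.com)" 192.168.0.35
for name in DIG_OK DIG_NX; do
    eval "out=\$$name"
    if dig_check "$out" 192.168.0.35; then
        echo "$name: healthy authoritative answer"
    else
        echo "$name: check failed"
    fi
done
```

The aa check is the one people forget: a reply with status NOERROR that lacks aa came out of some cache rather than from the zone file you just edited, which is exactly the case where a stale serial number or a slave that has not transferred yet goes unnoticed.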

As we can see, regardless of which tool we use, hostname lookup via DNS seems to be working as expected. We would now set up the resolver configuration files on all of our network clients to reference our new name server .

IMPORTANT

We must remember to update all configuration files that specify old non-FQDN names, e.g., /etc/hosts.equiv, /etc/X0.hosts, /var/adm/inetd.sec, $HOME/.rhosts, $HOME/.netrc, /etc/mail/sendmail.cf, /etc/mail/sendmail.cw, /etc/ntp.conf, to name a few, so that they now use the FQDN hostnames. Several of these (hosts.equiv, .rhosts, inetd.sec, X0.hosts) grant access on the strength of the connecting host's name, which the server obtains by a reverse lookup of the client's address, so the in-addr.arpa (PTR) zones must be correct and loaded as well; a stale or missing PTR record means the trust check is made against the wrong name.


Finally, a quick mention of the rndc utility again. The sig_named command allowed us to extract statistics and dump the name server cache using options such as stats and dump. The rndc utility has similar functionality. I won't bore you with all the details except to direct you to the man pages and to point out that rndc creates appropriately named files in the running directory (/etc/dns in our case), as specified in the /etc/named.conf file.

 

root@hpeos004[dns] rndc stats
root@hpeos004[dns] ll named.stats
-rw-r--r--   1 root       root           140 Oct 21 19:55 named.stats
root@hpeos004[dns] more named.stats
+++ Statistics Dump +++ (1066722959)
success 406
referral 0
nxrrset 2
nxdomain 1
recursion 4
failure 4
--- Statistics Dump --- (1066722959)
root@hpeos004[dns]



HP-UX CSE(c) Official Study Guide and Desk Reference
Year: 2006
Pages: 434