1 .\" Hey, Emacs! This is an -*- nroff -*- source file.
2 .TH CHIARK\-NAMED\-CONF 8 "30th December 2001" "Greenend" "chiark utilities"
4 chiark\-named\-conf \- check and generate nameserver configuration
6 .BR chiark\-named\-conf " [\fIoptions\fP] " \-n | \-y | \-f
8 \fBchiark\-named\-conf\fP [\fIoptions\fP] \fIzone ...\fP
10 .B chiark\-named\-conf
11 is a tool for managing nameserver configurations and checking for
12 suspected DNS problems. Its main functions are to check that
13 delegations are appropriate and working, and to generate a
16 from its own input file.
18 By default, for each zone, in addition to any warnings, the output
19 lists the zone's configuration type. If the zone is checked, the
20 serial number at each of the nameservers is shown, with any
21 unpublished primary having
23 after the serial number.
28 .BR -n ", " -y ", or " -f
29 is supplied then chiark-named-conf will read its main configuration
30 file for the list of relevant zones. It will then check the
31 configuration and delegation for each zone
32 and/or generate and install a new configuration file for
36 Generate and install new nameserver config, as well as checking
37 configuration, for all listed zones.
40 Check configuration, for all listed zones, but
41 do not generate new nameserver config.
44 Generate and install new nameserver config, without doing any
45 configuration cross-checking. (Syntax errors in our input
46 configuration will still abort this operation.)
48 Alternatively, one or more zone names may be supplied as arguments, in
49 which case their delegations will be checked, and compared with the
50 data for that zone in the main configuration (if any). In this case
51 no new configuration file for the nameserver will be made.
53 .SS ADDITIONAL OPTIONS
56 Checks even zones known to be broken. Ie, ignores the
58 zone style modifier in the configuration.
60 .BR \-C | \-\-config " \fIconfig\-file\fP"
64 .BR /etc/bind/chiark-conf-gen.zones .
65 Also changes the default directory.
68 Enables debugging. Useful for debugging chiark\-named\-conf, but
69 probably not useful for debugging your DNS configuration. Repeat to
70 increase the debugging level. (Maximum is
73 .BR \-g | \-\-glueless
74 Do not warn about glueless referrals. Not recommended. Note that
75 glueless referrals usually cause extra delays looking up names, and
76 can make lookups fail even if in theory they could succeed. There is
77 no generally agreed convention or standard for avoiding circular
78 glueless situations such as
80 .B example.com NS ns0.example.net.uk
82 .B example.com NS ns1.example.net.uk
84 .B example.net.uk NS ns0.example.com
86 .B example.net.uk NS ns1.example.com
88 where gluelessness would completely prevent lookups inside
89 example.net.uk and example.com. The best way to be sure to avoid this
90 is to avoid gluelessness.
93 Only checks for mistakes which are the responsibility of the local
94 administrator (to fix or get fixed). This means that for published
95 and stealth zones we only check that we're slaving from the right
96 place and that any names and addresses for ourself are right. For
97 primary zones all checks are still done. It is a mistake to specify
99 with foreign zones (zones supplied explictly on the command line but
100 not relevant to the local server); doing so produces a warning.
103 Suppress the usual report of the list of nameservers for each zone and
104 the serial number from each. When specified twice, do not print any
105 information except warnings.
108 When a problem is detected, warn for all sources of the same imperfect
109 data, rather than only the first we come across
111 .BR \-v | \-\-verbose
112 Print additional information about what is being checked, as we go
116 .B /etc/bind/chiark-conf-gen.zones
117 (or other file specified with the
119 option) contains a sequence of directives, one per line. Blank lines
120 are permitted. Leading and trailing whitespace on each line is
121 ignored. Comments are lines starting with
125 joins it to the next line, so that long directives can be split across
126 several physical lines.
127 .SS GENERAL DIRECTIVES
128 These directives specify general configuration details. They should
129 appear before directives specifying zones, as each will affect only
130 later zone directives.
132 \fBdefault\-dir\fP \fIdirectory\fP
135 be the default directory (which affects the interpretation of
136 relative filenames). The default is the directory containing
137 the main configuration file, ie
143 \fBforbid\-addr\fP [\fIip-address ...\fP]
144 Specifies the list of addresses that are forbidden as any nameserver
145 for any zone. The default is no such addresses.
147 \fBserverless\-glueless\fP \fIdomain ...\fP
148 Specifies a list of domains under which we do not expect to find any
149 nameservers; for these zones it is OK to find glueless referrals.
150 Each domain listed names a complete subtree of the DNS, starting at
151 the named point. The default is
152 .BR "in\-addr.arpa ip6.arpa ip6.int" .
154 To avoid indefinitely long or even circularly glueless referrals
155 (which delay or prevent lookups) it is necessary for all sites to
156 effectively implement similar conventions; currently the author
157 believes that only the reverse lookup namespaces are conventionally
158 devoid of nameservers, and therefore fine to provide glueless
161 \fBoutput\fP \fIformat\fP \fIfilename\fP [\fIformat\fP \fIfilename ...\fP]
164 will be overwritten when
166 are used; its new contents will be configuration
167 directives for the zones which follow for the
168 nameserver in question. Currently the only
172 which indicates new-style BIND 8. If no zones follow, then each
173 file will still be overwritten, by an effectively empty file.
174 Default: if there is no
176 directive in the configuration then the default is to use
177 .BR bind8 " " chiark-conf-gen.bind8 ;
178 otherwise it is an error for there to be any zones in the
179 configuration before the first
183 \fBself\-addr\fP \fIip-address ...\fP
184 Specifies the list of addresses that this server may be known by in
185 A records. There is no default.
187 \fBself\-ns\fP \fIfqdn ...\fP
188 Specifies the list of names that this server may be known by in NS
189 records. There is no default.
191 \fBself\-soa\fP \fIfqdn ...\fP
192 Specifies the list of names that this server may be known by in
193 the ORIGIN field of SOA records. There is no default.
197 .B self\-ns " and " self\-soa
198 with the same set of names.
200 \fBslave\-dir\fP \fIdirectory\fP [[\fIprefix\fP] \fIsuffix\fP]
201 Specifies the directory in which slave (published and stealth)
202 zonefiles should be placed. The default
205 .BR /var/cache/bind/chiark-slave .
207 .IR suffix " and " prefix
208 are empty; they also will be reset to these defaults by a
210 directive which does not specify them.
212 These directives specify one or more zones.
214 .BR primary [ * | ? "] \fIzone filename\fP"
215 Specifies that this server is supposed to be the primary nameserver
218 and that the zone data is to be found in
221 .BR primary\-dir [ * | ? "] \fIdirectory\fP[" / "\fIprefix\fP] [\fIsuffix\fP[" / \fIsubfile\fP]]
224 for files whose names start with
228 Each such file is taken to represent a zone file for which this server
229 is supposed to be the primary; the part of the filename between
230 .IR prefix " and " suffix
231 is the name of the zone.
235 is specified, then instead of looking for files, we search for
236 directories containing
238 directories which do not contain the subfile are simply skipped.
241 .IR directory [\fB/\fP prefix ]
242 exists as specified and is a directory then it is interpreted as
244 with an empty prefix; otherwise the final path component is assumed to
247 is specified then the default is
250 .BR published [ * | ? "] \fIzone origin\-addr\fP"
251 Specifies that this server is supposed to be a published slave
252 nameserver for the zone in question.
254 .BR stealth [ * | ? "] \fIzone server\-addr ...\fP"
255 Specifies that this server is supposed to be an unpublished secondary
256 (aka stealth secondary) for the zone in question.
257 .SS ZONE DIRECTIVE STYLE MODIFIERS
258 Each of the zone directives may optionally be followed by one of the
259 following characters:
262 Indicates that the zone is unofficial, ie that it is not delegated as
263 part of the global Internet DNS and that no attempt should be made to
264 find the superzone and check delegations. Note that unofficial, local
265 zones should be created with caution. They should be in parts of the
266 namespace which are reserved for private use, or belong to the actual
270 Indicates that the zone is known to be broken and no checks should be
271 carried out on it, unless the
276 \fBinclude\fP \fIfile\fP
279 as if it were included here.
282 Ends processing of this file; any data beyond this point is ignored.
284 chiark\-named\-conf makes the following checks:
286 Delegations: Each delegation from a server for the superzone should
287 contain the same set of nameservers. None of the delegations should
288 lack glue. The glue addresses should be the same in each delegation,
289 and agree with the local default nameserver.
291 Delegated servers: Each server mentioned in the delegation should have
292 the same SOA record (and obviously, should be authoritative).
294 All published nameservers - including delegated servers and servers
295 named in the zone's nameserver set: All nameservers for the zone
296 should supply the same list of nameservers for the zone, and none of
297 this authority information should be glueless. All the glue should
298 always give the same addresses.
300 Origin server's data: The set of nameservers in the origin server's
301 version of the zone should be a superset of those in the delegations.
303 Our zone configuration: For primary zones, the SOA origin should be
304 one of the names specified with
305 .BR self\-soa " (or " self ).
306 For published zones, the address should be that of the SOA origin.
307 For stealth zones, the address should be that of the SOA origin or one
308 of the published nameservers.
310 chiark\-named\-conf is supposed to be resistant to malicious data in
311 the DNS. It is not resistant to malicious data in its own options,
312 configuration file or environment. It is not supposed to read its
313 stdin, but is not guaranteed to be safe if stdin is dangerous.
315 Killing chiark-named-conf suddenly should be safe, even with
317 (though of course it may not complete its task if killed), provided
318 that only one invocation is made at once.
320 Slow remote nameservers will cause chiark-named-conf to take
325 All went well and there were no warnings.
328 There were warnings or errors.
331 .B /etc/bind/chiark-conf-gen.zones
332 Default input configuration file. (Override with
336 Default directory. (Override with
337 .BR -C " or " default\-dir .)
339 .IB dir /chiark-conf-gen.bind8
342 .B /var/cache/bind/chiark-slave
343 Default location for slave zones.
346 Setting variables used by
350 will affect the operation of chiark\-named\-conf.
351 Avoid messing with these if possible.
354 is used to find subprograms such as
355 .BR dig " and " adnshost .
357 The determination of the parent zone for each zone to be checked, and
358 its nameservers, is done simply using the system default nameserver.
360 The processing of output from
362 is not very reliable or robust, but this is mainly the fault of dig.
363 This can lead to somewhat unhelpful error reporting for lookup
366 .B chiark\-named\-conf
367 and this manpage were written by Ian Jackson <ian@chiark.greenend.org.uk>.