.TH CHIARK\-NAMED\-CONF 8 "30th December 2001" "Greenend" "chiark utilities"
.SH NAME
chiark\-named\-conf \- check and generate nameserver configuration
-
.SH SYNOPSIS
-.B chiark\-named\-conf [\fIoptions\fP] \-n|\-y|\-f
+.BR chiark\-named\-conf " [\fIoptions\fP] " \-n | \-y | \-f
.br
-.B chiark\-named\-conf [\fIoptions\fP] \fIzone ...\fP
-
+\fBchiark\-named\-conf\fP [\fIoptions\fP] \fIzone ...\fP
.SH DESCRIPTION
.B chiark\-named\-conf
is a tool for managing nameserver configurations and checking for
suspected DNS problems. Its main functions are to check that
-delegations are appropriate and working, optionally from the root zone
-down, and to generate a configuration for
+delegations are appropriate and working, and to generate a
+configuration for
.BR BIND ,
from its own input file.
-
.SH OPTIONS
+
.SS MODE OPTIONS
If one of the options
.BR -n ", " -y ", or " -f
.I config\-file
instead of
.BR /etc/bind/chiark-conf-gen.zones .
+Also changes the default directory.
+.TP
+.BR \-D
+Enables debugging. Useful for debugging chiark\-named\-conf, but
+probably not useful for debugging your DNS configuration. Repeat to
+increase the debugging level. (Maximum is
+.BR -DD .)
+.TP
+.BR \-g | \-\-glueless
+Warn only once about a glueless referral for each zone and server,
+rather than once for each parent which gave out a referral without
+glue.
+
+When repeated, do not warn about glueless referrals at all. Not
+recommended. Note that glueless referrals usually cause extra delays
+looking up names, and can make lookups fail even if in theory they
+could succeed. There is no generally agreed convention or standard
+for avoiding circular glueless situations such as
+.br
+.B example.com NS ns0.example.net.uk
+.br
+.B example.com NS ns1.example.net.uk
+.br
+.B example.net.uk NS ns0.example.com
+.br
+.B example.net.uk NS ns1.example.com
+.br
+where gluelessness would completely prevent lookups inside
+example.net.uk and example.com. The best way to be sure to avoid this
+is to avoid gluelessness.
+.TP
+.BR \-l | \-\-local
+Only checks for mistakes which are the responsibility of the local
+administrator. This means that for secondary and stealth zones we
+only check that we're slaving from the right place. For primary zones
+all checks are still done. It is a mistake to specify
+.B \-l
+with foreign zones (zones supplied explictly on the command line but
+not relevant to the local server); doing so produces a warning.
.TP
.BR \-q | \-\-quiet
Do not print any information about zone(s) which do not have warnings.
.TP
.BR \-v | \-\-verbose
Print additional information about each zone.
-.TP
-.BR \-r | \-\-root
-Check the delegation all the way to the root zone. By default,
-checks are only carried out on the delegations supplied by (all) the
-nameservers for the immediate superzone.
-.SH CONFIGURATION
+.SH USAGE
The file
.B /etc/bind/chiark-conf-gen.zones
(or other file specified with the
Specifies the list of names that this server may be known by in
the ORIGIN field of SOA records. There is no default.
.TP
-\fBself\fP \fIfqdn ...\fP
+.BI self " fqdn ..."
Equivalent to both
-.BR self\-ns " and " self-\soa
+.B self\-ns " and " self\-soa
with the same set of names.
.TP
\fBslave\-dir\fP \fIdirectory\fP [[\fIprefix\fP] \fIsuffix\fP]
Delegated servers: Each server mentioned in the delegation should have
the same SOA record (and obviously, should be authoritative).
-Origin server's data: The set of nameservers in the origin server's
-version of the zone should be a superset of those in the delegations.
-(The addresses of any additional servers will be acquired from the
-local default nameserver at this point.)
-
All published nameservers - including delegated servers and servers
named in the zone's nameserver set: All nameservers for the zone
-should supply the same list of nameservers for the zone as the origin
-server does, and none of this authority information should be
-glueless. All the glue should always give the same addresses.
+should supply the same list of nameservers for the zone, and none of
+this authority information should be glueless. All the glue should
+always give the same addresses.
+
+Origin server's data: The set of nameservers in the origin server's
+version of the zone should be a superset of those in the delegations.
Our zone configuration: For
.B primary
.B stealth
zones, the address should be that of the SOA origin or one of the
published nameservers.
+.SH SECURITY
+chiark\-named\-conf is supposed to be resistant to malicious data in
+the DNS. It is not resistant to malicious data in its own options,
+configuration file or environment. It is not supposed to read its
+stdin, but is not guaranteed to be safe if stdin is dangerous.
+.LP
+Killing chiark-named-conf suddenly should be safe, even with
+.BR -y " or " -f
+(though of course it may not complete its task if killed), provided
+that only one invocation is made at once.
+.LP
+Slow remote nameservers will cause chiark-named-conf to take
+excessively long.
+.SH EXIT STATUS
+.TP
+.B 0
+All went well and there were no warnings.
+.TP
+any other
+There were warnings or errors.
.SH FILES
.TP
.B /etc/bind/chiark-conf-gen.zones
.TP
.B /var/cache/bind/chiark-slave
Default location for slave zones.
+.SH ENVIRONMENT
+.LP
+Setting variables used by
+.BR dig (1)
+and
+.BR adnshost (1)
+will affect the operation of chiark\-named\-conf.
+Avoid messing with these if possible.
+.LP
+.B PATH
+Used to find subprograms such as
+.BR dig " and " adnshost .
+.SH BUGS
+The determination of the parent zone for each zone to be checked, and
+its nameservers, is done simply using the system default nameserver.
+
+The processing of output from
+.B dig
+is not very reliable or robust, but this is mainly the fault of dig.
+This can lead to somewhat unhelpful error reporting for lookup
+failures.
.SH AUTHOR
.B chiark\-named\-conf
and this manpage were written by Ian Jackson <ian@chiark.greenend.org.uk>.
~ian / chiark-utils.git / blobdiff