X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ian/git?p=chiark-utils.git;a=blobdiff_plain;f=scripts%2Fnamed-conf.8;h=b1547fe93e2c440e5f7e011271243227009b3ef2;hp=85d93982daaf29494fe48a41b45fe9e02c9d5b30;hb=18188d730fc2337a9b2caec8f46a65387c9a05c4;hpb=5065bee2ccdc8e017c763b4ede7102b4c20f8836 diff --git a/scripts/named-conf.8 b/scripts/named-conf.8 index 85d9398..b1547fe 100644 --- a/scripts/named-conf.8 +++ b/scripts/named-conf.8 @@ -58,6 +58,12 @@ and store the results; \-\-mail\-final also sends a mail to the zone SOA MNAME or local administrator, if too many of the calls had errors or warnings (calls before the most recent \-\-mail\-first being ignored). +.TP +.B \-mail\-final\-test +just like \-\-mail\-final except that it always sends mail to the +local server admin and never to remote zone contacts, adding +.B (testing!) +to the start of the To: field. .LP Alternatively, one or more zone names may be supplied as arguments, in which case their delegations will be checked, and compared with the @@ -85,8 +91,10 @@ increase the debugging level. (Maximum is .BR -DD .) .TP .BR \-g | \-\-glueless -Do not warn about glueless referrals. Not recommended - see -the section GLUELESSNESS, below. +Do not warn about glueless referrals (strictly, makes the zone style +modifier +.B ~ +the default). Not recommended - see the section GLUELESSNESS, below. .TP .BR \-l | \-\-local Only checks for mistakes which are the responsibility of the local 
@@ -98,6 +106,24 @@ primary zones all checks are still done. It is a mistake to specify with foreign zones (zones supplied explictly on the command line but not relevant to the local server); doing so produces a warning. .TP +.BI \-m group !*$@~? +Overrides a +.B modifiers +directive in the configuration file. The modifiers specified in the +directive are completely replaced by those specified in this command +line option. (Note that modifiers specified in per-zone directives +still override these per-group settings.) If more than one +.B modifiers +directive specifies the same group, they are all affected. +.B modifiers +directives which don't specify a group cannot be affected. It is an +error if the group does not appear in the config file. See ZONE STYLE +MODIFIERS, below. +.PP +The special group +.B foreign +is used for zones which don't appear in the configuration file. +.TP .BR \-q | \-\-quiet Suppress the usual report of the list of nameservers for each zone and the serial number from each. When specified twice, do not print any 
@@ -176,6 +202,27 @@ had warnings or errors more than of the times \-\-mail\-* was used (since the last \-\-mail\-first). The default is 50%. .TP +.BR modifiers " " !*$@~? "] [\fIgroup\fP]" +Applies the specified zone style modifiers (see below) to subsequently +declared zones (until the next +.B modifiers +directive), as if the modifiers specified were written out for +each zone. You must specify at least one character for the modifiers; +if you want to reset everything to the default, just say +.BR ! . +If style modifiers specified in the zone directive +conflict with the +.B modifiers +directive, those specified in the zone directive take effect. +.I group +may contain alphanumerics and underscores, and is used for the +.B -m +command-line option. +.TP +\fBself\-addr\fP \fIip-address ...\fP +Specifies the list of addresses that this server may be known by in +A records. There is no default. +.TP \fBoutput\fP \fIformat\fP \fIfilename\fP [\fIformat\fP \fIfilename ...\fP] Arranges that each .I filename @@ -198,10 +245,6 @@ configuration before the first .B output directive. .TP -\fBself\-addr\fP \fIip-address ...\fP -Specifies the list of addresses that this server may be known by in -A records. There is no default. -.TP \fBself\-ns\fP \fIfqdn ...\fP Specifies the list of names that this server may be known by in NS records. There is no default. Any trailing * is replaced by the name 
@@ -236,14 +279,14 @@ directive which does not specify them. .SS ZONE DIRECTIVES These directives specify one or more zones. .TP -.BR primary [ * | ? | @ | @@ | ~ "] \fIzone filename\fP" +.BR primary [ !*$@~? "] \fIzone filename\fP" Specifies that this server is supposed to be the primary nameserver for .I zone and that the zone data is to be found in .IR filename . .TP -.BR primary\-dir [ * | ? | @ | @@ | ~ "] \fIdirectory\fP[" / "\fIprefix\fP] [\fIsuffix\fP[" / \fIsubfile\fP]] +.BR primary\-dir [ !*$@~? "] \fIdirectory\fP[" / "\fIprefix\fP] [\fIsuffix\fP[" / \fIsubfile\fP]] Search .I directory for files whose names start with @@ -272,16 +315,27 @@ be the prefix. If no is specified then the default is .BR _db . .TP -.BR published [ * | ? | @ | @@ | ~ "] \fIzone origin\-addr\fP" +.BR published [ !*$@~? "] \fIzone origin\-addr\fP" Specifies that this server is supposed to be a published slave nameserver for the zone in question. .TP -.BR stealth [ * | ? | @ | @@ | ~ "] \fIzone server\-addr ...\fP" +.BR stealth [ !*$@~? "] \fIzone server\-addr ...\fP" Specifies that this server is supposed to be an unpublished secondary (aka stealth secondary) for the zone in question. -.SS ZONE DIRECTIVE STYLE MODIFIERS +.SS ZONE STYLE MODIFIERS Each of the zone directives may optionally be followed by one or more -of the following characters: +of the following characters (each at most once): +.TP +.B ! +Reverses the meaning of all style modifiers after the +.BR ! . +Only one +.BR ! +must appear in the modifier list. In this list, other modifiers which +default to `enabled' are described by describing the effect of their +inverse - see the description for +.B !@ +below. .TP .B * Indicates that the zone is unofficial, ie that it is not delegated as 
@@ -291,12 +345,12 @@ zones should be created with caution. They should be in parts of the namespace which are reserved for private use, or belong to the actual zone maintainer. .TP -.B @ -Indicates that mails should be sent about the zone to the nameserver -admin rather than to the zone SOA MNAME. This is always done for -stealth zones. +.B $ +Indicates that any mails should be sent about the zone to the +nameserver admin rather than to the zone SOA MNAME. This is the +default unless we are supposedly a published server for the zone. .TP -.B @@ +.B !@ Indicates that no mails should be sent about the zone to anyone. .TP .B ~ @@ -394,14 +448,13 @@ be necessary to create names for the child's nameservers which are underneath the child's apex, so that the glue records are both in the parent's bailiwick and obviously necessary. -Even worse, the horrid `shared registry system' managing .com, .net -and .org does not allow a single IPv4 address to be used for more than -one nameserver name! It does, however, give out glue for any -nameserver properly registered in the system. I therefore recommend -that you create a single name for your nameserver somewhere -in .com, .net or .org, and use that for all the delegations -from .com, .net and .org. At the time of writing (January 2002) this -seems to produce correct and glueful referrals. +In the past, the `shared registry system' managing .com, .net and .org +did not allow a single IPv4 address to be used for more than one +nameserver name. However, at the time of writing (October 2002) this +problem seems to have been fixed, and the workaround I previously +recommended (creating a single name for your nameserver somewhere +in .com, .net or .org, and using that for all the delegations +from .com, .net and .org) should now be avoided. Finally, a note about `reverse' zones, such as those in in-addr.arpa: It does not seem at all common practice to create nameservers in 
@@ -421,6 +474,22 @@ Dan Bernstein has some information and examples about this at http://cr.yp.to/djbdns/notes.html#gluelessness .UE but be warned that it is rather opinionated. +.SS GLUELESSNESS SUMMARY + +I recommend that every nameserver should have its own name in every +forward zone that it serves. For example: +.br +.B zone.example.com NS servus.ns.example.com +.br +.B servus.ns.example.com A 127.0.0.2 +.br +.B 2.0.0.127.in-addr.arpa PTR servus.example.net +.br +.B servus.example.net A 127.0.0.2 +.LP +Domain names in +.B in-addr.arpa +should not be used in the right hand side of NS records. .SH SECURITY chiark\-named\-conf is supposed to be resistant to malicious data in the DNS. It is not resistant to malicious data in its own options,
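Review bot: in the @@ -58,6 +58,12 hunk the new option is set as `.B \-mail\-final\-test` (one leading dash) while its own description says "just like \-\-mail\-final" and every other long option in this file uses `\-\-`; this should be `.B \-\-mail\-final\-test`. Also confirm that "(testing!)" is really meant to be prepended to the To: field rather than Subject:: a comment at the start of To: is syntactically legal but easy to overlook, and it is the visible marker that tells the local admin this is a test run and not real zone-contact mail.

Review bot: in the @@ -85,8 +91,10 hunk, now that -g is defined as "makes the zone style modifier ~ the default", say what happens when a zone directive or a modifiers directive carries `!~`: presumably a per-zone `!~` re-enables the glueless warning for that zone despite -g, but the text does not say so and the interaction is new with this change.

Review bot: in the @@ -98,6 +106,24 hunk the -m text says "It is an error if the group does not appear in the config file", but the paragraph that follows introduces the special group `foreign` "for zones which don't appear in the configuration file", which by construction will not appear in any modifiers directive. State explicitly that `foreign` is exempt from that error (or that it may also be named in a modifiers directive). Separately, the `.PP` between the two paragraphs resets the indent, so the `foreign` paragraph will render flush left, outside the body of the -m entry; use `.IP` (or fold it into the preceding paragraph) to keep it under the option.

Review bot: in the @@ -176,6 +202,27 hunk the synopsis `.BR modifiers " " !*$@~? "] [\fIgroup\fP]"` has a closing `]` with no matching `[`. Since the text says "You must specify at least one character for the modifiers", the modifiers are not optional and the stray `]` should simply go; if the `[ ... ]` form of the zone directives was intended, the "must specify at least one" sentence contradicts it. Also `.B -m` uses a plain hyphen where the rest of the page uses `\-`, and moving `self\-addr` up here (with its removal in the @@ -198,10 +245,6 hunk) separates it from `self\-ns`, which stays after `output`; if the aim was to group the self-* directives, move both, otherwise the move is a pure relocation with identical text and is fine.

Review bot: in the @@ -236,14 +279,14 hunk the old synopses `[ * | ? | @ | @@ | ~ ]` listed the alternatives with `|`, so a reader could see they were separate flags; the new `[ !*$@~? ]` reads as one token unless the reader already knows the ZONE STYLE MODIFIERS section. A short clause after the primary/primary-dir entries (or in each synopsis) saying these are single characters that may be combined, with a pointer to that section, would avoid the ambiguity.

Review bot: in the @@ -272,16 +315,27 hunk "Only one ! must appear in the modifier list" reads as a requirement that a `!` be present, which contradicts both the "(each at most once)" just added above and the rest of the page, where modifiers are optional; rewrite as "At most one ! may appear in the modifier list". It would also help to say what `!` does to `$`, the one other modifier whose default depends on zone type (for a stealth zone, does `!$` force mail to the SOA MNAME?), since the `!` paragraph only points the reader at `!@`.

Review bot: in the @@ -291,12 +345,12 hunk the characters are re-assigned, not just renamed: `@` used to mean "mail the admin rather than the SOA MNAME" and `@@` meant "mail nobody", but now `$` carries the first meaning and `!@` the second, with `@` becoming the default-enabled "do send mail" flag. An existing configuration that says `@` will therefore silently start mailing the zone SOA MNAME (a possibly external contact), and one that says `@@` will presumably be rejected under "each at most once". The page should carry a compatibility note for this, and the implementation might reasonably reject a bare `@` or `@@` in a zone directive for a while. Also "This is the default unless we are supposedly a published server for the zone" should say whether zones declared with `primary`/`primary-dir` count as published, since the `published` directive is defined only for slaves.

Review bot: in the @@ -394,14 +448,13 hunk "should now be avoided" gives no reason for dropping the old workaround. A clause saying why (one shared name outside the zones it serves gives out-of-bailiwick, and hence potentially glueless, referrals, which is exactly what the GLUELESSNESS section argues against) would let a reader who set things up on the January 2002 advice understand what to change.

Review bot: in the @@ -421,6 +474,22 hunk the example does not quite match the recommendation it illustrates. The rule is "its own name in every forward zone that it serves", but the NS target `servus.ns.example.com` lies in the parent zone example.com rather than under the apex of `zone.example.com`, so the example only shows the rule if the server also serves example.com; either say so or use a name beneath the zone (as the earlier text on names "underneath the child's apex" suggests). The PTR pointing at `servus.example.net` while the forward name is `servus.ns.example.com` looks like a typo unless the reader is told the reverse name deliberately differs; a sentence to that effect would help. Finally, `127.0.0.2` is a loopback address standing in for a real one; label the addresses as placeholders so nobody copies them into a zone file.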