NAME

dns - the LCFG DNS component

DESCRIPTION

This component starts the DNS service. It generates the DNS client configuration (/etc/resolv.conf). If the resource dns.type is set to server it also generates the server configuration (/etc/named.conf) and starts the server. The update method schedules immediate zone maintenance for some or all of a server's configured zones.

The component implements a nagios translator. See below for monitoring instructions.

This documentation refers to lcfg-dns version 6.4.1 schema 4.

GENERIC RESOURCES

type

The type of DNS service. Valid options are client (the default) and server.

contextlabel

This resource does not actually affect the operation of the component, but instead is included in some of its messages. Setting it to some lcfg context-specific value might therefore be useful to the user.

logFile

This resource defines the name of a log file, which will be processed when the logrotate method is called.

srv
srvDomain

These resources provide a means for systems' SRV requirements to be communicated to a zone master. Because of the limitations of the LCFG spanning maps, srv entries have to be packaged up like so: service.proto[.name[@domain]];port[;priority[;weight]]. srvDomain will default to the value of ourdomain.
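A parser for that packed srv format, added here as an example and not part of the lcfg-dns component itself: it unpacks one entry into its fields, falls back to the srvDomain value when no `@domain` is given, and renders the SRV record the zone master would carry. The target host, and the default priority and weight of 0 when they are omitted, are assumptions of this example; the component's own defaults are not stated on this page.

```python
"""Unpack the LCFG dns component's packed srv entries into SRV records."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class SrvSpec:
    service: str
    proto: str
    name: Optional[str]   # optional extra owner labels before the domain
    domain: str
    port: int
    priority: int
    weight: int


def parse_srv(entry: str, srv_domain: str,
              default_priority: int = 0, default_weight: int = 0) -> SrvSpec:
    """Parse 'service.proto[.name[@domain]];port[;priority[;weight]]'.

    srv_domain stands in for the srvDomain resource (itself defaulting to
    ourdomain).  The 0/0 priority and weight defaults are an assumption of
    this example, not a documented component default.
    """
    parts = entry.split(";")
    if not 2 <= len(parts) <= 4:
        raise ValueError(f"expected 2-4 ';'-separated fields: {entry!r}")
    head, port = parts[0], int(parts[1])
    priority = int(parts[2]) if len(parts) > 2 else default_priority
    weight = int(parts[3]) if len(parts) > 3 else default_weight
    if not 0 < port < 65536:
        raise ValueError(f"port out of range: {port}")
    # The domain, if present, follows the '@'; otherwise srvDomain applies.
    head, _, domain = head.partition("@")
    domain = domain or srv_domain
    # service and proto are the first two dot-separated labels; anything
    # after them is the optional name (which may itself contain dots).
    labels = head.split(".", 2)
    if len(labels) < 2 or not all(labels):
        raise ValueError(f"need at least service.proto: {entry!r}")
    name = labels[2] if len(labels) == 3 else None
    return SrvSpec(labels[0], labels[1], name, domain, port, priority, weight)


def srv_owner(spec: SrvSpec) -> str:
    """Owner name in RFC 2782 form: _service._proto[.name].domain."""
    owner = f"_{spec.service}._{spec.proto}"
    if spec.name:
        owner += "." + spec.name
    return f"{owner}.{spec.domain}."


def srv_record(spec: SrvSpec, target: str) -> str:
    """Zone-file line; target is the host offering the service (an assumption
    of this example: the page does not say where the target comes from)."""
    return (f"{srv_owner(spec)} IN SRV "
            f"{spec.priority} {spec.weight} {spec.port} {target}.")


if __name__ == "__main__":
    spec = parse_srv("ldap.tcp;389", "example.org")          # constructed entry
    print(srv_record(spec, "ldap1.example.org"))
```

Malformed entries (a missing proto label, a port outside 1-65535) raise ValueError rather than producing a half-formed record, which is the behaviour you want before anything reaches a zone file.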

RESOLVER RESOURCES

ourdomain

What domain do we live in? (We can't rely on hostname or domainname or dnsdomainname or the like for this, as they're likely to try to do some kind of address lookup and we can't rely on that working!)

servers

A list of servers to place in the /etc/resolv.conf file. The order of servers in the list can be randomized. If type is set to server then servers will default to 127.0.0.1. Note that while the object will translate names to the addresses required in the configuration file, this will be done using the /etc/resolv.conf file's previous contents. It might therefore be thought better for this resource to contain explicit addresses rather than names.

randomize

This resource, if set to yes, will randomize the dns.servers list.

fallback

A list of servers to be used in extremis if servers happens not to be set for some reason. Dotted-quads would probably be a good idea here. The order of these won't be randomised.

options

A list of resolv.conf options.

A list of domains for the resolv.conf "search" list.

global_sortlist
cluster_sortlist
local_sortlist

Sortlists to be included in the /etc/resolv.conf file. "local" entries come first, followed by the machine's attached wires, with the "global" entries coming last.

local_netmask

A netmask to be applied to the machine's attached interfaces when constructing the sortlist.

explicit_sortlist

If set, only the explicit sortlist resources are used when constructing the resolver sortlist. The implicit list derived by the component from the configured interfaces is not used.
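The following is an added example (not the component's own code) of the resolv.conf assembly the resources in this section describe: the sortlist is built in the stated order (local entries, then one entry per attached interface masked with local_netmask, then global entries, with explicit_sortlist suppressing the interface-derived part), the servers list is optionally shuffled, and fallback is used only when servers is empty and is never shuffled. The parameter names `search`, `interfaces` and `rng` are this example's own.

```python
"""Build /etc/resolv.conf content from LCFG-style resolver resources."""
import ipaddress
import random
from typing import List, Optional, Sequence, Tuple


def build_sortlist(local: Sequence[str],
                   interfaces: Sequence[Tuple[str, str]],
                   global_: Sequence[str],
                   local_netmask: Optional[str] = None,
                   explicit: bool = False) -> List[str]:
    """Return sortlist entries as 'network/netmask' strings.

    interfaces is a list of (address, netmask) pairs for the machine's
    attached wires; local_netmask, when given, overrides each interface's
    own mask (the local_netmask resource).  explicit=True mirrors
    explicit_sortlist: only the local and global entries are kept.
    """
    entries = list(local)
    if not explicit:
        for addr, mask in interfaces:
            net = ipaddress.ip_network(f"{addr}/{local_netmask or mask}",
                                       strict=False)
            entries.append(f"{net.network_address}/{net.netmask}")
    entries.extend(global_)
    return entries


def render_resolv_conf(ourdomain: str,
                       servers: Sequence[str],
                       fallback: Sequence[str],
                       search: Sequence[str] = (),
                       options: Sequence[str] = (),
                       sortlist: Sequence[str] = (),
                       randomize: bool = False,
                       rng: Optional[random.Random] = None) -> str:
    """Render the file.  fallback is consulted only when servers is empty
    and its order is never randomised, matching the resource descriptions."""
    nameservers = list(servers)
    if nameservers:
        if randomize:
            (rng or random).shuffle(nameservers)
    else:
        nameservers = list(fallback)
    if not nameservers:
        raise ValueError("servers and fallback are both empty")
    # 'search' and 'domain' are alternatives in resolv.conf; emit 'domain'
    # only when no search list is configured.
    lines = ["search " + " ".join(search)] if search else [f"domain {ourdomain}"]
    lines += [f"nameserver {s}" for s in nameservers]
    if sortlist:
        lines.append("sortlist " + " ".join(sortlist))
    if options:
        lines.append("options " + " ".join(options))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample values, not a real site's configuration.
    sl = build_sortlist(["192.168.1.0/255.255.255.0"],
                        [("10.20.30.40", "255.255.0.0")],
                        ["10.0.0.0/255.0.0.0"])
    print(render_resolv_conf("example.org", ["10.0.0.53", "10.0.1.53"],
                             ["127.0.0.1"], search=["example.org"],
                             options=["timeout:2"], sortlist=sl), end="")
```

Two practical notes: the glibc stub resolver honours at most three nameserver lines, so shuffling a longer list changes which servers are used at all, not just their order; and because the entries here are written as literal addresses, nothing in this step depends on the previous resolv.conf working, which is the reason the servers resource description prefers addresses to names.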

GAI.CONF RESOURCES

gaiConfType

Do we manage the /etc/gai.conf file at all? If this is null then we ignore the file completely. If it's non-null then the value will say whether to start with the default entries ("default") or completely blank ("blank").

gaiConfList

A tag-list of additional entries to add to the /etc/gai.conf file. For each entry in the list there must be a corresponding gaiConfAddr_... and gaiConfPrecedence_... and there can also be an optional gaiConfLabel_.... See the man-page for gai.conf for the meanings of these.

SERVER RESOURCES

forwarders

The addresses of forwarders which should be queried for unknown names before going out onto the Internet at large.

slave

If forwarders are set, use them exclusively to answer for unknown names and don't ever ask on the Internet at large.

transfers_in
transfers_out
transfers_per_ns

If set, transfers_in and transfers_out limit the number of concurrent inbound and outbound zone transfers respectively, and transfers_per_ns limits the number of concurrent inbound transfers from any single remote nameserver. If not set the compiled-in version-dependent default is used.

files

If defined, set an upper bound on the number of files which the server is allowed to have open at any one time. Usually this is set high as a back-stop.

notify

Tell all the NS-listed nameservers when a zone is changed. They'll still eventually find out anyway through the usual zone-maintenance mechanisms, but this speeds things on a little. Note that it is also possible to specify this on a per-zone basis.

also_notify

Contains a list of addresses of stealth-secondary nameservers which should be notified when a master zone changes.

query_source

What should the source address of queries made by the nameserver look like? (Normally this is used to fix the source port for firewalling; the default is to use an unspecified anonymous one.)

transfer_source

Specify the source address and/or port to be used for zone transfer requests. If not specified the default is to use any arbitrary port > 1024.

start_sleep
stop_sleep

Time (in seconds) which the component should sleep for after starting or stopping the nameserver daemon.

run_user
run_group

Specify the user and/or group which the server should run as so as to limit any security exposure which might arise. The component will attempt to chown any files and directories as necessary.

umask

The umask which the component should use, and which will be inherited by any processes it starts.

pid_file

The name of a file into which the nameserver's pid is written at startup.

version

How should the server answer "version.bind txt chaos" queries? If this is blank then the compiled-in default (usually the software version) is used. If it's "RCS" then the dns component's RCS (actually svn!) ID is used. Anything else is used verbatim.

listen_on

If set, contains a list of interface addresses on which named will listen for requests. (127.0.0.1 is the most likely value for this resource to be set to.)

dialup

If set, causes normal zone maintenance to happen only at heartbeat intervals. This can avoid bringing up dialup lines or making large zone transfers over slow links.

heartbeat_interval

How often to do "dialup" zone maintenance. The compiled-in default is 60 (minutes). Setting this to zero disables automatic zone maintenance, so updates are only done after an explicit request.

interface_interval

How often should named scan for new or departing interfaces? The compiled-in default is usually reasonable.

channels
categories

Define the logging done by the nameserver.

channels contains a list of channel tags. For each tag there's a corresponding channel_whatever resource that contains the body of the clause to be written to the configuration. Likewise, categories contains a list of tags for category_whatever.

zones
viewZones

zones contains a list of zone tags for the zones carried in the default view on this server. For each tag in zones there are corresponding type_..., file_... and masters_... resources. The component applies "reasonable" rules as to whether these are required or not. Each zone also has a required zone_... resource and optional znotify_..., zAllowNotify_..., zAllowTransfer_... and zAllowRecursion_... resources. viewZones should be used to define zones which will be added to views other than the default; it takes exactly the same set of additional resources as zones.

preloadZones

We may want the Configure() method to pre-populate (some of) the zone files, to ensure that they're there and ready when named starts up. If so, add the corresponding zone tags to the preloadZones list.

updates

updates contains a list of all the defined update-sets. For each entry there's a corresponding update_thing which contains a list of zone tags. The first entry in updates is used by default if no user-supplied parameter is passed to the Update() method.

acls

acls contains a list of tags specifying which access control list entries to configure into the /etc/named.conf file. For each tag there is a corresponding acl_... resource containing a list of values, in one of bind's acceptable formats, defining the contents of the acl entry. The tag value is used as the name of the acl itself.

allow_query

Contains a list of networks or acl-names, in standard bind format, which are allowed to query this nameserver. An empty list means no restriction.

allow_transfer

Contains a list of networks or acl-names, in standard bind format, which are allowed to do zone-transfers from this nameserver. An empty list means no restriction.

allow_recursion

Contains a list of networks or acl-names, in standard bind format, which are allowed to make recursive queries through this nameserver. An empty list means no restriction.

allow_notify

Contains a list of networks or acl-names, in standard bind format, which are allowed to send notify messages to this nameserver. An empty list means no restriction.

recursion

Enable or disable the nameserver from answering recursively at all.
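As an added example covering the zones, acls, allow_* and recursion resources above (this is illustrative code, not the component's generator), the functions below emit the corresponding named.conf clauses. An empty allow_* list produces no clause, as the descriptions state; the caveat worth keeping in mind is that BIND then applies its own default for that option, which for allow-transfer has historically been "any", so leaving allow_transfer empty on a master means any host can pull the whole zone. The "master needs file, slave needs masters" rule in render_zone is this example's reading of the component's "reasonable" rules, not a documented one.

```python
"""Emit named.conf acl, access-control and zone clauses from LCFG-style
resource values (added example; not the component's own code)."""
from typing import Dict, Optional, Sequence


def _addr_list(values: Sequence[str]) -> str:
    """BIND address-match list: each element terminated by ';'."""
    return "{ " + " ".join(f"{v};" for v in values) + " }"


def render_acls(acls: Dict[str, Sequence[str]]) -> str:
    """acls tag-list plus acl_<tag> values -> one 'acl "tag" {...};' each."""
    return "".join(f'acl "{tag}" {_addr_list(vals)};\n'
                   for tag, vals in acls.items())


def render_access_options(allow_query: Sequence[str] = (),
                          allow_transfer: Sequence[str] = (),
                          allow_recursion: Sequence[str] = (),
                          allow_notify: Sequence[str] = (),
                          recursion: Optional[bool] = None) -> str:
    """options {} block.  An empty list emits nothing ("no restriction"),
    which leaves BIND's compiled-in default in force for that option."""
    lines = []
    for key, vals in (("allow-query", allow_query),
                      ("allow-transfer", allow_transfer),
                      ("allow-recursion", allow_recursion),
                      ("allow-notify", allow_notify)):
        if vals:
            lines.append(f"    {key} {_addr_list(vals)};")
    if recursion is not None:
        lines.append(f"    recursion {'yes' if recursion else 'no'};")
    return "options {\n" + "".join(l + "\n" for l in lines) + "};\n"


def render_zone(zone: str, ztype: str, file: Optional[str] = None,
                masters: Sequence[str] = (), znotify: Optional[bool] = None,
                allow_transfer: Sequence[str] = ()) -> str:
    """One zone clause from the zone_/type_/file_/masters_/znotify_/
    zAllowTransfer_ resources.  Assumed rule: a master zone must name its
    file and a slave zone must name its masters."""
    if ztype == "master" and not file:
        raise ValueError(f"master zone {zone} needs a file")
    if ztype == "slave" and not masters:
        raise ValueError(f"slave zone {zone} needs masters")
    body = [f"    type {ztype};"]
    if file:
        body.append(f'    file "{file}";')
    if masters:
        body.append(f"    masters {_addr_list(masters)};")
    if znotify is not None:
        body.append(f"    notify {'yes' if znotify else 'no'};")
    if allow_transfer:
        body.append(f"    allow-transfer {_addr_list(allow_transfer)};")
    return f'zone "{zone}" IN {{\n' + "".join(l + "\n" for l in body) + "};\n"


if __name__ == "__main__":
    # Constructed sample resources: one acl, a restrictive options block,
    # and a master zone that only its secondaries may transfer.
    print(render_acls({"secondaries": ["10.0.0.53", "10.0.1.53"]}), end="")
    print(render_access_options(allow_query=["any"],
                                allow_transfer=["secondaries"],
                                allow_recursion=["localnets"],
                                recursion=True), end="")
    print(render_zone("example.org", "master",
                      file="/var/named/example.org.zone",
                      znotify=True, allow_transfer=["secondaries"]), end="")
```

The per-zone allow-transfer in the zone clause overrides the global one, which is how zAllowTransfer_... lets a public-facing server keep most zones closed while still feeding its own secondaries.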

additionalFromCache
additionalFromAuth

Control how the "additional data" section in responses is filled in. See the bind documentation (ARM) for details.

dnssecEnable
dnssecValidation
dnssecAcceptExpired
dnssecLookaside

Control how DNSSEC is performed. See the bind documentation (ARM) for details.

named

Where to look for the named binary itself.

rndc

Where to look for the rndc control program.

pending

A list of IN-class files in named.conf format, to be included in the generated server configuration file. The pending method will rotate any new versions of the files on this list into place. How those new versions get there is outwith the scope of this component, though an example expect script is distributed with it.

serial_query_rate

Used to limit the number of outstanding SOA queries during zone maintenance. The value is in queries/second.

zoneStats

Set to enable per-zone statistics.

statistics_file

Specifies the name of the file into which the server will dump its statistics on request.

dump_file

Specifies the name of the file into which the server will dump its internal database on request.

lwres

Enable lightweight resolver support in the server.

INview_match

The "match" rules which should apply to the default IN-class view which the component generates in the /etc/named.conf file.

views

Allows for the creation of additional views. This is a tag-list with the following associated resources:

viewZones_...

A list of tags giving the zones which should be added to this view. These tags MUST be listed in the viewZones tag-list and its associated resources.

viewName_...

The name to be given to the view in the /etc/named.conf file.

viewClass_...

The zone's class, if not "IN".

viewMC_...
viewMD_...

The view's "match-clients" and "match-destinations" definitions respectively. See the BIND ARM for details of what can go in here.

keys

A tag-list of keys which should be defined. (Note that the component will automatically generate its own additional key for rndc control, regardless of whether any keys are explicitly defined here.)

keyID_...

The key-id by which the key will be known in the /etc/named.conf file.

keyAlgo_...

The algorithm to use for the key. See the BIND ARM for details of acceptable algorithms.

keySecret_...

The "secret" material to use for the key. Formats and lengths will depend on the algorithm used.

serverList

A tag list of definitions to be used to create "server" entries in the /etc/named.conf file.

serverAddr_...

The address of the server to which this clause applies.

serverKeys_...

Keys (see above) which should be used for this server.

INSTALLATION RESOURCES

The following resources are used only by the component's Install() method, and therefore do not have any effect during normal operation.

installservers

A list of servers to use in addition to any passed in as parameters to the Install() method.

installsortlist

The sortlist, if any, to be defined in the install-time /etc/resolv.conf file.

installinterface

The name of the interface whose address and netmask should be used to compute the sortlist for the install-time /etc/resolv.conf file if one is not specified explicitly.

PRIVATE RESOURCES

The following resources should not normally have their values changed from the installation defaults. They define where the component's various helper programs have been installed, or provide compatibility hooks. Setting them incorrectly may result in the component not functioning correctly. Refer to the component source itself for details as to their various functions.

keygen
srvgen
makesortlist
getaddr
shufflestring

METHODS

The component implements some additional methods:

fixperms

Reset all the permissions and ownerships of the directories and files under the control of the component. Typically this can be necessary after a system upgrade, as packages may not respect existing settings. It may be useful to call this method nightly from a cron job, for example.

pending

Roll in a new list of zones. See also the description of the pending server resource.

update

Schedule a zone maintenance update, which will usually result in new versions being fetched.

MONITORING

The component implements a nagios translator, allowing nameservers to be monitored. In addition to the usual nagios_client resources, this requires that the check-lcfg-dns RR exists in the domain set as the value of the ourdomain resource, with A value "127.0.0.2".
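An added example of the kind of check that marker record supports (not the component's nagios translator itself): it resolves check-lcfg-dns in ourdomain through the host's stub resolver and reports in the usual nagios plugin convention (exit status 0 OK, 1 WARNING, 2 CRITICAL). The resolver is injectable so the logic can be exercised offline; `resolve_all` and the WARNING case for unexpected extra addresses are this example's own choices.

```python
"""Nagios-style check for the check-lcfg-dns marker record (added example)."""
import socket
import sys
from typing import Callable, List, Tuple

OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3      # nagios plugin exit codes
MARKER_LABEL = "check-lcfg-dns"
EXPECTED_ADDR = "127.0.0.2"                       # A value required by the page


def resolve_all(name: str) -> List[str]:
    """All IPv4 addresses for name via the system resolver (/etc/resolv.conf).
    getaddrinfo repeats addresses per socket type, so de-duplicate."""
    infos = socket.getaddrinfo(name, None, socket.AF_INET)
    return list(dict.fromkeys(ai[4][0] for ai in infos))


def check_marker(ourdomain: str,
                 resolver: Callable[[str], List[str]] = resolve_all
                 ) -> Tuple[int, str]:
    """Return (exit_code, message) for the marker record in ourdomain."""
    name = f"{MARKER_LABEL}.{ourdomain}"
    try:
        addrs = resolver(name)
    except OSError as exc:                # NXDOMAIN, SERVFAIL, timeout ...
        return CRITICAL, f"CRITICAL: {name} did not resolve ({exc})"
    if addrs == [EXPECTED_ADDR]:
        return OK, f"OK: {name} -> {EXPECTED_ADDR}"
    if EXPECTED_ADDR in addrs:
        # The marker is present but something else answers too; worth a
        # look, since the zone should carry exactly one A record here.
        return WARNING, f"WARNING: {name} has unexpected extra addresses {addrs}"
    return CRITICAL, f"CRITICAL: {name} -> {addrs}, expected {EXPECTED_ADDR}"


if __name__ == "__main__":
    # Usage: check_lcfg_dns.py <ourdomain>   (domain name is a placeholder)
    domain = sys.argv[1] if len(sys.argv) > 1 else "example.org"
    code, msg = check_marker(domain)
    print(msg)
    sys.exit(code)
```

Because the lookup goes through the same stub resolver the component writes, a CRITICAL here tells you that either the zone lost its marker or the client's resolver path to the authoritative server is broken, which is the failure the monitoring is meant to surface.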

PLATFORMS

Scientific Linux 5, Fedora 13, Scientific Linux 6. (Previous versions also ran on Solaris and various RedHat and Fedora systems.)