This is the reference guide for BIND 10 version 20120712.
Copyright © 2010-2012 Internet Systems Consortium, Inc.
Abstract
BIND 10 is a framework that features Domain Name System (DNS) suite and Dynamic Host Configuration Protocol (DHCP) servers with development managed by Internet Systems Consortium (ISC). It includes DNS libraries, modular components for controlling authoritative and recursive DNS servers, and experimental DHCPv4 and DHCPv6 servers.
This is the reference guide for BIND 10 version 20120712. The most up-to-date version of this document (in PDF, HTML, and plain text formats), along with other documents for BIND 10, can be found at http://bind10.isc.org/docs.
Table of Contents
List of Tables
Table of Contents
ISC would like to acknowledge generous support for BIND 10 development of DHCPv4 and DHCPv6 components provided by Comcast.
Table of Contents
BIND is the popular implementation of a DNS server, developer interfaces, and DNS tools. BIND 10 is a rewrite of BIND 9 and ISC DHCP. BIND 10 is written in C++ and Python and provides a modular environment for serving, maintaining, and developing DNS and DHCP. BIND 10 provides a EDNS0- and DNSSEC-capable authoritative DNS server and a caching recursive name server which also provides forwarding. It also provides experimental DHCPv4 and DHCPv6 servers.
This guide covers the experimental prototype of BIND 10 version 20120712.
BIND 10 builds have been tested on (in no particular order) Debian GNU/Linux 6 and unstable, Ubuntu 9.10, NetBSD 5, Solaris 10 and 11, FreeBSD 7 and 8, CentOS Linux 5.3, MacOS 10.6 and 10.7, and OpenBSD 5.1. It has been tested on Sparc, i386, and amd64 hardware platforms. It is planned for BIND 10 to build, install and run on Windows and standard Unix-type platforms.
Running BIND 10 uses various extra software which may not be provided in some operating systems' default installations nor standard packages collections. You may need to install this required software separately. (For the build requirements, also see Section 2.3, “Building Requirements”.)
BIND 10 requires at least Python 3.1 (http://www.python.org/). It also works with Python 3.2.
BIND 10 uses the Botan crypto library for C++ (http://botan.randombit.net/). It requires at least Botan version 1.8.
BIND 10 uses the log4cplus C++ logging library (http://log4cplus.sourceforge.net/). It requires at least log4cplus version 1.0.3.
The authoritative DNS server uses SQLite3 (http://www.sqlite.org/). It needs at least SQLite version 3.3.9.
The b10-ddns, b10-xfrin, b10-xfrout, and b10-zonemgr components require the libpython3 library and the Python _sqlite3.so module (which is included with Python). Python modules need to be built for the corresponding Python 3.
BIND 10 is modular. Part of this modularity is accomplished using multiple cooperating processes which, together, provide the server functionality. This is a change from the previous generation of BIND software, which used a single process.
At first, running many different processes may seem confusing. However, these processes are started, stopped, and maintained by a single command, bind10. This command starts a master process which will start other processes as needed. The processes started by the bind10 command have names starting with "b10-", including:
These are ran by bind10 and do not need to be manually started independently.
Once BIND 10 is running, a few commands are used to interact directly with the system:
The tools and modules are covered in full detail in this guide. In addition, manual pages are also provided in the default installation.
BIND 10 also provides libraries and programmer interfaces for C++ and Python for the message bus, configuration backend, and, of course, DNS. These include detailed developer documentation and code examples.
Table of Contents
Some operating systems or softare package vendors may provide ready-to-use, pre-built software packages for the BIND 10 suite. Installing a pre-built package means you do not need to install build-only prerequisites and do not need to make the software.
FreeBSD ports, NetBSD pkgsrc, and Debian testing package collections provide all the prerequisite packages.
The following is the standard, common layout of the complete BIND 10 installation:
bin/ —
general tools and diagnostic clients.
etc/bind10-devel/ —
configuration files.
lib/ —
libraries and python modules.
libexec/bind10-devel/ —
executables that a user wouldn't normally run directly and
are not run independently.
These are the BIND 10 modules which are daemons started by
the bind10 tool.
sbin/ —
commands used by the system administrator.
share/bind10-devel/ —
configuration specifications.
share/doc/bind10-devel/ —
this guide and other supplementary documentation.
share/man/ —
manual pages (online documentation).
var/bind10-devel/ —
data source and configuration databases.
In addition to the run-time requirements (listed in Section 1.2, “Required Software at Run-time”), building BIND 10 from source code requires various development include headers and program development tools.
Some operating systems have split their distribution packages into a run-time and a development package. You will need to install the development package versions, which include header files and libraries, to build BIND 10 from source code.
Building from source code requires the Boost build-time headers (http://www.boost.org/). At least Boost version 1.35 is required.
To build BIND 10, also install the Botan (at least version 1.8) and the log4cplus (at least version 1.0.3) development include headers.
Building BIND 10 also requires a C++ compiler and standard development headers, make, and pkg-config. BIND 10 builds have been tested with GCC g++ 3.4.3, 4.1.2, 4.1.3, 4.2.1, 4.3.2, and 4.4.1; Clang++ 2.8; and Sun C++ 5.10.
Visit the user-contributed wiki at http://bind10.isc.org/wiki/SystemSpecificNotes for system-specific installation tips.
This quickly covers the standard steps for installing and deploying BIND 10 as an authoritative name server using its defaults. For troubleshooting, full customizations and further details, see the respective chapters in the BIND 10 guide.
To quickly get started with BIND 10, follow these steps.
Extract the tar file:
$ gzcat bind10-VERSION.tar.gz | tar -xvf -
Go into the source and run configure:
$cd bind10-$VERSION./configure
Build it:
$ make
Install it (to default /usr/local):
$ make install
Start the server:
$ /usr/local/sbin/bind10
Test it; for example:
$ dig @127.0.0.1 -c CH -t TXT authors.bind
Load desired zone file(s), for example:
$ b10-loadzone your.zone.example.org
BIND 10 is open source software written in C++ and Python. It is freely available in source code form from ISC as a downloadable tar file or via BIND 10's Git code revision control service. (It may also be available in pre-compiled ready-to-use packages from operating system vendors.)
Downloading a release tar file is the recommended method to obtain the source code.
The BIND 10 releases are available as tar file downloads from ftp://ftp.isc.org/isc/bind10/. Periodic development snapshots may also be available.
Downloading this "bleeding edge" code is recommended only for developers or advanced users. Using development code in a production environment is not recommended.
When using source code retrieved via Git, additional software will be required: automake (v1.11 or newer), libtoolize, and autoconf (2.59 or newer). These may need to be installed.
The latest development code (and temporary experiments and un-reviewed code) is available via the BIND 10 code revision control system. This is powered by Git and all the BIND 10 development is public. The leading development is done in the “master” branch.
The code can be checked out from
git://git.bind10.isc.org/bind10;
for example:
$ git clone git://git.bind10.isc.org/bind10
When checking out the code from
the code version control system, it doesn't include the
generated configure script, Makefile.in files, nor their
related build files.
They can be created by running autoreconf
with the --install switch.
This will run autoconf,
aclocal,
libtoolize,
autoheader,
automake,
and related commands.
BIND 10 uses the GNU Build System to discover build environment details. To generate the makefiles using the defaults, simply run:
$ ./configure
Run ./configure with the --help
switch to view the different options. Some commonly-used options are:
/usr/local/).
For example, the following configures it to find the Boost headers, find the Python interpreter, and sets the installation location:
$ ./configure \
--with-boost-include=/usr/pkg/include \
--with-pythonpath=/usr/pkg/bin/python3.1 \
--prefix=/opt/bind10
If the configure fails, it may be due to missing or old dependencies.
After the configure step is complete, to build the executables from the C++ code and prepare the Python scripts, run:
$ make
Table of Contents
BIND 10 provides the bind10 command which starts up the required processes. bind10 will also restart some processes that exit unexpectedly. This is the only command needed to start the BIND 10 system.
After starting the b10-msgq communications channel, bind10 connects to it, runs the configuration manager, and reads its own configuration. Then it starts the other modules.
The b10-sockcreator, b10-msgq and b10-cfgmgr services make up the core. The b10-msgq daemon provides the communication channel between every part of the system. The b10-cfgmgr daemon is always needed by every module, if only to send information about themselves somewhere, but more importantly to ask about their own settings, and about other modules. The b10-sockcreator daemon helps allocate Internet addresses and ports as needed for BIND 10 network services.
In its default configuration, the bind10 master process will also start up b10-cmdctl for administration tools to communicate with the system, and b10-stats for statistics collection.
To start the BIND 10 service, simply run bind10.
Run it with the --verbose switch to
get additional debugging or diagnostic output.
If the setproctitle Python module is detected at start up, the process names for the Python-based daemons will be renamed to better identify them instead of just “python”. This is not needed on some operating systems.
The processes to be used can be configured for
bind10 to start, with the exception
of the required b10-sockcreator,
b10-msgq and b10-cfgmgr
components.
The configuration is in the Boss/components
section. Each element represents one component, which is
an abstraction of a process.
To add a process to the set, let's say the resolver (which is not started by default), you would do this:
>config add Boss/components b10-resolver>config set Boss/components/b10-resolver/special resolver>config set Boss/components/b10-resolver/kind needed>config set Boss/components/b10-resolver/priority 10>config commit
Now, what it means. We add an entry called “b10-resolver”. It is both a name used to reference this component in the configuration and the name of the process to start. Then we set some parameters on how to start it.
The special setting is for components
that need some kind of special care during startup or
shutdown. Unless specified, the component is started in a
usual way. This is the list of components that need to be
started in a special way, with the value of special used
for them:
Table 3.1. Special startup components
| Component | Special | Description |
|---|---|---|
| b10-auth | auth | Authoritative DNS server |
| b10-resolver | resolver | DNS resolver |
| b10-cmdctl | cmdctl | Command control (remote control interface) |
The kind specifies how a failure of the
component should be handled. If it is set to
“dispensable” (the default unless you set
something else), it will get started again if it fails. If
it is set to “needed” and it fails at startup,
the whole bind10 shuts down and exits
with an error exit code. But if it fails some time later, it
is just started again. If you set it to “core”,
you indicate that the system is not usable without the
component and if such component fails, the system shuts
down no matter when the failure happened. This is the
behaviour of the core components (the ones you can't turn
off), but you can declare any other components as core as
well if you wish (but you can turn these off, they just
can't fail).
The priority defines order in which the
components should start. The ones with higher numbers are
started sooner than the ones with lower ones. If you don't
set it, 0 (zero) is used as the priority. Usually, leaving
it at the default is enough.
There are other parameters we didn't use in our example.
One of them is address. It is the address
used by the component on the b10-msgq
message bus. The special components already know their
address, but the usual ones don't. The address is by
convention the thing after b10-, with
the first letter capitalized (eg. b10-stats
would have “Stats” as its address).
The last one is process. It is the name
of the process to be started. It defaults to the name of
the component if not set, but you can use this to override
it. (The special components also already know their
executable name.)
The configuration is quite powerful, but that includes a lot of space for mistakes. You could turn off the b10-cmdctl, but then you couldn't change it back the usual way, as it would require it to be running (you would have to find and edit the configuration directly). Also, some modules might have dependencies: b10-stats-httpd needs b10-stats, b10-xfrout needs b10-auth to be running, etc.
In short, you should think twice before disabling something here.
It is possible to start some components multiple times (currently b10-auth and b10-resolver). You might want to do that to gain more performance (each one uses only single core). Just put multiple entries under different names, like this, with the same config:
>config add Boss/components b10-resolver-2>config set Boss/components/b10-resolver-2/special resolver>config set Boss/components/b10-resolver-2/kind needed>config commit
However, this is work in progress and the support is not yet complete. For example, each resolver will have its own cache, each authoritative server will keep its own copy of in-memory data and there could be problems with locking the sqlite database, if used. The configuration might be changed to something more convenient in future. Other components don't expect such a situation, so it would probably not do what you want. Such support is yet to be implemented.
The BIND 10 components use the b10-msgq message routing daemon to communicate with other BIND 10 components. The b10-msgq implements what is called the “Command Channel”. Processes intercommunicate by sending messages on the command channel. Example messages include shutdown, get configurations, and set configurations. This Command Channel is not used for DNS message passing. It is used only to control and monitor the BIND 10 system.
Administrators do not communicate directly with the
b10-msgq daemon.
By default, BIND 10 uses a UNIX domain socket file named
/usr/local/var/bind10-devel/msg_socket
for this interprocess communication.
The configuration manager, b10-cfgmgr, handles all BIND 10 system configuration. It provides persistent storage for configuration, and notifies running modules of configuration changes.
The b10-auth and b10-xfrin daemons and other components receive their configurations from the configuration manager over the b10-msgq command channel.
The administrator doesn't connect to it directly, but uses a user interface to communicate with the configuration manager via b10-cmdctl's REST-ful interface. b10-cmdctl is covered in Chapter 6, Remote control daemon.
The development prototype release only provides bindctl as a user interface to b10-cmdctl. Upcoming releases will provide another interactive command-line interface and a web-based interface.
The b10-cfgmgr daemon can send all specifications and all current settings to the bindctl client (via b10-cmdctl). b10-cfgmgr relays configurations received from b10-cmdctl to the appropriate modules.
The stored configuration file is at
/usr/local/var/bind10-devel/b10-config.db.
(The directory is what was defined at build configure time for
--localstatedir.
The default is /usr/local/var/.)
The format is loosely based on JSON and is directly parseable
python, but this may change in a future version.
This configuration data file is not manually edited by the
administrator.
The configuration manager does not have any command line arguments. Normally it is not started manually, but is automatically started using the bind10 master process (as covered in Chapter 3, Starting BIND10 with bind10).
Table of Contents
b10-cmdctl is the gateway between administrators and the BIND 10 system. It is a HTTPS server that uses standard HTTP Digest Authentication for username and password validation. It provides a REST-ful interface for accessing and controlling BIND 10.
When b10-cmdctl starts, it firsts asks b10-cfgmgr about what modules are running and what their configuration is (over the b10-msgq channel). Then it will start listening on HTTPS for clients — the user interface — such as bindctl.
b10-cmdctl directly sends commands (received from the user interface) to the specified component. Configuration changes are actually commands to b10-cfgmgr so are sent there.
The HTTPS server requires a private key,
such as a RSA PRIVATE KEY.
The default location is at
/usr/local/etc/bind10-devel/cmdctl-keyfile.pem.
(A sample key is at
/usr/local/share/bind10-devel/cmdctl-keyfile.pem.)
It also uses a certificate located at
/usr/local/etc/bind10-devel/cmdctl-certfile.pem.
(A sample certificate is at
/usr/local/share/bind10-devel/cmdctl-certfile.pem.)
This may be a self-signed certificate or purchased from a
certification authority.
The HTTPS server doesn't support a certificate request from a client (at this time). The b10-cmdctl daemon does not provide a public service. If any client wants to control BIND 10, then a certificate needs to be first received from the BIND 10 administrator. The BIND 10 installation provides a sample PEM bundle that matches the sample key and certificate.
The b10-cmdctl daemon also requires
the user account file located at
/usr/local/etc/bind10-devel/cmdctl-accounts.csv.
This comma-delimited file lists the accounts with a user name,
hashed password, and salt.
(A sample file is at
/usr/local/share/bind10-devel/cmdctl-accounts.csv.
It contains the user named “root” with the password
“bind10”.)
The administrator may create a user account with the b10-cmdctl-usermgr tool.
By default the HTTPS server listens on the localhost port 8080.
The port can be set by using the --port command line option.
The address to listen on can be set using the --address command
line argument.
Each HTTPS connection is stateless and times out in 1200 seconds
by default. This can be
redefined by using the --idle-timeout command line argument.
The configuration items for b10-cmdctl are:
accounts_file which defines the path to the
user accounts database (the default is
/usr/local/etc/bind10-devel/cmdctl-accounts.csv);
cert_file which defines the path to the
PEM certificate file (the default is
/usr/local/etc/bind10-devel/cmdctl-certfile.pem);
and
key_file which defines the path to the
PEM private key file (the default is
/usr/local/etc/bind10-devel/cmdctl-keyfile.pem).
For this development prototype release, bindctl is the only user interface. It is expected that upcoming releases will provide another interactive command-line interface and a web-based interface for controlling and configuring BIND 10.
The bindctl tool provides an interactive prompt for configuring, controlling, and querying the BIND 10 components. It communicates directly with a REST-ful interface over HTTPS provided by b10-cmdctl. It doesn't communicate to any other components directly.
Configuration changes are actually commands to b10-cfgmgr. So when bindctl sends a configuration, it is sent to b10-cmdctl (over a HTTPS connection); then b10-cmdctl sends the command (over a b10-msgq command channel) to b10-cfgmgr which then stores the details and relays (over a b10-msgq command channel) the configuration on to the specified module.
Table of Contents
The b10-auth is the authoritative DNS server. It supports EDNS0, DNSSEC, IPv6, and SQLite3 and in-memory zone data backends. Normally it is started by the bind10 master process.
b10-auth is configured via the b10-cfgmgr configuration manager. The module name is “Auth”. The configuration data items are:
datasources configures data sources.
The list items include:
type to define the required data source type
(such as “memory”);
class to optionally select the class
(it defaults to “IN”);
and
zones to define
the file path name,
the filetype (“sqlite3” to load
from a SQLite3 database file or “text” to
load from a master text file),
and the origin (default domain).
By default, this is empty.
In this development version, currently this is only used for the memory data source. Only the IN class is supported at this time. By default, the memory data source is disabled. Also, currently the zone file must be canonical such as generated by named-compilezone -D, or must be an SQLite3 database.
listen_on is a list of addresses and ports for
b10-auth to listen on.
The list items are the address string
and port number.
By default, b10-auth listens on port 53
on the IPv6 (::) and IPv4 (0.0.0.0) wildcard addresses.
The default configuration is currently not appropriate for a multi-homed host. In case you have multiple public IP addresses, it is possible the query UDP packet comes through one interface and the answer goes out through another. The answer will probably be dropped by the client, as it has a different source address than the one it sent the query to. The client would fallback on TCP after several attempts, which works well in this situation, but is clearly not ideal.
There are plans to solve the problem such that the server handles it by itself. But until it is actually implemented, it is recommended to alter the configuration — remove the wildcard addresses and list all addresses explicitly. Then the server will answer on the same interface the request came on, preserving the correct address.
statistics-interval is the timer interval
in seconds for b10-auth to share its
statistics information to
b10-stats(8).
Statistics updates can be disabled by setting this to 0.
The default is 60.
The configuration commands are:
class which optionally defines the class
(it defaults to “IN”);
origin is the domain name of the zone;
and
datasrc optionally defines the type of datasource
(it defaults to “memory”).
In this development version, currently this only supports the IN class and the memory data source.
pid argument to
select the process ID to stop.
(Note that the BIND 10 boss process may restart this service
if configured.)
Bind 10 has the concept of data sources. A data source is a place where authoritative zone data reside and where they can be served from. This can be a master file, a database or something completely different.
Once a query arrives, b10-auth goes through a configured list of data sources and finds the one containing a best matching zone. From the equally good ones, the first one is taken. This data source is then used to answer the query.
In the development prototype release, b10-auth can serve data from a SQLite3 data source backend and from master files. Upcoming versions will be able to use multiple different data sources, such as MySQL and Berkeley DB.
The configuration is located in data_sources/classes. Each item there
represents one RR class and a list used to answer queries for that
class. The default contains two classes. The CH class contains a static
data source — one that serves things like
“AUTHORS.BIND.”. The IN class contains single SQLite3
data source with database file located at
/usr/local/var/bind10-devel/zone.sqlite3.
Each data source has several options. The first one is
type, which specifies the type of data source to
use. Valid types include the ones listed below, but bind10 uses
dynamically loaded modules for them, so there may be more in your
case. This option is mandatory.
Another option is params. This option is type
specific; it holds different data depending on the type
above. Also, depending on the type, it could be possible to omit it.
There are two options related to the so-called cache. If you enable
cache, zone data from the data source are loaded into memory.
Then, when answering a query, b10-auth looks
into the memory only instead of the data source, which speeds
answering up. The first option is cache-enable,
a boolean value turning the cache on and off (off is the default).
The second one, cache-zones, is a list of zone
origins to load into in-memory. Remember that zones in the data source
not listed here will not be loaded and will not be available at all.
As mentioned, the type used by default is “sqlite3”.
It has single configuration option inside params
— database_file, which contains the path
to the sqlite3 file containing the data.
Another type is called “MasterFiles”. This one is
slightly special. The data are stored in RFC1034 master files.
Because answering directly from them would be impractical,
this type mandates the cache to be enabled. Also, the list of
zones (cache-zones) should be omitted. The
params is a dictionary mapping from zone
origins to the files they reside in.
As this is one of the more complex configurations of Bind10, we show some examples. They all assume they start with default configuration.
First, let's disable the static data source (“VERSION.BIND” and friends). As it is the only data source in the CH class, we can remove the whole class.
>config remove data_sources/classes CH>config commit
Another one, let's say our default data source contains zones “example.org.” and “example.net.”. We want them to be served from memory to make the answering faster.
>config set data_sources/classes/IN[0]/cache-enable true>config add data_sources/classes/IN[0]/cache-zones example.org.>config add data_sources/classes/IN[0]/cache-zones example.net.>config commit
Now every time the zone in the data source is changed by the operator, Bind10 needs to be told to reload it, by
> Auth loadzone example.orgYou don't need to do this when the zone is modified by XfrIn, it does so automatically.
Now, the last example is when there are master files we want to serve in addition to whatever is inside the sqlite3 database.
>config add data_sources/classes/IN>config set data_sources/classes/IN[1]/type MasterFiles>config set data_sources/classes/IN[1]/cache-enable true>config set data_sources/classes/IN[1]/params { "example.org": "/path/to/example.org", "example.com": "/path/to/example.com" }>config commit
Initially, a map value has to be set, but this value may be an empty map. After that, key/value pairs can be added with 'config add' and keys can be removed with 'config remove'. The initial value may be an empty map, but it has to be set before zones are added or removed.
>config set data_sources/classes/IN[1]/params {}>config add data_sources/classes/IN[1]/params another.example.org /path/to/another.example.org>config add data_sources/classes/IN[1]/params another.example.com /path/to/another.example.com>config remove data_sources/classes/IN[1]/params another.example.org
bindctl. To reload a zone, you the same command as above.
There's also Auth/database_file configuration
variable, pointing to a sqlite3 database file. This is no longer
used by b10-auth, but it is left in place for
now, since other modules use it. Once b10-xfrin,
b10-xfrout and b10-ddns
are ported to the new configuration, this will disappear. But for
now, make sure that if you use any of these modules, the new
and old configuration correspond. The defaults are consistent, so
unless you tweaked either the new or the old configuration, you're
good.
RFC 1035 style DNS master zone files may imported into a BIND 10 SQLite3 data source by using the b10-loadzone utility.
b10-loadzone supports the following special directives (control entries):
The -o argument may be used to define the
default origin for loaded zone file records.
In the development prototype release, only the SQLite3 back
end is used by b10-loadzone.
By default, it stores the zone data in
/usr/local/var/bind10-devel/zone.sqlite3
unless the -d switch is used to set the
database filename.
Multiple zones are stored in a single SQLite3 zone database.
If you reload a zone already existing in the database, all records from that prior zone disappear and a whole new set appears.
Table of Contents
Incoming zones are transferred using the b10-xfrin process which is started by bind10. When received, the zone is stored in the corresponding BIND 10 data source, and its records can be served by b10-auth. In combination with b10-zonemgr (for automated SOA checks), this allows the BIND 10 server to provide secondary service.
The b10-xfrin process supports both AXFR and IXFR. Due to some implementation limitations of the current development release, however, it only tries AXFR by default, and care should be taken to enable IXFR.
In practice, you need to specify a list of secondary zones to enable incoming zone transfers for these zones (you can still trigger a zone transfer manually, without a prior configuration (see below)).
For example, to enable zone transfers for a zone named "example.com" (whose master address is assumed to be 2001:db8::53 here), run the following at the bindctl prompt:
>config add Xfrin/zones>config set Xfrin/zones[0]/name ">example.com"config set Xfrin/zones[0]/master_addr ">2001:db8::53"config commit
(We assume there has been no zone configuration before).
As noted above, b10-xfrin uses AXFR for
zone transfers by default. To enable IXFR for zone transfers
for a particular zone, set the use_ixfr
configuration parameter to true.
In the above example of configuration sequence, you'll need
to add the following before performing commit:
> config set Xfrin/zones[0]/use_ixfr true
One reason why IXFR is disabled by default in the current release is because it does not support automatic fallback from IXFR to AXFR when it encounters a primary server that doesn't support outbound IXFR (and, not many existing implementations support it). Another, related reason is that it does not use AXFR even if it has no knowledge about the zone (like at the very first time the secondary server is set up). IXFR requires the "current version" of the zone, so obviously it doesn't work in this situation and AXFR is the only workable choice. The current release of b10-xfrin does not make this selection automatically. These features will be implemented in a near future version, at which point we will enable IXFR by default.
The b10-zonemgr process is started by bind10. It keeps track of SOA refresh, retry, and expire timers and other details for BIND 10 to perform as a slave. When the b10-auth authoritative DNS server receives a NOTIFY message, b10-zonemgr may tell b10-xfrin to do a refresh to start an inbound zone transfer. The secondary manager resets its counters when a new zone is transferred in.
Access control (such as allowing notifies) is not yet provided. The primary/secondary service is not yet complete.
The following example shows using bindctl to configure the server to be a secondary for the example zone:
>config add Zonemgr/secondary_zones>config set Zonemgr/secondary_zones[0]/name ">example.com"config commit
If the zone does not exist in the data source already (i.e. no SOA record for it), b10-zonemgr will automatically tell b10-xfrin to transfer the zone in.
To manually trigger a zone transfer to retrieve a remote zone, you may use the bindctl utility. For example, at the bindctl prompt run:
> Xfrin retransfer zone_name="foo.example.org" master=192.0.2.99
In the case of an incoming zone transfer, the received zone is
first stored in the corresponding BIND 10 datasource. In
case the secondary zone is served by an in-memory datasource
with an SQLite3 backend, b10-auth is
automatically sent a loadzone command to
reload the corresponding zone into memory from the backend.
The administrator doesn't have to do anything for b10-auth to serve the new version of the zone, except for the configuration such as the one described in Section 8.2, “Data Source Backends”.
The b10-xfrout process is started by bind10. When the b10-auth authoritative DNS server receives an AXFR or IXFR request, b10-auth internally forwards the request to b10-xfrout, which handles the rest of this request processing. This is used to provide primary DNS service to share zones to secondary name servers. The b10-xfrout is also used to send NOTIFY messages to secondary servers.
A global or per zone transfer_acl configuration
can be used to control accessibility of the outbound zone
transfer service.
By default, b10-xfrout allows any clients to
perform zone transfers for any zones:
> config show Xfrout/transfer_acl
Xfrout/transfer_acl[0] {"action": "ACCEPT"} any (default)You can change this to, for example, rejecting all transfer requests by default while allowing requests for the transfer of zone "example.com" from 192.0.2.1 and 2001:db8::1 as follows:
>config set Xfrout/transfer_acl[0] {"action": "REJECT"}>config add Xfrout/zone_config>config set Xfrout/zone_config[0]/origin "example.com">config set Xfrout/zone_config[0]/transfer_acl [{"action": "ACCEPT", "from": "192.0.2.1"},{"action": "ACCEPT", "from": "2001:db8::1"}]>config commit
In the above example the lines
for transfer_acl were divided for
readability. In the actual input it must be in a single line.
If you want to require TSIG in access control, a system wide TSIG "key ring" must be configured. For example, to change the previous example to allowing requests from 192.0.2.1 signed by a TSIG with a key name of "key.example", you'll need to do this:
>config set tsig_keys/keys ["key.example:<base64-key>"]>config set Xfrout/zone_config[0]/transfer_acl [{"action": "ACCEPT", "from": "192.0.2.1", "key": "key.example"}]>config commit
Both b10-xfrout and b10-auth will use the system wide keyring to check TSIGs in the incoming messages and to sign responses.
The way to specify zone specific configuration (ACLs, etc) is likely to be changed.
Table of Contents
BIND 10 supports the server side of the Dynamic DNS Update (DDNS) protocol as defined in RFC 2136. This service is provided by the b10-ddns component, which is started by the bind10 process if configured so.
When the b10-auth authoritative DNS server receives an UPDATE request, it internally forwards the request to b10-ddns, which handles the rest of this request processing. When the processing is completed, b10-ddns will send a response to the client as specified in RFC 2136 (NOERROR for successful update, REFUSED if rejected due to ACL check, etc). If the zone has been changed as a result, it will internally notify b10-xfrout so that other secondary servers will be notified via the DNS NOTIFY protocol. In addition, if b10-auth serves the updated zone (as described in Section 8.2, “Data Source Backends”), b10-ddns will also notify b10-auth so that b10-auth will re-cache the updated zone content if necessary.
The b10-ddns component supports requests over both UDP and TCP, and both IPv6 and IPv4; for TCP requests, however, it terminates the TCP connection immediately after each single request has been processed. Clients cannot reuse the same TCP connection for multiple requests. (This is a current implementation limitation of b10-ddns. While RFC 2136 doesn't specify anything about such reuse of TCP connection, there is no reason for disallowing it as RFC 1035 generally allows multiple requests sent over a single TCP connection. BIND 9 supports such reuse.)
As of this writing b10-ddns does not support update forwarding for secondary zones. If it receives an update request for a secondary zone, it will immediately return a “not implemented” response.
For feature completeness, update forwarding should be eventually supported. But currently it's considered a lower priority task and there is no specific plan of implementing this feature.
First off, it must be made sure that a few components on which b10-ddns depends are configured to run, which are b10-auth and b10-zonemgr. In addition, b10-xfrout should also be configured to run; otherwise the notification after an update (see above) will fail with a timeout, suspending the DDNS service while b10-ddns waits for the response (see the description of the DDNS_UPDATE_NOTIFY_FAIL log message for further details). If BIND 10 is already configured to provide authoritative DNS service they should normally be configured to run already.
Second, for the obvious reason dynamic update requires that the
underlying data source storing the zone data be writable.
In the current implementation this means the zone must be stored
in an SQLite3-based data source.
Also, in this development version, the b10-ddns
component configures itself with the data source referring to the
database_file configuration parameter of
b10-auth.
So this information must be configured correctly before starting
b10-ddns.
The way to configure data sources is now being revised. Configuration on the data source for DDNS will be very likely to be changed in a backward incompatible manner in a near future version.
In general, if something goes wrong regarding the dependency described above, b10-ddns will log the related event at the warning or error level. It's advisable to check the log message when you first enable DDNS or if it doesn't work as you expect to see if there's any warning or error log message.
Next, to enable the DDNS service, b10-ddns needs to be explicitly configured to run. It can be done by using the bindctl utility. For example:
>config add Boss/components b10-ddns>config set Boss/components/b10-ddns/address DDNS>config set Boss/components/b10-ddns/kind dispensable>config commit
In theory kind could be omitted because
"dispensable" is its default.
But there's some peculiar behavior (which should be a
bug and should be fixed eventually; see Trac ticket #2064)
with bindctl and you'll still need to
specify that explicitly. Likewise, address
may look unnecessary because b10-ddns
would start and work without specifying it. But for it
to shutdown gracefully this parameter should also be
specified.
By default, b10-ddns rejects any update
requests from any clients by returning a REFUSED response.
To allow updates to take effect, an access control rule
(called update ACL) with a policy allowing updates must explicitly be
configured.
Update ACL must be configured per zone basis in the
zones configuration parameter of
b10-ddns.
This is a list of per-zone configurations regarding DDNS.
Each list element consists of the following parameters:
The syntax of the ACL is the same as ACLs for other components. Specific examples are given below.
In general, an update ACL rule that allows an update request should be configured with a TSIG key. This is an example update ACL that allows updates to the zone named “example.org” (of default RR class “IN”) from clients that send requests signed with a TSIG whose key name is "key.example.org" (and refuses all others):
>config add DDNS/zones>config set DDNS/zones[0]/origin example.org>config add DDNS/zones[0]/update_acl {"action": "ACCEPT", "key": "key.example.org"}>config commit
The TSIG key must be configured system wide (see Chapter 10, Outbound Zone Transfers.)
Multiple rules can be specified in the ACL, and an ACL rule can consist of multiple constraints, such as a combination of IP address and TSIG. The following configuration sequence will add a new rule to the ACL created in the above example. This additional rule allows update requests sent from a client using TSIG key name of "key.example" (different from the key used in the previous example) and has an IPv6 address of ::1.
>config add DDNS/zones[0]/update_acl {"action": "ACCEPT", "from": "::1", "key": "key.example"}>config show DDNS/zones[0]/update_aclDDNS/zones[0]/update_acl[0] {"action": "ACCEPT", "key": "key.example.org"} any (modified) DDNS/zones[0]/update_acl[1] {"action": "ACCEPT", "from": "::1", "key": "key.example"} any (modified) >config commit
(Note the "add" in the first line. Before this sequence, we
have had only entry in zones[0]/update_acl.
The add command with a value (rule) adds
a new entry and sets it to the given rule.
Due to a limitation of the current implementation, it doesn't
work if you first try to just add a new entry and then set it to
a given rule.)
The b10-ddns component accepts an ACL rule that just allows updates from a specific IP address (i.e., without requiring TSIG), but this is highly discouraged (remember that requests can be made over UDP and spoofing the source address of a UDP packet is often pretty easy). Unless you know what you are doing and that you can accept its consequence, any update ACL rule that allows updates should have a TSIG key in its constraints.
The ACL rules will be checked in the listed order, and the first matching one will apply. If none of the rules matches, the default rule will apply, which is rejecting any requests in the case of b10-ddns.
Other actions than "ACCEPT", namely "REJECT" and "DROP", can be used, too. See Chapter 12, Recursive Name Server about their effects.
Currently update ACL can only control updates per zone basis; it's not possible to specify access control with higher granularity such as for particular domain names or specific types of RRs.
Contrary to what RFC 2136 (literally) specifies, b10-ddns checks the update ACL before checking the prerequisites of the update request. This is a deliberate implementation decision. This counter intuitive specification has been repeatedly discussed among implementers and in the IETF, and it is now widely agreed that it does not make sense to strictly follow that part of RFC. One known specific bad result of following the RFC is that it could leak information about which name or record exists or does not exist in the zone as a result of prerequisite checks even if a zone is somehow configured to reject normal queries from arbitrary clients. There have been other troubles that could have been avoided if the ACL could be checked before the prerequisite check.
Unlike BIND 9, BIND 10 currently does not support automatic re-signing of DNSSEC-signed zone when it's updated via DDNS. It could be possible to re-sign the updated zone afterwards or make sure the update request also updates related DNSSEC records, but that will be pretty error-prone operation. In general, it's not advisable to allow DDNS for a signed zone at this moment.
Also unlike BIND 9, it's currently not possible to “freeze” a zone temporarily in order to suspend DDNS while you manually update the zone. If you need to make manual updates to a dynamic zone, you'll need to temporarily reject any updates to the zone via the update ACLs.
Dynamic updates are only applicable to primary zones. In order to avoid updating secondary zones via DDNS requests, b10-ddns refers to the “secondary_zones” configuration of b10-zonemgr. Zones listed in “secondary_zones” will never be updated via DDNS regardless of the update ACL configuration; b10-ddns will return a NOTAUTH (server not authoritative for the zone) response. If you have a "conceptual" secondary zone whose content is a copy of some external source but is not updated via the standard zone transfers and therefore not listed in “secondary_zones”, be careful not to allow DDNS for the zone; it would be quite likely to lead to inconsistent state between different servers. Normally this should not be a problem because the default update ACL rejects any update requests, but you may want to take an extra care about the configuration if you have such type of secondary zones.
The difference of two versions of a zone, before and after a DDNS transaction, is automatically recorded in the underlying data source, and can be retrieved in the form of outbound IXFR. This is done automatically; it does not require specific configuration to make this possible.
Table of Contents
The b10-resolver process is started by bind10.
The main bind10 process can be configured to select to run either the authoritative or resolver or both. By default, it doesn't start either one. You may change this using bindctl, for example:
>config add Boss/components b10-resolver>config set Boss/components/b10-resolver/special resolver>config set Boss/components/b10-resolver/kind needed>config set Boss/components/b10-resolver/priority 10>config commit
The master bind10 will stop and start the desired services.
By default, the resolver listens on port 53 for 127.0.0.1 and ::1. The following example shows how it can be configured to listen on an additional address (and port):
>config add Resolver/listen_on>config set Resolver/listen_on[>2]/address "192.168.1.1"config set Resolver/listen_on[>2]/port 53config commit
(Replace the “2”
as needed; run “config show
Resolver/listen_on” if needed.)
By default, the b10-resolver daemon only accepts
DNS queries from the localhost (127.0.0.1 and ::1).
The Resolver/query_acl configuration may
be used to reject, drop, or allow specific IPs or networks.
This configuration list is first match.
The configuration's action item may be
set to “ACCEPT” to allow the incoming query,
“REJECT” to respond with a DNS REFUSED return
code, or “DROP” to ignore the query without
any response (such as a blackhole). For more information,
see the respective debugging messages: RESOLVER_QUERY_ACCEPTED,
RESOLVER_QUERY_REJECTED,
and RESOLVER_QUERY_DROPPED.
The required configuration's from item is set
to an IPv4 or IPv6 address, addresses with an network mask, or to
the special lowercase keywords “any6” (for
any IPv6 address) or “any4” (for any IPv4
address).
For example to allow the 192.168.1.0/24
network to use your recursive name server, at the
bindctl prompt run:
>config add Resolver/query_acl>config set Resolver/query_acl[>2]/action "ACCEPT"config set Resolver/query_acl[>2]/from "192.168.1.0/24"config commit
(Replace the “2”
as needed; run “config show
Resolver/query_acl” if needed.)
This prototype access control configuration syntax may be changed.
To enable forwarding, the upstream address and port must be configured to forward queries to, such as:
>config set Resolver/forward_addresses [{ "address": ">192.168.1.1", "port": 53 }]config commit
(Replace 192.168.1.1 to point to your
full resolver.)
Normal iterative name service can be re-enabled by clearing the forwarding address(es); for example:
>config set Resolver/forward_addresses []>config commit
Table of Contents
Dynamic Host Configuration Protocol for IPv4 (DHCP or DHCPv4) and Dynamic Host Configuration Protocol for IPv6 (DHCPv6) are protocols that allow one node (server) to provision configuration parameters to many hosts and devices (clients). To ease deployment in larger networks, additional nodes (relays) may be deployed that facilitate communication between servers and clients. Even though principles of both DHCPv4 and DHCPv6 are somewhat similar, these are two radically different protocols. BIND10 offers server implementations for both DHCPv4 and DHCPv6. This chapter is about DHCP for IPv4. For a description of the DHCPv6 server, see Chapter 14, DHCPv6 Server.
The DHCPv4 server component is currently under intense development. You may want to check out BIND10 DHCP (Kea) wiki and recent posts on BIND10 developers mailing list.
The DHCPv4 and DHCPv6 components in BIND10 architecture are internally code named “Kea”.
As of December 2011, both DHCPv4 and DHCPv6 components are skeleton servers. That means that while they are capable of performing DHCP configuration, they are not fully functional yet. In particular, neither has functional lease databases. This means that they will assign the same, fixed, hardcoded addresses to any client that will ask. See Section 13.4, “DHCPv4 Server Limitations” and Section 14.4, “DHCPv6 Server Limitations” for detailed description.
BIND10 provides the DHCPv4 server component since December 2011. It is a skeleton server and can be described as an early prototype that is not fully functional yet. It is mature enough to conduct first tests in lab environment, but it has significant limitations. See Section 13.4, “DHCPv4 Server Limitations” for details.
b10-dhcp4 is a BIND10 component and is being run under BIND10 framework. To add a DHCPv4 process to the set of running BIND10 services, you can use following commands in bindctl:
>config add Boss/components b10-dhcp4>config set Boss/components/b10-dhcp4/kind dispensable>config commit
To shutdown running b10-dhcp4, please use the following command:
> Dhcp4 shutdownor
>config remove Boss/components b10-dhcp4>config commit
During start-up the server will detect available network interfaces and will attempt to open UDP sockets on all interfaces that are up, running, are not loopback, and have IPv4 address assigned. The server will then listen to incoming traffic. Currently supported client messages are DISCOVER and REQUEST. The server will respond to them with OFFER and ACK, respectively. Since the DHCPv4 server opens privileged ports, it requires root access. Make sure you run this daemon as root.
The DHCPv4 server does not have a lease database implemented yet nor any support for configuration, so every time the same set of configuration options (including the same fixed address) will be assigned every time.
At this stage of development, the only way to alter the server configuration is to tweak its source code. To do so, please edit src/bin/dhcp4/dhcp4_srv.cc file and modify following parameters and recompile:
const std::string HARDCODED_LEASE = "192.0.2.222"; // assigned lease const std::string HARDCODED_NETMASK = "255.255.255.0"; const uint32_t HARDCODED_LEASE_TIME = 60; // in seconds const std::string HARDCODED_GATEWAY = "192.0.2.1"; const std::string HARDCODED_DNS_SERVER = "192.0.2.2"; const std::string HARDCODED_DOMAIN_NAME = "isc.example.com"; const std::string HARDCODED_SERVER_ID = "192.0.2.1";
Lease database and configuration support is planned for 2012.
The following standards and draft standards are currently supported:
These are the current limitations of the DHCPv4 server software. Most of them are reflections of the early stage of development and should be treated as “not implemented yet”, rather than actual limitations.
Table of Contents
Dynamic Host Configuration Protocol for IPv6 (DHCPv6) is specified in RFC3315. BIND10 provides DHCPv6 server implementation that is described in this chapter. For a description of the DHCPv4 server implementation, see Chapter 13, DHCPv4 Server.
The DHCPv6 server component is currently under intense development. You may want to check out BIND10 DHCP (Kea) wiki and recent posts on BIND10 developers mailing list.
The DHCPv4 and DHCPv6 components in BIND10 architecture are internally code named “Kea”.
As of December 2011, both DHCPv4 and DHCPv6 components are skeleton servers. That means that while they are capable of performing DHCP configuration, they are not fully functional yet. In particular, neither has functional lease databases. This means that they will assign the same, fixed, hardcoded addresses to any client that will ask. See Section 13.4, “DHCPv4 Server Limitations” and Section 14.4, “DHCPv6 Server Limitations” for detailed description.
BIND10 provides the DHCPv6 server component since September 2011. It is a skeleton server and can be described as an early prototype that is not fully functional yet. It is mature enough to conduct first tests in lab environment, but it has significant limitations. See Section 14.4, “DHCPv6 Server Limitations” for details.
b10-dhcp6 is a BIND10 component and is being run under BIND10 framework. To add a DHCPv6 process to the set of running BIND10 services, you can use following commands in bindctl:
>config add Boss/components b10-dhcp6>config set Boss/components/b10-dhcp6/kind dispensable>config commit
To shutdown running b10-dhcp6, please use the following command:
> Dhcp6 shutdownor
>config remove Boss/components b10-dhcp6>config commit
During start-up the server will detect available network interfaces and will attempt to open UDP sockets on all interfaces that are up, running, are not loopback, are multicast-capable, and have IPv6 address assigned. The server will then listen to incoming traffic. Currently supported client messages are SOLICIT and REQUEST. The server will respond to them with ADVERTISE and REPLY, respectively. Since the DHCPv6 server opens privileged ports, it requires root access. Make sure you run this daemon as root.
The DHCPv6 server does not have lease database implemented yet or any support for configuration, so every time the same set of configuration options (including the same fixed address) will be assigned every time.
At this stage of development, the only way to alter server configuration is to tweak its source code. To do so, please edit src/bin/dhcp6/dhcp6_srv.cc file, modify the following parameters and recompile:
const std::string HARDCODED_LEASE = "2001:db8:1::1234:abcd"; const uint32_t HARDCODED_T1 = 1500; // in seconds const uint32_t HARDCODED_T2 = 2600; // in seconds const uint32_t HARDCODED_PREFERRED_LIFETIME = 3600; // in seconds const uint32_t HARDCODED_VALID_LIFETIME = 7200; // in seconds const std::string HARDCODED_DNS_SERVER = "2001:db8:1::1";
Lease database and configuration support is planned for 2012.
The following standards and draft standards are currently supported:
These are the current limitations of the DHCPv6 server software. Most of them are reflections of the early stage of development and should be treated as “not implemented yet”, rather than actual limitations.
Table of Contents
libdhcp++ is a common library written in C++ that handles many DHCP-related tasks, like DHCPv4 and DHCPv6 packets parsing, manipulation and assembly, option parsing, manipulation and assembly, network interface detection and socket operations, like socket creations, data transmission and reception and socket closing.
While this library is currently used by b10-dhcp4 and b10-dhcp6 only, it is designed to be portable, universal library useful for any kind of DHCP-related software.
Both DHCPv4 and DHCPv6 components share network interface detection routines. Interface detection is currently only supported on Linux systems.
For non-Linux systems, there is currently stub implementation provided. Interface manager detects loopback interfaces only as their name (lo or lo0) can be easily predicted. Please contact BIND10 development team if you are interested in running DHCP components on systems other than Linux.
The b10-stats process is started by bind10. It periodically collects statistics data from various modules and aggregates it.
This stats daemon provides commands to identify if it is running, show specified or all statistics data, show specified or all statistics data schema, and set specified statistics data. For example, using bindctl:
> Stats show
{
"Auth": {
"opcode.iquery": 0,
"opcode.notify": 10,
"opcode.query": 869617,
...
"queries.tcp": 1749,
"queries.udp": 867868
},
"Boss": {
"boot_time": "2011-01-20T16:59:03Z"
},
"Stats": {
"boot_time": "2011-01-20T16:59:05Z",
"last_update_time": "2011-01-20T17:04:05Z",
"lname": "4d3869d9_a@jreed.example.net",
"report_time": "2011-01-20T17:04:06Z",
"timestamp": 1295543046.823504
}
}
Table of Contents
The logging system in BIND 10 is configured through the Logging module. All BIND 10 modules will look at the configuration in Logging to see what should be logged and to where.
Within BIND 10, a message is logged through a component called a "logger". Different parts of BIND 10 log messages through different loggers, and each logger can be configured independently of one another.
In the Logging module, you can specify the configuration for zero or more loggers; any that are not specified will take appropriate default values.
The three most important elements of a logger configuration
are the name (the component that is
generating the messages), the severity
(what to log), and the output_options
(where to log).
Each logger in the system has a name, the name being that of the component using it to log messages. For instance, if you want to configure logging for the resolver module, you add an entry for a logger named “Resolver”. This configuration will then be used by the loggers in the Resolver module, and all the libraries used by it.
If you want to specify logging for one specific library
within the module, you set the name to
module.library. For example, the
logger used by the nameserver address store component
has the full name of “Resolver.nsas”. If
there is no entry in Logging for a particular library,
it will use the configuration given for the module.
To illustrate this, suppose you want the cache library to log messages of severity DEBUG, and the rest of the resolver code to log messages of severity INFO. To achieve this you specify two loggers, one with the name “Resolver” and severity INFO, and one with the name “Resolver.cache” with severity DEBUG. As there are no entries for other libraries (e.g. the nsas), they will use the configuration for the module (“Resolver”), so giving the desired behavior.
One special case is that of a module name of “*” (asterisks), which is interpreted as any module. You can set global logging options by using this, including setting the logging configuration for a library that is used by multiple modules (e.g. “*.config” specifies the configuration library code in whatever module is using it).
If there are multiple logger specifications in the configuration that might match a particular logger, the specification with the more specific logger name takes precedence. For example, if there are entries for for both “*” and “Resolver”, the resolver module — and all libraries it uses — will log messages according to the configuration in the second entry (“Resolver”). All other modules will use the configuration of the first entry (“*”). If there was also a configuration entry for “Resolver.cache”, the cache library within the resolver would use that in preference to the entry for “Resolver”.
One final note about the naming. When specifying the module name within a logger, use the name of the module as specified in bindctl, e.g. “Resolver” for the resolver module, “Xfrout” for the xfrout module, etc. When the message is logged, the message will include the name of the logger generating the message, but with the module name replaced by the name of the process implementing the module (so for example, a message generated by the “Auth.cache” logger will appear in the output with a logger name of “b10-auth.cache”).
This specifies the category of messages logged. Each message is logged with an associated severity which may be one of the following (in descending order of severity):
When the severity of a logger is set to one of these values, it will only log messages of that severity, and the severities above it. The severity may also be set to NONE, in which case all messages from that logger are inhibited.
Each logger can have zero or more
output_options. These specify where log
messages are sent to. These are explained in detail below.
The other options for a logger are:
When a logger's severity is set to DEBUG, this value specifies what debug messages should be printed. It ranges from 0 (least verbose) to 99 (most verbose).
If severity for the logger is not DEBUG, this value is ignored.
If this is true, the output_options from
the parent will be used. For example, if there are two
loggers configured; “Resolver” and
“Resolver.cache”, and additive
is true in the second, it will write the log messages
not only to the destinations specified for
“Resolver.cache”, but also to the destinations
as specified in the output_options in
the logger named “Resolver”.
The main settings for an output option are the
destination and a value called
output, the meaning of which depends on
the destination that is set.
The destination is the type of output. It can be one of:
Depending on what is set as the output destination, this value is interpreted as follows:
destination is “console”The value of output must be one of “stdout” (messages printed to standard output) or “stderr” (messages printed to standard error).
Note: if output is set to “stderr” and a lot of messages are produced in a short time (e.g. if the logging level is set to DEBUG), you may occasionally see some messages jumbled up together. This is due to a combination of the way that messages are written to the screen and the unbuffered nature of the standard error stream. If this occurs, it is recommended that output be set to “stdout”.
destination is “file”The value of output is interpreted as a file name; log messages will be appended to this file.
destination is “syslog”The value of output is interpreted as the syslog facility (e.g. local0) that should be used for log messages.
The other options for output_options are:
Flush buffers after each log message. Doing this will reduce performance but will ensure that if the program terminates abnormally, all messages up to the point of termination are output.
Only relevant when destination is file, this is maximum file size of output files in bytes. When the maximum size is reached, the file is renamed and a new file opened. (For example, a ".1" is appended to the name — if a ".1" file exists, it is renamed ".2", etc.)
If this is 0, no maximum file size is used.
In this example we want to set the global logging to
write to the file /var/log/my_bind10.log,
at severity WARN. We want the authoritative server to
log at DEBUG with debuglevel 40, to a different file
(/tmp/debug_messages).
Start bindctl.
["login success "]
> config show Logging
Logging/loggers [] list
By default, no specific loggers are configured, in which case the severity defaults to INFO and the output is written to stderr.
Let's first add a default logger:
> config add Logging/loggers>config show LoggingLogging/loggers/ list (modified)
The loggers value line changed to indicate that it is no longer an empty list:
> config show Logging/loggers
Logging/loggers[0]/name "" string (default)
Logging/loggers[0]/severity "INFO" string (default)
Logging/loggers[0]/debuglevel 0 integer (default)
Logging/loggers[0]/additive false boolean (default)
Logging/loggers[0]/output_options [] list (default)
The name is mandatory, so we must set it. We will also change the severity as well. Let's start with the global logger.
>config set Logging/loggers[0]/name *>config set Logging/loggers[0]/severity WARN>config show Logging/loggersLogging/loggers[0]/name "*" string (modified) Logging/loggers[0]/severity "WARN" string (modified) Logging/loggers[0]/debuglevel 0 integer (default) Logging/loggers[0]/additive false boolean (default) Logging/loggers[0]/output_options [] list (default)
Of course, we need to specify where we want the log messages to go, so we add an entry for an output option.
>config add Logging/loggers[0]/output_options>config show Logging/loggers[0]/output_optionsLogging/loggers[0]/output_options[0]/destination "console" string (default) Logging/loggers[0]/output_options[0]/output "stdout" string (default) Logging/loggers[0]/output_options[0]/flush false boolean (default) Logging/loggers[0]/output_options[0]/maxsize 0 integer (default) Logging/loggers[0]/output_options[0]/maxver 0 integer (default)
These aren't the values we are looking for.
>config set Logging/loggers[0]/output_options[0]/destination file>config set Logging/loggers[0]/output_options[0]/output /var/log/bind10.log>config set Logging/loggers[0]/output_options[0]/maxsize 204800>config set Logging/loggers[0]/output_options[0]/maxver 8
Which would make the entire configuration for this logger look like:
> config show all Logging/loggers
Logging/loggers[0]/name "*" string (modified)
Logging/loggers[0]/severity "WARN" string (modified)
Logging/loggers[0]/debuglevel 0 integer (default)
Logging/loggers[0]/additive false boolean (default)
Logging/loggers[0]/output_options[0]/destination "file" string (modified)
Logging/loggers[0]/output_options[0]/output "/var/log/bind10.log" string (modified)
Logging/loggers[0]/output_options[0]/flush false boolean (default)
Logging/loggers[0]/output_options[0]/maxsize 204800 integer (modified)
Logging/loggers[0]/output_options[0]/maxver 8 integer (modified)
That looks OK, so let's commit it before we add the configuration for the authoritative server's logger.
> config commit
Now that we have set it, and checked each value along the way, adding a second entry is quite similar.
>config add Logging/loggers>config set Logging/loggers[1]/name Auth>config set Logging/loggers[1]/severity DEBUG>config set Logging/loggers[1]/debuglevel 40>config add Logging/loggers[1]/output_options>config set Logging/loggers[1]/output_options[0]/destination file>config set Logging/loggers[1]/output_options[0]/output /tmp/auth_debug.log>config commit
And that's it. Once we have found whatever it was we needed the debug messages for, we can simply remove the second logger to let the authoritative server use the same settings as the rest.
>config remove Logging/loggers[1]>config commit
And every module will now be using the values from the logger named “*”.
Each message written by BIND 10 to the configured logging destinations comprises a number of components that identify the origin of the message and, if the message indicates a problem, information about the problem that may be useful in fixing it.
Consider the message below logged to a file:
2011-06-15 13:48:22.034 ERROR [b10-resolver.asiolink]
ASIODNS_OPENSOCK error 111 opening TCP socket to 127.0.0.1(53)
Note: the layout of messages written to the system logging file (syslog) may be slightly different. This message has been split across two lines here for display reasons; in the logging file, it will appear on one line.)
The log message comprises a number of components:
The date and time at which the message was generated.
The severity of the message.
The source of the message. This comprises two components: the BIND 10 process generating the message (in this case, b10-resolver) and the module within the program from which the message originated (which in the example is the asynchronous I/O link module, asiolink).
The message identification. Every message in BIND 10 has a unique identification, which can be used as an index into the BIND 10 Messages Manual (http://bind10.isc.org/docs/bind10-messages.html) from which more information can be obtained.
A brief description of the cause of the problem. Within this text, information relating to the condition that caused the message to be logged will be included. In this example, error number 111 (an operating system-specific error number) was encountered when trying to open a TCP connection to port 53 on the local system (address 127.0.0.1). The next step would be to find out the reason for the failure by consulting your system's documentation to identify what error number 111 means.