version=pmwiki-2.2.130 ordered=1 agent=w3m/0.5.3+git20210102 author=jrmu charset=UTF-8 ctime=1597224805 host=38.87.162.8 name=Openbsd.Nsd rev=36

(:redirect nsd/configure:)
(:title Configuring nsd:)

nsd is an authoritative name server. It ships in the OpenBSD base system, so no installation is necessary.

Advantages of nsd:

# Audited by the OpenBSD team
# Simpler than BIND

Disadvantages of nsd:

# More difficult to fork than [[openbsd/delphinusdnsd|delphinusdnsd]]

'''NOTICE''': This guide assumes you have a basic understanding of [[openbsd/tcpip|TCP/IP networking]], [[openbsd/IPv4|IPv4]] and [[openbsd/IPv6|IPv6]] addressing, the [[openbsd/dns|domain name system]], [[openbsd/resourcerecords|resource records]], and [[openbsd/dnszones|zone files]].

!! Introduction

Please read through the [[https://man.openbsd.org/nsd|nsd]], [[https://man.openbsd.org/nsd.conf|nsd.conf]], [[https://man.openbsd.org/nsd-checkconf|nsd-checkconf]], and [[https://man.openbsd.org/nsd-control|nsd-control]] man pages.

!! nsd.conf

Edit these sections in /var/nsd/etc/nsd.conf:

[@
server:
	hide-version: yes
	verbosity: 2
	database: ""		# disable database
	username: _nsd
	logfile: "/var/log/nsd.log"
@]

We hide the version string, set verbosity to 2 so that errors and warnings about failed zone transfers are logged, leave database empty because we don't want an on-disk database, drop privileges to the user _nsd after binding the [[openbsd/sockets|socket]], and log to /var/log/nsd.log.

[@
## bind to a specific address/port
	ip-address: 198.51.100.1
#	ip-address: 192.0.2.53@5678
	ip-address: 2001:db8::
@]

We bind to our public IPv4 address 198.51.100.1 and our public IPv6 address 2001:db8:: (substitute your real public IP addresses).

'''Note''': If you forget your real public IP addresses, check [[openbsd/ifconfig|ifconfig]], your [[openbsd/hostnameif0|hostname.if0]], or the [[openbsd/buyvm|BuyVM]] or [[openbsd/vmminstall|VMM install]] guides.

[@
remote-control:
	control-enable: yes
	control-interface: /var/run/nsd.sock
@]

This allows [[https://man.openbsd.org/nsd-control|nsd-control]] to manage the running server through the control socket.

!! Master-Only Server

The [[openbsd/dns|DNS system]] distinguishes master and slave servers. Internet standards require every zone to have at least two name servers, so you'll normally need to configure both a master and a slave.

To start off, we'll configure just a master name server. This lets us quickly test whether our name server is working:

[@
## master zone example
zone:
	name: "example.ircnow.org"
	zonefile: "master/example.ircnow.org"
#	notify: 192.0.2.1 NOKEY
#	provide-xfr: 192.0.2.1 NOKEY
@]

We'll uncomment the zone. The name is the name of our [[openbsd/domains|domain or subdomain]]. It might look like @@username.fruit.ircnow.org@@, or it could be a domain you registered, such as @@example.com@@. The zonefile would then be "master/username.fruit.ircnow.org" or "master/example.com" respectively; the path is relative to the zones directory, /var/nsd/zones.

!! Write the Zone File

Write your [[openbsd/dnszones|DNS zone]] into the zone file you specified above, /var/nsd/zones/master/example.ircnow.org:

[@
$ORIGIN example.ircnow.org.
example.ircnow.org.	3600	SOA	ns1.example.ircnow.org. admin.example.ircnow.org. (
			2021020301	; serial YYYYMMDDnn
			1800		; refresh
			3600		; retry
			86400		; expire
			3600 )		; minimum TTL
	3600	IN	MX	10 mail
	3600	IN	A	198.51.100.1
	3600	IN	AAAA	2001:db8::
	3600	IN	NS	ns1
	3600	IN	NS	ns2
ns1	3600	IN	A	198.51.100.1
	3600	IN	AAAA	2001:db8::
ns2	3600	IN	A	198.51.100.1
	3600	IN	AAAA	2001:db8::
www	3600	IN	A	198.51.100.1
	3600	IN	AAAA	2001:db8::
irc	3600	IN	A	198.51.100.1
	3600	IN	AAAA	2001:db8::
imap	3600	IN	A	198.51.100.1
	3600	IN	AAAA	2001:db8::
smtp	3600	IN	A	198.51.100.1
	3600	IN	AAAA	2001:db8::
mail	3600	IN	A	198.51.100.1
	3600	IN	AAAA	2001:db8::
@]

For an explanation of how to interpret this zone file, see the section on [[openbsd/dnszones|DNS zones]].

!! Start NSD and Test

At this point, we can enable and start nsd:

[@
$ doas rcctl enable nsd
$ doas rcctl start nsd
@]

If everything was configured correctly, we should now be able to query our name server with [[openbsd/host|host]] or [[openbsd/dig|dig]]:

[@
$ host www.example.ircnow.org example.ircnow.org
Using domain server:
Name: example.ircnow.org
Address: 198.51.100.1#53
Aliases: 

www.example.ircnow.org has address 198.51.100.1
www.example.ircnow.org has IPv6 address 2001:db8::
@]

This sends the query directly to the name server example.ircnow.org (the second argument) for the resource records of www.example.ircnow.org, so it works even before the zone has been delegated.

!! Delegate Zone

Once you've confirmed nsd works, you want to delegate authority for the zone to your name server. If you're using an ircnow.org subdomain, you'll need to ask the sysadmin in charge to finish this step. If you registered a domain elsewhere, make sure that the name servers for the domain point at your name server (@@ns1.example.com@@ and @@ns2.example.com@@) and that the glue records are defined.

!! Troubleshooting

If at any step you are not getting proper results, first check the configuration file and the zone files with these tools:

[@
$ doas nsd-checkconf /var/nsd/etc/nsd.conf
/var/nsd/etc/nsd.conf:34: at 'name:': error: syntax error
read /var/nsd/etc/nsd.conf failed: 1 errors in configuration file
@]

The error is on line 34 of /var/nsd/etc/nsd.conf:

[@
#zone:
	name: "example.ircnow.org"
	zonefile: "master/example.ircnow.org"
@]

Here we forgot to uncomment @@zone:@@, so the indented @@name:@@ line has no block to belong to. Once that is fixed, try again. If there are no errors, [[https://man.openbsd.org/nsd-checkconf|nsd-checkconf]] prints nothing -- no news is good news!

You'll also want to check that the zone is valid:

[@
$ doas nsd-checkzone example.ircnow.org /var/nsd/zones/master/example.ircnow.org
[2021-02-02 03:49:14.921] nsd-checkzone[32265]: error: /var/nsd/zones/master/example.ircnow.org:8: out of zone data: out.of.zone.com. is outside the zone for fqdn example.ircnow.org.
@]

The error is on line 8 of /var/nsd/zones/master/example.ircnow.org:

[@
out.of.zone.example.com.	3600	IN	A	10.0.0.1
@]

Here we specify a [[openbsd/FQDN|FQDN]], out.of.zone.example.com., which lies outside the zone this file is for (example.ircnow.org). This is invalid, so nsd refuses to look any further and quits. In this case, we need to delete this line (or move it to the zone file it belongs in).
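The out-of-zone failure above is easy to reproduce outside nsd. As an added example (my own code, not part of this page or of nsd), the Python script below parses a zone file in the format used above and flags out-of-zone owner names, in-zone NS targets that lack an A or AAAA record, and SOA serials that do not follow the YYYYMMDDnn convention; the sample zone is constructed from the guide's zone with the faulty record appended as its last line.

```python
"""Sanity checks for a master zone file like the one in this guide.

Added example, not part of nsd or the original page. It re-implements the
"out of zone data" check that nsd-checkzone reported above and adds two
further checks of its own: every NS target inside the zone needs an A or
AAAA record, and the SOA serial should follow the YYYYMMDDnn convention the
zone comments use. SAMPLE_ZONE is constructed from the guide's zone,
shortened, with the faulty record appended as the last line.
"""
from collections import namedtuple

Record = namedtuple("Record", "lineno owner rrtype rdata")

# Constructed sample input (the guide's zone, shortened, plus the bad record).
SAMPLE_ZONE = """\
$ORIGIN example.ircnow.org.
example.ircnow.org. 3600 SOA ns1.example.ircnow.org. admin.example.ircnow.org. (
                2021020301 ; serial YYYYMMDDnn
                1800       ; refresh
                3600       ; retry
                86400      ; expire
                3600 )     ; minimum TTL
        3600 IN MX   10 mail
        3600 IN A    198.51.100.1
        3600 IN AAAA 2001:db8::
        3600 IN NS   ns1
        3600 IN NS   ns2
ns1     3600 IN A    198.51.100.1
        3600 IN AAAA 2001:db8::
ns2     3600 IN A    198.51.100.1
www     3600 IN A    198.51.100.1
mail    3600 IN A    198.51.100.1
out.of.zone.example.com. 3600 IN A 10.0.0.1
"""


def qualify(name, origin):
    """Turn a relative name into an FQDN under $ORIGIN ('@' means the apex)."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def logical_lines(text):
    """Yield (lineno, text) per record, joining '(' ... ')' continuation lines."""
    buf, start, depth = [], 0, 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split(";", 1)[0]           # zone-file comments start with ';'
        if not line.strip() and not buf:
            continue
        if not buf:
            start = lineno
        buf.append(line)
        depth += line.count("(") - line.count(")")
        if depth <= 0:
            yield start, " ".join(buf)        # leading whitespace of buf[0] survives
            buf, depth = [], 0


def parse_zone(text):
    """Return (origin, [Record]) honouring $ORIGIN and owner-name inheritance."""
    origin, owner, records = None, None, []
    for lineno, line in logical_lines(text):
        tokens = line.replace("(", " ").replace(")", " ").split()
        if tokens[0] == "$ORIGIN":
            origin = tokens[1]
            continue
        if origin is None:
            raise ValueError(f"line {lineno}: record before $ORIGIN")
        if not line[0].isspace():             # explicit owner; otherwise inherit
            owner = qualify(tokens.pop(0), origin)
        if owner is None:
            raise ValueError(f"line {lineno}: record has no owner name")
        # An optional TTL and class precede the record type.
        while tokens and (tokens[0].isdigit() or tokens[0].upper() in ("IN", "CH", "HS")):
            tokens.pop(0)
        records.append(Record(lineno, owner, tokens[0].upper(), tokens[1:]))
    return origin, records


def check_zone(text):
    """Return a list of problem descriptions; an empty list means the zone is ok."""
    origin, records = parse_zone(text)

    def in_zone(name):
        return name == origin or name.endswith("." + origin)

    problems = []
    have_addr = {r.owner for r in records if r.rrtype in ("A", "AAAA")}
    for rec in records:
        if not in_zone(rec.owner):            # what nsd-checkzone calls "out of zone data"
            problems.append(f"line {rec.lineno}: out of zone data: {rec.owner} "
                            f"is outside the zone for fqdn {origin}")
        elif rec.rrtype == "NS":
            target = qualify(rec.rdata[0], origin)
            if in_zone(target) and target not in have_addr:
                problems.append(f"line {rec.lineno}: NS {target} has no A/AAAA record")
        elif rec.rrtype == "SOA":
            serial = rec.rdata[2] if len(rec.rdata) > 2 else ""
            ok = (len(serial) == 10 and serial.isdigit()
                  and 1 <= int(serial[4:6]) <= 12 and 1 <= int(serial[6:8]) <= 31)
            if not ok:
                problems.append(f"line {rec.lineno}: SOA serial {serial!r} is not YYYYMMDDnn")
    return problems


if __name__ == "__main__":
    for problem in check_zone(SAMPLE_ZONE) or ["zone is ok"]:
        print(problem)
```

Unlike nsd-checkzone, which stops at the first error, this collects every problem it finds, so one run shows everything that needs fixing.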
Once the offending record has been deleted or moved, run the check again:

[@
$ doas nsd-checkzone example.ircnow.org /var/nsd/zones/master/example.ircnow.org
zone example.ircnow.org is ok
@]

You can also run nsd in the foreground with raised verbosity, or read the logs:

[@
$ doas nsd -d -V 3
/var/nsd/etc/nsd.conf:34: at 'name:': error: syntax error
read /var/nsd/etc/nsd.conf failed: 1 errors in configuration file
[2021-02-02 03:33:50.261] nsd[93210]: error: could not read config: /var/nsd/etc/nsd.conf
@]

This is the same error message we saw from nsd-checkconf above.

Suppose we had deleted /var/nsd/zones/master/example.ircnow.org. When we check /var/log/nsd.log, we see:

[@
[2021-02-02 07:31:43.898] nsd[37575]: info: zonefile master/example.ircnow.org does not exist
@]

'''Tip''': Whenever you encounter an error with nsd, always check /var/log/nsd.log.

!! See Also

[[https://www.denic.de/en/service/tools/nast/|Nameserver Check]]
First the forward lookup zone example.net:%0a%3c %0a%3c %3ccode>%0a%3c ; Domain file from My project%0a%3c %0a%3c example.net. 3600 SOA ns.example.net. admin.example.net. (%0a%3c 2020070701 ; serial YYYYMMDDnn%0a%3c 10800 ; refresh%0a%3c 3600 ; retry%0a%3c 604800 ; expire%0a%3c 86400 ) ; minimum TTL%0a%3c %0a%3c example.net. NS ns.example.net.%0a%3c example.net. NS ns.secondary.net.ua.%0a%3c ns A 10.10.10.10%0a%3c example.net. A 10.10.10.10%0a%3c www A 10.10.10.10%0a%3c irc A 10.10.10.10%0a%3c imap A 10.10.10.10%0a%3c smtp A 10.10.10.10%0a%3c example.net. mx 10 smtp.example.net.%0a%3c %3c/code>%0a%3c %0a%3c Save this zone file as /var/nsd/zones/master/example.net.zone%0a%3c %0a%3c ====== Configuration check and start ======%0a%3c NSD bring along a tool to check the configuration file before you start or reload the daemon:%0a%3c %3ccode>%0a%3c $ doas nsd-checkconf /var/nsd/etc/nsd.conf%0a%3c %3c/code>%0a%3c %0a%3c Any errors are reported, so no news are good news. You can go ahead and start NSD:%0a%3c %3ccode>%0a%3c $ doas rcctl enable nsd%0a%3c $ doas rcctl start nsd%0a%3c %3c/code>%0a\ No newline at end of file%0a host:1597224805=38.81.163.143