1 5127fd58 2021-12-17 jrmu version=pmwiki-2.2.130 ordered=1 urlencoded=1
2 b4cffbe2 2022-05-10 jrmu agent=w3m/0.5.3+git20210102
3 5127fd58 2021-12-17 jrmu author=jrmu
4 5127fd58 2021-12-17 jrmu charset=UTF-8
5 5127fd58 2021-12-17 jrmu csum=
6 5127fd58 2021-12-17 jrmu ctime=1597224805
7 b4cffbe2 2022-05-10 jrmu host=38.87.162.8
8 5127fd58 2021-12-17 jrmu name=Openbsd.Nsd
9 b4cffbe2 2022-05-10 jrmu rev=36
10 5127fd58 2021-12-17 jrmu targets=Openbsd.Delphinusdnsd,Openbsd.Tcpip,Openbsd.IPv4,Openbsd.IPv6,Openbsd.Dns,Openbsd.Resourcerecords,Openbsd.Dnszones,Openbsd.Sockets,Openbsd.Ifconfig,Openbsd.Hostnameif0,Openbsd.Buyvm,Openbsd.Vmminstall,Openbsd.Domains,Openbsd.Host,Openbsd.Dig,Openbsd.FQDN
11 b4cffbe2 2022-05-10 jrmu text=(:redirect nsd/configure:)
(:title Configuring nsd:)

nsd is an authoritative name server. It is part of the OpenBSD base system, so no installation is necessary.

Advantages of nsd:

# Audited by the OpenBSD team
# Simpler than BIND

Disadvantages of nsd:

# More difficult to fork compared to [[openbsd/delphinusdnsd|delphinusdnsd]]

'''NOTICE''': This guide assumes you have a basic understanding of [[openbsd/tcpip|TCP/IP networking]], [[openbsd/IPv4|IPv4]] and [[openbsd/IPv6|IPv6]] addressing, the [[openbsd/dns|domain name system]], [[openbsd/resourcerecords|resource records]], and [[openbsd/dnszones|zone files]].

!! Introduction

Please read through the [[https://man.openbsd.org/nsd|nsd]], [[https://man.openbsd.org/nsd.conf|nsd.conf]], [[https://man.openbsd.org/nsd-checkconf|nsd-checkconf]], and [[https://man.openbsd.org/nsd-control|nsd-control]] man pages.

!! nsd.conf

Edit these sections in /var/nsd/etc/nsd.conf:

[@
server:
    hide-version: yes
    verbosity: 2
    database: "" # disable database
    username: _nsd
    logfile: "/var/log/nsd.log"
@]

Hiding the version keeps nsd from answering CHAOS-class version queries with its version string, and verbosity 2 logs errors and warnings about failed zone transfers. We don't want a database, so we leave it blank; nsd drops privileges to the user _nsd after binding the [[openbsd/sockets|socket]]; and we log to /var/log/nsd.log.

[@
## bind to a specific address/port
    ip-address: 198.51.100.1
#   ip-address: 192.0.2.53@5678
    ip-address: 2001:db8::
@]

We bind to our public IPv4 address 198.51.100.1 and our public IPv6 address 2001:db8:: (substitute these with your real public IP addresses).

'''Note''': If you forget your real public IP addresses, you can check [[openbsd/ifconfig|ifconfig]], your [[openbsd/hostnameif0|hostname.if0]], or check your [[openbsd/buyvm|BuyVM]] or [[openbsd/vmminstall|VMM install]] guides.

[@
remote-control:
    control-enable: yes
    control-interface: /var/run/nsd.sock
@]

This allows [[https://man.openbsd.org/nsd-control|nsd-control]] to control the server over the local socket.

!! Master-Only Server

The [[openbsd/dns|DNS system]] requires you to specify master and slave servers. Internet standards require every zone to have at least two name servers, so you'll normally need to configure both a master and a slave.

To start off, we'll configure just a master name server. This lets us quickly test whether our name server is working:

[@
## master zone example
zone:
    name: "example.ircnow.org"
    zonefile: "master/example.ircnow.org"
#   notify: 192.0.2.1 NOKEY
#   provide-xfr: 192.0.2.1 NOKEY
@]

We'll uncomment the zone. The name is the name of our [[openbsd/domains|domain or subdomain]]. It might look like @@username.fruit.ircnow.org@@, or it could be a domain you registered, such as @@example.com@@. The zonefile might then be "master/username.fruit.ircnow.org" or "master/example.com" if you registered your own domain. The zonefile path is relative to /var/nsd/zones.

!! Write the Zone File

Write your [[openbsd/dnszones|DNS zone]] into the zonefile you specified above, /var/nsd/zones/master/example.ircnow.org:

[@
$ORIGIN example.ircnow.org.
example.ircnow.org. 3600 SOA ns1.example.ircnow.org. admin.example.ircnow.org. (
        2021020301 ; serial YYYYMMDDnn
        1800       ; refresh
        3600       ; retry
        86400      ; expire
        3600 )     ; minimum TTL
        3600 IN MX 10 mail
        3600 IN A 198.51.100.1
        3600 IN AAAA 2001:db8::
        3600 IN NS ns1
        3600 IN NS ns2
ns1     3600 IN A 198.51.100.1
        3600 IN AAAA 2001:db8::
ns2     3600 IN A 198.51.100.1
        3600 IN AAAA 2001:db8::
www     3600 IN A 198.51.100.1
        3600 IN AAAA 2001:db8::
irc     3600 IN A 198.51.100.1
        3600 IN AAAA 2001:db8::
imap    3600 IN A 198.51.100.1
        3600 IN AAAA 2001:db8::
smtp    3600 IN A 198.51.100.1
        3600 IN AAAA 2001:db8::
mail    3600 IN A 198.51.100.1
        3600 IN AAAA 2001:db8::
@]

A record whose owner column is blank inherits the owner of the record before it, so the MX, A, AAAA and NS lines directly after the SOA belong to example.ircnow.org itself. For an explanation of how to interpret this zone file, please see the section on [[openbsd/dnszones|DNS zones]].

!! Start NSD and Test

At this point, we can start nsd:

[@
$ doas rcctl enable nsd
$ doas rcctl start nsd
@]

If everything was configured correctly, we should now be able to query our nameserver with [[openbsd/host|host]] or [[openbsd/dig|dig]]:

[@
$ host www.example.ircnow.org example.ircnow.org
Using domain server:
Name: example.ircnow.org
Address: 198.51.100.1#53
Aliases: 

www.example.ircnow.org has address 198.51.100.1
www.example.ircnow.org has IPv6 address 2001:db8::
@]

This queries the name server example.ircnow.org directly for the resource records of www.example.ircnow.org.

!! Delegate Zone

Once you've confirmed nsd works, you want to delegate authority for the zone to your nameserver. If you're using an ircnow.org subdomain, you'll need to ask the sysadmin in charge to finish this step. If you registered a domain elsewhere, make sure that the NS records for the domain at your registrar point to your nameservers (@@ns1.example.com@@ and @@ns2.example.com@@) and that the glue records (the A and AAAA addresses of those nameservers) are defined there.

!! Troubleshooting

If at any step you are not getting proper results, first check the configuration and zone files with these tools:

[@
$ doas nsd-checkconf /var/nsd/etc/nsd.conf
/var/nsd/etc/nsd.conf:34: at 'name:': error: syntax error
read /var/nsd/etc/nsd.conf failed: 1 errors in configuration file
@]

The error is on line 34 of /var/nsd/etc/nsd.conf:

[@
#zone:
    name: "example.ircnow.org"
    zonefile: "master/example.ircnow.org"
@]

Here we forgot to uncomment @@zone:@@. Once that is done, try again. If there are no errors, [[https://man.openbsd.org/nsd-checkconf|nsd-checkconf]] prints nothing at all -- no news is good news!

You'll also want to check that the zone is valid:

[@
$ doas nsd-checkzone example.ircnow.org /var/nsd/zones/master/example.ircnow.org
[2021-02-02 03:49:14.921] nsd-checkzone[32265]: error: /var/nsd/zones/master/example.ircnow.org:8: out of zone data: out.of.zone.com. is outside the zone for fqdn example.ircnow.org.
@]

The error is on line 8 of /var/nsd/zones/master/example.ircnow.org:

[@
out.of.zone.example.com. 3600 IN A 10.0.0.1
@]

Here we specified a [[openbsd/FQDN|FQDN]], out.of.zone.example.com., that lies outside the zone this file is for (example.ircnow.org). This is invalid, so nsd stops at the first such error and refuses to load the zone. In this case, we need to delete this line (or move it to the zone file it belongs in). Once that is done, run the test again:

[@
$ doas nsd-checkzone example.ircnow.org /var/nsd/zones/master/example.ircnow.org
zone example.ircnow.org is ok
@]

You can also run nsd in the foreground or view the logs:

[@
$ doas nsd -d -V 3
/var/nsd/etc/nsd.conf:34: at 'name:': error: syntax error
read /var/nsd/etc/nsd.conf failed: 1 errors in configuration file
[2021-02-02 03:33:50.261] nsd[93210]: error: could not read config: /var/nsd/etc/nsd.conf
@]

This is the same error message we saw when we ran nsd-checkconf above.

Suppose we had deleted /var/nsd/zones/master/example.ircnow.org. When we check /var/log/nsd.log, we see:

[@
[2021-02-02 07:31:43.898] nsd[37575]: info: zonefile master/example.ircnow.org does not exist
@]

'''Tip''': Whenever you encounter an error with nsd, always check /var/log/nsd.log.

!! See Also

[[https://www.denic.de/en/service/tools/nast/|Nameserver Check]]
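A pre-flight checker for the zone file format used above, written for this guide as an added example (it is not nsd's code and does not replace nsd-checkzone): it reproduces the out-of-zone check that nsd-checkzone stops on, verifies the SOA serial is in YYYYMMDDnn form, and flags in-zone nameservers that lack the A/AAAA glue the delegation step depends on. The sample zone is a constructed, shortened copy of the guide's zone with two faults planted, and the record types it understands are limited to the common ones listed in RRTYPES.

```python
import re
# Constructed sample: the guide's zone, shortened, with two deliberate faults:
# an out-of-zone A record and no address record for the ns2 nameserver.
SAMPLE_ZONE = """\
$ORIGIN example.ircnow.org.
example.ircnow.org. 3600 SOA ns1.example.ircnow.org. admin.example.ircnow.org. (
        2021020301 ; serial YYYYMMDDnn
        1800       ; refresh
        3600       ; retry
        86400      ; expire
        3600 )     ; minimum TTL
        3600 IN MX 10 mail
        3600 IN A 198.51.100.1
        3600 IN NS ns1
        3600 IN NS ns2
ns1     3600 IN A 198.51.100.1
out.of.zone.example.com. 3600 IN A 10.0.0.1
www     3600 IN A 198.51.100.1
"""
# The same zone with both faults corrected.
FIXED_ZONE = SAMPLE_ZONE.replace("out.of.zone.example.com. 3600 IN A 10.0.0.1\n",
                                 "ns2     3600 IN A 198.51.100.1\n")
RRTYPES = {"SOA", "NS", "A", "AAAA", "MX", "CNAME", "TXT", "PTR", "SRV"}
SERIAL_RE = re.compile(r"\d{4}(0[1-9]|1[0-2])(0[1-9]|[12]\d|3[01])\d{2}")  # YYYYMMDDnn

def _logical_lines(text):
    """Yield (lineno, line) with comments dropped and a parenthesised
    multi-line record (the SOA) merged; leading whitespace is kept."""
    buf, start, depth = [], 0, 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip() and depth == 0:
            continue
        start = lineno if depth == 0 else start
        buf.append(line if depth == 0 else line.strip())
        depth += line.count("(") - line.count(")")
        if depth == 0:
            yield start, " ".join(buf)
            buf = []

def _fqdn(name, origin):
    """Expand a relative name against $ORIGIN ('@' means the origin itself)."""
    return origin if name == "@" else name if name.endswith(".") else name + "." + origin

def parse_zone(text, zone):
    """Return (records, problems); records are (owner, type, rdata) with FQDN owners."""
    apex = zone if zone.endswith(".") else zone + "."
    origin, last_owner, records, problems = apex, None, [], []
    for lineno, line in _logical_lines(text):
        tokens = line.replace("(", " ").replace(")", " ").split()
        if not tokens or tokens[0].startswith("$"):
            if tokens and tokens[0] == "$ORIGIN":       # $TTL/$INCLUDE not modelled
                origin = tokens[1]
            continue
        if line[0].isspace():                          # blank owner column: reuse previous
            if last_owner is None:
                problems.append(f"line {lineno}: record has no owner name")
                continue
            owner = last_owner
        else:
            owner = _fqdn(tokens.pop(0), origin)
        last_owner = owner
        while tokens and (tokens[0].isdigit() or tokens[0].upper() in ("IN", "CH", "HS")):
            tokens.pop(0)                              # optional TTL and class
        if not tokens or tokens[0].upper() not in RRTYPES:
            problems.append(f"line {lineno}: cannot parse record type")
            continue
        # The error nsd-checkzone stops on; here we keep going and report everything.
        if owner != apex and not owner.endswith("." + apex):
            problems.append(f"line {lineno}: out of zone data: {owner} is outside {apex}")
            continue
        rtype, rdata = tokens[0].upper(), tokens[1:]
        if rtype == "NS" and rdata:                    # qualify target for the glue check
            rdata[0] = _fqdn(rdata[0], origin)
        records.append((owner, rtype, rdata))
    return records, problems

def check_zone(text, zone):
    """Return a list of problems; an empty list means the zone passed."""
    apex = zone if zone.endswith(".") else zone + "."
    records, problems = parse_zone(text, zone)
    soas = [r for r in records if r[1] == "SOA" and r[0] == apex]
    if len(soas) != 1:
        problems.append(f"expected exactly one SOA at {apex}, found {len(soas)}")
    elif len(soas[0][2]) < 7 or not SERIAL_RE.fullmatch(soas[0][2][2]):
        problems.append("SOA serial missing or not in YYYYMMDDnn form")
    ns_names = [r[2][0] for r in records if r[1] == "NS" and r[0] == apex and r[2]]
    if len(ns_names) < 2:
        problems.append("zone needs at least two NS records at the apex")
    addressed = {r[0] for r in records if r[1] in ("A", "AAAA")}
    for ns in ns_names:
        if ns.endswith("." + apex) and ns not in addressed:
            problems.append(f"in-zone nameserver {ns} has no A/AAAA record (missing glue)")
    return problems

if __name__ == "__main__":
    for label, zone in (("broken", SAMPLE_ZONE), ("fixed", FIXED_ZONE)):
        found = check_zone(zone, "example.ircnow.org")
        print(label + ":", "zone example.ircnow.org is ok" if not found else "; ".join(found))
```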
12 b4cffbe2 2022-05-10 jrmu time=1652142827
13 5127fd58 2021-12-17 jrmu title=Configuring nsd
14 b4cffbe2 2022-05-10 jrmu author:1652142827=jrmu
94 5127fd58 2021-12-17 jrmu host:1612230627=198.251.81.119
95 5127fd58 2021-12-17 jrmu author:1609673674=jrmu
96 5127fd58 2021-12-17 jrmu diff:1609673674:1609242206:=38c38%0a%3c zonefile: "master/example.net"%0a---%0a> zonefile: "master/example.net.zone"%0a48c48%0a%3c zonefile: "slave/example.net"%0a---%0a> zonefile: "slave/example.net.zone"%0a78c78%0a%3c Save this zone file as /var/nsd/zones/master/example.net%0a---%0a> Save this zone file as /var/nsd/zones/master/example.net.zone%0a
97 5127fd58 2021-12-17 jrmu host:1609673674=125.231.63.134
98 5127fd58 2021-12-17 jrmu author:1609242206=jrmu
99 5127fd58 2021-12-17 jrmu diff:1609242206:1597966747:=68c68%0a%3c example.net. NS ns.secondary.net.%0a---%0a> example.net. NS ns.secondary.net.ua.%0a
100 5127fd58 2021-12-17 jrmu host:1609242206=198.251.81.119
101 5127fd58 2021-12-17 jrmu author:1597966747=gry
102 5127fd58 2021-12-17 jrmu csum:1597966747=+
103 5127fd58 2021-12-17 jrmu diff:1597966747:1597800518:=93,98d92%0a%3c @]%0a%3c %0a%3c If there are issues you can start nsd in debug mode%0a%3c %0a%3c [@%0a%3c doas nsd -d -V 3%0a
104 5127fd58 2021-12-17 jrmu host:1597966747=203.129.25.247
105 5127fd58 2021-12-17 jrmu author:1597800518=gry
106 5127fd58 2021-12-17 jrmu csum:1597800518=clarified
107 5127fd58 2021-12-17 jrmu diff:1597800518:1597796218:=5c5%0a%3c !! /var/nsd/etc/nsd.conf (main configuration file)%0a---%0a> !! /var/nsd/etc/nsd.conf%0a
108 5127fd58 2021-12-17 jrmu host:1597800518=203.129.25.247
109 5127fd58 2021-12-17 jrmu author:1597796218=gry
110 5127fd58 2021-12-17 jrmu csum:1597796218=+
111 5127fd58 2021-12-17 jrmu diff:1597796218:1597796198:=32d31%0a%3c %0a53,54c52%0a%3c !! The zone file for NSD%0a%3c %0a---%0a> ====== The zone file for NSD ======%0a
112 5127fd58 2021-12-17 jrmu host:1597796218=203.129.25.247
113 5127fd58 2021-12-17 jrmu author:1597796198=gry
114 5127fd58 2021-12-17 jrmu csum:1597796198=fmt
115 5127fd58 2021-12-17 jrmu diff:1597796198:1597245206:=34c34%0a%3c [@%0a---%0a> %3ccode>%0a40,41c40,41%0a%3c @]%0a%3c %0a---%0a> %3c/code>%0a> %0a43,44c43%0a%3c %0a%3c [@%0a---%0a> %3ccode>%0a50,51c49,50%0a%3c @]%0a%3c %0a---%0a> %3c/code>%0a> %0a55c54%0a%3c [@%0a---%0a> %3ccode>%0a74,75c73,74%0a%3c @]%0a%3c %0a---%0a> %3c/code>%0a> %0a78,79c77%0a%3c !! Configuration check and start%0a%3c %0a---%0a> ====== Configuration check and start ======%0a81,82c79%0a%3c %0a%3c [@%0a---%0a> %3ccode>%0a84,85c81,82%0a%3c @]%0a%3c %0a---%0a> %3c/code>%0a> %0a87,88c84%0a%3c %0a%3c [@%0a---%0a> %3ccode>%0a91c87%0a%3c @]%0a---%0a> %3c/code>%0a
116 5127fd58 2021-12-17 jrmu host:1597796198=203.129.25.247
117 5127fd58 2021-12-17 jrmu author:1597245206=jrmu
118 5127fd58 2021-12-17 jrmu diff:1597245206:1597245000:=1,9c1,7%0a%3c (:title Configuring nsd:)%0a%3c %0a%3c nsd is an authoritative name server. Because nsd comes in OpenBSD base, it is our preferred nameserver.%0a%3c %0a%3c !! /var/nsd/etc/nsd.conf%0a%3c %0a%3c Open up /var/nsd/etc/nsd.conf:%0a%3c %0a%3c [@%0a---%0a> NSD is an open-source Domain Name System (DNS) server. It was developed by NLnet Labs of Amsterdam in cooperation with the RIPE NCC, from scratch as an authoritative name server. NSD is a NS that comes as a part of OpenBSD base.%0a> %0a> ====== Configuration of NSD ======%0a> The main configuration file for NSD is a file called nsd.conf located in the /var/nsd/etc/ directory.%0a> Now, open/create the new file in your text editor with root privileges. Here's a sample:%0a> %0a> %3ccode>%0a20c18,21%0a%3c %0a---%0a> difffile: "/var/nsd/db/ixfr.db"%0a> xfrdfile: "/var/nsd/db/xfrd.state"%0a> database: "/var/nsd/db/nsd.db"%0a> %0a26,31c27,33%0a%3c name: "example.com"%0a%3c zonefile: "master/example.com"%0a%3c %0a%3c @]%0a%3c %0a%3c !! Primary and secondary server%0a---%0a> name: "example.net"%0a> zonefile: "master/example.net.zone"%0a> #notify: 193.201.116.2 NOKEY%0a> #provide-xfr: 193.201.116.2 NOKEY%0a> %3c/code>%0a> %0a> ====== Primary and secondary server ======%0a
119 5127fd58 2021-12-17 jrmu host:1597245206=38.81.163.143
120 5127fd58 2021-12-17 jrmu author:1597245000=jrmu
121 5127fd58 2021-12-17 jrmu diff:1597245000:1597224805:=89,91c89%0a%3c %3c/code>%0a%3c %0a%3c https://www.denic.de/en/service/tools/nast/%0a\ No newline at end of file%0a---%0a> %3c/code>%0a\ No newline at end of file%0a
122 5127fd58 2021-12-17 jrmu host:1597245000=38.81.163.143
123 5127fd58 2021-12-17 jrmu author:1597224805=jrmu
124 5127fd58 2021-12-17 jrmu diff:1597224805:1597224805:=1,89d0%0a%3c NSD is an open-source Domain Name System (DNS) server. It was developed by NLnet Labs of Amsterdam in cooperation with the RIPE NCC, from scratch as an authoritative name server. NSD is a NS that comes as a part of OpenBSD base.%0a%3c %0a%3c ====== Configuration of NSD ======%0a%3c The main configuration file for NSD is a file called nsd.conf located in the /var/nsd/etc/ directory.%0a%3c Now, open/create the new file in your text editor with root privileges. Here's a sample:%0a%3c %0a%3c %3ccode>%0a%3c server:%0a%3c ip-address: 0.0.0.0%0a%3c ip4-only: yes%0a%3c identity: "DNS"%0a%3c hide-version: yes%0a%3c verbosity: 1%0a%3c database: ""%0a%3c username: _nsd%0a%3c logfile: "/var/log/nsd.log"%0a%3c pidfile: "/var/nsd/run/nsd.pid"%0a%3c difffile: "/var/nsd/db/ixfr.db"%0a%3c xfrdfile: "/var/nsd/db/xfrd.state"%0a%3c database: "/var/nsd/db/nsd.db"%0a%3c %0a%3c remote-control:%0a%3c control-enable: yes%0a%3c control-interface: /var/nsd/run/nsd.sock%0a%3c %0a%3c zone:%0a%3c name: "example.net"%0a%3c zonefile: "master/example.net.zone"%0a%3c #notify: 193.201.116.2 NOKEY%0a%3c #provide-xfr: 193.201.116.2 NOKEY%0a%3c %3c/code>%0a%3c %0a%3c ====== Primary and secondary server ======%0a%3c If you need a secondary server to host the zone, you can do this as follows. Add to the block that describes your master zone, records about the secondary zone as in the example:%0a%3c %0a%3c %3ccode>%0a%3c zone:%0a%3c name: "example.net"%0a%3c zonefile: "master/example.net.zone"%0a%3c notify: 20.20.20.20 NOKEY%0a%3c provide-xfr: 20.20.20.20 NOKEY%0a%3c %3c/code>%0a%3c %0a%3c Create a new block in the secondary server config file, as in the example:%0a%3c %3ccode>%0a%3c zone:%0a%3c name: "example.net"%0a%3c zonefile: "slave/example.net.zone"%0a%3c allow-notify: 10.10.10.10 NOKEY%0a%3c request-xfr: 10.10.10.10 NOKEY%0a%3c %3c/code>%0a%3c %0a%3c ====== The zone file for NSD ======%0a%3c The next step is to write the zone files for NSD. First the forward lookup zone example.net:%0a%3c %0a%3c %3ccode>%0a%3c ; Domain file from My project%0a%3c %0a%3c example.net. 3600 SOA ns.example.net. admin.example.net. (%0a%3c 2020070701 ; serial YYYYMMDDnn%0a%3c 10800 ; refresh%0a%3c 3600 ; retry%0a%3c 604800 ; expire%0a%3c 86400 ) ; minimum TTL%0a%3c %0a%3c example.net. NS ns.example.net.%0a%3c example.net. NS ns.secondary.net.ua.%0a%3c ns A 10.10.10.10%0a%3c example.net. A 10.10.10.10%0a%3c www A 10.10.10.10%0a%3c irc A 10.10.10.10%0a%3c imap A 10.10.10.10%0a%3c smtp A 10.10.10.10%0a%3c example.net. mx 10 smtp.example.net.%0a%3c %3c/code>%0a%3c %0a%3c Save this zone file as /var/nsd/zones/master/example.net.zone%0a%3c %0a%3c ====== Configuration check and start ======%0a%3c NSD bring along a tool to check the configuration file before you start or reload the daemon:%0a%3c %3ccode>%0a%3c $ doas nsd-checkconf /var/nsd/etc/nsd.conf%0a%3c %3c/code>%0a%3c %0a%3c Any errors are reported, so no news are good news. You can go ahead and start NSD:%0a%3c %3ccode>%0a%3c $ doas rcctl enable nsd%0a%3c $ doas rcctl start nsd%0a%3c %3c/code>%0a\ No newline at end of file%0a
125 5127fd58 2021-12-17 jrmu host:1597224805=38.81.163.143