Authoritative name serverをマスターもスレイブもNSDで構成していたのだが、同じ実装で揃えるのはいけないと思い直して、 スレイブをknot DNSに変更していた。 後ほど参照する必要がありそうなことを書いておく。 NSDとknot DNSのいずれもpkgsrcからインストールしている。
# # nsd.conf -- the NSD(8) configuration file, nsd.conf(5). # # Copyright (c) 2001-2011, NLnet Labs. All rights reserved. # # See LICENSE for the license. # # This is a comment. # Sample configuration file # include: "file" # include that file's text over here. Globbed, "*.conf" # options for the nsd server server: # Number of NSD servers to fork. Put the number of CPUs to use here. server-count: 1 # uncomment to specify specific interfaces to bind (default are the # wildcard interfaces 0.0.0.0 and ::0). # For servers with multiple IP addresses, list them one by one, # or the source address of replies could be wrong. # Use ip-transparent to be able to list addresses that turn on later. # ip-address: 1.2.3.4 # ip-address: 1.2.3.4@5678 # ip-address: 12fe::8ef0 ip-address: xxx.xxx.xxx.xxx ip-address: xxxx::xxxx # Allow binding to non local addresses. Default no. # ip-transparent: no # use the reuseport socket option for performance. Default no. # reuseport: no # enable debug mode, does not fork daemon process into the background. # debug-mode: no # listen on IPv4 connections # do-ip4: yes do-ip4: yes # listen on IPv6 connections # do-ip6: yes do-ip6: yes # port to answer queries on. default is 53. # port: 53 port: 53 # Verbosity level. # verbosity: 0 verbosity: 0 # After binding socket, drop user privileges. # can be a username, id or id.gid. # username: nsd username: nsd # Run NSD in a chroot-jail. # make sure to have pidfile and database reachable from there. # by default, no chroot-jail is used. # chroot: "/usr/pkg/etc/nsd" #chroot: "/usr/pkg/etc/nsd" # The directory for zonefile: files. The daemon chdirs here. # zonesdir: "/usr/pkg/etc/nsd" zonesdir: "/usr/pkg/etc/nsd" # the list of dynamically added zones. # zonelistfile: "/var/nsd/zone.list" zonelistfile: "/usr/pkg/etc/nsd/zone.list" # the database to use # if set to "" then no disk-database is used, less memory usage. # database: "/var/nsd/nsd.db" database: "/usr/pkg/etc/nsd/nsd.db" # log messages to file. Default to stderr and syslog (with # facility LOG_DAEMON). stderr disappears when daemon goes to bg. # logfile: "/var/log/nsd.log" logfile: "/usr/pkg/etc/nsd/nsd.log" # File to store pid for nsd in. # pidfile: "/var/run/nsd/nsd.pid" pidfile: "/usr/pkg/etc/nsd/nsd.pid" # The file where secondary zone refresh and expire timeouts are kept. # If you delete this file, all secondary zones are forced to be # 'refreshing' (as if nsd got a notify). Set to "" to disable. # xfrdfile: "/var/nsd/nsd-xfrd.state" xfrdfile: "/usr/pkg/etc/nsd/nsd-xfrd.state" # The directory where zone transfers are stored, in a subdir of it. # xfrdir: "/tmp" xfrdir: "/usr/pkg/etc/nsd" # don't answer VERSION.BIND and VERSION.SERVER CHAOS class queries # hide-version: no hide-version: yes # version string the server responds with for chaos queries. # default is 'NSD x.y.z' with the server's version number. # version: "NSD" # identify the server (CH TXT ID.SERVER entry). # identity: "unidentified server" # NSID identity (hex string, or "ascii_somestring"). default disabled. # nsid: "aabbccdd" # Maximum number of concurrent TCP connections per server. # tcp-count: 100 tcp-count: 100 # Maximum number of queries served on a single TCP connection. # By default 0, which means no maximum. # tcp-query-count: 0 tcp-query-count: 100 # Override the default (120 seconds) TCP timeout. # tcp-timeout: 120 tcp-timeout: 120 # Preferred EDNS buffer size for IPv4. # ipv4-edns-size: 4096 ipv4-edns-size: 4096 # Preferred EDNS buffer size for IPv6. # ipv6-edns-size: 4096 ipv6-edns-size: 4096 # statistics are produced every number of seconds. Prints to log. # Default is 0, meaning no statistics are produced. # statistics: 3600 statistics: 0 # Number of seconds between reloads triggered by xfrd. # xfrd-reload-timeout: 1 # log timestamp in ascii (y-m-d h:m:s.msec), yes is default. # log-time-ascii: yes # round robin rotation of records in the answer. # round-robin: no # check mtime of all zone files on start and sighup # zonefiles-check: yes zonefiles-check: yes # write changed zonefiles to disk, every N seconds. # default is 0(disabled) or 3600(if database is ""). # zonefiles-write: 3600 # Remote control config section. remote-control: # Enable remote control with nsd-control(8) here. # set up the keys and certificates with nsd-control-setup. # control-enable: no control-enable: yes # what interfaces are listened to for control, default is on localhost. # control-interface: 127.0.0.1 # control-interface: ::1 control-interface: 127.0.0.1 control-interface: ::1 # port number for remote control operations (uses TLS over TCP). # control-port: 8952 control-port: 8952 # nsd server key file for remote control. # server-key-file: "/usr/pkg/etc/nsd/nsd_server.key" server-key-file: "/usr/pkg/etc/nsd/nsd_server.key" # nsd server certificate file for remote control. # server-cert-file: "/usr/pkg/etc/nsd/nsd_server.pem" server-cert-file: "/usr/pkg/etc/nsd/nsd_server.pem" # nsd-control key file. # control-key-file: "/usr/pkg/etc/nsd/nsd_control.key" control-key-file: "/usr/pkg/etc/nsd/nsd_control.key" # nsd-control certificate file. # control-cert-file: "/usr/pkg/etc/nsd/nsd_control.pem" control-cert-file: "/usr/pkg/etc/nsd/nsd_control.pem" # Secret keys for TSIGs that secure zone transfers. # You could include: "secret.keys" and put the 'key:' statements in there, # and give that file special access control permissions. # # key: # The key name is sent to the other party, it must be the same #name: "keyname" # algorithm hmac-md5, or hmac-sha1, or hmac-sha256 (if compiled in) #algorithm: hmac-sha256 # secret material, must be the same as the other party uses. # base64 encoded random number. # e.g. from dd if=/dev/random of=/dev/stdout count=1 bs=32 | base64 #secret: "K2tf3TRjvQkVCmJF3/Z9vA==" key: name: "key" algorithm: hmac-sha256 secret: "SECRETSTRING" # Patterns have zone configuration and they are shared by one or more zones. # # pattern: # name by which the pattern is referred to #name: "myzones" # the zonefile for the zones that use this pattern. # if relative then from the zonesdir (inside the chroot). # the name is processed: %s - zone name (as appears in zone:name). # %1 - first character of zone name, %2 second, %3 third. # %z - topleveldomain label of zone, %y, %x next labels in name. # if label or character does not exist you get a dot '.'. # for example "%s.zone" or "zones/%1/%2/%3/%s" or "secondary/%z/%s" #zonefile: "%s.zone" # If no master and slave access control elements are provided, # this zone will not be served to/from other servers. # A master zone needs notify: and provide-xfr: lists. A slave # may also allow zone transfer (for debug or other secondaries). # notify these slaves when the master zone changes, address TSIG|NOKEY # IP can be ipv4 and ipv6, with @port for a nondefault port number. #notify: 192.0.2.1 NOKEY # allow these IPs and TSIG to transfer zones, addr TSIG|NOKEY|BLOCKED # address range 192.0.2.0/24, 1.2.3.4&255.255.0.0, 3.0.2.20-3.0.2.40 #provide-xfr: 192.0.2.0/24 my_tsig_key_name # set the number of retries for notify. #notify-retry: 5 # uncomment to provide AXFR to all the world # provide-xfr: 0.0.0.0/0 NOKEY # provide-xfr: ::0/0 NOKEY # A slave zone needs allow-notify: and request-xfr: lists. #allow-notify: 2001:db8::0/64 my_tsig_key_name # By default, a slave will request a zone transfer with IXFR/TCP. # If you want to make use of IXFR/UDP use: UDP addr tsigkey # for a master that only speaks AXFR (like NSD) use AXFR addr tsigkey #request-xfr: 192.0.2.2 the_tsig_key_name # Attention: You cannot use UDP and AXFR together. AXFR is always over # TCP. If you use UDP, we higly recommend you to deploy TSIG. # Allow AXFR fallback if the master does not support IXFR. Default # is yes. #allow-axfr-fallback: yes # set local interface for sending zone transfer requests. # default is let the OS choose. #outgoing-interface: 10.0.0.10 # if compiled with --enable-zone-stats, give name of stat block for # this zone (or group of zones). Output from nsd-control stats. # zonestats: "%s" # if you give another pattern name here, at this point the settings # from that pattern are inserted into this one (as if it were a # macro). The statement can be given in between other statements, # because the order of access control elements can make a difference # (which master to request from first, which slave to notify first). #include-pattern: "common-masters" # Fixed zone entries. Here you can config zones that cannot be deleted. # Zones that are dynamically added and deleted are put in the zonelist file. # # zone: # name: "example.com" # you can give a pattern here, all the settings from that pattern # are then inserted at this point # include-pattern: "master" # You can also specify (additional) options directly for this zone. # zonefile: "example.com.zone" # request-xfr: 192.0.2.1 example.com.key zone: name: zzz.zzz zonefile: onodera.net.zone notify: yyy.yyy.yyy.yyy key notify-retry: 5 provide-xfr: yyy.yyy.yyy.yyy key outgoing-interface: xxx.xxx.xxx.xxx
# This is a sample of a minimal configuration file for Knot DNS. # See knot.conf(5) or refer to the server documentation. key: - id: key algorithm: hmac-sha256 secret: SECRETSTRING server: rundir: "/var/run/knot" user: root:wheel listen: [ 0.0.0.0@53, ::@53 ] log: - target: syslog any: info remote: # - id: slave # address: 192.168.1.1@53 # - id: master key: key address: xxx.xxx.xxx.xxx@53 acl: # - id: acl_slave # address: 192.168.1.1 # action: transfer - id: acl_master address: xxx.xxx.xx key: key action: notify template: - id: default storage: "/usr/pkg/etc/knot" file: "%s.zone" zone: # # Master zone # - domain: example.com # notify: slave # acl: acl_slave # Slave zone - domain: zzz.zzz master: master acl: acl_master
nsd-config notify
でスレイブに反映できる。force_transfer
なのかと思ったが、notify
でないといけなかった。