NSD v3.2.4

1 files changed, 109 insertions, 212 deletions

diff --git a/usr.sbin/nsd/nsd.conf.sample.in b/usr.sbin/nsd/nsd.conf.sample.in
index e3d1ff70fd8..442031b96fb 100644
--- a/usr.sbin/nsd/nsd.conf.sample.in
+++ b/usr.sbin/nsd/nsd.conf.sample.in
@@ -1,96 +1,47 @@
 #
 # nsd.conf -- the NSD(8) configuration file, nsd.conf(5).
 #
-# Copyright (c) 2001-2011, NLnet Labs. All rights reserved.
+# Copyright (c) 2001-2006, NLnet Labs. All rights reserved.
 #
 # See LICENSE for the license.
 #
 
 # This is a comment.
 # Sample configuration file
-# include: "file" # include that file's text over here.  Globbed, "*.conf"
 
 # options for the nsd server
 server:
-	# Number of NSD servers to fork.  Put the number of CPUs to use here.
-	# server-count: 1
-
-	# uncomment to specify specific interfaces to bind (default are the
-	# wildcard interfaces 0.0.0.0 and ::0).
-	# For servers with multiple IP addresses, list them one by one,
-	# or the source address of replies could be wrong.
-	# Use ip-transparent to be able to list addresses that turn on later.
+	# uncomment to specify specific interfaces to bind (default all).
 	# ip-address: 1.2.3.4
-	# ip-address: 1.2.3.4@5678
 	# ip-address: 12fe::8ef0
 
-	# Allow binding to non local addresses. Default no.
-	# ip-transparent: no
-
-	# use the reuseport socket option for performance.
-	# The default is yes on linux, no for others.
-	# reuseport: no
+	# don't answer VERSION.BIND and VERSION.SERVER CHAOS class queries
+	# hide-version: no
 
 	# enable debug mode, does not fork daemon process into the background.
 	# debug-mode: no
 
-	# listen on IPv4 connections
-	# do-ip4: yes
-
-	# listen on IPv6 connections
-	# do-ip6: yes
-
-	# port to answer queries on. default is 53.
-	# port: 53
-
-	# Verbosity level.
-	# verbosity: 0
-
-	# After binding socket, drop user privileges.
-	# can be a username, id or id.gid.
-	# username: @user@
-
-	# Run NSD in a chroot-jail.
-	# make sure to have pidfile and database reachable from there.
-	# by default, no chroot-jail is used.
-	# chroot: "@configdir@"
+	# listen only on IPv4 connections
+	# ip4-only: no
 
-	# The directory for zonefile: files.  The daemon chdirs here.
-	# zonesdir: "@zonesdir@"
+	# listen only on IPv6 connections
+	# ip6-only: no
 	
-	# the list of dynamically added zones.
-	# zonelistfile: "@zonelistfile@"
-
 	# the database to use
-	# if set to "" then no disk-database is used, less memory usage.
 	# database: "@dbfile@"
 
-	# log messages to file. Default to stderr and syslog (with
-	# facility LOG_DAEMON).  stderr disappears when daemon goes to bg.
-	# logfile: "@logfile@"
-
-	# File to store pid for nsd in.
-	# pidfile: "@pidfile@"
-
-	# The file where secondary zone refresh and expire timeouts are kept.
-	# If you delete this file, all secondary zones are forced to be 
-	# 'refreshing' (as if nsd got a notify).  Set to "" to disable.
-	# xfrdfile: "@xfrdfile@"
-
-	# The directory where zone transfers are stored, in a subdir of it.
-	# xfrdir: "@xfrdir@"
-
-	# don't answer VERSION.BIND and VERSION.SERVER CHAOS class queries
-	# hide-version: no
-
 	# identify the server (CH TXT ID.SERVER entry).
 	# identity: "unidentified server"
 
-	# NSID identity (hex string, or "ascii_somestring"). default disabled.
-	# nsid: "aabbccdd"
+	# log messages to file. Default to stderr and syslog.
+	# logfile: "/var/log/nsd.log"
+
+	# Number of NSD servers to fork.
+	# server-count: 1
 
 	# Maximum number of concurrent TCP connections per server.
-	# tcp-count: 100
+	# This option should have a value below 1000.
+	# tcp-count: 10
 
 	# Maximum number of queries served on a single TCP connection.
 	# By default 0, which means no maximum.
@@ -105,179 +56,125 @@ server:
 	# Preferred EDNS buffer size for IPv6.
 	# ipv6-edns-size: 4096
 
-	# statistics are produced every number of seconds. Prints to log.
-	# Default is 0, meaning no statistics are produced.
-	# statistics: 3600
+	# File to store pid for nsd in.
+	# pidfile: "@pidfile@"
 
-	# Number of seconds between reloads triggered by xfrd.
-	# xfrd-reload-timeout: 1
-	
-	# log timestamp in ascii (y-m-d h:m:s.msec), yes is default.
-	# log-time-ascii: yes
+	# port to answer queries on. default is 53.
+	# port: 53
 
-	# round robin rotation of records in the answer.
-	# round-robin: no
+	# statistics are produced every number of seconds.
+	# statistics: 3600
 
-	# check mtime of all zone files on start and sighup
-	# zonefiles-check: yes
-	
-	# write changed zonefiles to disk, every N seconds.
-	# default is 0(disabled) or 3600(if database is "").
-	# zonefiles-write: 3600
+	# Run NSD in a chroot-jail.
+	# make sure to have pidfile and database reachable from there.
+	# by default, no chroot-jail is used.
+	# chroot: "@configdir@"
 
-	# RRLconfig
-	# Response Rate Limiting, size of the hashtable. Default 1000000.
-	# rrl-size: 1000000
+	# After binding socket, drop user privileges.
+	# can be a username, id or id.gid.
+	# username: @user@
+
+	# The directory for zonefile: files.
+	# zonesdir: "@zonesdir@"
 
-	# Response Rate Limiting, maximum QPS allowed (from one query source).
-	# Default 200. If set to 0, ratelimiting is disabled. Also set
-	# rrl-whitelist-ratelimit to 0 to disable ratelimit processing.
-	# rrl-ratelimit: 200
+	# The file where incoming zone transfers are stored.
+	# run nsd-patch to update zone files, then you can safely delete it.
+	# difffile: "@difffile@"
 
-	# Response Rate Limiting, number of packets to discard before
-	# sending a SLIP response (a truncated one, allowing an honest
-	# resolver to retry with TCP). Default is 2 (one half of the
-	# queries will receive a SLIP response, 0 disables SLIP (all
-	# packets are discarded), 1 means every request will get a
-	# SLIP response.
-	# rrl-slip: 2
+	# The file where secondary zone refresh and expire timeouts are kept.
+	# If you delete this file, all secondary zones are forced to be 
+	# 'refreshing' (as if nsd got a notify).
+	# xfrdfile: "@xfrdfile@"
 
-	# Response Rate Limiting, IPv4 prefix length. Addresses are
-	# grouped by netblock. 
-	# rrl-ipv4-prefix-length: 24
+	# Number of seconds between reloads triggered by xfrd.
+	# xfrd-reload-timeout: 10
 
-	# Response Rate Limiting, IPv6 prefix length. Addresses are
-	# grouped by netblock. 
-	# rrl-ipv6-prefix-length: 64
+	# Verbosity level.
+	# verbosity: 0
 
-	# Response Rate Limiting, maximum QPS allowed (from one query source)
-	# for whitelisted types. Default 2000.
-	# rrl-whitelist-ratelimit: 2000
-	# RRLend
+# key for zone 1
+key:
+	name: mskey
+	algorithm: hmac-md5
+	secret: "K2tf3TRjvQkVCmJF3/Z9vA=="
 
-# Remote control config section. 
-remote-control:
-	# Enable remote control with nsd-control(8) here.
-	# set up the keys and certificates with nsd-control-setup.
-	# control-enable: no
+# Sample zone 1
+zone:
+	name: "example.com"
+	zonefile: "example.com.zone"
 
-	# what interfaces are listened to for control, default is on localhost.
-	# control-interface: 127.0.0.1
-	# control-interface: ::1
+	# This is a slave zone. Masters are listed below.
 
-	# port number for remote control operations (uses TLS over TCP).
-	# control-port: 8952
+	# master 1
+	allow-notify: 168.192.44.42 mskey
+	request-xfr: 168.192.44.42 mskey
 
-	# nsd server key file for remote control.
-	# server-key-file: "@configdir@/nsd_server.key"
+	# set local interface for sending zone transfer requests.
+	outgoing-interface: 10.0.0.10
 
-	# nsd server certificate file for remote control.
-	# server-cert-file: "@configdir@/nsd_server.pem"
+	# master 2
+	allow-notify: 10.0.0.11 NOKEY
+	request-xfr: 10.0.0.11 NOKEY
 
-	# nsd-control key file.
-	# control-key-file: "@configdir@/nsd_control.key"
+	# By default, a slave will request a zone transfer with IXFR/TCP.
+	# If you want to make use of IXFR/UDP use
+	allow-notify: 10.0.0.12 NOKEY
+	request-xfr: UDP 10.0.0.12 NOKEY
 
-	# nsd-control certificate file.
-	# control-cert-file: "@configdir@/nsd_control.pem"
+	# for a master that only speaks AXFR (like NSD) use
+	allow-notify: 10.0.0.13 NOKEY
+	request-xfr: AXFR 10.0.0.13 NOKEY
 
+	# Attention: You cannot use UDP and AXFR together. AXFR is always over 
+	# TCP. If you use UDP, we higly recommend you to deploy TSIG.
 
-# Secret keys for TSIGs that secure zone transfers.
-# You could include: "secret.keys" and put the 'key:' statements in there,
-# and give that file special access control permissions.
-#
-# key:
-	# The key name is sent to the other party, it must be the same
-	#name: "keyname"
-	# algorithm hmac-md5, or hmac-sha1, or hmac-sha256 (if compiled in)
-	#algorithm: hmac-sha256
-	# secret material, must be the same as the other party uses.
-	# base64 encoded random number.
-	# e.g. from dd if=/dev/random of=/dev/stdout count=1 bs=32 | base64
-	#secret: "K2tf3TRjvQkVCmJF3/Z9vA=="
-
-
-# Patterns have zone configuration and they are shared by one or more zones.
-# 
-# pattern:
-	# name by which the pattern is referred to
-	#name: "myzones"
-	# the zonefile for the zones that use this pattern.
-	# if relative then from the zonesdir (inside the chroot).
-	# the name is processed: %s - zone name (as appears in zone:name).
-	# %1 - first character of zone name, %2 second, %3 third.
-	# %z - topleveldomain label of zone, %y, %x next labels in name.
-	# if label or character does not exist you get a dot '.'.
-	# for example "%s.zone" or "zones/%1/%2/%3/%s" or "secondary/%z/%s"
-	#zonefile: "%s.zone"
-	
-	# If no master and slave access control elements are provided,
-	# this zone will not be served to/from other servers.
-
-	# A master zone needs notify: and provide-xfr: lists.  A slave
-	# may also allow zone transfer (for debug or other secondaries).
-	# notify these slaves when the master zone changes, address TSIG|NOKEY
-	# IP can be ipv4 and ipv6, with @port for a nondefault port number.
-	#notify: 192.0.2.1 NOKEY
-	# allow these IPs and TSIG to transfer zones, addr TSIG|NOKEY|BLOCKED
-	# address range 192.0.2.0/24, 1.2.3.4&255.255.0.0, 3.0.2.20-3.0.2.40
-	#provide-xfr: 192.0.2.0/24 my_tsig_key_name
-	# set the number of retries for notify.
-	#notify-retry: 5
+	# Allow AXFR fallback if the master does not support IXFR. Default
+	# is yes.
+	allow-axfr-fallback: "yes"
 
 	# uncomment to provide AXFR to all the world
 	# provide-xfr: 0.0.0.0/0 NOKEY
 	# provide-xfr: ::0/0 NOKEY
 
-	# A slave zone needs allow-notify: and request-xfr: lists.
-	#allow-notify: 2001:db8::0/64 my_tsig_key_name
-	# By default, a slave will request a zone transfer with IXFR/TCP.
-	# If you want to make use of IXFR/UDP use: UDP addr tsigkey
-	# for a master that only speaks AXFR (like NSD) use AXFR addr tsigkey
-	#request-xfr: 192.0.2.2 the_tsig_key_name
-	# Attention: You cannot use UDP and AXFR together. AXFR is always over 
-	# TCP. If you use UDP, we higly recommend you to deploy TSIG.
-	# Allow AXFR fallback if the master does not support IXFR. Default
-	# is yes.
-	#allow-axfr-fallback: yes
-	# set local interface for sending zone transfer requests.
-	# default is let the OS choose.
-	#outgoing-interface: 10.0.0.10
+# Sample zone 2
+zone:
+	name: "example.net"
+	zonefile: "example.net.signed.zone"
 
-	# if compiled with --enable-zone-stats, give name of stat block for
-	# this zone (or group of zones).  Output from nsd-control stats.
-	# zonestats: "%s"
+	# This is a master zone. Slaves are listed below.
 
-	# if you give another pattern name here, at this point the settings
-	# from that pattern are inserted into this one (as if it were a 
-	# macro).  The statement can be given in between other statements,
-	# because the order of access control elements can make a difference
-	# (which master to request from first, which slave to notify first).
-	#include-pattern: "common-masters"
+	# secondary 1. Uses port 5300.
+	notify: 10.0.0.14@5300 sec1_key
+	provide-xfr: 10.0.0.14@5300 sec1_key
 
+	# set local interface for sending notifies
+	outgoing-interface: 10.0.0.15
 
-# Fixed zone entries.  Here you can config zones that cannot be deleted.
-# Zones that are dynamically added and deleted are put in the zonelist file.
-#
-# zone:
- 	# name: "example.com"
- 	# you can give a pattern here, all the settings from that pattern
- 	# are then inserted at this point
- 	# include-pattern: "master"
- 	# You can also specify (additional) options directly for this zone.
- 	# zonefile: "example.com.zone"
- 	# request-xfr: 192.0.2.1 example.com.key
-
-	# RRLconfig
-	# Response Rate Limiting, whitelist types
-	# rrl-whitelist: nxdomain
-	# rrl-whitelist: error
-	# rrl-whitelist: referral
-	# rrl-whitelist: any
-	# rrl-whitelist: rrsig
-	# rrl-whitelist: wildcard
-	# rrl-whitelist: nodata
-	# rrl-whitelist: dnskey
-	# rrl-whitelist: positive
-	# rrl-whitelist: all
-	# RRLend
+	# secondary 2. 
+	notify: 10.11.12.14 sec2_key
+	provide-xfr: 10.11.12.14 sec2_key
+
+	# also provide xfr to operator's network.
+	provide-xfr: 169.192.85.0/24 NOKEY
+	# uncomment to disable xfr for the address.
+	# provide-xfr: 169.192.85.66 BLOCKED
+
+	# set the number of retries for notify.
+	notify-retry: 5
+
+# keys for zone 2
+key:
+	name: "sec1_key"
+	algorithm: hmac-md5
+	secret: "6KM6qiKfwfEpamEq72HQdA=="
+
+key:
+	name: sec2_key
+	algorithm: hmac-sha1
+	secret: "m83H2x8R0zbDf3yRKhrqgw=="
+
+key:
+	name: sec3_key
+	algorithm: hmac-sha256
+	secret: "m83H2x8R0zbDf3yRKhrqgw=="