summaryrefslogtreecommitdiff
path: root/usr.sbin/nsd
diff options
context:
space:
mode:
authorFlorian Obser <florian@cvs.openbsd.org>2022-06-30 08:21:38 +0000
committerFlorian Obser <florian@cvs.openbsd.org>2022-06-30 08:21:38 +0000
commitfcf20baf2458d38b1a2c92ff1272b84e452fbd54 (patch)
tree9ede7c38b6c07ef7787186bd8041085d9b75fd58 /usr.sbin/nsd
parent5865c7adc8c66ac5ec81789f82346edd9d5ddfcf (diff)
Track doc/README, makes merging new releases easier.
OK sthen
Diffstat (limited to 'usr.sbin/nsd')
-rw-r--r--usr.sbin/nsd/doc/README833
1 files changed, 833 insertions, 0 deletions
diff --git a/usr.sbin/nsd/doc/README b/usr.sbin/nsd/doc/README
new file mode 100644
index 00000000000..65218cb4f3f
--- /dev/null
+++ b/usr.sbin/nsd/doc/README
@@ -0,0 +1,833 @@
+1.0 Introduction
+1.1 ... Basic theory of operation
+1.2 ... Quick build & install
+2.0 Building nsd
+2.1 ... Unpacking the source
+2.2 ... Configuring NSD
+2.3 ... Building
+2.4 ... Installing
+3.0 Running NSD
+3.1 ... Logging
+3.2 ... AXFR access
+3.3 ... Using TSIG
+3.4 ... Zone expiry of secondary zones
+3.5 ... Diagnosing NSD log entries
+3.6 ... Interfaces
+3.7 ... Tuning
+4.0 Support and Feedback
+4.1 ... Your Support
+
+
+1.0 Introduction
+
+This is NSD Name Server Daemon (NSD) version 4.5.0.
+
+The NLnet Labs Name Server Daemon (NSD) is an authoritative RFC compliant
+DNS nameserver. It was first conceived to allow for more genetic
+diversity for DNS server implementations used by the root-server system
+and it has been developed for operations in environments where speed,
+reliability, stability, and security are of high importance. NSD is
+currently used on root servers such as k.root-servers.net and is also in
+use by several top-level domain registries.
+
+NSD is a complete implementation of an authoritative DNS name server.
+For further information about what NSD is and what NSD is not please
+consult the REQUIREMENTS document which is a part of this distribution.
+
+If you are a BIND user (the named daemon) consult NSD_FOR_BIND_USERS.
+
+The source code is available for download from:
+
+ http://www.nlnetlabs.nl/downloads
+
+
+1.1 Basic Theory of Operation
+
+NSD consists of two programs: the zone compiler 'zonec' and the name
+server 'nsd' itself. The name server works with an intermediate
+database prepared by the zone compiler from standard zone files.
+
+For NSD operation this means that zones have to be compiled by zonec
+before NSD can use them.
+
+All this can be controlled via rc.d (SIGTERM, SIGHUP) or nsd-control,
+and uses a simple configuration file 'nsd.conf'.
+
+
+1.2 Quick build and install
+
+Step 1: Unpack the source with gtar -xzvf nsd-4.5.0.tar.gz
+
+Step 2: Create user nsd or any other unprivileged user of your
+ choice. In case of later make sure to use
+ --with-user=<username> while running configure.
+ You can also set "username: <name>" in the nsd.conf file later.
+ Install openssl and libevent.
+
+Step 3: ./configure
+
+Step 4: make all (or simply 'make').
+
+Step 5: make install
+
+Step 6: Create and edit /etc/nsd/nsd.conf file possibly from
+ nsd.conf.sample template that comes with the distribution.
+ (installed by default at /etc/nsd/nsd.conf.sample)
+ Here you need to configure the zones you want to serve.
+ TSIG keys used for secure zone transfers must be included.
+ Also server parameters can be set, see nsd.conf(5) man page.
+
+ If you have a NSD 2 nsd.zones config file take a look at the
+ python script contrib/nsd.zones2nsd.conf, it will convert
+ zone and TSIG key settings for you.
+
+Step 7: Copy necessary master zone files into appropriate directories
+ under /etc/nsd/primary & /etc/nsd/secondary.
+
+Step 8: Run nsd-control start
+
+Step 9: Test the NSD with dig, drill or host.
+
+Step 10: If you're happy add a rc.d script to start into your OS boot up
+ sequence. The format of the rc.d startup script depends on
+ the platform. Also stop it in the shutdown sequence.
+ You can use SIGTERM to stop, or nsd-control stop.
+
+Step 11: If desired add 'nsd-control write' to your superuser crontab to
+ update the zone files with the content transferred from master
+ servers periodically, such as once per day.
+
+ Got any problems or questions with the steps above? Read the
+ rest of this file.
+
+
+
+2.0 Building NSD
+
+
+2.1 Unpacking the source
+
+Use your favorite combination of tar and gnu zip to unpack the source,
+for example
+
+$ gtar -xzvf nsd-4.5.0.tar.gz
+
+will unpack the source into the ./nsd-4.5.0 directory...
+
+
+2.2 Configuring NSD
+
+NSD can be configured using GNU autoconf's configure script. In
+addition to standard configure options, one may use the following:
+
+ CC=compiler
+
+ Specify the C compiler. The default is gcc or cc. The
+ compiler must support ANSI C89.
+
+ CPPFLAGS=flags
+
+ Specify the C preprocessor flags. Such as -I<includedir>.
+
+ CFLAGS=flags
+
+ Specify the C compiler flags. These include code generation,
+ optimization, warning, and debugging flags. These flags are
+ also passed to the linker.
+
+ The default for gcc is "-g -O2".
+
+ LD=linker
+
+ Specify the linker (defaults to the C compiler).
+
+ LDFLAGS=flags
+
+ Specify linker flags.
+
+ LIBS=libs
+
+ Specify additional libraries to link with.
+
+ --enable-root-server
+
+ Configure NSD as a root server. Unless this option is
+ specified, NSD will refuse to serve the ``.'' zone as a
+ misconfiguration safeguard.
+
+ --disable-ipv6
+
+ Disables IPv6 support in NSD.
+
+ --enable-checking
+
+ Enable some internal development checks. Useful if you want
+ to modify NSD. This option enables the standard C "assert" macro
+ and compiler warnings.
+
+ This will instruct NSD to be stricter when validating its input.
+ This could lead to a reduced service level.
+
+ --enable-bind8-stats
+
+ Enables BIND8-like statistics.
+
+ --enable-ratelimit
+
+ Enables ratelimiting, based on query name, type and source.
+
+ --enable-draft-rrtypes
+
+ Enables draft RRtypes.
+
+ --with-configdir=dir
+
+ Specified, NSD configuration directory, default /etc/nsd
+
+ --with-nsd_conf_file=path
+
+ Pathname to the NSD configuration file, default /etc/nsd/nsd.conf
+
+ --with-pidfile=path
+
+ Pathname to the NSD pidfile, default is platform specific,
+ mostly /var/run/nsd.pid
+
+ --with-dbfile=path
+
+ Pathname to the NSD database, default is /etc/nsd/nsd.db
+
+ --with-zonesdir=dir
+
+ NSD default location for master zone files, default /etc/nsd/
+
+ --with-user=username
+
+ User name or ID to answer the queries with, default is nsd
+
+ --with-facility=facility
+
+ Specify the syslog facility to use. The default is
+ LOG_DAEMON. See the syslog(3) manual page for the available
+ facilities.
+
+ --with-libevent=path
+
+ Specity the location of the libevent library (or libev).
+ --with-libevent=no uses a builtin portable implementation (select()).
+
+ --with-ssl=path
+
+ Specify the location of the OpenSSL libraries. OpenSSL 0.9.7
+ or higher is required for TSIG support.
+
+ --with-start_priority=number
+
+ Startup priority for NSD.
+
+ --with-kill_priority=number
+
+ Shutdown priority for NSD.
+
+ --with-tcp-timeout=number
+
+ Set the default TCP timeout (in seconds). Default 120 seconds.
+
+ --disable-nsec3
+
+ Disable NSEC3 support. With NSEC3 support enabled, very large zones,
+ also non-nsec3 zones, use about 20% more memory.
+
+ --disable-minimal-responses
+
+ Disable minimal responses. If disabled, responses are more likely
+ to get truncated, resulting in TCP fallback. When enabled (by default)
+ NSD will leave out RRsets to make responses fit inside one datagram,
+ but for shorter responses the full normal response is carried.
+
+ --disable-largefile
+
+ Disable large file support (64 bit file lengths). Makes off_t
+ a 32bit length during compilation.
+
+
+2.3 Building
+
+Use ``make'' to create NSD and support tools. If you get errors, try to
+use ``gmake'' (gnu version of make), especially on old systems. If so,
+do a `gmake realclean` first, to remove stuff that the make call messed up.
+
+
+2.4 Installing
+
+Become a superuser (if necessary) and type ``make install''
+
+This step should install four binaries
+
+nsd - the daemon itself
+nsd-control-setup - a shell script that creates keys for nsd-control.
+nsd-control - program that connects over SSL to nsd and gives commands.
+nsd-checkconf - simple C program to check nsd.conf before use.
+
+Plus the manual pages and a sample configuration file.
+
+
+3.0 Running NSD
+
+Before running NSD you need to create a configuration file for it.
+The config file contains server settings, secret keys and zone settings.
+
+The server settings start with a line with the keyword 'server:'.
+In the server settings set 'database: <file>' with the filename of the name
+database that NSD will use. Set 'chroot: <dir>' to run nsd in a chroot-jail.
+Make sure the zone files, database file, xfrdfile, difffile and pidfile
+can be accessed from the chroot-jail. Set 'username: <user>' to an
+unprivileged user, for security.
+
+For example:
+ # This is a sample configuration
+ server:
+ database: "/etc/nsd/nsd.db"
+ pidfile: "/etc/nsd/nsd.pid"
+ chroot: "/etc/nsd/"
+ username: nsd
+
+After the global server settings to need to make entries for the
+zones that you wish to serve. For each zone you need to list the zone
+name, the file name with the zone contents, and access control lists.
+
+ zone:
+ name: "example.com"
+ zonefile: "example.com.zone"
+
+The zonefile needs to be filled with the correct zone information
+for master zones. For secondary zones an empty file will suffice,
+a zone transfer will be initiated to obtain the slave zone contents.
+
+Access control lists are needed for zone transfer and notifications.
+
+For a slave zone list the masters, by IP address. Below is an example
+of a slave zone with two master servers. If a master only supports AXFR
+transfers and not IXFR transfers (like NSD), specify the master as
+"request-xfr: AXFR <ip_address> <key>". By default, all zone transfer requests
+are made over TCP. If you want the IXFR request be transmitted over UDP, use
+"request-xfr: UDP <ip address> <key>".
+
+ zone:
+ name: "example.com"
+ zonefile: "example.com.zone"
+ allow-notify: 168.192.185.33 NOKEY
+ request-xfr: 168.192.185.33 NOKEY
+ allow-notify: 168.192.199.2 NOKEY
+ request-xfr: 168.192.199.2 NOKEY
+
+By default, a slave will fallback to AXFR requests if the master told us it does
+not support IXFR. You can configure the slave not to do AXFR fallback with:
+
+ allow-axfr-fallback: "no"
+
+For a master zone, list the slave servers, by IP address or subnet.
+Below is an example of a master zone with two slave servers.
+
+ zone:
+ name: "example.com"
+ zonefile: "example.com.zone"
+ notify: 168.192.133.75 NOKEY
+ provide-xfr: 168.192.133.75 NOKEY
+ notify: 168.192.5.44 NOKEY
+ provide-xfr: 168.192.5.44 NOKEY
+
+You also can set the outgoing interface for notifies and zone transfer requests
+to satisfy access control lists at the other end:
+
+ outgoing-interface: 168.192.5.69
+
+By default, NSD will retry a notify up to 5 times. You can override that
+value with:
+
+ notify-retry: 5
+
+Zone transfers can be secured with TSIG keys, replace NOKEY with
+the name of the tsig key to use. See section 3.3.
+
+Since NSD is written to be run on the root name servers, the config file
+can to contain something like:
+
+ zone:
+ name: "."
+ zonefile: "root.zone"
+ provide-xfr: 0.0.0.0/0 NOKEY # allow axfr for everyone.
+ provide-xfr: ::0/0 NOKEY
+
+You should only do that if you're intending to run a root server, NSD
+is not suited for running a . cache. Therefore if you choose to serve
+the . zone you have to make sure that the complete root zone is
+timely and fully updated.
+
+To prevent misconfiguration, NSD configure has the --enable-root-server
+switch, that is by default disabled.
+
+In the config file, you can use patterns. A pattern can have the
+same configuration statements that a zone can have. And then you can
+include-pattern: <name-of-pattern> in a zone (or in another pattern)
+to apply those settings. This can be used to organise the settings.
+
+The nsd-control tool is also controlled from the nsd.conf config file.
+It uses SSL encrypted transport to 127.0.0.1, and if you want to use it
+you have to setup the keys and also edit the config file. You can leave
+the remote-control disabled (the secure default), or opt to turn it on:
+
+ # generate keys
+ nsd-control-setup
+
+ # edit nsd.conf to add this
+ remote-control:
+ control-enable: yes
+
+By default nsd-control is limited to localhost, as well as encrypted, but
+some people may want to remotely administer their nameserver. What you
+then do is setup nsd-control to listen to the public IP address, with
+control-interface: <IP> after the control-enable statement. Furthermore,
+you copy the key files /etc/nsd/nsd_server.pem /etc/nsd/nsd_control.*
+to a remote host on the internet; on that host you can run nsd-control
+with -c <special config file> which references same IP address
+control-interface and references the copies of the key files with
+server-cert-file, control-key-file and control-cert-file config lines
+after the control-enable statement. The nsd-server authenticates the
+nsd-control client, and also the nsd-control client authenticates the
+nsd-server.
+
+When you are done with the configuration file, check the syntax using
+
+ nsd-checkconf <name of configfile>
+
+The zone files are read by the daemon, which builds 'nsd.db' with their
+contents. You can start the daemon with
+
+ nsd
+ or with "nsd-control start" (which execs nsd again).
+ or with nsd -c <name of configfile>
+
+To check if the daemon is running look with ps, top, or if you enabled
+nsd-control,
+
+ nsd-control status
+
+To reload changed zone files after you edited them, without stopping
+the daemon, use this to check if files are modified:
+
+ kill -HUP `cat <name of nsd pidfile>`
+
+If you enabled nsd-control, you can reread with
+
+ nsd-control reload
+
+With nsd-control you can also reread the config file (new zones, ..)
+
+ nsd-control reconfig
+
+To restart the daemon
+
+ /etc/rc.d/nsd restart # or your system(d) equivalent
+
+To shut it down (for example on the system shutdown) do
+
+ kill -TERM <pid of nsd>
+ or nsd-control stop
+
+NSD will automatically keep track of secondary zones and update them
+when needed. When primary zones are updated and reloaded notifications
+are sent to slave servers.
+
+The zone transfers are applied to nsd.db by the daemon. To write changed
+contents of the zone files for slave zones to disk in the text-based zone
+file format, issue nsd-control write.
+
+NSD will send notifications to slave zones if a master zone is updated.
+NSD will check for updates at master servers periodically and transfer
+the updated zone by AXFR/IXFR and reload the new zone contents. If
+you wish exert manual control use nsd-control notify, transfer and
+force_transfer commands. The transfer command will check for new versions
+of the secondary zones hosted by this NSD. The notify command will send
+notifications to the slave servers configured in 'notify:' statements.
+
+
+3.1 Logging
+
+NSD doesn't do any logging. We believe that logging is a separate task
+and has to be done independently from the core operation.
+
+This consciously is not part of nsd itself in order to keep nsd
+focused and minimize its complexity. It is better to leave logging and
+tracing to separate dedicated tools. dnsstat can also easily be
+configured and/or modified to suit local statistics requirements
+without any danger of affecting the name server itself. We have run
+dnsstat on the same machine as nsd, we would recommend using a
+multiprocessor if performance is an issue. Of course it can also run
+on a separate machine that has MAC layer access to the network of the
+server.
+
+The nsd-control tool can output some statistics, with nsd-control stats
+and nsd-control stats_noreset. In contrib/nsd_munin_ there is a munin
+grapher plugin that uses it. The output of nsd-control stats is easy
+to read (text only) with scripts. The output values are documented on
+the nsd-control man page.
+
+The CAIDA dnsstat tool referenced is recommended to nsd operators as a
+means of keeping statistics and check on abnormal query loads.
+
+ http://www.caida.org/tools/utilities/dnsstat/dnsstat-3.5.1a.tar.gz
+
+Another tool is the dnstop, that displays DNS statistics on your network.
+
+ http://dns.measurement-factory.com/tools/dnstop/src/dnstop-20060517.tar.gz
+
+A sample invocation of dnsstat:
+
+/usr/local/Coral/bin/crl_dnsstat -D -Ci=60 -Cd=240 -C'filter dst 10.1.1.3' -h -u if:fxp1
+
+A sample output of a slightly modified version:
+
+# dnsstat output version: 0.2 "dfk"
+
+# begin trace interval at 1025267664.859043, duration 15.000000
+# DNS messages: 74973 (4998.200000/s); DNS queries: 151983 (10132.200000/s)
+# print threshold: 30 messages/sec
+
+#src op type class queries msgs rd notes
+ 208.18.162.10 - - - 533 533 0
+ " 0 MX IN 6
+ " 0 A IN 264
+ " 0 ANY IN 263
+ 209.11.18.248 - - - 661 661 0
+ " 0 A IN 655
+ " 0 MX IN 6
+ 210.117.65.137 - - - 745 745 0
+ " 0 A IN 745
+ 216.54.221.131 - - - 477 477 0
+ " 0 A IN 477
+ 193.97.205.80 - - - 681 681 0
+ " 0 A IN 3
+ " 0 ANY IN 678
+ 168.30.240.11 - - - 685 685 0
+ " 0 A IN 405
+ " 0 MX IN 280
+ 210.94.6.67 - - - 742 742 0
+ " 0 A IN 742
+ 63.66.68.237 - - - 1375 1375 0
+ " 0 A IN 1375
+ 168.30.240.12 - - - 493 493 0
+ " 0 A IN 493
+ 139.142.205.225 - - - 5579 5579 0
+ " 0 A IN 3006
+ " 0 MX IN 2573
+ 210.117.65.2 - - - 700 700 0
+ " 0 A IN 700
+# end trace interval
+
+
+3.2 AXFR access
+
+The access list for AXFR should be set with provide-xfr:
+in the nsd config file. This is per zone. See nsd.conf(5).
+For example to grant zone 'example.com' AXFR right to localhost for
+IPv4 and IPv6, use the below config options.
+
+zone:
+ name: "example.com"
+ provide-xfr: 127.0.0.1 NOKEY
+ provide-xfr: ::1 NOKEY
+
+You can use dig @localhost example.com axfr to test this.
+
+
+3.3 Using TSIG
+
+NSD supports TSIG for any query to the server, for zone transfer
+and for notify sending and receiving.
+
+TSIG keys are based on shared secrets. These must be configured
+in the config file. To keep the secret in a separate file use
+include: "filename" to include that file.
+
+An example tsig key named sec1_key.
+
+ key:
+ name: "sec1_key"
+ algorithm: hmac-md5
+ secret: "6KM6qiKfwfEpamEq72HQdA=="
+
+This key can then be used for any query to the NSD server. NSD
+will check if the signature is valid, and if so, return a signed
+answer. Unsigned queries will be given unsigned replies.
+
+The key can be used to restrict the access control lists, for
+example to only allow zone transfer with the key, by listing
+the key name on the access control line.
+
+ # provides AXFR to the subnet when TSIG is used.
+ provide-xfr: 10.11.12.0/24 sec1_key
+ # allow only notifications that are signed
+ allow-notify: 192.168.0.0/16 sec1_key
+
+If the TSIG key name is used in notify or request-xfr lines,
+the key is used to sign the request/notification messages.
+
+
+3.4 Zone expiry of secondary zones
+
+NSD will keep track of the status of secondary zones, according to the
+timing values in the SOA record for the zone. When the refresh time of a
+zone is reached, the serial number is checked and a zone transfer is
+started if the zone has changed. Each master server is tried in turn.
+
+Master zones cannot expire. They are always served. Zones are master
+zones if they have no 'request-xfr:' statements in the config file.
+
+After the expire timeout (from the SOA record at the zone apex) is reached,
+the zone becomes expired. NSD will return SERVFAIL for expired zones,
+and will attempt to perform a zone transfer from any of the masters.
+After a zone transfer succeeds, or if the master indicates that the SOA
+serial number is still the same, the zone will be OK again.
+
+In contrast with e.g. BIND, the inception time for a slave zone is stored
+on disk (in the xfrdfile: "xfrd.state"), together with timeouts. If a
+slave zone acquisition time is recent enough, this means that NSD can start
+serving a zone immediately on loading, without querying the master server.
+
+If your slave zone has expired, and no masters can be reached, but you
+still want NSD to serve the zone. (i.e. ''My network is in shambles, but
+serve the zone dangit!''). You can delete the file 'xfrd.state',
+but leave the zonefile for the zone intact. Make sure to stop nsd before
+you delete the file, as NSD writes it on exit. Upon loading NSD will treat
+the zonefile that you as operator have provided as recent and will serve
+the zone. Even though NSD will start to serve the zone immediately,
+the zone will expire after the timeout is reached again. NSD will also
+attempt to confirm that you have provided the correct data by polling
+the masters. So when the master servers come back up, it will transfer
+the updated zone within <retry timeout from SOA> seconds.
+
+In general it is possible to provide zone files for both master and
+slave zones manually (say from email or rsync). Reload with SIGHUP
+or nsd-control reload to read the new zonefile contents into the name
+database. When this is done the new zone will be served. For master
+zones, NSD will issue notifications to all configured 'notify:' targets.
+For slave zones the above happens; NSD attempts to validate the zone
+from the master (checking its SOA serial number).
+
+
+3.5 Diagnosing NSD log entries
+
+NSD will print log messages to the system log (or 'logfile:' configuration
+entry). Some of these messages are discussed below. These messages can
+get extra support if errors happen.
+
+- "Reload process <pid> failed with status <s>, continuing with old database"
+
+This log message indicates the reload process of NSD has failed for
+some reason. The reason can be anything from a missing database file
+to internal errors. If this happens often, please let us know, this
+error message can be caught in the code, and appropriate action could
+be taken. We are as of yet not sure what action is appropriate, if any.
+
+- "snipping off trailing partial part of <ixfr.db>"
+
+Please let us know if, and how often, this happens.
+
+What happens is the file ixfr.db contains only part of expected data.
+The corruption is removed by snipping off the trailing part.
+
+- "memory recyclebin holds <num> bytes"
+
+This is printed for every reload. NSD allocates and deallocates memory
+to service IXFR updates. The recyclebin holds deallocated memory ready
+for future use. If the number grows too large, a restart resets it.
+
+- "xfrd: max number of tcp connections (32) reached."
+
+This line is printed when more than 32 zones need a zone transfer at the
+same time. The value is a compile constant (xfrd-tcp.h), but if this
+happens often for you, we could make this a config option. NSD will reuse
+existing TCP connections to the same master (determined by IP address)
+to transfer up to 64k zones from that master. Thus this error should
+only happen with more than 32 masters or more than 64*32=2M zones that
+need to be updated at the same time.
+
+If this happens, more zones have to wait until a zone transfer completes
+(or is aborted) before they can have a zone transfer too. This waiting
+list has no size limit.
+
+- "error: <zone> NSEC3PARAM entry <num> has unknown hash algo <number>"
+
+This error means that the zone has NSEC3 chain(s) with hash algorithms
+that are not supported by this version of NSD, and thus cannot be served
+by NSD. If there are also no NSECs or NSEC3 chain(s) with known hash
+algorithms, NSD will not be able to serve DNSSEC authenticated denials
+for the zone.
+
+
+3.6 Interfaces
+
+NSD will by default bind itself to the system default interface and
+service ip4 and if available also ip6. It is possible to service only ip4
+or ip6 using the -4, -6 commandline options, or the ip4-only and ip6-only
+config file options.
+
+The commandline option -a and config file option ip-address can be given
+to bind to specific interfaces. Multiple interfaces can be specified.
+This is useful for two reasons:
+ o The specific interface bound will result in the OS bypassing
+ routing tables for the interface selection. This results in
+ a small performance gain. It is not the performance gain that
+ is the problem, sometimes the routing tables can give the
+ wrong answer, see the next point.
+ o The answer will be routed via the interface the query came from.
+ This makes sure that the return address on the DNS replies is the
+ same as the query was sent to. Many resolvers require the source
+ address of the replies to be correct. The ip-address: option is
+ easier than configuring the OS routing table to return the DNS
+ replies via the correct interface.
+The above means that even for systems with multiple interfaces where you
+intend to provide DNS service to all interfaces, it is prudent to specify
+all the interfaces as ip-address config file options.
+
+With the config file option ip-transparent you can allow NSD to bind to
+non local addresses.
+
+
+3.7 Tuning
+
+NSD is performant by design and most users will have little need for tuning
+it. For setups that do require every ounce of performance, NSD offers a number
+of configuration options.
+
+
+cpu-affinity, server-<N>-cpu-affinity and xfrd-cpu-affinity
+
+Modern computer systems have many cores available. By default the operating
+system's scheduling-algorithm determines which core a given task is allocated
+to. Processors build up state, like keeping frequently accessed data in cache
+memory, for the task (process/thread) that it is currently running. Whenever,
+a task switches cores, performance is degraded because the core it switched
+to has yet to build up said state. The cpu-affinity configuration options can
+be used to bind NSD to one or more cores.
+
+cpu-affinity can be used to designate a set of cores onto which NSD processes
+are scheduled. server-<N>-cpu-affinity and xfrd-cpu-affinity can be used to
+designate a specific core to each individual process. This improves L1/L2
+cache hits and reduces pipeline stalls/flushes.
+
+For example, a name server configured to fork two NSD servers that must run on
+dedicated cores 0 and 2, while the transfer daemon (xfrd) must run on core 1,
+the configuration becomes.
+
+ server:
+ server-count: 2
+ cpu-affinity: 0 1 2
+ server-1-cpu-affinity: 0
+ server-2-cpu-affinity: 2
+ xfrd-cpu-affinity: 1
+
+
+ip-address: x.x.x.x servers=<N>
+
+ip-address options can be configured per (set of) server(s). Sockets that are
+configured for a specific server are closed by other servers on startup. This
+improves select/poll performance and avoids waking up multiple servers when a
+packet comes in.
+
+
+ip-address: x.x.x.x bindtodevice=yes
+ip-address: x.x.x.x setfib=<N>
+
+The bindtodevice attribute on Linux and the setfib ip-address attribute on
+FreeBSD can be used to skip the interface selection process in the kernel. This
+improves performance, and ensures responses written to the socket are pushed
+out the same interface the corresponding query came in on when multiple
+interfaces are configured to listen on the same subnet.
+
+The aforementioned options all complement eachother and best performance is
+achieved by assigning a socket to a single server that runs on a dedicated
+core and line that up with a dedicated network interface. Network interface
+interrupts are best handled by a core not designated to any NSD servers.
+
+ server:
+ server-count: 3
+ cpu-affinity: 0 1 2 4
+ server-1-cpu-affinity: 0
+ server-2-cpu-affinity: 1
+ server-3-cpu-affinity: 2
+ xfrd-cpu-affinity: 4
+ ip-address: 1.2.3.11 servers=1 setfib=1 bindtodevice=yes
+ ip-address: 1.2.3.12 servers=2 setfib=2 bindtodevice=yes
+ ip-address: 1.2.3.13 servers=3 setfib=3 bindtodevice=yes
+
+The number of NSD servers to fork and which cores are best used depends
+entirely on the hardware. cpu-affinity options are supported on Linux and
+FreeBSD.
+
+
+4.0 Support and Feedback
+
+NLnet Labs is committed to support NSD and its other software products on
+a best effort basis, free of charge. This form of community support is
+offered through a mailing lists and the 'bugzilla' web interface.
+
+ http://www.nlnetlabs.nl/bugs/
+
+If for any reason NLnet Labs would stop community support of NSD such
+would be announced on our web pages at least two years in advance.
+
+The community mailing list nsd-users@nlnetlabs.nl can be used to discuss
+issues with other users of NSD. Subscribe here
+
+ http://lists.nlnetlabs.nl/mailman/listinfo/nsd-users
+
+NLnet Labs recognizes that in some corporate environments this commitment to
+community support is not sufficient and that support needs to be codified.
+We therefore offer paid support contracts that come in 3 varieties.
+
+More information about these support varieties can be found at
+ <url on support varieties on www.nlnetlabs.nl>
+
+Alternatively you can contact mailto:nsd-support@nlnetlabs.nl .
+
+Support goes two ways. By acquiring one of the support contracts you
+also support NLnet Labs to continue to participate in the development
+of the Internet architecture. We do this through our participation in
+the (IETF) standards process and by developing and maintaining
+reference implementations of standards and tools to support operation
+and deployment of new and existing Internet technology.
+
+We are interested in our users and in the environment you use NSD. Please
+drop us a mail when you use NSD. Indicate in what kind of operation you
+deploy NSD and let us know what your positive and negative experiences are.
+http://www.nlnetlabs.nl/nsd and mailto:nsd-info@nlnetlabs.nl
+
+
+4.1 Your Support
+
+NLnet Labs offers all of its software products as open source, most are
+published under a BSD license. You can download them, not only from the
+NLnet Labs website but also through the various OS distributions for
+which NSD, ldns, and Unbound are packaged. We therefore have little idea
+who uses our software in production environments and have no direct ties
+with 'our customers'.
+
+Therefore, we ask you to contact us at users@NLnetLabs.nl and tell us
+whether you use one of our products in your production environment,
+what that environment looks like, and maybe even share some praise.
+We would like to refer to the fact that your organization is using our
+products. We will only do that if you explicitly allow us. In all other
+cases we will keep the information you share with us to ourselves.
+
+In addition to the moral support you can also support us
+financially. NLnet Labs is a recognized not-for-profit charity foundation
+that is chartered to develop open-source software and open-standards
+for the Internet. If you use our software to satisfaction please express
+that by giving us a donation. For small donations PayPal can be used. For
+larger and regular donations please contact us at users@NLnetLabs.nl. Also
+see http://www.nlnetlabs.nl/labs/contributors/.
+
+
+$Id: README,v 1.3 2022/06/30 08:21:37 florian Exp $