Cisco CNS Network Registrar User's Guide, 6.0
Configuring DNS Servers

Table Of Contents

Configuring DNS Servers

Configuring a Primary DNS Server

Adding a Primary Forward Zone

Creating the Zone

Adding Authoritative Name Servers for the Zone

Adding a Host Address for the Name Server

Confirming the Settings

Importing and Exporting Zone Data

Adding a Primary Reverse Zone for the Server

Configuring Secondary Servers for a Zone

Adding a Secondary Forward Zone for a Server

Adding a Secondary Reverse Zone for a Server

Configuring a Caching-Only Server

Setting Basic DNS Server Properties

Setting General Server Properties

Defining Forwarders for the Servers

Defining Root Name Servers

Adding a Root Name Server

Updating the Root Name Servers List

Specifying an Exception List

Adding an Exception

Editing and Removing an Exception

Setting DNS Server Options

Enabling Recursive Queries

Enabling Round-Robin

Hiding Subzones

Enabling Subnet Sorting

Enabling Incremental Zone Transfers (IXFR)

Enabling NOTIFY

Troubleshooting the DNS Server


Configuring DNS Servers


The Domain Name System (DNS) is a distributed database for objects in a computer network. By using a name server approach, the network consists of a hierarchy of autonomous domains and zones. The namespace is organized as a tree that often resembles the organizations that are responsible for the administration boundaries.

The basic function of DNS name servers is to provide data about network objects by answering queries. You can configure the Cisco CNS Network Registrar DNS server and zones by accepting the system defaults or changing them through the Web UI, CLI, and GUI.

This chapter assumes that you already installed your software by following the instructions in the Network Registrar Installation Guide. It describes the basics of configuring the Network Registrar DNS servers, and their primary and secondary zones. "Customizing DNS Zone and Server Parameters," describes how to set some of the more advanced zone and server properties.

Table 5-1 lists the topics and sections you need to configure Network Registrar DNS servers. The Network Registrar Web UI Guide explains how to use the Web-based interface to accomplish these tasks.

Table 5-1 DNS Configuration Topics

| If you want to... | See... |
|---|---|
| Know more about DNS before you start configuring your DNS server and zones | "Understanding Network Registrar Concepts" |
| Configure the primary name server for a zone | "Configuring a Primary DNS Server" section |
| Configure a secondary zone for the server | "Configuring Secondary Servers for a Zone" section |
| Configure a caching-only server | "Configuring a Caching-Only Server" section |
| Set the basic DNS server properties | "Setting Basic DNS Server Properties" section |
| Troubleshoot the DNS server | "Troubleshooting the DNS Server" section |


Configuring a Primary DNS Server

You do not need to create a loopback zone, because Network Registrar automatically creates one. A loopback zone is a reverse zone that a host uses to resolve its loopback address, 127.0.0.1, to localhost so that it can direct network traffic to itself. The reverse loopback zone is 127.in-addr.arpa. If you inadvertently delete the loopback zone, see "Restoring a Loopback Zone."

Adding a Primary Forward Zone

This section explains how to configure a primary name server with a primary forward zone. When you are done with this procedure, follow the procedure in the "Adding a Primary Reverse Zone for the Server" section to configure a reverse zone for each network that you use.

Creating the Zone

The first step in creating a forward zone is to give the zone a name and set its Start of Authority (SOA) resource record. The SOA record designates the top of the zone in the DNS inverted-tree namespace. A zone can have only one SOA record, which sets these primary zone properties:

SOA time to live (TTL)—soattl

Primary server name—ns

Hostmaster (person in charge) name—person

Serial number—serial

Secondary refresh time—refresh

Secondary retry time—retry

Secondary expire time—expire

Minimum TTL—minttl

For now, add only the serial number, primary server, and hostmaster data for the SOA record. (For details on the other SOA properties, see the "Setting the Zone's Start of Authority Properties" section.)

Enter the zone's name—The name should be in the domain name format.

Enter the zone's serial number—A primary DNS server uses a serial number to indicate when its database changes and uses any incrementing of this number to trigger a zone transfer to a secondary server. The serial number you can enter here is the suggested one only, and the DNS server does not always accept it. If you edit the serial number to be less than the actual serial number that the server maintains, the server logs a warning message and ignores the suggested serial number. You must reload the server for your change to take effect. The actual serial number always equals or is higher than the suggested one. You can get the actual serial number by using the zone name get serial command (listing or showing the zone attributes always returns the suggested serial number), or by refreshing the DNS Server Value for the zone Serial Number attribute in the Web UI. In the Web UI, you must explicitly enter this suggested serial number when creating a zone. In the CLI and GUI, the serial number defaults to 1.

Enter the zone's primary DNS server name—Enter either just the host name (such as exampleDNSserv1) or its fully qualified name (such as exampleDNSserv1.example.com., ending with a trailing dot). Use the fully qualified name if the primary name server is in a different zone. The primary DNS server becomes the ns value in the zone's SOA record. In the Web UI and GUI, you must also specify one or more authoritative name servers for the zone—these become the Name Server (NS) records for the zone. In the CLI, the primary DNS server automatically becomes the first NS record and also appears as the first entry in the nameservers attribute list.

Enter the zone hostmaster's (person in charge's) name and address as a slightly altered form of the e-mail address—Substitute a dot (.) for the "at" symbol (@), and end the address with a trailing dot (for example, enter hostmaster@example.com as hostmaster.example.com.). Escape any dot before the "@" in the original address with a backslash (\) (for example, enter hostmaster.marketing@example.com as hostmaster\.marketing.example.com.).
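The e-mail-to-person conversion just described, as an added example that is not Network Registrar code: dots in the local part are escaped with a backslash, the "@" becomes a dot and a trailing dot is appended; the inverse function shows that the escaping is what keeps an address like hostmaster.marketing recoverable.

```python
import re


def hostmaster_to_person(email: str) -> str:
    """Convert a hostmaster e-mail address into the SOA person (RNAME) form:
    every dot in the local part is escaped with a backslash, the '@' becomes
    a dot, and the result ends with a trailing dot."""
    local, at, domain = email.partition("@")
    if not at or not local or not domain:
        raise ValueError(f"not an e-mail address: {email!r}")
    escaped_local = local.replace(".", "\\.")
    return f"{escaped_local}.{domain.rstrip('.')}."


def person_to_hostmaster(person: str) -> str:
    """Inverse conversion: the first dot that is not escaped by a backslash
    separates the local part from the domain."""
    m = re.search(r"(?<!\\)\.", person)
    if m is None:
        raise ValueError(f"no unescaped dot in {person!r}")
    local = person[: m.start()].replace("\\.", ".")
    domain = person[m.end():].rstrip(".")
    return f"{local}@{domain}"


# Constructed sample addresses, taken from the two examples in the text.
SAMPLES = {
    "hostmaster@example.com": "hostmaster.example.com.",
    "hostmaster.marketing@example.com": "hostmaster\\.marketing.example.com.",
}

if __name__ == "__main__":
    for email, person in SAMPLES.items():
        assert hostmaster_to_person(email) == person
        assert person_to_hostmaster(person) == email
        print(f"{email} -> {person}")
```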

Using the Web UI


Step 1 On the Primary Navigation bar, click the Zone tab.

Step 2 On the Secondary Navigation bar, click the Zones tab.

Step 3 On the List/Add Zones page, enter the name of the zone in the Name field. You can also select a predefined owner and a template, if available, from the drop-down lists. If you create a zone without a template, this opens the Add Zone page. If you create a zone with a template, the primary name server and hostmaster were already defined (see the Network Registrar Web UI Guide for how to create a zone owner and template).

Step 4 Click Add Zone.

Step 5 If you are on the Add Zone page, you can change the zone name, reselect the owner name, and select a zone distribution to set a primary and secondary zone relationship (see the Network Registrar Web UI Guide for details).

Step 6 In the Serial Number field, enter the zone's suggested serial number. In most cases, the value is 1.

Step 7 You can leave the SOA TTL value undefined. This time-to-live affects the SOA record only, if set. If undefined, it adopts the Zone Default TTL value. The SOA TTL is an advanced function, described in the "Setting the Zone's Start of Authority Properties" section.

Step 8 In the Nameserver field, enter the primary DNS server name, as its host name or fully qualified, if the server is in another zone.

Step 9 In the Contact E-Mail field, enter the hostmaster name, in the form described earlier in this section.

Step 10 You can leave the other SOA attributes at their defaulted values. If you want to change them, see the "Setting the Zone's Start of Authority Properties" section.

Step 11 Before you can finish creating the zone, you must also add one or more authoritative name servers. See the "Adding Authoritative Name Servers for the Zone" section.


Using the CLI

Use the zone name create primary command to create a primary zone. (Note that you can import a zone file by using another command—see the "Importing and Exporting Zone Data" section.)

The minimum you have to specify to create a primary zone using the CLI is to give it a name, identify it as a primary zone, and add its primary DNS server and hostmaster (person in charge) names. The primary DNS server also becomes one of the authoritative name servers for the zone. The CLI sets default values for all the other SOA record properties for the zone.

nrcmd> zone example.com. create primary exampleDNSserv1 hostmaster 
100 Ok
serial=1
ns=exampleDNSserv1.example.com.
person=hostmaster.example.com.
example.com. (primary):
checkpoint-interval = [default=3h]
checkpoint-min-interval =
defttl = 24h
...

This creates the example.com zone. The exampleDNSserv1 entry is the name of the zone's primary DNS server. Note that it also appears as the first authoritative name server in the nameservers list. The hostmaster entry is the name of the person in charge of the zone, which appears as the value set for person. Enter this value in the syntax given at the beginning of this section.

The CLI sets the zone's serial number to 1 by default. If you want to change this setting, use the zone name set serial command. You must reload the server if you reset this number. Note that the DNS server does not necessarily recognize suggested serial number changes.

nrcmd> zone example.com. set serial=1 
100 Ok
serial=1

If you need to change the name of the zone's primary DNS server, use the zone name set ns command.

nrcmd> zone example.com. set ns=exampleDNSserv1 
100 Ok
ns=exampleDNSserv1.

To change the hostmaster name, use the zone name set person command. Use the proper syntax.

nrcmd> zone example.com. set person=hostmaster.example.com. 
100 Ok
person=hostmaster.example.com.

To confirm the settings, use the zone name get command for each attribute, or the zone list or zone name show command to get all the attribute settings.

After you create the zone, reload the DNS server using the dns reload command.

nrcmd> dns reload 
100 Ok

To delete the zone for any reason, use the zone name delete command and reload the server.

Using the GUI


Step 1 From the Server Manager window, choose the DNS server you want to configure as the primary name server for the zone. If you configure the server on your local host to be the primary name server, choose the DNS@localhost object.

Step 2 Click Add on the toolbar to display the Add Zone dialog box.

Step 3 In the Name field, enter the full domain name of the primary zone. End the name with a trailing dot, because it is a fully qualified domain name (FQDN).

Step 4 Click Primary to create the zone as a primary zone.

Step 5 You may want to import an existing primary zone from a Berkeley Internet Name Domain (BIND) format zone file. See the "Importing and Exporting Zone Data" section. To import a BIND zone file, enter its name in the Import from BIND file field, or click Browse to locate it.

If you do not want to import the zone file, leave the Import from BIND file field blank.

Step 6 Click OK to open the Add Primary DNS Zone dialog box. The SOA (Start of Authority) tab is active. The name of the zone appears in the Name field. You can change it there if you wish.

Step 7 In the Contact email address field, enter the e-mail address of the zone's hostmaster (person in charge), in the form described earlier in this section.

Step 8 In the Name of primary server field, enter the name of the primary server, as its host name or fully qualified (if the server is in another zone).

Step 9 You can accept the defaults in the remaining fields. These are more advanced settings covered in the "Setting the Zone's Start of Authority Properties" section.

Step 10 Click OK.


Adding Authoritative Name Servers for the Zone

Authoritative name servers validate the data in their zones. Both primary and secondary servers can be authoritative. The crucial difference is where they get their zone data. A primary server reads its data from the local database. A secondary server loads its data from the primary server.

You must add at least one name server for a zone—Network Registrar does not consider the zone data complete unless you do so. The name servers you list should be those that you want people outside your domain to query when trying to resolve names in your zone. In the CLI, creating a primary zone requires specifying a primary DNS server—this server becomes the first entry in the name server list. In the Web UI and GUI, you must add the authoritative name servers in addition to the primary server for the zone. If the primary DNS server for the zone is in the zone, you must create a host address for it—see the "Adding a Host Address for the Name Server" section.

Using the Web UI


Step 1 On the Primary Navigation bar, click the Zone tab.

Step 2 On the Secondary Navigation bar, click the Zones tab.

Step 3 On the List/Add Zones page, create a zone, as described in the "Creating the Zone" section. If you do not specify a zone template, this opens the Add Zone page. If you specify a template, the authoritative name servers are already defined through the template (see the Network Registrar Web UI Guide for how to create a zone template).

Step 4 On the Add Zone page, enter the name of an authoritative name server (either as host name or fully qualified, if in another zone) in the field next to Add Nameserver.

Step 5 Click Add Nameserver.

Step 6 Repeat the last two steps for each additional name server you add.

Step 7 Unless you want to add additional attributes for the zone (see "Customizing DNS Zone and Server Parameters"), click Add Zone.


Using the CLI

Create the zone, as described in the "Creating the Zone" section. To enter additional authoritative name servers in addition to the primary DNS server already specified, enter a comma-separated list of them using the zone name set nameservers command. Enter them as fully qualified names or as IP addresses. Note that only the first server entered is confirmed by the command. Use the zone name show command to show all the server names. Reload the server.

nrcmd> zone boston.example.com set nameservers=bostonDNSserv1.boston.example.com.,exampleDNSserv1.example.com.
100 Ok
nameservers=bostonDNSserv1.boston.example.com.
nrcmd> zone boston.example.com show
100 Ok
boston.example.com. (primary):
...
nameservers = {{0 bostonDNSserv1.boston.example.com.} {1 exampleDNSserv1.example.com.}}
nrcmd> dns reload 
100 Ok

Using the GUI


Step 1 After you create a zone (see the "Creating the Zone" section), click the Name Servers tab.

Step 2 Click Add to open the Add Name Server dialog box.

Step 3 Enter the name of an authoritative name server for the zone in the Name field. In most cases, you would want to enter the same name as in the Name of primary server field on the SOA tab.

Step 4 Click OK to add the name to the Name list in the Add Primary DNS Zone dialog box.

Step 5 Repeat the last two steps for each additional name server you add.


Adding a Host Address for the Name Server

For every DNS server that resides in the zone, you must create an Address (A) resource record for it to associate the server's domain name with an IP address.

Using the Web UI


Step 1 On the Primary Navigation bar, click the Zone tab and create the zone, as described in the "Adding a Primary Forward Zone" section. See the Network Registrar Web UI Guide for details.

Step 2 On the Primary Navigation bar, click the Host tab to open the List Zones page.

Step 3 Click the zone name to open the List/Add Hosts for Zone page.

Step 4 Add the host name and IP address of the primary server.

Step 5 Click Add Host. The server's host name and address appear in the list.


Using the CLI

Create the zone, as described in the "Creating the Zone" section. Use the zone name addRR hostname A address command to add the authoritative server's host name and address.

nrcmd> zone example.com. addRR exampleDNSserv1 A 192.168.50.1 
100 Ok 
exampleDNSserv1					IN		A		192.168.50.1 

To list the host, use the zone name listHosts command. To remove the host, use the zone name removeRR hostname A command.

Using the GUI


Step 1 After you create a zone (see the "Creating the Zone" section), click the Hosts tab.

Step 2 Click Add. This opens the Add Host dialog box.

Step 3 In the Name field, copy the same primary server name that you entered on the Name Servers tab.

Step 4 In the Addresses field, enter the IP address of the primary server.

Step 5 Click OK.


Confirming the Settings

Confirm your current primary zone configuration by looking at the resource records that you created.

Using the Web UI


Step 1 On the Primary Navigation bar, click the Zone tab.

Step 2 On the Secondary Navigation bar, click the Zones tab to open the List/Add Zones page.

Step 3 Click the View icon in the Configuration RRs column of the zone name to open the List/Add Static Resource Records for Zone page. There should be an A record for each name server host in the zone. Edit these records or add any additional A records on this page. See the Network Registrar Web UI Guide for details.

Step 4 To view the NS records for the zone, reload the server, if you have the privileges to do so. On the Primary Navigation bar, click the Administrators tab, and on the Secondary Navigation bar, the Servers tab. On the Manage Protocol Servers page, click Reload in the Local DNS Server row.

Step 5 Return to the List/Add Zones page.

Step 6 Click the View icon in the Active Server RRs column of the zone name to open the List/Add DNS Server Resource Records for Zone page. There should be an NS record for each name server in the zone. See the Network Registrar Web UI Guide for details.


Using the CLI

Reload the DNS server. Use the zone name listRR command to check the resource records you added.

nrcmd> dns reload 
100 Ok
nrcmd> zone example.com. listRR 
100 Ok
Static Resource Records
@		IN		SOA		exampleDNSserv1.example.com. hostmaster.example.com. 1 10800 3600 604800 86400
@		IN		NS		exampleDNSserv1.example.com.
exampleDNSserv1		IN		A		192.168.50.1
Dynamic Resource Records 

Using the GUI


Step 1 Click the Resource Records tab to verify your zone configuration. Review the resource records created so far. You should see an SOA record for the zone, and an NS and A record for its authoritative name server.

Step 2 Once you are satisfied with the configuration, click Close.

Step 3 If you see a red star in the server icon in the Server Manager window, reload the DNS server.

Step 4 If the server traffic signal is missing in the Status Monitor, right-click the server icon and click Add to status monitor. The server traffic signal now shows a green light.


Importing and Exporting Zone Data

The easiest and quickest way to create a primary zone is to import an existing BIND format zone file, defined in RFC 1035. You can also export these same kinds of files to another server.

BIND 4.x.x uses a boot file, called named.boot, to point the server to its database files. You can import your entire BIND 4.x.x configuration using the import command. BIND 8 and BIND 9 use a configuration file, called named.conf, with a different syntax.

When a BIND file contains an $INCLUDE directive, BIND searches for the include file relative to the directory that the directory directive in the named.boot file specifies. In contrast, the nrcmd program searches for the include file relative to the directory containing the zone file being processed.

To avoid this problem, ensure that the BIND configuration uses absolute paths whenever specifying an include file in a zone file. If your zone files contain relative paths when specifying include files, and the directory containing the zone file is not the same as the directory that the directory directive in the named.boot file specifies, your configuration cannot load properly. You need to convert the relative paths in your zone files to absolute paths so that you can import your BIND configuration into Network Registrar. Here is an example of a configuration and how to fix the paths in its directory hierarchy, configuration files, and zone files:

Directory hierarchy:

/etc/named.boot
/usr/local/domain/primary/db.example
/usr/local/domain/primary/db.include
/usr/local/domain/secondary

Configuration file (/etc/named.boot):

; BIND searches for zone files and include files relative to /usr/local/domain
directory /usr/local/domain
; BIND finds the zone file in /usr/local/domain/primary
primary example.com primary/db.example
; end of /etc/named.boot

Configuration file (/etc/named.conf):

# BIND searches for zone files and include files relative to /usr/local/domain
options { directory "/usr/local/domain"; };
# BIND finds the zone file in /usr/local/domain/primary
zone "example.com" {
	type master;
	file "primary/db.example";
};
# end of /etc/named.conf

Incorrect zone file (/usr/local/domain/primary/db.example):

; BIND searches for the include file relative to /usr/local/domain
$INCLUDE primary/db.include
; end of /usr/local/domain/primary/db.example

To make the configuration loadable, change the relative path ($INCLUDE primary/db.include) in the file db.example to an absolute path ($INCLUDE /usr/local/domain/primary/db.include).

Table 5-2 describes the named.boot and named.conf file directives that BIND 4 and BIND 9 support, and the corresponding CLI command syntax, if any.

Table 5-2 BIND-to-CLI Command Mappings

| BIND 4 Command | BIND 9 Command | Mapping to CLI Command |
|---|---|---|
|  | acl name { addr-match-list }; | acl name create value match-list=addr-match-list |
| forwarders addrlist | options { forwarders { addr; addr; ... }; }; | dns addForwarder addr[,addr...] |
|  | key id { algorithm string; secret string; }; | key name create secret algorithm=alg |
| limit transfers-in num | options { transfers-in num; }; | session set visibility=3 followed by dns set xfer-client-concurrent-limit=number |
| options allow-recursion addr-match-list | options { allow-recursion addr-match-list; }; | dns enable no-recurse |
| options forward-only | options { forward only; }; | dns enable slave-mode |
| options listen-on port | options { listen-on port { addr-match-list }; }; | dns set local-port-number=port |
| options max-cache-ttl num | options { max-cache-ttl num; }; | dns set max-cache-ttl=num |
| options no-fetch-glue | options { fetch-glue no; }; | dns enable no-fetch-glue |
| options no-recursion | options { recursion no; }; | dns enable no-recurse |
| options notify yes | options { notify yes; }; | dns enable notify |
| options rrset-order order order ... | options { rrset-order order; order; ...; }; | dns enable round-robin |
| options support-ixfr yes | options { request-ixfr yes; }; | dns enable ixfr-enable |
| options transfer-format many-answers | options { transfer-format many-answers; }; | remote-dns addr enable multirec |
| primary zonename file | zone "name" { type master; }; | zone name create primary file=file |
| secondary zonename addr list [backupfile] | zone "name" { type slave; }; | zone name create secondary ip-addr [,ip-addr...] |
| slave | zone "name" { type slave; }; | dns enable slave-mode |
| tcplist addrlist; xfernets addrlist | zone "name" { allow-transfer { addr; ... }; }; | zone name enable restrict-xfer (does not take ACLs); zone name set restricted-set=addr[,addr...] |


Importing Using the CLI

To import an existing BIND zone file, create the zone using the zone name create primary file=file command. Reload the server after you import the file.

nrcmd> zone example.com. create primary file=hosts.local 
100 Ok
nrcmd> dns reload 
100 Ok

Network Registrar can read a BIND named.boot file and import all the zone files identified in it. Use UNIX file path syntax for all operating systems. Also, ensure that any $INCLUDE directives in zone files have absolute paths. Network Registrar makes any file paths relative to what any directory directive contains in the configuration file. Reload the server.

nrcmd> import named.boot /etc/named.boot 
nrcmd> dns reload 
100 Ok

Network Registrar recognizes $TTL directives for zone file imports. The first $TTL directive it encounters serves as the default TTL for the zone. This value is assigned to defttl for future use. Subsequent $TTL directives do not override the first directive; they do not change the default TTL for the zone. Instead, they provide the TTL for subsequent resource records that have no explicit TTL values. Consider this BIND zone file with $TTL directives:

$ORIGIN example.com.
@ IN SOA exampleDNSserv1 hostmaster 10 10800 3600 604800 7200 
$TTL 3600 
exampleDNSserv1 IN A 192.168.50.1 
$TTL 7200 
examplehost1 IN A 192.168.50.101 
$TTL 9800 
examplehost2 IN A 192.168.50.102 
examplehost3 13400 IN A 192.168.50.103 

Network Registrar imports this data as:

default TTL: 3600
example.com. IN SOA exampleDNSserv1 hostmaster 10 10800 3600 604800 7200 
exampleDNSserv1 IN A 192.168.50.1 
examplehost1 7200 IN A 192.168.50.101 
examplehost2 9800 IN A 192.168.50.102 
examplehost3 13400 IN A 192.168.50.103 
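The $TTL import rules just described, as an added example that is not Network Registrar's importer: a small parser reads the sample zone file above, takes the first $TTL as the zone default (defttl), lets later $TTL directives supply TTLs only for records that carry none, and reproduces the "imports this data as" listing. It assumes one record per line and no $INCLUDE or $GENERATE directives.

```python
from typing import List, Optional, Tuple

# Constructed sample, copied from the BIND zone file shown in the text.
SAMPLE_ZONE = """\
$ORIGIN example.com.
@ IN SOA exampleDNSserv1 hostmaster 10 10800 3600 604800 7200
$TTL 3600
exampleDNSserv1 IN A 192.168.50.1
$TTL 7200
examplehost1 IN A 192.168.50.101
$TTL 9800
examplehost2 IN A 192.168.50.102
examplehost3 13400 IN A 192.168.50.103
"""


def import_zone(text: str) -> Tuple[Optional[int], List[str]]:
    """Return (default TTL, imported records).

    Rules modelled on the text: the first $TTL becomes the zone default
    (defttl); later $TTL directives only supply the TTL for following
    records that carry none; a record's own TTL always wins. A record whose
    TTL equals the zone default is emitted without a TTL field, as the
    'imports this data as' listing shows. Records before any $TTL inherit
    the zone default and are emitted without a TTL field as well.
    """
    origin = ""
    default_ttl: Optional[int] = None
    current_ttl: Optional[int] = None
    records: List[str] = []

    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()    # drop master-file comments
        if not line:
            continue
        tokens = line.split()
        if tokens[0] == "$ORIGIN":
            origin = tokens[1]
            continue
        if tokens[0] == "$TTL":
            current_ttl = int(tokens[1])
            if default_ttl is None:
                default_ttl = current_ttl       # the first $TTL is defttl
            continue
        if tokens[0].startswith("$"):
            raise ValueError(f"unsupported directive: {tokens[0]}")

        owner = origin if tokens[0] == "@" else tokens[0]
        rest = tokens[1:]
        ttl: Optional[int]
        if rest and rest[0].isdigit():          # explicit TTL on the record
            ttl = int(rest.pop(0))
        else:
            ttl = current_ttl                   # inherit from the last $TTL
        fields = [owner]
        if ttl is not None and ttl != default_ttl:
            fields.append(str(ttl))
        records.append(" ".join(fields + rest))

    return default_ttl, records


if __name__ == "__main__":
    defttl, rrs = import_zone(SAMPLE_ZONE)
    print(f"default TTL: {defttl}")
    print("\n".join(rrs))
```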

Importing Using the GUI

To import an existing BIND file from the GUI, specify the BIND file name when you add a zone.


Step 1 When entering the primary zone data in the Add Zone dialog box, enter the name of the BIND file or click Browse to open a file selection dialog box.

Step 2 Navigate to the zone configuration file location and choose the file. The filename should reflect the zone you are importing. The filename often ends with a .txt or .config file extension.

Step 3 Click OK. You should get a series of progress messages in the status bar. Corrupt or unreadable BIND files generate errors. Keep track of any errors so that you can modify the BIND files accordingly.

Step 4 From the Server Manager window, choose the primary zone server that you want to reload. Click Control on the toolbar to display the Control dialog box, then Reload, then OK.


Exporting Zone Data Using the CLI

Exported BIND data can include static or dynamic addresses, or both. When exporting dynamic addresses, Network Registrar includes the MAC address of the host in a text (TXT) resource record for those resource records it creates dynamically. To export a DNS zone, use the export zone command to specify the type of addresses (static, dynamic, or both) and the name of the output file. If you specify the filename without a path, the path defaults to the bin directory of the installation directories.

When Network Registrar receives an export zone CLI command, it records the default TTL for the zone in a BIND directive ($TTL).

This example shows partial file output from an export zone command. Because host stanley is a DHCP client, its MAC address (from the DHCPREQUEST packet) appears in a TXT record:

nrcmd> export zone example.com. static 
100 Ok
$ORIGIN example.com.
$TTL 86400
@				IN		SOA		exampleDNSserv1.example.com. hostmaster.example.com. 2 10800 3600 604800 86400
@				IN		NS		exampleDNSserv1.example.com. 
ns1				IN		CNAME		exampleDNSserv1.example.com. 
exampleDNSserv1				IN		A		192.168.50.1 
examplehost1				IN		A		192.168.50.101 

You can also export all zones of a particular type. Use the export zonenames {forward | reverse | both} file command to specify the zone type and output file.

nrcmd> export zonenames both hosts.local 
100 Ok

Exporting UNIX Hosts Files Using the CLI

You can export DNS data in UNIX /etc/hosts file format. Network Registrar combines information from the A and CNAME records for a host. To export all the zones in the server in hosts file format, use the export hostfile command and give the name of the output file.

nrcmd> export hostfile 
100 Ok 
# Hostfile created by nrcmd from Network Registrar 
# Cisco Systems, Inc. 
# Created on Fri Jan 25 15:26:10 Eastern Daylight Time 2002 
# 2 records created 
#
192.168.50.1				exampleDNSserv1.example.com								exampleDNSserv1 ns1						# 
192.168.50.101				examplehost1.example.com								examplehost1						# 

Adding a Primary Reverse Zone for the Server

For a correct DNS configuration, you must create a reverse zone for each network that you use. A reverse zone is a primary zone that the DNS server uses to convert IP addresses back to hostnames, and it lives in the special in-addr.arpa domain. You can create a reverse zone manually or import it from BIND.

Using the Web UI

On the Primary Navigation bar, click the Zone tab. On the Secondary Navigation bar, click the Reverse Zones tab to open the List/Add Reverse Zones page. Add a reverse zone the same way you would add a forward zone, as described in the "Adding a Primary Forward Zone" section, except use the reverse of the forward zone's network number added to the special in-addr.arpa domain as the zone name. Use the same template or SOA and name server values as for the related forward zone. See the Network Registrar Web UI Guide for details.

Using the CLI

Use the zone name create primary and zone name addRR PTR commands to add the primary reverse zone and pointer records for the server.

nrcmd> zone 50.168.192.in-addr.arpa. create primary exampleDNSserv1.example.com. hostmaster.example.com.
100 Ok
serial=1
ns=exampleDNSserv1.example.com.
person=hostmaster.example.com.
50.168.192.in-addr.arpa. (primary):
address =
checkpoint-interval = [default=3h]
checkpoint-min-interval =
defttl = 24h
...
nrcmd> zone 50.168.192.in-addr.arpa. addRR 2 PTR exampleDNSserv1.example.com. 
100 Ok
2				IN		PTR		exampleDNSserv1.example.com.

Import an existing BIND reverse zone the same way you would a forward zone.

nrcmd> zone 50.168.192.in-addr.arpa. create primary file=hosts.local 
100 Ok

Using the GUI


Step 1 Open the Add Zone dialog box for the same DNS server that you chose for the forward zone. See the "Adding a Primary Forward Zone" section for the initial steps.

Step 2 Enter the reverse zone name in the Name field. This is the reverse of your zone's network number, added to the special in-addr.arpa domain. Omit any trailing zeroes in the conversion. For example, if your network number is 192.168.50.0, your reverse zone is 50.168.192.in-addr.arpa.

Step 3 Choose Primary as the zone type. To import a reverse zone file, see the "Importing and Exporting Zone Data" section.

Step 4 Click OK to open the Add Primary DNS Zone dialog box.

Step 5 Enter the same hostmaster and primary server name you entered for the forward zone. Do not enter them as reverse addresses. End any FQDNs with a trailing dot and use the proper hostmaster syntax. Leave the other fields as they are for now.

Step 6 Click the Name Servers tab.

Step 7 Enter the same authoritative server as for the forward zone. See the "Adding Authoritative Name Servers for the Zone" section for the procedure.

There is no Host tab for a reverse zone. Network Registrar automatically creates all the appropriate host address-to-name entries as you add hosts to the forward zone.

Step 8 Look at your configuration on the Resource Records tab. You should have an NS record and SOA record for the reverse zone. If so, click Apply. If not, check that you completed the steps correctly.

Step 9 Reload the DNS server.

Step 10 Look at the Resource Records tab for the reverse zone again. You should see a new pointer (PTR) record for the server host's address. The PTR record name does not end with a dot, because it is relative to the reverse zone's domain name.

Step 11 Click OK.
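The reverse-zone naming in Step 2 and the relative PTR owner name in Step 10, as an added example that is not Network Registrar code: reverse_zone_name drops trailing zero octets of the network number before reversing it, and ptr_owner derives the owner name relative to the zone (the "2" the CLI section's addRR 2 PTR command uses for 192.168.50.2). Both assume IPv4 and classful network boundaries, which is all the text describes.

```python
IN_ADDR = ".in-addr.arpa."


def _octets(dotted: str) -> list:
    """Split a dotted-quad string, rejecting anything that is not IPv4."""
    parts = dotted.split(".")
    if len(parts) != 4 or not all(p.isdigit() and 0 <= int(p) <= 255 for p in parts):
        raise ValueError(f"not an IPv4 dotted quad: {dotted!r}")
    return parts


def reverse_zone_name(network: str) -> str:
    """Reverse zone for a network number, e.g. 192.168.50.0 ->
    50.168.192.in-addr.arpa. Trailing zero octets are omitted first, so a
    /16 such as 172.16.0.0 gives 16.172.in-addr.arpa."""
    octets = _octets(network)
    while octets and octets[-1] == "0":
        octets.pop()
    if not octets:
        raise ValueError("0.0.0.0 does not name a reverse zone")
    return ".".join(reversed(octets)) + IN_ADDR


def ptr_owner(address: str, zone: str) -> str:
    """Owner name of the PTR record for address, relative to zone (so it has
    no trailing dot). Raises if the address is not inside the zone."""
    full = ".".join(reversed(_octets(address))) + IN_ADDR
    if not full.endswith("." + zone):
        raise ValueError(f"{address} is not inside {zone}")
    return full[: -(len(zone) + 1)]


if __name__ == "__main__":
    # Constructed values matching the network used throughout the chapter.
    zone = reverse_zone_name("192.168.50.0")
    print(zone)                               # 50.168.192.in-addr.arpa.
    print(ptr_owner("192.168.50.2", zone))    # 2
```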


Configuring Secondary Servers for a Zone

When you configure a zone, choose at least one secondary server. If you have only one name server and it becomes unavailable, there is nothing that can look up names. A secondary server splits the load with the primary or handles the whole load if the primary is unavailable. When a secondary server starts up, it contacts the primary and pulls the zone data over. This is known as a zone transfer.


Tip If you have only one secondary server, remove it geographically from the primary. They should not even be on the same network segment, switch, or router, but on a different cluster entirely. See the "General Configuration Guidelines" section.


To make a DNS server a secondary for a zone, configure a secondary zone on it and give the address of the primary server from which it performs zone transfers. Network Registrar must know about this primary server. If the primary is also a Network Registrar server, make sure that the secondary zone you configure has the same name as the primary zone on that server.

Adding a Secondary Forward Zone for a Server

Add a secondary server for a forward zone by creating a secondary zone.

Using the Web UI


Step 1 On the Primary Navigation bar, click the Zone tab. See the Network Registrar Web UI Guide for details.

Step 2 On the Secondary Navigation bar, click Secondary Zones to open the List Secondary Zones page.

Step 3 Click Add Secondary Zone to open the Add Secondary Zone page.

Step 4 Give the zone a name and add at least one authoritative DNS server's IP address in the auth-servers field.

Step 5 Click Add Secondary Zone.


Using the CLI

Use the zone name create secondary command to create a secondary zone. The IP address you include is that of the name server from which data is expected, typically a primary name server.

nrcmd> zone secondary.example.com. create secondary 192.168.50.1 
100 Ok 
secondary.example.com. (secondary): 
auth-servers = {{0 192.168.50.1}} 
checkpoint-interval = [default=3h] 
checkpoint-min-interval = 
ixfr = [default=false] 
notify = [default=false] 
notify-set = 
origin = secondary.example.com. 
restrict-xfer = [default=false] 
restricted-set = 

To restrict zone transfers to particular addresses only, use the zone name enable restrict-xfer command, then use the zone name set restricted-set command to specify the (comma-separated) addresses. Note that confirmation is given for the first address in the restricted set; use the zone name show command to display all addresses in the set.

nrcmd> zone secondary.example.com. enable restrict-xfer 
100 ok 
restrict-xfer= true 
nrcmd> zone secondary.example.com. set restricted-set=192.168.1.1,192.168.1.20 
100 Ok 
restricted-set=192.168.1.1 
nrcmd> zone secondary.example.com. show 
100 Ok 
secondary.example.com. (secondary): 
... 
restricted-set = {{0 192.168.1.1} {1 192.168.1.20}} 

Using the GUI


Step 1 In the Server Manager window, choose the DNS server to configure as a secondary server for a zone.

Step 2 Click Add on the toolbar to display the Add Zone dialog box.

Step 3 Enter the name of the secondary zone in the Name field. This zone can be a subdomain of the domain name that you entered for the primary zone, or it can be in a different domain.

Step 4 Select Secondary. (You cannot import a secondary zone for a server. However, you can import the zone as a primary when you configure the primary server.)

Step 5 Click OK. This opens the Add Secondary DNS Zone dialog box with the Secondary Zone Configuration tab active.

Step 6 Enter the IP address of the server from which the zone transfer should occur. This address can be on the same or a different network segment.

Step 7 Click the Zone Transfers tab.

Do not restrict zone transfers is selected by default. You can restrict zone transfers to specified addresses only by clicking Restrict zone transfers to the following addresses. Then, enter the restricted IP addresses in the fields.

There is no Resource Records tab for a secondary zone, because these records belong to the related primary zone.

Step 8 Click OK.

Step 9 Reload the DNS server. Notice that the secondary zone has a different icon than its primary zone.


Adding a Secondary Reverse Zone for a Server

You should add a secondary reverse zone, just as you added a secondary forward zone. To add a secondary reverse zone, perform these steps.


Step 1 Add the secondary reverse zone the same way you did the primary reverse zone, except set the zone type to Secondary. See the "Adding a Primary Reverse Zone for the Server" section.

Step 2 Make the secondary zone's domain name an in-addr.arpa reverse domain, ending it with a trailing dot.

Step 3 Enter the address of the server from which the zone transfer should occur and set any zone transfer address restrictions, as in the "Adding a Secondary Forward Zone for a Server" section.

Step 4 Reload the DNS server and confirm its status.


Configuring a Caching-Only Server

By definition, all servers are caching servers, because they save the data that they receive until it expires. However, you can create a caching-only server that is not authoritative for any zone. Such a server's only function is to answer queries with data that it obtains from authoritative servers and keeps in memory; once learned, the cached data answers subsequent queries. This avoids the system overhead that zone transfers require. The "Setting Maximum Cache TTL" section describes how to limit how long the server keeps cached data.

When you first install Network Registrar, the DNS server is a nonauthoritative, caching-only server until you configure zones for it. If you keep the DNS server as a caching-only server, you must have another primary or secondary DNS server somewhere that is authoritative and to which the caching-only server can refer. A caching-only server is never registered on the Internet; in particular, it must never be named in NS records as an authoritative name server for any zone. Doing so causes lame delegation, which occurs when a zone is delegated to a server that is not authoritative for it. See the "Reporting Lame Delegation" section.

A caching-only server must accept recursive queries: on receiving one, it keeps querying until it reaches an authoritative server, then updates its cache with the answer. Because Network Registrar servers are recursive by default, you only need to verify that this property is set. A recursive server answers queries on behalf of any client that can reach it, so make sure that only the clients you intend to serve can send queries to a caching-only server.

Using the Web UI

On the Primary Navigation bar, click the Zone tab. On the Secondary Navigation bar, click the DNS Server tab and the name of the server to open the Edit DNS Server page. Under the Forwarders category, ensure that Recursive queries is set to enabled, then click Modify Server. See the Network Registrar Web UI Guide for details.

Using the CLI

Use the dns get no-recurse command to check whether the no-recurse attribute is enabled. If it is, use the dns disable no-recurse command and reload the server.

nrcmd> dns get no-recurse 
100 Ok 
no-recurse=enabled 
nrcmd> dns disable no-recurse 
100 Ok 
no-recurse=disabled 

Using the GUI


Step 1 In the Server Manager window, choose the DNS server to designate as caching-only.

Step 2 Click Show Properties on the toolbar to display the DNS Server Properties dialog box.

Step 3 Click the Options tab and confirm that the Enable recursive queries box is checked.

Step 4 Click OK.


Setting Basic DNS Server Properties

You can set properties for the DNS server itself, along with those you already set for its zones.

Setting General Server Properties

You can display DNS general server properties, such as the name of the server's cluster or host machine and the version number of the Network Registrar DNS server software.

You can change the internal name of the DNS server by deleting the current name and entering a new one. This name is used for notation and does not reflect the server's official name. Network Registrar uses the server's IP address for official name lookups and for dynamic DNS (RFC 2136) updates.

Using the Web UI

On the Primary Navigation bar, click the Zone tab. On the Secondary Navigation bar, click the DNS Server tab and the name of the server to open the Edit DNS Server page. The page displays all the DNS server attributes. Click Modify Server to modify the attribute. See the Network Registrar Web UI Guide.

Using the CLI

Use the dns [show] command to display the DNS server's properties.

nrcmd> dns show 
100 Ok
DNS@localhost:
checkpoint-interval = 3h
fake-ip-name-response = enabled
hide-subzones = disabled
...

Using the GUI

Use the General tab in the DNS Server Properties dialog box to display the cluster name and the software version. Change the server name if you wish, then click Apply.

Defining Forwarders for the Servers

Sites that must limit their network traffic for security reasons can designate one or more servers to be forwarders that handle all off-site requests before the local server goes out to the Internet. Over time, the forwarders build up a rich data cache that can satisfy most requests. They are useful in that they:

Reduce the load on the Internet connection—Forwarders build up a cache and thus reduce the number of requests sent to external name servers and improve DNS performance.

Improve the DNS response to repeated queries—The forwarder's cache can answer most queries.

Handle firewalls—Hosts that do not have access to root name servers can send requests to the forwarder that does.


Tip You may want to restrict the name server even more by stopping it from even attempting to contact an off-site server. A slave server uses forwarders exclusively. It answers queries from its authoritative and cached data, but it relies completely on the forwarders for data not in its cache. If the forwarder does not provide an answer, the slave server does not try to contact other servers.


You can have multiple forwarders. If the first forwarder does not respond after eight seconds, Network Registrar asks each remaining forwarder in sequence until one answers or it gets to the end of the list. If the DNS server does not get an answer, the next step depends on whether you have slave mode on or off:

If slave mode is on, the DNS server stops searching and responds that it cannot find the answer.

If slave mode is off, the DNS server sends the query to the domain's designated name servers as if there were no forwarders listed.

Using the Web UI

On the Primary Navigation bar, click the Zone tab. On the Secondary Navigation bar, click the DNS Server tab and the name of the server to open the Edit DNS Server page. Under the Forwarders category, enter the IP addresses of the forwarding servers, click whether you want slave mode enabled or disabled, then click Modify Server. See the Network Registrar Web UI Guide for details.

Using the CLI

Use the dns addForwarder command to specify the address (or space-separated addresses) of name servers you want your Network Registrar DNS server to use as forwarders.

nrcmd> dns addForwarder 192.168.50.101 
100 Ok 

Use the dns enable slave-mode command to designate the server as a slave.

nrcmd> dns enable slave-mode 
100 Ok 
slave-mode=enabled 

To list the current forwarders, use the dns listForwarders command. To edit your forwarder list, you must delete any offending forwarder and re-enter another one. To remove a forwarder or list of forwarders, use the dns removeForwarder command.

nrcmd> dns listForwarders 
100 Ok 
192.168.50.101 

nrcmd> dns removeForwarder 192.168.50.101 
100 Ok

Using the GUI


Step 1 Click the Forwarders tab of the DNS Server Properties dialog box.

Step 2 Enter the address or addresses of the forwarder or forwarders. You can replace or delete any entries later on, if necessary.

Step 3 To make the server a slave server, check the Slave mode box. Do this if you want the server to rely on its cache and forwarders only.

Step 4 Click OK.


Defining Root Name Servers

Root name servers know the addresses of the authoritative name servers for all the top-level domains. When you first start a newly installed Network Registrar DNS server, it uses a set of preconfigured root servers, sometimes called root hints, as authorities to ask for the current root name servers.

When Network Registrar gets a response to a root server query, it caches it and refers to the root server list. When the cache expires, the server repeats the process. Because Network Registrar has a persistent cache, it does not need to requery this data when it restarts.

You can also define internal root servers for your network. If you have a large namespace, adding one or more internal root servers is a good solution, even better than using forwarders.

The time to live (TTL) on the official root server records is currently six days, so Network Registrar will requery every six days, unless you specify a lower maximum cache TTL value. See the "Setting Maximum Cache TTL" section for details.

The root hints list is updated about every six months. You can FTP to ftp.rs.internic.net to get the latest version of the list, or you can run the nslookup or dig tool. See the "Updating the Root Name Servers List" section for details.

Adding a Root Name Server

You can add any number of root server names and addresses, but you must configure only valid root name servers. Network Registrar confirms this and displays an error message if any one is invalid.

Using the Web UI

On the Primary Navigation bar, click the Zone tab. On the Secondary Navigation bar, click the DNS Server tab and the name of the server to open the Edit DNS Server page. Under the Root Nameservers category, enter the domain name and IP address of each additional root name server, then click Modify Server. See the Network Registrar Web UI Guide for details.

Using the CLI

Use the dns addRootHint command to add root name servers by name and address. Do this only if the server was inadvertently removed from the list or if there was an update to the list since the last version.

nrcmd> dns addRootHint a.root-servers.net. 198.41.0.4 
100 Ok 
a.root-servers.net.: 198.41.0.4 

Using the GUI

In the DNS Server Properties dialog box, click the Root Name Servers tab. Enter the name and address of the root hint server. You can, for example, add an internal root server to the list. (Just be careful not to remove any existing ones.) Then, click OK.

Updating the Root Name Servers List

Be careful in removing any root servers from the list. If you accidentally remove the address of one of the roots, or you know that it might have changed, use the nslookup tool to find out what it is.

nslookup a.root-servers.net 
Name: a.root-servers.net 
Address: 198.41.0.4 

Using the Web UI

On the Primary Navigation bar, click the Zone tab. On the Secondary Navigation bar, click the DNS Server tab and the name of the server to open the Edit DNS Server page. Under the Root Nameservers category, check the list of existing root name servers. To replace one, click the Delete icon next to its name, then re-enter the name and address. Click Modify Server when you are finished. See the Network Registrar Web UI Guide for details.

Using the CLI

List the root hint servers with the dns listRootHints command. To correct an entry, use the dns removeRootHint command, carefully, and then add the correct entry with the dns addRootHint command.

Using the GUI

In the DNS Server Properties dialog box, click the Root Name Servers tab. To edit the name or address of a root entry, choose it in either column and overtype it. Then, click OK.

You can also use the dig tool, if it is installed as part of BIND, to update the root servers list. Finally, you can FTP to the ftp.rs.internic.net site to get the latest roots list.

dig @a.root-servers.net . ns 
ftp ftp.rs.internic.net 
<login>
ls domain 
<roots list>
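Before you change the list, compare what the server has against what the roots currently publish. The following Python example is added here and is not from the Cisco documentation or from Network Registrar. It parses root NS and A records in the presentation format that dig prints, turns them into a name-to-address table, and plans the smallest set of removals and additions, so that a partial or garbled fetch can never empty the list. The dig output is constructed sample data, with documentation-range addresses for every server except a.root-servers.net, and the one-argument form dns removeRootHint name is an assumption, since the page shows the command without its argument.

```python
import ipaddress


def parse_presentation_rrs(text):
    """Parse presentation-format resource records as dig prints them, e.g.
    'a.root-servers.net.  518400  IN  A  198.41.0.4'. Comment lines (;) and
    blank lines are skipped; TTL and class are optional. Returns a list of
    (owner, type, rdata) tuples with owner and type normalised."""
    rrs = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        owner = fields.pop(0).lower()
        if fields and fields[0].isdigit():
            fields.pop(0)                      # TTL
        if fields and fields[0].upper() in ("IN", "CH", "HS"):
            fields.pop(0)                      # class
        if len(fields) < 2:
            raise ValueError(f"cannot parse record: {raw!r}")
        rtype = fields.pop(0).upper()
        rrs.append((owner, rtype, " ".join(fields)))
    return rrs


def root_hints_from_rrs(rrs):
    """Return {root server name: IPv4 address} from the NS records of '.' and
    the matching A records (IPv4 only, the form dns addRootHint takes above)."""
    names = {rdata.lower() for owner, rtype, rdata in rrs
             if owner == "." and rtype == "NS"}
    hints = {}
    for owner, rtype, rdata in rrs:
        if rtype == "A" and owner in names:
            ipaddress.IPv4Address(rdata)       # reject malformed addresses early
            hints[owner] = rdata
    return hints


def plan_update(current, latest):
    """nrcmd commands that bring `current` in line with `latest`. Only entries
    whose address changed or that are no longer roots are removed. The
    one-argument 'dns removeRootHint name' form is an assumption; the page
    shows the command without its argument."""
    if not latest:
        raise ValueError("refusing to plan against an empty root list")
    cmds = []
    for name in sorted(current):
        if latest.get(name) != current[name]:
            cmds.append(f"dns removeRootHint {name}")
    for name in sorted(latest):
        if current.get(name) != latest[name]:
            cmds.append(f"dns addRootHint {name} {latest[name]}")
    return cmds


# Constructed sample input (not real dig output): a.root-servers.net keeps the
# address the page uses; the others use documentation-range addresses.
SAMPLE_DIG_OUTPUT = """
;; ANSWER SECTION:
.                   518400  IN  NS  a.root-servers.net.
.                   518400  IN  NS  b.root-servers.net.
.                   518400  IN  NS  c.root-servers.net.

;; ADDITIONAL SECTION:
a.root-servers.net. 518400  IN  A   198.41.0.4
b.root-servers.net. 518400  IN  A   192.0.2.11
c.root-servers.net. 518400  IN  A   192.0.2.12
"""

# What the server is assumed to hold now: b has a stale address, c is missing.
CURRENT_HINTS = {"a.root-servers.net.": "198.41.0.4",
                 "b.root-servers.net.": "192.0.2.99"}


def sample_plan():
    latest = root_hints_from_rrs(parse_presentation_rrs(SAMPLE_DIG_OUTPUT))
    return plan_update(CURRENT_HINTS, latest)


if __name__ == "__main__":
    for cmd in sample_plan():
        print("nrcmd>", cmd)
```

In practice, paste the output of dig @a.root-servers.net . ns into the parser and the output of dns listRootHints into the current table; review the planned commands before typing them into nrcmd.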

Specifying an Exception List

If you do not want the DNS servers to use the standard resolution method to query the root name server for certain names outside its domain, use resolution exception. This bypasses the root name servers and targets a specific server to handle name resolution.

The resolution exception covers subzone delegations. If the global forwarding is set and a subzone is in the resolution exception list, the query for that subzone goes to the name server that appears in the exception list and not to the forwarder. To achieve subzone queries, both the subzone delegation and the resolution exception must be defined.

For example, example.com has four subsidiaries: Red, Blue, Yellow, and Green. Each has its own domain, such as blue.example.com. When users at Red want to access resources at Blue, their DNS server knows that it is not authoritative for Blue and appeals to the root name servers. These queries cause unnecessary traffic, and in some cases fail, because internal resources are often barred from external queries or sit on private networks that are unreachable from outside and do not have globally unique addresses.

Resolution exception solves these problems. Red's administrator lists all the other example.com domains that users might want to reach and at least one corresponding name server. When a Red user wants to reach a Blue server, the Red server asks the Blue server instead of querying the root.


Note With no resolution exception defined, when the global forwarding option is set, any query for the subzone delegation goes to the forwarder, and not to the server that is authoritative for that subzone. However, if you set the subzone-forward attribute to no-forward for a zone, the zone's server is set as the implicit resolution exception server for all the subzones, and any forwarding and explicitly set resolution exceptions are ignored for that zone.
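The precedence described in the "Defining Forwarders for the Servers" section and in this section can be modelled in a few lines. The following Python example is added here and is not Network Registrar code: for a configuration built from the attributes named on this page (forwarders, slave-mode, resolution exceptions, subzone-forward) it decides where a query is sent and what happens when the forwarders do not answer. The longest-match rule for exceptions and the use of the delegated subzone's own name servers under no-forward are assumptions the page does not spell out; the sample configuration is constructed.

```python
from dataclasses import dataclass, field

FORWARDER_TIMEOUT = 8.0  # seconds before the next forwarder is tried, per the text above


def _normalize(name):
    """Lower-case, absolute form with one trailing dot."""
    return name.lower().rstrip(".") + "."


def _is_under(name, domain):
    """True if name equals domain or lies below it (both absolute)."""
    return name == domain or name.endswith("." + domain)


@dataclass
class ZoneConfig:
    subzone_forward: str = "forward"                 # "forward" or "no-forward"
    delegations: dict = field(default_factory=dict)  # subzone -> [ns address, ...]


@dataclass
class ServerConfig:
    forwarders: list = field(default_factory=list)   # dns addForwarder, in order
    slave_mode: bool = False                         # dns enable slave-mode
    exceptions: dict = field(default_factory=dict)   # dns addException: domain -> [ip, ...]
    zones: dict = field(default_factory=dict)        # authoritative zone -> ZoneConfig


@dataclass
class Route:
    kind: str         # authoritative, delegation, exception, forwarders or roots
    match: str        # zone, subzone or exception domain that matched ("" if none)
    servers: list     # addresses to ask, in order
    on_failure: str   # what the server does if none of them answers


def route_query(qname, cfg):
    """Where does a query go? Precedence as described on this page:
    1. a name inside an authoritative zone is answered locally unless it is
       below a delegation;
    2. under a zone with subzone-forward=no-forward the delegation itself is
       used and forwarders and explicit exceptions are ignored (assumption:
       "the zone's server" means the delegated subzone's name servers);
    3. a resolution exception covering the name (longest match, assumed);
    4. the global forwarders in order, with no fallback in slave mode;
    5. ordinary resolution from the root hints."""
    qname = _normalize(qname)
    for zone, zcfg in cfg.zones.items():
        zone = _normalize(zone)
        if not _is_under(qname, zone):
            continue
        delegs = {_normalize(s): addrs for s, addrs in zcfg.delegations.items()}
        sub = next((s for s in delegs if _is_under(qname, s)), None)
        if sub is None:
            return Route("authoritative", zone, [], "NXDOMAIN from local data")
        if zcfg.subzone_forward == "no-forward":
            return Route("delegation", sub, list(delegs[sub]), "SERVFAIL")
        break  # delegated with subzone-forward=forward: exceptions and forwarders apply
    exceptions = {_normalize(d): ips for d, ips in cfg.exceptions.items()}
    for dom in sorted(exceptions, key=len, reverse=True):
        if _is_under(qname, dom):
            return Route("exception", dom, list(exceptions[dom]), "SERVFAIL")
    if cfg.forwarders:
        return Route("forwarders", "", list(cfg.forwarders),
                     "fail" if cfg.slave_mode else "query the domain's own name servers")
    return Route("roots", "", [], "SERVFAIL")


def resolve_via_forwarders(qname, cfg, ask):
    """Try the forwarders in sequence. `ask(server, qname, timeout)` is the
    caller's transport and returns an answer or None after the timeout.
    Returns the first answer, "iterate" if every forwarder failed and slave
    mode is off, or None if every forwarder failed and slave mode is on."""
    for server in cfg.forwarders:
        answer = ask(server, qname, FORWARDER_TIMEOUT)
        if answer is not None:
            return answer
    return None if cfg.slave_mode else "iterate"


# Constructed sample configuration (not from the page): Red's server forwards
# to one off-site forwarder in slave mode, points Blue's names at Blue's
# servers, and keeps its own lab delegation out of forwarding.
SAMPLE = ServerConfig(
    forwarders=["192.168.50.101"],
    slave_mode=True,
    exceptions={"blue.example.com.": ["192.168.60.1", "192.168.70.1"]},
    zones={"red.example.com.": ZoneConfig(
        "no-forward", {"lab.red.example.com.": ["192.168.80.1"]})},
)

if __name__ == "__main__":
    for name in ("www.blue.example.com", "host.lab.red.example.com",
                 "nx.red.example.com", "www.example.net"):
        print(name, "->", route_query(name, SAMPLE))
```

Changing subzone_forward to "forward" in the sample sends the lab query to the forwarder instead of the delegated servers, which is the behaviour the Note above warns about when no exception is defined.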


Adding an Exception

Resolution exception handling is a DNS server property that you can assign.

Using the Web UI

On the Primary Navigation bar, click the Zone tab. On the Secondary Navigation bar, click the DNS Server tab and the name of the server to open the Edit DNS Server page. Under the Resolution Exceptions category, enter the domain name and IP address or addresses of each excepted name server, then click Modify Server. See the Network Registrar Web UI Guide for details.

Using the CLI

Use the dns listExceptions command to list the available exceptions. Then, use the dns addException command to add the exception domains and servers, separated by spaces. Use this command only if you do not want your DNS server to use the standard name resolution for names outside the local authoritative zone.

nrcmd> dns listExceptions 
100 Ok
nrcmd> dns addException blue.example.com. 192.168.60.1 192.168.70.1 
100 Ok
blue.example.com.: 192.168.60.1, 192.168.70.1 

Using the GUI


Step 1 In the DNS Server Properties dialog box, click the Exception tab.

Step 2 Click Add domain name.

Step 3 Enter the name of the domain you want to add as a resolution exception and click OK.

Step 4 Enter the name server address in the Add Name Server Address dialog box and click OK.

Step 5 In the DNS Server Properties dialog box, click Add address to add each additional address, then click Apply.


Editing and Removing an Exception

You can edit and remove resolution exception servers from the DNS server.

Using the Web UI

On the Primary Navigation bar, click the Zone tab. On the Secondary Navigation bar, click DNS Server and the name of the server to open the Edit DNS Server page. Under the Resolution Exceptions category, click the Delete icon () next to the domain name and IP address or addresses of the name server you want to remove, then click Modify Server. See the Network Registrar Web UI Guide.

Using the CLI

To remove a resolution exception, use the dns removeException command. To replace it, follow this with a dns addException command with the new values. You must also flush the cache so that the server does not refer to the old resolution values in cache. For details, see the "Flushing DNS Cache" section.

nrcmd> dns removeException blue.example.com. 
100 Ok
nrcmd> dns addException blue.example.com. 192.168.1.8 192.168.1.9 
100 Ok
blue.example.com.: 192.168.1.8, 192.168.1.9 
nrcmd> dns flushCache 
100 Ok

Using the GUI

To remove or change a resolution exception, edit the domain or server address on the Exception tab of the DNS Server Properties dialog box. Choose the address and click, as is appropriate, Edit domain name or Edit address.

To remove a domain name, choose it, then click Remove domain name. To remove an address, choose it, then click Remove address. If you choose the last remaining address for the domain and try to remove it, clicking OK in a confirmation dialog box removes both it and the domain. If you click Cancel, you can edit the address or add another one before removing it.


Tip You must complete every resolution exception removal by flushing cache. On the Advanced tab of the DNS Server Properties dialog box, click Flush now, then click OK. For details, see the "Flushing DNS Cache" section.


Setting DNS Server Options

You can enable or disable these DNS server options:

Recursive and iterative queries

Round-robin

Hiding subzones

Subnet sorting

Incremental transfer (IXFR)

NOTIFY

Enabling Recursive Queries

There are two types of queries: recursive and iterative (nonrecursive). DNS clients typically send recursive queries, in which the name server takes on the job of asking other DNS servers for any nonauthoritative data not in its own cache. With an iterative query, the name server answers only if it is authoritative for the zone or has the answer in its cache; otherwise it tells the client which name server to ask next. You usually want a server that only serves authoritative data, a root server for example, to be iterative rather than recursive, and to leave recursion enabled only on the servers that resolve names for your clients. Recursion is like saying, "Let me talk to Bob and get back to you." Iteration is like saying, "Let me direct you to Bob for the information."

Using the Web UI

On the Primary Navigation bar, click Zone. On the Secondary Navigation bar, click DNS Server and the name of the server to open the Edit DNS Server page. Under the Forwarders category, set Recursive queries to enabled, then click Modify Server. See the Network Registrar Web UI Guide for details.

Using the CLI

In the CLI, recursion is enabled by default. To make the server answer iteratively, enable the no-recurse attribute and reload the server.

nrcmd> dns enable no-recurse 
100 Ok
no-recurse=enabled

Using the GUI

In the DNS Server Properties dialog box, click the Options tab. Then, if you want to make queries iterative, uncheck the Enable recursive queries box.
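Whether recursion is really off, and whether the restrict-xfer setting from the "Adding a Secondary Forward Zone for a Server" section really keeps unauthorized hosts from pulling a zone, is best confirmed from a host that should be refused. The following Python script is an added example, not part of the Cisco documentation or of Network Registrar. It builds the two DNS queries on the wire with the standard library only (an AXFR over TCP and a recursive A query over UDP) and classifies the server's reply; the response bytes used to exercise the classifier offline are constructed, not captured from a server.

```python
import secrets
import socket
import struct

QTYPE_A, QTYPE_AXFR, QCLASS_IN = 1, 252, 1
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED", 9: "NOTAUTH"}


def encode_name(name):
    """Wire-format a domain name (RFC 1035 labels, no compression)."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError(f"bad label in {name!r}")
        out += bytes([len(label)]) + label.encode("ascii")
    return bytes(out) + b"\x00"


def build_query(name, qtype, txid, rd):
    """One-question DNS query; rd=True sets the Recursion Desired bit."""
    header = struct.pack("!HHHHHH", txid, 0x0100 if rd else 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def parse_header(msg):
    if len(msg) < 12:
        raise ValueError("short DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "aa": bool(flags & 0x0400),
            "ra": bool(flags & 0x0080), "rcode": flags & 0x000F, "ancount": an}


def judge_axfr(response, txid):
    """'allowed' only if the server started sending records; anything else
    (REFUSED, NOTAUTH, an empty answer) counts as refused."""
    h = parse_header(response)
    if h["id"] != txid or not h["qr"]:
        raise ValueError("response does not match the query")
    if h["rcode"] == 0 and h["ancount"] > 0:
        return "allowed"
    return "refused (%s)" % RCODES.get(h["rcode"], str(h["rcode"]))


def judge_recursion(response, txid):
    """'open' if the server recursed for us (RA set and an answer returned),
    'inconclusive' if the probe name is one it is authoritative for."""
    h = parse_header(response)
    if h["id"] != txid or not h["qr"]:
        raise ValueError("response does not match the query")
    if h["aa"]:
        return "inconclusive (server is authoritative for the probe name)"
    if h["ra"] and h["rcode"] == 0 and h["ancount"] > 0:
        return "open"
    return "closed (RA=%d, %s)" % (h["ra"], RCODES.get(h["rcode"], str(h["rcode"])))


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed before full message")
        buf += chunk
    return buf


def probe_axfr(server, zone, timeout=5.0):
    """Ask `server` for a full transfer of `zone` over TCP (2-byte length prefix)."""
    txid = secrets.randbelow(65536)
    query = build_query(zone, QTYPE_AXFR, txid, rd=False)
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(query)) + query)
        (length,) = struct.unpack("!H", _recv_exact(s, 2))
        return judge_axfr(_recv_exact(s, length), txid)


def probe_recursion(server, name="www.example.org.", timeout=5.0):
    """Send a recursive (RD=1) A query over UDP for a name the server is not
    authoritative for and see whether it resolves it for us."""
    txid = secrets.randbelow(65536)
    query = build_query(name, QTYPE_A, txid, rd=True)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        response, _ = s.recvfrom(4096)
    return judge_recursion(response, txid)


def constructed_response(txid, flags, ancount, name, qtype):
    """Constructed reply (not captured from a real server): header plus the
    echoed question section, enough for the judging functions above."""
    return (struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0)
            + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN))
```

Run probe_axfr('server', 'example.com.') from an address that is not in the zone's restricted-set and expect anything other than "allowed"; run probe_recursion('server') against a server that should be iterative and expect "closed". The recursion probe name must be one the server is not authoritative for, otherwise the result is reported as inconclusive.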

Enabling Round-Robin

A query might return multiple A records for a name. Because most DNS clients start with, and limit themselves to, the first record in the list, you can enable round-robin to share the load: the DNS server rotates the order of the records each time it is queried, so successive clients resolving the same name connect to different addresses in turn. This is load sharing rather than load balancing, which would take the actual load on each server into account.


Tip Adjust the switchover rate from one round-robin server to another using the TTL property of the server's A record. See the "Adding Address, Canonical Name, and Mail Exchanger Records" section.


Using the Web UI

On the Primary Navigation bar, click the Zone tab. On the Secondary Navigation bar, click the DNS Server tab and the name of the server to open the Edit DNS Server page. Under the Miscellaneous Options and Settings category, set the Enable round-robin attribute to enabled, then click Modify Server. See the Network Registrar Web UI Guide for details.

Using the CLI

Use the dns get round-robin command to see if round-robin is enabled (it is by default). If not, use the dns enable round-robin command.

nrcmd> dns enable round-robin 
100 Ok
round-robin=enabled

Using the GUI

In the DNS Server Properties dialog box, click the Options tab. Check the Enable round-robin box to enable round-robin.

Hiding Subzones

For security reasons, you can hide the zone's internal infrastructure from outside the zone. If enabled, it must include the top-level domain. You can enable or disable subzone hiding in the Web UI or the CLI.

Using the Web UI

On the Primary Navigation bar, click Zone. On the Secondary Navigation bar, click DNS Server and the name of the server to open the Edit DNS Server page. Under the Reserved category, set the hide-subzones attribute to enabled, then click Modify Server. See the Network Registrar Web UI Guide for details.

Using the CLI

Use the dns enable hide-subzones command to hide information about the subzone hierarchy for all zones that the server delegates. This collapses a part of the domain namespace into one virtual zone. The default setting is dns disable hide-subzones.

nrcmd> dns enable hide-subzones 
100 Ok
hide-subzones=enabled

Enabling Subnet Sorting

If you enable subnet sorting, as implemented in BIND 4.9.7, the Network Registrar DNS server confirms the client's network address before responding to a query. If the client, server, and target of the query are on the same subnet, and the target has multiple A records, the server tries to re-order the A records in the response by putting the target's closest address first in the response packet. DNS servers always return all of a target's addresses, but most clients use the first address and ignore the others.

If you enable both round-robin and subnet sorting, Network Registrar first applies round-robin sorting and then applies subnet sorting. The result is that if you have a local answer, it remains at the top of the list, and if you have multiple local A records, Network Registrar cycles through them.
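The interaction described in the previous paragraph is easier to see in code. The following Python class is an added example, not Network Registrar's implementation: it applies round-robin rotation and then a stable subnet sort to the A records of a constructed sample name. Its rotation state (one counter per name, advanced by one per query) and its /24 notion of "same subnet" are assumptions, since the page specifies neither.

```python
import ipaddress


class AnswerOrderer:
    """Orders the A records in a response as the two options above describe.

    Assumptions (not stated on the page): rotation state is one counter per
    name advanced by one on every query, and "same subnet" means the client
    and the address share a /24 unless another prefix length is given."""

    def __init__(self, round_robin=True, subnet_sorting=False, prefixlen=24):
        self.round_robin = round_robin
        self.subnet_sorting = subnet_sorting
        self.prefixlen = prefixlen
        self._rotation = {}

    def order(self, name, addresses, client_ip):
        addrs = list(addresses)
        if not addrs:
            return addrs
        if self.round_robin:
            # Rotate by one position per query so successive clients start
            # with different addresses.
            k = self._rotation.get(name, 0) % len(addrs)
            self._rotation[name] = k + 1
            addrs = addrs[k:] + addrs[:k]
        if self.subnet_sorting:
            # Stable sort: local addresses move to the front but keep the
            # order round-robin gave them, so several local records still cycle.
            client_net = ipaddress.ip_network(f"{client_ip}/{self.prefixlen}", strict=False)
            addrs.sort(key=lambda a: 0 if ipaddress.ip_address(a) in client_net else 1)
        return addrs


# Constructed sample data: www.example.com has one address on the
# 192.168.50.0/24 segment and two on 10.1.1.0/24.
WWW_ADDRS = ["10.1.1.10", "192.168.50.10", "10.1.1.11"]


def sample_sequence(orderer, client_ip, queries=3):
    """Answer `queries` successive queries for the same name from one client."""
    return [orderer.order("www.example.com.", WWW_ADDRS, client_ip)
            for _ in range(queries)]


if __name__ == "__main__":
    print("round-robin only:", sample_sequence(AnswerOrderer(True, False), "172.16.0.5"))
    print("one local record:", sample_sequence(AnswerOrderer(True, True), "192.168.50.99"))
    print("two local records:", sample_sequence(AnswerOrderer(True, True), "10.1.1.99"))
```

With both options on, a client on 192.168.50.0/24 always sees 192.168.50.10 first, while a client on 10.1.1.0/24 alternates between 10.1.1.10 and 10.1.1.11 at the top of the list, which is exactly the combined behaviour the paragraph describes.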

Using the Web UI

On the Primary Navigation bar, click the Zone tab. On the Secondary Navigation bar, click the DNS Server tab and the name of the server to open the Edit DNS Server page. Under the Advanced Options and Settings category, set the Enable subnet sorting attribute to enabled, then click Modify Server. See the Network Registrar Web UI Guide.

Using the CLI

Use the dns enable subnet-sorting or dns disable subnet-sorting (the default) command.

nrcmd> dns enable subnet-sorting 
100 Ok
subnet-sorting=enabled

Using the GUI

On the Options tab of the DNS Server Properties dialog box, check the Enable subnet sorting box.

Enabling Incremental Zone Transfers (IXFR)

Incremental zone transfer (IXFR, described in RFC 1995) is a protocol that allows only changed data to be transferred between servers. This is especially useful in dynamic environments. IXFR works together with NOTIFY to ensure more efficient zone updates. See the "Enabling NOTIFY" section.

Using the Web UI

On the Primary Navigation bar, click the Zone tab. On the Secondary Navigation bar, click the DNS Server tab and the name of the server to open the Edit DNS Server page. Under the Zone Defaults category, set the Request incremental transfers (IXFR) attribute to enabled. For a secondary zone, you can also fine tune the incremental zone transfers by setting the Maximum IXFR-only interval (secondary zones) attribute, under the Advanced Options and Settings category, to the interval in which to try the transfers. Also, if required, enable the relax-ixfr-query-validation attribute, which is listed under the Reserved category when you set your session visibility to Expert on the Main Menu page. Then, click Modify Server. See the Network Registrar Web UI Guide for details.

Using the CLI

Use the dns enable ixfr-enable command to enable incremental transfer for all zones for which you did not configure specific behavior. By default, the ixfr-enable attribute is enabled.

nrcmd> dns enable ixfr-enable 
100 Ok
ixfr-enable=enabled

Use these commands to fine tune IXFR:

zone name disable ixfr—Disables incremental transfer for a single secondary zone, regardless of the server-wide ixfr-enable setting.

nrcmd> zone boston.example.com. disable ixfr 
100 Ok 
ixfr=false 

remote-dns ipaddr create and disable ixfr—Prevents the specified server from performing incremental zone transfers.

nrcmd> remote-dns 192.169.1.15 create 
100 Ok
192.169.1.15:
ixfr = disabled 
multirec = disabled 
nrcmd> remote-dns 192.169.1.15 disable ixfr 
100 Ok 
ixfr=false 

dns set ixfr-expire-interval—Defines the interval, in seconds, during which the server attempts only incremental zone transfers; when it expires, the server performs a full zone transfer. The CLI echoes the value in hours, minutes, and seconds.

nrcmd> dns set ixfr-expire-interval=7000 
100 Ok 
ixfr-expire-interval=1h56m40s 

dns enable relax-ixfr-query-validation—When BIND 8.2.2p5 responds to an IXFR query, it mistakenly responds with the query type AXFR, a full zone transfer. Because Network Registrar adheres to RFC 1995, it expects the value IXFR in that field and rejects the BIND 8.2.2p5 response. You can relax the IXFR query validation by enabling this attribute. This requires setting the session visibility level to 3 temporarily—always reset it to 5 again.

nrcmd> session set visibility=3 
100 Ok 
visibility=3 
nrcmd> dns enable relax-ixfr-query-validation 
100 Ok 
relax-ixfr-query-validation=enabled 
nrcmd> session set visibility=5 
100 Ok 
visibility=5 


Tip For every optional DNS property you set, you can also unset it using the dns unset attribute command.


Using the GUI

On the Options tab of the DNS Server Properties dialog box, check the Enable incremental transfer (IXFR) box to enable incremental transfer.

Enabling NOTIFY

The NOTIFY protocol, described in RFC 1996, lets the Network Registrar DNS primary server inform its secondaries that zone changes occurred. The NOTIFY packet does not indicate the changes themselves, just that they occurred, and this triggers a zone transfer request. Use NOTIFY in environments where the namespace is relatively dynamic.

Because a zone's master server cannot know specifically which secondary server transfers from it, Network Registrar notifies all registered zone name servers when the zone changes. The only exception is the server named in the SOA primary master field.

You can use IXFR and NOTIFY together, but this is not necessary. You can disable NOTIFY for a quickly changing zone for which immediate updates on all secondaries do not justify the constant NOTIFY traffic. Such a zone might benefit from a short refresh time with NOTIFY disabled.

Using the Web UI


Step 1 On the Primary Navigation bar, click the Zone tab. See the Network Registrar Web UI Guide for details.

Step 2 On the Secondary Navigation bar, click the DNS Server tab to open the Edit DNS Server page.

Step 3 Under the Zone Defaults category, set the Send zone change notification (NOTIFY) attribute to enabled and set any of the other NOTIFY attributes (see the "Using the CLI" section), then click Modify Server.

Step 4 Click Zones on the Secondary Navigation and select the zone name so that you can add a comma-separated list of servers to notify using the notify-set attribute on the Edit Zone page. Also, set the notify attribute to true.

Step 5 Click Modify Zone on that page.


Using the CLI

Use the dns enable notify command to send notification for all zones not configured for specific behavior. NOTIFY is enabled by default. You can also enable NOTIFY at the zone level.

nrcmd> dns enable notify 
100 Ok
notify=enabled

NOTIFY also notifies the servers that you specify in the notify-set list. Use the zone name set notify-set command to specify an optional, comma-separated list of servers to notify. Then, use the zone name show command to confirm the setting.

nrcmd> zone example.com. set notify-set=1.1.1.1,2.2.2.2 
100 Ok
nrcmd> zone example.com. show 
100 Ok 
example.com. (primary): 
...
notify-set = {{0 1.1.1.1} {1 2.2.2.2}} 

For the other NOTIFY tuning parameters you can set, see the "Tuning DNS Properties" section.

Using the GUI

On the Options tab of the DNS Server Properties dialog box, check the Enable NOTIFY box.

Troubleshooting the DNS Server

Useful tools and hints for diagnosing the DNS server include:

Getting the health of the server—In the Web UI, if you have server administration rights, click Administration on the Primary Navigation bar and Servers on the Secondary Navigation bar to display the health of the servers. A value of 10 is the optimum health, while a value of 0 indicates that the server is stopped, with other gradations in between. In the CLI, use the following command:

nrcmd> dns getHealth 
100 ok
10

Listing the values of the DNS server properties—In the Web UI, on the Primary Navigation bar, click the Zone tab, then on the Secondary Navigation bar, click the DNS Server tab to open the Edit DNS Server page. In the CLI, use the following command.

nrcmd> dns show 
...

Choosing from the DNS log settings to give you greater control over existing log messages—Use the Log settings attribute on the Edit DNS Server page in the Web UI, or the dns set log-settings command in the CLI with one or more of these keyword or numeric values, separated by commas (see Table 5-3). Restart the server if you make any changes to the log settings.

Table 5-3 DNS Log Settings

Log Setting (Numeric Equivalent)   Description
config (1)                         Server configuration and de-initialization.
ddns (2)                           High-level dynamic update messages.
xfr-in (3)                         Inbound full and incremental zone transfers.
xfr-out (4)                        Outbound full and incremental zone transfers.
notify (5)                         NOTIFY transactions.
datastore (8)                      Datastore processing that provides insight into various events in the server's embedded databases.
scavenge (9)                       Scavenging of dynamic resource records.
scavenge-details (10)              More detailed scavenging output (disabled by default).
server-operations (11)             General high-level server events, such as those pertaining to sockets and interfaces.
lame-delegation (13)               Lame delegation events; enabled by default, but disabling this flag can keep the log from filling with frequent lame delegation encounters.
root-query (14)                    Queries and responses from root servers.
ddns-refreshes (15)                Dynamic DNS update refreshes for Windows 2000 clients (disabled by default).
ddns-refreshes-details (16)        Resource records refreshed during dynamic DNS updates for Windows 2000 clients (disabled by default).
ddns-details (17)                  Resource records added or deleted due to dynamic DNS updates.
tsig (18)                          Events associated with Transaction Signature (TSIG) dynamic DNS updates.
tsig-details (19)                  More detailed logging of TSIG dynamic DNS updates (disabled by default).
activity-summary (20)              Summary of activities in the server. The interval at which these summaries are taken is set by the activity-summary-interval attribute (default five minutes), which you can change with the dns set-activity-summary-interval command.
query-errors (21)                  Errors encountered while processing DNS queries.
config-details (22)                Detailed information during server configuration, listing all configured and assumed server attributes (disabled by default).


Using the nslookup utility to test and confirm the DNS configuration—This utility is a simple resolver that sends queries to Internet name servers. Here are simple commands that return the IP address of the default server and the host. To obtain help for the nslookup utility, enter help at the prompt after you invoke the command.

$ nslookup 
> pc3 
Server: server2.example.com 
Address: 192.168.40.2 
Name: pc3.example.com 
Address: 192.168.40.33