1nsd-control(8) nsd 4.2.4 nsd-control(8)
2
3
4
6 nsd-control, nsd-control-setup - NSD remote server control utility.
7
9 nsd-control [-c cfgfile] [-s server] command
10
12 nsd-control performs remote administration on the nsd(8) DNS server.
13 It reads the configuration file, contacts the nsd server over SSL,
14 sends the command and displays the result.
15
16 The available options are:
17
18 -h Show the version and commandline option help.
19
20 -c cfgfile
21 The config file to read with settings. If not given the default
22 config file /etc/nsd/nsd.conf is used.
23
24 -s server[@port]
25 IPv4 or IPv6 address of the server to contact. If not given,
26 the address is read from the config file.
27
29 There are several commands that the server understands.
30
31 start Start the server. Simply execs nsd(8). The nsd executable is
32 searched for in the PATH set in the environment. It is started
33 with the config file specified using -c or the default config
34 file.
35
36 stop Stop the server. The server daemon exits.
37
38 reload [<zone>]
39 Reload zonefiles and reopen logfile. Without argument reads
40 changed zonefiles. With argument reads the zonefile for the
41 given zone and loads it.
42
43 reconfig
44 Reload nsd.conf and apply changes to TSIG keys and configuration
45 patterns, and apply the changes to add and remove zones that are
46 mentioned in the config. Other changes are not applied, such as
47 listening ip address and port and chroot, also per-zone statis‐
48 tics are not applied. The pattern updates means that the con‐
49 figuration options for zones (request-xfr, zonefile, notify,
50 ...) are updated. Also new patterns are available for use with
51 the addzone command.
52
53 repattern
54 Same as the reconfig option.
55
56 log_reopen
57 Reopen the logfile, for log rotate that wants to move the log‐
58 file away and create a new logfile. The log can also be
59 reopened with kill -HUP (which also reloads all zonefiles).
60
61 status Display server status. Exit code 3 if not running (the connec‐
62 tion to the port is refused), 1 on error, 0 if running.
63
64 stats Output a sequence of name=value lines with statistics informa‐
65 tion, requires NSD to be compiled with this option enabled.
66
67 stats_noreset
68 Same as stats, but does not zero the counters.
69
70 addzone <zone name> <pattern name>
71 Add a new zone to the running server. The zone is added to the
72 zonelist file on disk, so it stays after a restart. The pattern
73 name determines the options for the new zone. For slave zones a
74 zone transfer is immediately attempted. For zones with a zone‐
75 file, the zone file is attempted to be read in.
76
77 delzone <zone name>
78 Remove the zone from the running server. The zone is removed
79 from the zonelist file on disk, from the nsd.db file and from
80 the memory. If it had a zonefile, this remains (but may be out‐
81 dated). Zones configured inside nsd.conf itself cannot be
82 removed this way because the daemon does not write to the
83 nsd.conf file, you need to add such zones to the zonelist file
84 to be able to delete them with the delzone command.
85
86 changezone <zone name> <pattern name>
87 Change a zone to use the pattern for options. The zone is
88 deleted and added in one operation, changing it to use the new
89 pattern for the zone options. Zones configured in nsd.conf can‐
90 not be changed like this, instead edit the nsd.conf (or the
91 included file in nsd.conf) and reconfig.
92
93 addzones
94 Add zones read from stdin of nsd-control. Input is read per
95 line, with name space patternname on a line. For bulk addi‐
96 tions.
97
98 delzones
99 Remove zones read from stdin of nsd-control. Input is one name
100 per line. For bulk removals.
101
102 write [<zone>]
103 Write zonefiles to disk, or the given zonefile to disk. Zones
104 that have changed (via AXFR or IXFR) are written, or if the
105 zonefile has not been created yet then it is created. Directory
106 components of the zonefile path are created if necessary.
107
108 notify [<zone>]
109 Send NOTIFY messages to slave servers. Sends to the IP
110 addresses configured in the 'notify:' lists for the master zones
111 hosted on this server. Usually NSD sends NOTIFY messages right
112 away when a master zone serial is updated. If a zone is given,
113 notifies are sent for that zone. These slave servers are sup‐
114 posed to initiate a zone transfer request later (to this server
115 or another master), this can be allowed via the 'provide-xfr:'
116 acl list configuration.
117
118 transfer [<zone>]
119 Attempt to update slave zones that are hosted on this server by
120 contacting the masters. The masters are configured via
121 'request-xfr:' lists. If a zone is given, that zone is updated.
122 Usually NSD receives a NOTIFY from the masters (configured via
123 'allow-notify:' acl list) that a new zone serial has to be
124 transferred. For zones with no content, NSD may have backed off
125 from asking often because the masters did not respond, but this
126 command will reset the backoff to its initial timeout, for fre‐
127 quent retries.
128
129 force_transfer [<zone>]
130 Force update slave zones that are hosted on this server. Even
131 if the master hosts the same serial number of the zone, a full
132 AXFR is performed to fetch it. If you want to use IXFR and
133 check that the serial number increases, use the 'transfer' com‐
134 mand.
135
136 zonestatus [<zone>]
137 Print state of the zone, the serial numbers and since when they
138 have been acquired. Also prints the notify action (to which
139 server), and zone transfer (and from which master) if there is
140 activity right now. The state of the zone is printed as: 'mas‐
141 ter' (master zones), 'ok' (slave zone is up-to-date), 'expired'
142 (slave zone has expired), 'refreshing' (slave zone has transfers
143 active). The serial numbers printed are the 'served-serial'
144 (currently active), the 'commit-serial' (is in reload), the
145 'notified-serial' (got notify, busy fetching the data). The
146 serial numbers are only printed if such a serial number is
147 available.
148
149 serverpid
150 Prints the PID of the server process. This is used for statis‐
151 tics (and only works when NSD is compiled with statistics
152 enabled). This pid is not for sending unix signals, use the pid
153 from nsd.pid for that, that pid is also stable.
154
155 verbosity <number>
156 Change logging verbosity.
157
158 print_tsig [<key_name>]
159 print the secret and algorithm for the TSIG key with that name.
160 Or list all the tsig keys with their name, secret and algorithm.
161
162 update_tsig <name> <secret>
163 Change existing TSIG key with name to the new secret. The
164 secret is a base64 encoded string. The changes are only in-mem‐
165 ory and are gone next restart, for lasting changes edit the
166 nsd.conf file or a file included from it.
167
168 add_tsig <name> <secret> [algo]
169 Add a new TSIG key with the given name, secret and algorithm.
170 Without algorithm a default (hmac-sha256) algorithm is used.
171 The secret is a base64 encoded string. The changes are only in-
172 memory and are gone next restart, for lasting changes edit the
173 nsd.conf file or a file included from it.
174
175 assoc_tsig <zone> <key_name>
176 Associate the zone with the given tsig. The access control
177 lists for notify, allow-notify, provide-xfr and request-xfr are
178 adjusted to use the given key.
179
180 del_tsig <key_name>
181 Delete the TSIG key with the given name. Prints error if the
182 key is still in use by some zone. The changes are only in-mem‐
183 ory and are gone next restart, for lasting changes edit the
184 nsd.conf file or a file included from it.
185
187 The nsd-control program exits with status code 1 on error, 0 on suc‐
188 cess.
189
191 The setup requires a self-signed certificate and private keys for both
192 the server and client. The script nsd-control-setup generates these in
193 the default run directory, or with -d in another directory. If you
194 change the access control permissions on the key files you can decide
195 who can use nsd-control, by default owner and group but not all users.
196 The script preserves private keys present in the directory. After run‐
197 ning the script as root, turn on control-enable in nsd.conf.
198
200 The stats command shows a number of statistic counters.
201
202 num.queries
203 number of queries received (the tls, tcp and udp queries added
204 up).
205
206 serverX.queries
207 number of queries handled by the server process. The number of
208 server processes is set with the config statement server-count.
209
210 time.boot
211 uptime in seconds since the server was started. With fractional
212 seconds.
213
214 time.elapsed
215 time since the last stats report, in seconds. With fractional
216 seconds. Can be zero if polled quickly and the previous stats
217 command resets the counters, so that the next gets a fully zero,
218 and zero elapsed time, report.
219
220 size.db.disk
221 size of nsd.db on disk, in bytes.
222
223 size.db.mem
224 size of the DNS database in memory, in bytes.
225
226 size.xfrd.mem
227 size of memory for zone transfers and notifies in xfrd process,
228 excludes TSIG data, in bytes.
229
230 size.config.disk
231 size of zonelist file on disk, excludes the nsd.conf size, in
232 bytes.
233
234 size.config.mem
235 size of config data in memory, kept twice in server and xfrd
236 process, in bytes.
237
238 num.type.X
239 number of queries with this query type.
240
241 num.opcode.X
242 number of queries with this opcode.
243
244 num.class.X
245 number of queries with this query class.
246
247 num.rcode.X
248 number of answers that carried this return code.
249
250 num.edns
251 number of queries with EDNS OPT.
252
253 num.ednserr
254 number of queries which failed EDNS parse.
255
256 num.udp
257 number of queries over UDP ip4.
258
259 num.udp6
260 number of queries over UDP ip6.
261
262 num.tcp
263 number of connections over TCP ip4.
264
265 num.tcp6
266 number of connections over TCP ip6.
267
268 num.tls
269 number of connections over TLS ip4. TLS queries are not part of
270 num.tcp.
271
272 num.tls6
273 number of connections over TLS ip6. TLS queries are not part of
274 num.tcp6.
275
276 num.answer_wo_aa
277 number of answers with NOERROR rcode and without AA flag, this
278 includes the referrals.
279
280 num.rxerr
281 number of queries for which the receive failed.
282
283 num.txerr
284 number of answers for which the transmit failed.
285
286 num.raxfr
287 number of AXFR requests from clients (that got served with
288 reply).
289
290 num.truncated
291 number of answers with TC flag set.
292
293 num.dropped
294 number of queries that were dropped because they failed sanity
295 check.
296
297 zone.master
298 number of master zones served. These are zones with no
299 'request-xfr:' entries.
300
301 zone.slave
302 number of slave zones served. These are zones with
303 'request-xfr' entries.
304
306 /etc/nsd/nsd.conf
307 nsd configuration file.
308
309 /etc/nsd
310 directory with private keys (nsd_server.key and nsd_control.key)
311 and self-signed certificates (nsd_server.pem and nsd_con‐
312 trol.pem).
313
315 nsd.conf(5), nsd(8), nsd-checkconf(8)
316
317
318
319NLnet Labs Dec 10, 2019 nsd-control(8)