Skip site navigation (1)Skip section navigation (2)

FreeBSD Manual Pages


home | help
nsd-control(8)			   nsd 4.3.5			nsd-control(8)

       nsd-control, nsd-control-setup -	NSD remote server control utility.

       nsd-control [-c cfgfile]	[-s server] command

       nsd-control  performs  remote  administration on	the nsd(8) DNS server.
       It reads	the configuration file,	contacts  the  nsd  server  over  SSL,
       sends the command and displays the result.

       The available options are:

       -h     Show the version and commandline option help.

       -c cfgfile
	      The config file to read with settings.  If not given the default
	      config file /usr/local/etc/nsd/nsd.conf is used.

       -s server[@port]
	      IPv4 or IPv6 address of the server to contact.   If  not	given,
	      the address is read from the config file.

       There are several commands that the server understands.

       start  Start  the  server.  Simply execs	nsd(8).	 The nsd executable is
	      searched for in the PATH set in the environment.	It is  started
	      with  the	 config	 file specified	using -c or the	default	config

       stop   Stop the server. The server daemon exits.

       reload [<zone>]
	      Reload zonefiles and reopen  logfile.   Without  argument	 reads
	      changed  zonefiles.   With  argument  reads the zonefile for the
	      given zone and loads it.

	      Reload nsd.conf and apply	changes	to TSIG	keys and configuration
	      patterns,	and apply the changes to add and remove	zones that are
	      mentioned	in the config.	Other changes are not applied, such as
	      listening	 ip address and	port and chroot, also per-zone statis-
	      tics are not applied.  The pattern updates means that  the  con-
	      figuration  options  for	zones  (request-xfr, zonefile, notify,
	      ...) are updated.	 Also new patterns are available for use  with
	      the addzone command.

	      Same as the reconfig option.

	      Reopen  the  logfile, for	log rotate that	wants to move the log-
	      file away	and create a new logfile.  The log  can	 also  be  re-
	      opened with kill -HUP (which also	reloads	all zonefiles).

       status Display  server  status. Exit code 3 if not running (the connec-
	      tion to the port is refused), 1 on error,	0 if running.

       stats  Output a sequence	of name=value lines with  statistics  informa-
	      tion, requires NSD to be compiled	with this option enabled.

	      Same as stats, but does not zero the counters.

       addzone <zone name> <pattern name>
	      Add  a new zone to the running server.  The zone is added	to the
	      zonelist file on disk, so	it stays after a restart.  The pattern
	      name determines the options for the new zone.  For slave zones a
	      zone transfer is immediately attempted.  For zones with a	 zone-
	      file, the	zone file is attempted to be read in.

       delzone <zone name>
	      Remove  the  zone	 from the running server.  The zone is removed
	      from the zonelist	file on	disk, from the nsd.db  file  and  from
	      the memory.  If it had a zonefile, this remains (but may be out-
	      dated).  Zones configured	inside nsd.conf	itself cannot  be  re-
	      moved this way because the daemon	does not write to the nsd.conf
	      file, you	need to	add such zones to the zonelist file to be able
	      to delete	them with the delzone command.

       changezone <zone	name> <pattern name>
	      Change  a	 zone  to  use	the  pattern for options.  The zone is
	      deleted and added	in one operation, changing it to use  the  new
	      pattern for the zone options.  Zones configured in nsd.conf can-
	      not be changed like this,	instead	edit the nsd.conf (or the  in-
	      cluded file in nsd.conf) and reconfig.

	      Add  zones  read	from  stdin of nsd-control.  Input is read per
	      line, with name space patternname	on a  line.   For  bulk	 addi-

	      Remove  zones read from stdin of nsd-control.  Input is one name
	      per line.	 For bulk removals.

       write [<zone>]
	      Write zonefiles to disk, or the given zonefile to	 disk.	 Zones
	      that  have  changed  (via	 AXFR  or IXFR)	are written, or	if the
	      zonefile has not been created yet	then it	is created.  Directory
	      components of the	zonefile path are created if necessary.

       notify [<zone>]
	      Send  NOTIFY  messages  to  slave	 servers.  Sends to the	IP ad-
	      dresses configured in the	'notify:' lists	for the	 master	 zones
	      hosted  on this server.  Usually NSD sends NOTIFY	messages right
	      away when	a master zone serial is	updated.  If a zone is	given,
	      notifies	are  sent for that zone.  These	slave servers are sup-
	      posed to initiate	a zone transfer	request	later (to this	server
	      or  another  master), this can be	allowed	via the	'provide-xfr:'
	      acl list configuration.

       transfer	[<zone>]
	      Attempt to update	slave zones that are hosted on this server  by
	      contacting  the  masters.	  The  masters are configured via 're-
	      quest-xfr:' lists.  If a zone is given, that  zone  is  updated.
	      Usually  NSD  receives a NOTIFY from the masters (configured via
	      'allow-notify:' acl list)	that a	new  zone  serial  has	to  be
	      transferred.  For	zones with no content, NSD may have backed off
	      from asking often	because	the masters did	not respond, but  this
	      command  will reset the backoff to its initial timeout, for fre-
	      quent retries.

       force_transfer [<zone>]
	      Force update slave zones that are	hosted on this	server.	  Even
	      if  the  master hosts the	same serial number of the zone,	a full
	      AXFR is performed	to fetch it.  If you  want  to	use  IXFR  and
	      check  that the serial number increases, use the 'transfer' com-

       zonestatus [<zone>]
	      Print state of the zone, the serial numbers and since when  they
	      have  been  acquired.   Also  prints the notify action (to which
	      server), and zone	transfer (and from which master) if  there  is
	      activity	right now.  The	state of the zone is printed as: 'mas-
	      ter' (master zones), 'ok'	(slave zone is up-to-date),  'expired'
	      (slave zone has expired),	'refreshing' (slave zone has transfers
	      active).	The serial numbers  printed  are  the  'served-serial'
	      (currently active), the 'commit-serial' (is in reload), the 'no-
	      tified-serial' (got notify, busy fetching	the data).  The	serial
	      numbers are only printed if such a serial	number is available.

	      Prints  the PID of the server process.  This is used for statis-
	      tics (and	only works when	NSD is compiled	 with  statistics  en-
	      abled).	This  pid is not for sending unix signals, use the pid
	      from for that, that pid is also stable.

       verbosity <number>
	      Change logging verbosity.

       print_tsig [<key_name>]
	      print the	secret and algorithm for the TSIG key with that	 name.
	      Or list all the tsig keys	with their name, secret	and algorithm.

       update_tsig <name> <secret>
	      Change  existing	TSIG key with name to the new secret.  The se-
	      cret is a	base64 encoded string.	The changes are	only in-memory
	      and are gone next	restart, for lasting changes edit the nsd.conf
	      file or a	file included from it.

       add_tsig	<name> <secret>	[algo]
	      Add a new	TSIG key with the given	name,  secret  and  algorithm.
	      Without  algorithm  a  default  (hmac-sha256) algorithm is used.
	      The secret is a base64 encoded string.  The changes are only in-
	      memory  and  are gone next restart, for lasting changes edit the
	      nsd.conf file or a file included from it.

       assoc_tsig <zone> <key_name>
	      Associate	the zone with the  given  tsig.	  The  access  control
	      lists  for notify, allow-notify, provide-xfr and request-xfr are
	      adjusted to use the given	key.

       del_tsig	<key_name>
	      Delete the TSIG key with the given name.	Prints	error  if  the
	      key  is still in use by some zone.  The changes are only in-mem-
	      ory and are gone next restart,  for  lasting  changes  edit  the
	      nsd.conf file or a file included from it.

       The  nsd-control	 program  exits	with status code 1 on error, 0 on suc-

       The setup requires a self-signed	certificate and	private	keys for  both
       the server and client.  The script nsd-control-setup generates these in
       the default run directory, or with -d in	 another  directory.   If  you
       change  the  access control permissions on the key files	you can	decide
       who can use nsd-control,	by default owner and group but not all	users.
       The script preserves private keys present in the	directory.  After run-
       ning the	script as root,	turn on	control-enable in nsd.conf.

       The stats command shows a number	of statistic counters.

	      number of	queries	received (the tls, tcp and udp	queries	 added

	      number  of queries handled by the	server process.	 The number of
	      server processes is set with the config statement	server-count.

	      uptime in	seconds	since the server was started.  With fractional

	      time  since  the last stats report, in seconds.  With fractional
	      seconds.	Can be zero if polled quickly and the  previous	 stats
	      command resets the counters, so that the next gets a fully zero,
	      and zero elapsed time, report.

	      size of nsd.db on	disk, in bytes.

	      size of the DNS database in memory, in bytes.

	      size of memory for zone transfers	and notifies in	xfrd  process,
	      excludes TSIG data, in bytes.

	      size  of	zonelist  file on disk,	excludes the nsd.conf size, in

	      size of config data in memory, kept twice	 in  server  and  xfrd
	      process, in bytes.

	      number of	queries	with this query	type.

	      number of	queries	with this opcode.

	      number of	queries	with this query	class.

	      number of	answers	that carried this return code.

	      number of	queries	with EDNS OPT.

	      number of	queries	which failed EDNS parse.

	      number of	queries	over UDP ip4.

	      number of	queries	over UDP ip6.

	      number of	connections over TCP ip4.

	      number of	connections over TCP ip6.

	      number of	connections over TLS ip4.  TLS queries are not part of

	      number of	connections over TLS ip6.  TLS queries are not part of

	      number  of  answers with NOERROR rcode and without AA flag, this
	      includes the referrals.

	      number of	queries	for which the receive failed.

	      number of	answers	for which the transmit failed.

	      number of	AXFR requests from clients (that got served  with  re-

	      number of	answers	with TC	flag set.

	      number  of  queries that were dropped because they failed	sanity

	      number of	master zones served.  These are	 zones	with  no  're-
	      quest-xfr:' entries.

	      number  of  slave	 zones	served.	  These	 are  zones  with 're-
	      quest-xfr' entries.

	      nsd configuration	file.

	      directory	with private keys (nsd_server.key and nsd_control.key)
	      and   self-signed	  certificates	(nsd_server.pem	 and  nsd_con-

       nsd.conf(5), nsd(8), nsd-checkconf(8)

NLnet Labs			 Jan 26, 2021			nsd-control(8)


Want to link to this manual page? Use this URL:

home | help