NSD 4 features

By W.C.A. Wijngaards, NLnet Labs, 2012.

Migration
---------
The old NSD3 config file can be used without changes for NSD4. There are
new config statements and some old statements are gone.

The nsd.db file has a new format that allows read and write. Thus the
nsd.db file needs to be re-created in NSD4 format. This happens when
you start NSD4. NSD4 needs write permission on the nsd.db directory
for that. If you need to roll back to NSD3, run its zonec to recreate
the NSD3 nsd.db file (use nsdc rebuild).

The cron job for nsdc patch is no longer needed. It can be removed.

If you admire cron jobs, you can have a cron job that does "nsd-control
write". This would periodically write the contents of changed zones to
their zonefile.

nsdc is removed; reload with kill -HUP $pid or use nsd-control.
The SIGHUP makes NSD4 check zone file timestamps and reload changed zones.
nsd-control reload does the same. SIGTERM stops NSD.

You probably want to install and enable some of the new NSD 4 features,
such as setting up nsd-control and statistics. And you may want to use the
new pattern config options.

Removed config options
----------------------
difffile: ixfr.db is gone. This setting is no longer applicable, because
the ixfr.db file is no longer used. Files are created in /tmp now.
The value is ignored by NSD4 if given in nsd.conf.

ip4-only and ip6-only: are replaced with the more straightforward do-ip4 and
do-ip6. They are still accepted in nsd.conf for backwards compatibility.

New config options
------------------
zonelistfile: zone.list. This file contains a plain text listing of
the dynamically added zones and their pattern. It is read and written
by NSD while it is running.

xfrdir: /tmp. This directory is used to store temporary zone transfer
files. They are stored in a unique subdirectory that has few access
permissions.

tcp-count: 100.
This option already exists in NSD3, but in NSD4 you
can increase it above 1024, for example to 2048, to have higher TCP capacity.

remote-control: this is a new section in the config file that configures
the nsd-control remote control utility. It is very similar to unbound's
remote control configuration. With control-enable: yes you can enable
it; it is disabled by default. It is bound to the loopback interface
by default. See the manpage or sample config for the list of options;
it is possible to set the port number and keyfile paths, and to configure
it to be accessible from the outside.

pattern: these allow you to bundle a set of zone config statements.
Then for a zone you can use include-pattern: "nameofpattern" to apply those
config statements. Patterns can also include other patterns. This is
needed to allow the user to specify the config statement pattern for a
newly added zone, but you can also use it to organise the configuration.

zone: these already exist in NSD3 and work similarly. For NSD4 they
create a zone; such zones are added and removed by a restart or by the
nsd-control reconfig command. Zones that are dynamically added can
also be dynamically removed (with nsd-control addzone and delzone);
those zones are listed in the zone.list file. The zone can have the normal
zone config statements, and it can also use include-pattern to apply
config statements from a pattern to it.

The nsd-control utility
-----------------------
You can control the NSD4 daemon with signals, SIGHUP and SIGTERM, if you
want. It reloads on SIGHUP and this includes parsing and loading changed
zone files. More commands are available via the nsd-control utility.
It connects over SSL with the daemon, sends the command to it, and
prints the result.

To enable nsd-control you have to create the private and public keys
with nsd-control-setup; run it as root. Then edit nsd.conf and set
remote-control: control-enable: yes in the config file.
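As an added example (not part of this document and not the NSD distribution's
sample config), here is an nsd.conf fragment that puts together the
remote-control section described above, a pattern, a pattern that includes
another pattern, and a static zone that applies a pattern. The addresses
(from the 192.0.2.0/24 documentation range), the pattern names, the file
paths and the tcp-count value are assumptions; the "%s" in zonefile is
NSD 4's substitution of the zone name into the file name, which this
document does not describe.

```conf
# Added example nsd.conf fragment (not from this document).
# Addresses, names and paths are placeholders.
server:
    zonesdir: "/etc/nsd/zones"
    zonelistfile: "/var/lib/nsd/zone.list"   # dynamically added zones are recorded here
    xfrdir: "/tmp"                            # temporary zone transfer files
    tcp-count: 2048                           # NSD4 allows more than 1024
    do-ip4: yes
    do-ip6: yes

remote-control:
    # nsd-control-setup generates the four key/cert files below. Keep the
    # interface on loopback unless the control channel is needed from
    # another host; an exposed control port is a full administrative channel.
    control-enable: yes
    control-interface: 127.0.0.1
    control-port: 8952
    server-key-file: "/etc/nsd/nsd_server.key"
    server-cert-file: "/etc/nsd/nsd_server.pem"
    control-key-file: "/etc/nsd/nsd_control.key"
    control-cert-file: "/etc/nsd/nsd_control.pem"

# A pattern bundles zone statements; newly added zones refer to it by name.
pattern:
    name: "slave-of-ns1"
    zonefile: "%s.zone"               # %s becomes the zone name: one file per zone
    allow-notify: 192.0.2.10 NOKEY    # only the master may send NOTIFY
    request-xfr: 192.0.2.10 NOKEY

# A pattern can include another pattern and add statements of its own.
pattern:
    name: "slave-of-ns1-notify-ns3"
    include-pattern: "slave-of-ns1"
    provide-xfr: 192.0.2.30 NOKEY     # only ns3 may transfer the zone from us
    notify: 192.0.2.30 NOKEY

# A static zone in nsd.conf: picked up by a restart or by nsd-control reconfig.
zone:
    name: "example.com"
    include-pattern: "slave-of-ns1"

# A dynamically added zone is not written here; it is created with
#   nsd-control addzone example.net slave-of-ns1-notify-ns3
# and recorded in the zonelistfile instead.
```

After editing the static zone list run nsd-control reconfig. NOKEY is used
here only to keep the example short; in production, replace it with the name
of a key: section (a TSIG key, documented in nsd.conf(5)) on the provide-xfr,
request-xfr and notify lines, so that transfers and notifies are
authenticated rather than filtered by address alone.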
Then you should
be able to use nsd-control; the nsd-control status command is a simple
check whether everything works.

reload [zone] : without a zone name it checks if zone files have changed
and, if so, loads them. If you specify the zone name (nsd-control reload
example.com) it loads that zone.

reconfig : this rereads the nsd.conf file without a restart. Only the
zone configuration and ratelimits are updated from it. Other settings
(file paths, chroot location, interfaces and port numbers) cannot
be applied and need a restart; during the restart NSD has the
permissions to bind port 53 and chroot again. It adds and removes
zones that have been added and removed in the config file, and it also
changes zone configurations.

log_reopen : also done on SIGHUP, but this controls more exactly that only
the logfile is reopened.

stats and stats_noreset : print statistics.

addzone name pattern : adds a new zone to the running server. If it has a
zonefile, this file is read in and served. If it is a slave zone, a zone
transfer is attempted.

delzone name : removes the zone.

write [zone] : writes the contents of a zone from nsd.db to its zonefile in
text format. Without a zone name it writes all changed zones; if you
specify a particular zone, it writes that zone only.

notify [zone] : for master zones, send notifies to their slaves.
If you specify a name, only that zone; otherwise all master zones.

transfer [zone] : for slave zones, attempt a zone transfer from
the masters. If you specify a name, only that zone; otherwise all
slave zones.

force_transfer [zone] : same as transfer but uses a full zone transfer
with AXFR and does not perform a serial number check.

Statistics
----------
With nsd-control you can get a list of statistics from NSD on demand.
This makes it easier to integrate NSD into a statistics collection system.
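As an added example of such an integration (this script is not part of this
document or of NSD), a POSIX shell probe that turns the output of nsd-control
stats_noreset into a few name=value lines for a collector and fails when
dropped queries exceed a threshold. It assumes that nsd-control prints one
key=value pair per line and that the keys num.queries, num.dropped and
time.elapsed exist; the sample values in the comments are constructed, and
the NSD_CONTROL variable is an assumption introduced here so the utility
path can be overridden.

```shell
#!/bin/sh
# Added example, not from this document or from NSD: turn the output of
# "nsd-control stats_noreset" into collector-friendly values and flag
# dropped queries. The key=value line format and the key names used here
# (num.queries, num.dropped, time.elapsed) are assumptions about what
# nsd-control prints; verify them against your own installation.

# Path to the control utility (assumed variable; override for testing or
# non-standard installs).
NSD_CONTROL=${NSD_CONTROL:-nsd-control}

# Print the value of one statistic from key=value lines on stdin.
# Exit status 1 (and no output) when the key is absent.
stats_get() {
    awk -F= -v k="$1" '$1 == k { print $2; found = 1 } END { exit (found ? 0 : 1) }'
}

# Average queries per second since the counters were last reset, truncated
# to an integer. Prints 0 when the elapsed time is zero (fresh reset), so a
# collector never sees a division-by-zero error.
stats_qps() {
    stats=$(cat)
    q=$(printf '%s\n' "$stats" | stats_get num.queries) || return 1
    t=$(printf '%s\n' "$stats" | stats_get time.elapsed) || return 1
    awk -v q="$q" -v t="$t" 'BEGIN { if (t <= 0) print 0; else printf "%d\n", q / t }'
}

# Succeed when dropped queries are within the threshold, fail otherwise.
# A jump in num.dropped usually means overload or an abusive client and
# is worth an alert from the collection system.
stats_check_dropped() {
    d=$(stats_get num.dropped) || return 1
    [ "$d" -le "$1" ]
}

# Query the running daemon and emit three name=value lines for a collector.
# stats_noreset is used so that this probe does not zero the counters that
# another consumer (for instance the munin plugin) relies on.
nsd_collect() {
    stats=$("$NSD_CONTROL" stats_noreset) || {
        echo "nsd_collect: $NSD_CONTROL failed" >&2
        return 1
    }
    printf 'queries=%s\n' "$(printf '%s\n' "$stats" | stats_get num.queries)"
    printf 'qps=%s\n' "$(printf '%s\n' "$stats" | stats_qps)"
    printf 'dropped=%s\n' "$(printf '%s\n' "$stats" | stats_get num.dropped)"
}

# Usage as a script: ./nsd_stats.sh collect
# Constructed sample input "num.queries=3600 ... time.elapsed=120.5" yields
# queries=3600, qps=29, dropped=3.
if [ "${1:-}" = "collect" ]; then
    nsd_collect
fi
```

Run it from cron or from the collector's own plugin mechanism on the host
that has the nsd-control keys. Use the resetting stats command instead of
stats_noreset only when this probe is the sole consumer of the counters;
otherwise two readers reset each other's numbers and both report too low.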
In source/contrib/nsd_munin_ is an example munin plugin.

Other features
--------------
* Performance increase.
* Support for a high zone count.
* Faster zone transfers.
* Add and remove zones without a restart.
* Can reread zone configuration from the config file without a restart.
* Higher TCP service levels, more sockets.
* Detect which zone files have changed.
* Calculates nsec3-prehash incrementally after IXFR.
* Domain tree does not have the small leak of domain nodes.

More documentation
------------------
The nsd(8) man page, the nsd.conf(5) man page, the nsd-control(8) man page.