xref: /netbsd-src/external/bsd/nsd/dist/doc/NSD-4-features (revision d83a80ee7fb31190352cf1f781441e06ca6a86db)

NSD 4 features

By W.C.A. Wijngaards, NLnet Labs, 2012.

Migration
---------
The old NSD3 config file can be used without changes for NSD4.  There are
new config statements and some old statements are gone.

The nsd.db file has a new format that allows read and write.  Thus the
nsd.db file needs to be re-created in NSD4 format.  This happens when
you start NSD4.  NSD4 needs write permission on the nsd.db directory
for that.  If you need to rollback to NSD3, run its zonec to recreate
the NSD3 nsd.db file (use nsdc rebuild).

The cron job for nsdc patch is no longer needed.  It can be removed.

If you admire cron jobs, you can have a cron job that does "nsd-control
write".  This would periodically write the contents of changed zones to
their zonefile.

nsdc is removed, reload with kill -HUP $pid and use nsd-control.
The SIGHUP makes NSD4 check zone file timestamps and reload changed zones.
nsd-control reload is the same.  SIGTERM stops NSD.

You probably want to install and enable some of the new NSD 4 features,
such as set up nsd-control and statistics.  And you may want to use the
new pattern config options.

Removed config options
----------------------
difffile: ixfr.db is gone.  This setting is no longer applicable, because
the ixfr.db file is no longer used.  Files are created in /tmp now.
The value is ignored by NSD4 if given in nsd.conf.

ip4-only and ip6-only: are replaced with more straightforward do-ip4 and
do-ip6.  They are still accepted in nsd.conf for backwards compatibility.

New config options
------------------
zonelistfile: zone.list.  This file contains a plain text listing of
the dynamically added zones and their pattern.  It is read and written
by NSD while it is running.

xfrdir: /tmp.  This directory is used to store temporary zone transfer
files.  They are stored in a unique subdirectory that has few access
permissions.

tcp-count: 100.  This option already exists in NSD3, but in NSD4 you
can increase it above 1024, like 2048, to have higher TCP capacity.

remote-control: this is a new section in the config file that configures
the nsd-control remote control utility.  It is very similar to unbound's
remote control configuration.  With control-enable: yes you can enable
it, it is disabled by default.  It is bound to the loopback interface
by default.  See the manpage or sample config for the list of options,
it is possible to set the port number and keyfile paths, and configure
it to be accessible from the outside.

pattern: these allow you to bundle a set of zone config statements.
Then for a zone you can include-pattern: "nameofpattern" to apply those
config statements.  patterns can also include other patterns.  This is
needed to allow the user to specify the config statement pattern for a
newly added zone.  But you can also use it to organise the configuration.

zone: These already exist in NSD3 and work similarly.  For NSD4,
they create a zone, these zones added and removed by a restart or the
nsd-control reconfig command.  Zones that are dynamically added can
also be dynamically removed (with nsd-control addzone and delzone),
those zones are in the zones.list file. The zone can have the normal
zone config statements, and it can also use include-pattern to apply
config statements from a pattern to it.

The nsd-control utility
-----------------------
You can control the NSD4 daemon with signals, SIGHUP, SIGTERM, if you
want.  It reloads on SIGHUP and this includes parsing and loading changed
zone files.  More commands are available via the nsd-control utility.
It connects over SSL with the daemon and sends the command to it, and
prints the result.

To enable nsd-control you have to create the private and public keys
with nsd-control-setup, run it as root.  Then edit nsd.conf and set
remote-control: control-enable: yes in the config file.  Then you should
be able to use nsd-control, the nsd-control status command is a simple
check if everything works.

reload [zone] : without a zone name it checks if zone files have changed,
if so, loads them.  If you specify the zone name (nsd-control reload
example.com) it'll load that zone.

reconfig : this rereads the nsd.conf file without a restart.  Only the
zone configuration, and ratelimits are updated from it.  Other settings,
file paths, chroot location, interfaces and port numbers, cannot
be applied and need a restart, during the restart NSD will have the
permissions to bind port 53 and chroot again.  It adds and removes
zones that have been added and removed in the config file, and it also
changes zone configurations.

log_reopen : also done on SIGHUP, but this controls more exactly that only
the logfile is reopened.

stats and stats_noreset : print statistics.

addzone name pattern : adds a new zone to the running server.  If it has a
zonefile this file is read in and served.  If it is a slave zone, a zone
transfer is attempted.

delzone name : removes zone.

write [zone] : write a zone contents from nsd.db to its zonefile in text format.
writes all changed zones, but if you specify a particular zone, it writes
that zone only.

notify [zone] : for master zones here, send notifies to its slaves.
If you specify a name, only that zone, otherwise all master zones.

transfer [zone] : for slave zones here, attempt a zone transfer from
the masters.  If you specify a name, only that zone, otherwise all
slave zones.

force_transfer [zone] : same as transfer but uses full zone transfer
with AXFR and does not perform a serial number check.

Statistics
----------
With nsd-control you can get a list of statistics from NSD on demand.
This makes it easier to integrate NSD into a statistics collection system.
In source/contrib/nsd_munin_ is an example munin plugin.

Other features
--------------
* Performance increase.
* Support a high zone count.
* Faster zone transfers.
* Add and remove zones without a restart.
* Can reread zone configuration from config file without a restart.
* Higher TCP service levels, more sockets.
* Detect which zone files have changed.
* Calculates nsec3-prehash incrementally after IXFR.
* Domain tree does not have the small leak of domain nodes.

More documentation
------------------
The nsd(8) man page, the nsd.conf(5) man page, the nsd-control(8) man page.