Configuring nsd

nsd(8) is an authoritative name server. nsd(8) comes with OpenBSD base, so it receives audits from the OpenBSD team and no installation is necessary.

This guide assumes a basic understanding of TCP/IP networking, IPv4 and IPv6 addressing, the domain name system, resource records, and zone files.

Edit nsd.conf(5)

By default, nsd(8) runs chrooted inside /var/nsd/, so the default location of nsd.conf(5) is /var/nsd/etc/nsd.conf. This guide provides a simple configuration of a single nameserver. Replace the existing nsd.conf(5) with:

server:
	hide-version: yes
	verbosity: 2
	database: "" # disable database
	username: _nsd
	logfile: "/var/log/nsd.log"

In the above configuration, hide-version keeps the server from revealing its version. Verbosity is set to 2 to provide errors and warnings about failed transfers. Setting database to an empty string means no database will be used. Next, nsd(8) will drop privileges to the user _nsd after binding the socket. Finally, nsd(8) will log to the file /var/log/nsd.log.

	ip-address: 198.51.100.1
	ip-address: 2001:db8::

These two directives bind to the public IPv4 address 198.51.100.1 and IPv6 address 2001:db8::. Substitute these with the real public IP addresses of the server.

Note: If the real public IP addresses are forgotten, ifconfig, hostname.if0, the server web panel, or registration email may provide the actual IP address. It may also be necessary to contact the network administrator.

remote-control:
        control-enable: yes
        control-interface: /var/run/nsd.sock

This section allows nsd-control(8) to control the server through the socket /var/run/nsd.sock.

Master Server

DNS requires that admins specify at least two name servers for every zone. This normally means that an admin will configure master and slave nameservers.

To simplify the initial configuration, however, this guide will configure just a single master name server (without a slave or zone transfers). This simple setup, although it does not comply with the standard, will quickly allow an admin to test the nameserver.

## master zone example
zone:
       name: "example.com"
       zonefile: "master/example.com"

Line 2 defines a new zone. Line 3 defines the name of the zone, which is example.com. A subdomain might be subdomain.example.com.

Write the Zone File

Next, a zone file must be created for the zone that is specified above. In this case, the zone file should be created at /var/nsd/zones/master/example.com. Here is a sample zone file:

$ORIGIN example.com.
example.com.     3600   SOA   ns1.example.com. admin.example.com. (
                            2021020301   ; serial YYYYMMDDnn
                            1800        ; refresh
                            3600         ; retry
                            86400       ; expire
                            3600 )      ; minimum TTL
        3600    IN      MX      10 mail
        3600    IN      A       198.51.100.1
        3600    IN      AAAA    2001:db8::
        3600    IN      NS      ns1
        3600    IN      NS      ns2
ns1     3600    IN      A       198.51.100.1
        3600    IN      AAAA    2001:db8::
ns2     3600    IN      A       198.51.100.1
        3600    IN      AAAA    2001:db8::
www     3600    IN      A       198.51.100.1
        3600    IN      AAAA    2001:db8::
irc     3600    IN      A       198.51.100.1
        3600    IN      AAAA    2001:db8::
imap    3600    IN      A       198.51.100.1
        3600    IN      AAAA    2001:db8::
smtp    3600    IN      A       198.51.100.1
        3600    IN      AAAA    2001:db8::
mail    3600    IN      A       198.51.100.1
        3600    IN      AAAA    2001:db8::

See the guide on zone files for an explanation of how to interpret the zone file.

Start nsd(8) and Test

# rcctl enable nsd
# rcctl start nsd

If all is configured correctly, it should now be possible to query the nameserver with host or dig. Assuming the IP address of the nameserver is 198.51.100.1:

$ host www.example.com 198.51.100.1
Using domain server:
Name: example.com
Address: 198.51.100.1#53
Aliases: 

www.example.com has address 198.51.100.1
www.example.com has IPv6 address 2001:db8::

This command queries the name server with IP address 198.51.100.1 for resource records for www.example.com.

Delegate Zone

After confirming nsd(8) works, authority for the zone can be delegated to the nameserver. If using a subdomain, the admin responsible for the domain must finish this step. If the domain was registered with a name registrar, the registrar will often provide a web panel that can be used to specify NS records and glue records. If using a subdomain provided by an admin, ask the network admin responsible for the subdomain.

Troubleshooting NSD

nsd provides two helpful tools for troubleshooting: nsd-checkconf(8) and nsd-checkzone(8). dig, host, and nslookup(1) are also valuable tools. The troubleshoot NSD guide provides solutions for several common errors. As always, remember to check the error log (/var/log/nsd.log).
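
The following shell functions are an added example, not part of the original guide: they compute the next SOA serial in the YYYYMMDDnn form used in the sample zone file, and reload a zone only after nsd-checkconf(8) and nsd-checkzone(8) both pass. The function names and the NSD_CHECKCONF, NSD_CHECKZONE and NSD_CONTROL override variables are assumptions of this example.

```shell
#!/bin/sh
# Added example: validate before reloading, so a typo in nsd.conf or the
# zone file never reaches the running server. The NSD_* variables are
# overrides invented for this example; the defaults are the real tools.

# soa_serial FILE: print the SOA serial from a zone file laid out like the
# sample above (the value on the line commented "; serial").
soa_serial() {
	awk '/; *serial/ { print $1; exit }' "$1"
}

# next_serial CURRENT TODAY: print the next serial in YYYYMMDDnn form.
# The result is always greater than CURRENT, so the serial never goes down.
next_serial() {
	cur=$1 today=$2
	case $cur in
	[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
	*) echo "serial '$cur' is not YYYYMMDDnn" >&2; return 1 ;;
	esac
	day=${cur%??} nn=${cur#????????}
	if [ "$day" -lt "$today" ]; then
		echo "${today}00"            # first change today
	elif [ "$nn" -lt 99 ]; then
		echo $(($cur + 1))           # another change on the same day
	else
		echo "serial space for $day is exhausted" >&2; return 1
	fi
}

# checked_reload ZONE ZONEFILE CONF: reload ZONE only if both checks pass.
checked_reload() {
	"${NSD_CHECKCONF:-nsd-checkconf}" "$3" || return 1
	"${NSD_CHECKZONE:-nsd-checkzone}" "$1" "$2" || return 1
	"${NSD_CONTROL:-nsd-control}" reload "$1"
}

# Example, run as root on the name server:
#   f=/var/nsd/zones/master/example.com
#   next_serial "$(soa_serial "$f")" "$(date +%Y%m%d)"   # edit this into $f
#   checked_reload example.com "$f" /var/nsd/etc/nsd.conf
```

If either check fails, its error message is printed and the server keeps serving the zone it already has loaded.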