This section provides information about configuring DNS by using the Java-based Management Console.
IMPORTANT: Make a forced exit from the Java Management Console if you observe either of the following two scenarios:
Unable to reach eDirectory after establishing a connection.
If there is any network interruption.
Install the Java Management Console on client computers to administer DNS and DHCP services. To install Java Management Console, see Section 7.2.1, Installing Java Management Console.
DNS server management involves the following tasks:
Click the tab of the Management Console.
Click on the toolbar.
Select in the Create New DNS Object dialog box, then click . The Create New DNS Server dialog box is displayed, prompting you to select an NCP Server object.
Specify the desired server's name or use the browse button to select the server.
Specify the server's domain name.
Click the check box to view the newly created server property pages.
Click . The DNS Server object is created and displayed in the lower pane of the Management Console.
NOTE: To configure DNS for an existing NetWare 6.5 server, create the DNS Server object by using the iManager plug-in for DNS. After the server is created, the NetWare 6.5 NCP server must have its DNIP:LocaterPtr attribute pointing to the DNS Locator object.
To modify an existing DNS Name Server object, click the object's icon in the lower pane of the DNS Service window to display detailed information in the right pane. A DNS Name Server object's detailed information window displays four tab pages:
Zones: On this page, the zone list contains all zones and the role each zone serves for the selected DNS Name Server object.
To change the zone information, you must modify the specific Zone object. This information cannot be modified from the server page.
The field is read-only and is received from the DNS server.
Forwarding List: This page displays a list of all forwarding IP addresses.
To add an address to the list, click . Specify the IP address in the Add Forward IP Address field, then click .
To delete an address from the list, select an IP address and click .
No-Forward List: This page displays a list of all domain names to which queries are not sent.
To add a domain name to the No-Forward List, click . Specify the domain name in the field, then click .
To delete a domain name from the list, select the domain name in the list and click .
Options: This page allows you to configure the maximum cache size and maximum recursion for a new DNS server.
Key List
Available DNS Keys: Displays a list of DNS keys that are available in the eDirectory tree. These keys can be associated with the DNS server.
Selected DNS Keys: Displays a list of DNS keys that are associated with the DNS server.
To add a DNS key, select the key, then click .
To remove a DNS key, select the key, then click .
To add all the keys, click Add .
To remove all the keys, click .
NOTE: To add or remove multiple keys, use the Ctrl key to select the keys, then click or .
Control Lists
This page displays various lists that can be configured to control the behavior of the DNS server. You can configure the zone out filter, allow recursion, and query filter as address match lists. You can also configure the also notify and black listed servers as lists of IP addresses.
To add an element to an address match list, click . Specify the element to be added and click .
To delete elements from the list, select the element to be deleted and click .
To add an address to an IP address list, click . Specify the IP address and click .
To delete an address from the list, select the address to be deleted and click .
Advanced: This page displays all advanced configuration options. It displays the configured value and the default value for each option. The default value that is displayed is the value that the server assumes if the option is not configured.
To modify an option, click , specify the new value, then click .
To clear the configured values, select the option, then click .
The allow-notify and listen-on options are multi-valued. For listen-on, you can also specify an optional port value.
To add an element to the list, specify the address, then click . This populates the list with the new entry.
To delete elements from the list, select the elements to be deleted, then click .
Click to modify the configured elements.
Click to populate the column with the elements.
To delete a DNS server object:
Select the DNS server from the lower pane of the Management Console.
Click on the toolbar and confirm the deletion.
The DNS server (novell-named) must be loaded before you can start or stop the server activity.
The Start/Stop Service option can be used to load zone data along with the modified configuration without unloading and reloading the DNS server. When you stop the DNS server by using this option, it remains loaded in memory but provides no services. You can use the iManager management utility or the Java Management Console to update the zone data. When you restart the DNS server by using this option, the server is reconfigured with the new configuration settings and the zone data is reloaded.
This option can also be used to remotely start and stop the DNS server.
Select the DNS server from the lower pane of the Management Console.
Click Start/Stop Service on the toolbar.
Depending on the state of the DNS Server module, one of the following operations occurs:
Start action: If the DNS Server module is loaded but is in Stop mode, it is started.
Stop action: If the DNS Server module is loaded and is in Start mode, it is stopped.
This task enables you to move the DNS Services from one NCP server to another NCP server. You can also convert a DNS server to a cluster-enabled DNS server by moving it to a virtual NCP server.
Select the DNS server name from the bottom panel of the Management Console.
Click the icon on the toolbar.
In the Move DNS Server dialog box, select the NCP server to which the DNS services will be moved, then click .
The following sections give details on zone management.
The DNS Zone object is an eDirectory container object that is made up of Resource Record Set (RRSet) objects and resource records.
To create a zone object:
Click the tab of the Management Console.
Click on the toolbar, select , then click .
Click to create a forward zone.
Use the browse button to select the eDirectory context for the zone.
Specify a name for the Zone object in the field.
Select the zone type. Novell DNS servers act as primary or secondary servers depending on the zone type that you select.
If you select the secondary zone type, specify the IP address of the master DNS server that will provide zone out transfers for this secondary zone.
Select a DNS server to act as an authoritative DNS server for this zone.
Click . A message is displayed indicating that the new zone has been created. If you have created a primary zone, you are reminded to create the Address record for the host server domain name and the corresponding Pointer record in the IN-ADDR.ARPA zone (if you have not already done so).
After you create a DNS server object, you can use the Management Console to create and set up an IN-ADDR.ARPA Zone object.
Click the tab of the Management Console.
Click on the toolbar, select , then click . The Create Zone dialog box is displayed. The default setting is to create a new primary zone.
Select .
Use the browse button to select the eDirectory context for the zone.
Specify the network address in the field. For example, specify only 143.72.155 to create 155.72.143.IN-ADDR.ARPA.
After you specify the IP address, it is reversed and prepended to .IN-ADDR.ARPA, and the result is reflected in the field.
Under Zone Type, select or .
If you select , you must specify the IP address of the DNS Name Server that will provide zone out transfers to this zone.
In the field, select a DNS server. After you have selected an authoritative DNS server, the field is filled with the name of the authoritative DNS server.
Click .
To modify an existing Zone object, click the Zone object to be modified in the left pane of the DNS Service window. A Zone object's detailed information window displays the following tab pages:
Attributes
This page allows you to configure the zone type and zone servers.
To change a primary zone to a secondary zone, click the box and specify the IP address of the primary DNS server in the field.
To assign a server to the zone, select the server to which the zone should be assigned from the Available DNS Servers and click . The server is then displayed in the field.
To delete a DNS server assignment to a zone, select the server to be removed from the field, then click .
To configure one of the DNS servers as the designated server for the zone, select the server from the field in the case of a primary zone. This server is responsible for DHCP updates for the zone. For a secondary zone, select the server from the field. This server is responsible for receiving the zone-in transfers.
You can specify new comments or modify existing comments for the zone.
Zone Out Filter
This page allows you to configure the zone out filters for the zone.
To add an entry to the list, click . Specify the and the for the network, then click .
To delete elements from the list, select the elements to be deleted, then click .
SOA Information
This page allows you to configure the zone master, e-mail address, serial number, refresh, retry, expire, and minimum TTL values.
Key List: This page allows you to associate the DNS TSIG keys with the Zone.
NOTE: In earlier versions, key association was required before updating a policy. Now it is not required for SAM, because the keys are negotiated at run time. Because of this, no checking is done to validate the identity field for SAM-based updates.
Available DNS Keys: Displays a list of DNS TSIG keys that are available in the eDirectory tree. These keys can be associated with the Zone.
Selected DNS Keys: Displays a list of DNS TSIG keys that are associated with the Zone.
To add a DNS TSIG key, select the key, then click .
To remove a DNS TSIG key, select the key, then click .
To add all the keys, click .
To remove all the keys, click .
NOTE: To add or remove multiple keys, use the Ctrl key to select the keys, then click or .
Control Lists: This page displays various lists that can be configured for the zone. You can configure the query filter, also notify, and allow update options.
The query filter and allow update options are configured as address match lists.
To add an element, click . Specify the element to be added, then click .
To delete elements from the list, select the element to be deleted, then click .
The also notify option is configured as a list of IP addresses.
To add an address to the list, click . Specify the IP address, then click .
To delete an address from the list, select the address to be deleted, then click .
The update policy option specifies the policy that governs updates and is the measure that implements security for a zone object. It is enforced by the default DNS server administering the zone. TSIG keys are added at the server level and at the zone level for secured updates to DNS zones and servers; the user adds the keys to the Key List of the DNS zone and DNS server objects so that they can be associated with the ACLs. The update policy is a five-token string in which each token has a definite function. It is configured by specifying the following syntax:
Permission Identity MatchType TName RR
To add an update policy, click . Specify the following values:
Permission: Refers to a grant or deny option.
Identity: Refers to the name of the key used to sign the update. The Identity field may contain wildcard characters; "*" is the only allowed wildcard character. A valid entry for the Identity field is a valid key CN, "*", or "*" followed by "." and a character string, matching at least one of the keys associated with the DNS zone. Any invalid entry results in an error.
MatchType: The MatchType can be one of the following:
name: Matches when the domain name being updated is the same as the name in the name field.
subdomain: Matches when the domain name being updated is a subdomain of the name in the name field. (The domain name must still be in the zone.)
wildcard: Matches when the domain name being updated matches the wildcard expression in the name field.
self: Matches when the domain name being updated is the same as the name in the identity (not name) field; that is, when the domain name being updated is the same as the name of the key used to sign the update. If the nametype is self, the name field is ignored; however, you must still include the name field when using a nametype of self.
TName: Specify the TName, which is the domain name appropriate to the MatchType specified. For Update Policy entries with the MatchType field set to wildcard, only wildcard entries are allowed for the TName field. Otherwise, wildcard character strings are not allowed.
RR (Optional): Specify the RR (Resource Record), which can be any valid record type.
NOTE: The Allow Update with keys and Update Policy options are supported for Linux DNS only. Creation of keys with the same CN is not allowed in the same Linux tree.
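An added Python model of the five-token update policy described above (not Novell's code): it validates entries against the Identity, MatchType and TName rules given and evaluates a signed update against them. The key names, zone and policy entries are constructed, and the first-match evaluation order is an assumption the page does not state.

```python
"""Added example, not from the Novell documentation: parse five-token update
policy entries ("Permission Identity MatchType TName RR") and decide whether
a TSIG-signed dynamic update is granted. Key names, zone and policies below
are constructed; first-match evaluation order is an assumption."""
import fnmatch
from dataclasses import dataclass
from typing import Optional

MATCH_TYPES = ("name", "subdomain", "wildcard", "self")

def _norm(name: str) -> str:
    """Compare DNS names case-insensitively and without the trailing dot."""
    return name.rstrip(".").lower()

def _within(name: str, parent: str) -> bool:
    return name == parent or name.endswith("." + parent)

@dataclass(frozen=True)
class UpdatePolicy:
    permission: str    # "grant" or "deny"
    identity: str      # key CN, "*", or "*.<string>"; "*" is the only wildcard
    match_type: str    # one of MATCH_TYPES
    tname: str         # name the entry applies to; ignored (but required) for self
    rr: Optional[str]  # optional record type restriction, e.g. "A"

def parse_policy(line: str, zone: str, zone_keys: set) -> UpdatePolicy:
    """Validate one policy line against the rules given for each token."""
    tokens = line.split()
    if len(tokens) not in (4, 5):
        raise ValueError(f"expected 4 or 5 tokens: {line!r}")
    perm, mtype = tokens[0].lower(), tokens[2].lower()
    ident, tname = _norm(tokens[1]), _norm(tokens[3])
    rr = tokens[4].upper() if len(tokens) == 5 else None
    if perm not in ("grant", "deny"):
        raise ValueError(f"Permission must be grant or deny, not {perm!r}")
    if mtype not in MATCH_TYPES:
        raise ValueError(f"unknown MatchType {mtype!r}")
    keys = {_norm(k) for k in zone_keys}
    if ident.startswith("*."):
        # "*.<string>" must match at least one key in the zone's Key List
        if not any(fnmatch.fnmatchcase(k, ident) for k in keys):
            raise ValueError(f"Identity {ident!r} matches none of the zone's keys")
    elif ident != "*" and ident not in keys:
        raise ValueError(f"Identity {ident!r} is not a key associated with the zone")
    if "*" in tname and mtype != "wildcard":
        raise ValueError("a wildcard TName is only allowed with MatchType wildcard")
    if mtype != "self" and not _within(tname, _norm(zone)):
        raise ValueError(f"TName {tname!r} lies outside zone {zone!r}")
    return UpdatePolicy(perm, ident, mtype, tname, rr)

def rule_matches(p: UpdatePolicy, key_name: str, update_name: str, rr_type: str) -> bool:
    key, name = _norm(key_name), _norm(update_name)
    if not fnmatch.fnmatchcase(key, p.identity):      # Identity token
        return False
    if p.rr is not None and p.rr != rr_type.upper():  # optional RR token
        return False
    if p.match_type == "name":
        return name == p.tname
    if p.match_type == "subdomain":
        return _within(name, p.tname)
    if p.match_type == "wildcard":
        return fnmatch.fnmatchcase(name, p.tname)
    return name == key  # self: the signing key's name must equal the updated name

def is_update_allowed(policies, key_name: str, update_name: str, rr_type: str) -> bool:
    for p in policies:
        if rule_matches(p, key_name, update_name, rr_type):
            return p.permission == "grant"
    return False  # assumption: no matching entry means the update is refused

# Constructed sample data: the zone's Key List and four policy entries.
ZONE = "example.com"
ZONE_KEYS = {"ddns-key", "host1.example.com", "bob.admin"}
POLICIES = [parse_policy(entry, ZONE, ZONE_KEYS) for entry in (
    "deny * name ns1.example.com",
    "grant ddns-key subdomain hosts.example.com A",
    "grant * self example.com",
    "grant *.admin wildcard *.example.com TXT",
)]
```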
Advanced
This page displays all advanced configuration options for the zone. It displays the configured values for each option. If any option is not configured at the zone level, the default behavior is server-specific. The value configured for the zone overrides the server value. If no value is configured at the server, the default value specified for the server is used.
The following are the advanced options for the zone:
allow-notify: Specifies the list of hosts that are allowed to notify the slaves of zone changes in addition to the zone masters. You can configure this option only for a secondary zone.
Allow-notify specified at the server level is overridden by the settings of this zone.
forward: Specifies the forwarder address. This option can be configured only if the Forwarding list is not empty. A value of first, which is the default, causes the server to query the forwarders first; if that does not answer the query, the server then looks for the answer itself. If only is specified, the server queries only the forwarders.
max-size-journal: Sets a maximum size in bytes for the journal file. This should be configured only for a Linux zone.
NOTE: All changes made to a zone by using dynamic update are written to the zone's journal file. The server periodically flushes the complete contents of the updated zone to its zone file, approximately every 15 minutes. When a server is restarted after a shutdown, it replays the journal file to incorporate into the zone any updates that took place after the last zone file update. The dynamic reconfiguration interval settings have no effect on when a max-journal-size event is triggered.
notify: Specifies if the notification of any zone data changes must be sent to a slave server. You can select from the following options:
Yes: Notification is sent to all the name servers of the zone when the zone data changes.
Explicit: Notification is sent explicitly to the servers specified in the also-notify list when the zone data changes.
No: Notification is not sent.
Notify specified at the server level will be overridden by the settings of this zone.
notify-source: Specifies the local source address. You also have the option to specify the UDP ports that are used to send notify messages. The local source address must appear in the masters list of the slave server or in the allow-notify list. The slave should also be configured to receive notify messages from this address.
Notify-source specified at the server level is overridden by the settings of this zone.
transfer-source: Specifies the local address that is bound to the IPv4 TCP connections used for zones that the server transfers inbound. It also specifies the source IPv4 address and, optionally, the UDP port that are used for refresh queries and for forwarding any dynamic updates.
If you have not set a value, it defaults to a system-controlled value, usually the address of the interface closest to the remote end.
Transfer-source specified at the server level is overridden by the settings of this zone.
zone-statistics: Specifies the statistical information that is dumped to the statistics-file for all zones in the server. Values can be either Yes or No. If you set the value to Yes, the server collects statistical data on all zones in the server. Zone-statistics specified at the server level is overridden by the settings of this zone.
To modify an option, click , specify the value, then click .
To add an element, specify the address, then click . This adds the new entry to the list.
To delete elements from the list, select the elements to be deleted, then click .
Click to populate the column with the elements.
To clear the configured values for an option, select the option, then click .
A DNS server can be configured to serve only queries for a zone by specifying the role of the zone as secondary or passive secondary.
To associate the existing DNS zone to a specific DNS server and specify the role of the zone by using the Java Management Console:
In the Java Management Console, select the zone that you want to configure for a specific DNS server.
In the Attributes page of this zone, select the for this zone as the specific DNS server that will serve this zone.
Click .
Select the Zone object you want to delete.
Click on the toolbar. A warning message is displayed to confirm the zone deletion. You can also delete subzones by selecting the option in the message window.
NOTE:Creation, modification or deletion of a forward zone is not supported.
Use the Import dialog box to convert BIND-formatted DNS files and transfer them into the eDirectory database.
NOTE:Reimporting the same configuration file does not work for DNS Java Console for a DSfW server.
To import a Zone object:
Click the tab of the Management Console.
Click on the toolbar.
Specify the DNS BIND formatted filename in the field provided. You can browse to select filenames from the File Selection dialog box.
Click to select the context where the zone object should be created.
Click to select the server name that manages the zone. You can select an existing DNS server or an NCP server where the DNS server object will be created. The selected DNS server must have DNS/DHCP services installed on it. If you select the zone type as , this DNS server acts as a designated primary; if you select the zone type as , it acts as a designated secondary. If you do not want to assign a DNS server for this zone at this point, leave this field blank.
Click to specify the zone type. If you select the zone type as , Novell DNS servers act as primary servers for this zone; if you select , they act as secondary DNS servers.
Click to view the configuration that you have selected.
Click to start the import operation. If the import operation encounters any errors while transferring data, the button is enabled. Click it to view the errors.
If some resource records are not transferred because of incorrect data, you can create them by clicking on the toolbar.
Click to complete the import operation.
Use the Export dialog box to copy the eDirectory database to a text file. The text file enables you to save the DNS zone data in BIND master file format. These files can be imported into other applications, including BIND servers, or they can be imported back into the eDirectory database by using the Management Console.
Click the tab of the Management Console.
In the DNS Service window, select the zone you want to export and click on the toolbar.
In the Export - DNS window, specify the name of the destination file or browse to select a filename from the dialog box.
Click to export the database to a file.
NOTE: Importing or exporting a forward zone is not supported.
A resource record is a piece of information about a domain name; it holds a particular piece of data within the domain.
Every domain name in the zone has a corresponding RRset object under that zone container object. An RRset is not created directly. Initially, when a resource record is created and is assigned a unique domain name within a zone, the corresponding RRset is created first; then, the RR is associated with the RRset.
If you select an existing RRset and click on the toolbar to create a new RR, the Management Console sets the new RR domain name to read-only and assigns the newly created resource record to the selected RRset. Resource records cannot be created in a secondary zone. All changes to the resource record data should be made at the master server; the secondary servers receive the changes through zone transfers.
To create resource records:
In the DNS Service window, select the zone in which the resource record will be created. If you want to add another resource record to an already existing RRset, select that RRset.
Click on the toolbar.
In the Create New DNS Object window, select the resource record, then click .
Provide information in the fields:
If you have selected an RRset, the owner name field is filled with the RRset name. This field does not need to be edited.
If you have selected a zone and want to create a new RRset, specify the domain name of that resource record in the owner name field.
The zone name part of the domain name is already filled in; only the remaining portion needs to be specified.
If you are creating a resource record for the zone domain name itself, the owner name field does not need to be filled in because the zone domain name is already present.
In the Create Resource Record window, select the RR type to be created.
Specify the required data for the selected resource record, then click .
NOTE: Start of Authority (SOA) is defined as part of a Zone object attribute. A Pointer (PTR) record is created automatically when any new A resource record is created, if a primary IN-ADDR.ARPA zone exists to which the IP address belongs. Similarly, an A type resource record is created when any new PTR record is created, if a primary zone exists to which the domain name pointed to by the PTR record belongs.
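The reversal used in the IN-ADDR.ARPA zone steps above (143.72.155 becomes 155.72.143.IN-ADDR.ARPA) and the automatic PTR/A pairing in the note, as an added Python example that is not part of the Novell documentation; the zone lists and addresses are constructed.

```python
"""Added example, not part of the Novell documentation: derive the
IN-ADDR.ARPA zone name from a network prefix and work out the companion
PTR or A record that is created automatically when a primary zone covers
the new record. Zone lists and addresses below are constructed data."""
import ipaddress
from typing import Optional

REVERSE_SUFFIX = ".IN-ADDR.ARPA"

def reverse_zone_name(network: str) -> str:
    """Build the reverse zone name from 1 to 3 network octets (no host part)."""
    octets = network.strip(".").split(".")
    if not 1 <= len(octets) <= 3:
        raise ValueError("specify only the network part, 1 to 3 octets")
    for octet in octets:
        if not octet.isdigit() or int(octet) > 255:
            raise ValueError(f"invalid octet {octet!r}")
    return ".".join(reversed(octets)) + REVERSE_SUFFIX

def ptr_owner(ip: str) -> str:
    """Owner name of the PTR record for a full IPv4 address."""
    addr = ipaddress.IPv4Address(ip)  # rejects malformed addresses
    return addr.reverse_pointer.upper()

def primary_zone_for(name: str, primary_zones) -> Optional[str]:
    """Most specific primary zone that contains name, or None."""
    n = name.rstrip(".").lower()
    best, best_len = None, -1
    for zone in primary_zones:
        z = zone.rstrip(".").lower()
        if (n == z or n.endswith("." + z)) and len(z) > best_len:
            best, best_len = zone, len(z)
    return best

def companion_ptr(a_owner: str, ip: str, primary_zones):
    """PTR record auto-created for a new A record, as (zone, owner, type, rdata),
    or None when no primary IN-ADDR.ARPA zone covers the address."""
    owner = ptr_owner(ip)
    zone = primary_zone_for(owner, primary_zones)
    if zone is None:
        return None
    return (zone, owner, "PTR", a_owner.rstrip(".") + ".")

def companion_a(ptr_owner_name: str, target: str, primary_zones):
    """A record auto-created for a new PTR record, or None when no primary
    forward zone covers the domain name the PTR points to."""
    zone = primary_zone_for(target, primary_zones)
    if zone is None:
        return None
    labels = ptr_owner_name.rstrip(".").lower()
    if not labels.endswith(".in-addr.arpa"):
        raise ValueError("PTR owner must be under IN-ADDR.ARPA")
    octets = labels[: -len(".in-addr.arpa")].split(".")
    if len(octets) != 4:
        raise ValueError("PTR owner must carry all four octets")
    ip = str(ipaddress.IPv4Address(".".join(reversed(octets))))
    return (zone, target.rstrip("."), "A", ip)
```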
Several resource record types correspond with a variety of data stored in the domain namespace. For a list and description of resource record types, see Section A.2, Types of Resource Records.
When you select an existing resource record in the left pane of the DNS Service window, the detailed information for the object is displayed in the right pane. You can modify the resource record data and save changes by clicking on the toolbar.
You can modify the resource record data and the associated comments for all resource records except the AAAA, A6, SRV, LOC, and HINFO records.
You can delete one, more than one, or all resource records and RRsets, using the multi-select deletion feature in the Management Console. RRsets and resource records in a secondary zone cannot be deleted. They should be deleted from a primary server.
Click the tab of the Management Console.
From , select the domain that contains the host or RRSet.
Select the item to be deleted. You can delete either the entire RRSet or one or more resource records in the RRSet.
To delete one or more objects:
Press the Shift key and select the objects.
Click .
NOTE: When A or PTR type resource records are deleted, the corresponding PTR or A resource records are also deleted.
A DNS server supports secure updates and secure queries by using the TSIG key mechanism. The DNS Key Management role consists of tasks that allow you to create, modify, and delete DNS Key objects. A DNS key provides a means of authentication for dynamic DNS updates and for queries to a secured DNS server. A DNS key uses a shared secret as a cryptographically secure means of authenticating a DNS update or query.
NOTE: The DNS key option is supported for Linux DNS only. DNS keys can now be created with '.' and '_' in their names.
Notes on the dnssec-keygen options:
-a: RSA, RSAMD5, DH, DSA, and RSASHA1 are not supported by novell-named.
-n: ZONE nametype.
-f: sets the flag in the DNSKEY record.
-p: protocol support is not affirmed, because it is used in conjunction with DNSKEY for DNSSEC.
Example:
dnssec-keygen -v
Usage:
dnssec-keygen -a HMAC-MD5 -b 218 -n HOST mykey
Version: 9.3.4
Required options:
-a algorithm: RSA | RSAMD5 | DH | DSA | RSASHA1 | HMAC-MD5
-b key size, in bits:
RSAMD5: [512..4096]
RSASHA1: [512..4096]
DH: [128..4096]
DSA: [512..1024] and divisible by 64
HMAC-MD5: [1..512]
-n nametype: ZONE | HOST | ENTITY | USER | OTHER
name: owner of the key
The following sections give details on DNS key management:
Click Create on the toolbar.
In the window, select the DNS Key, then click .
In the window, specify a name to identify the DNS key in the field.
Specify the algorithm used to hash the DNS data. HMAC-MD5 is the only supported algorithm for the DNS key.
Specify the secret key generated by dnssec-keygen. This is used by the DNS server to encrypt and decrypt the hashed data. For example, 456errt4545= is a secret key generated by dnssec-keygen.
The secret key provided must be Base64 encoded, or the DNS server fails to start.
Specify or browse to select the .
Click . The DNS key is now created.
Example: DNS Key Name - Key1, Algorithm - HMAC-MD5, Key Secret - 456errt4545=
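Added Python example (neither Novell's nor BIND's code) for the DNS key creation steps above: it generates an HMAC-MD5 secret within the 1..512-bit range listed for dnssec-keygen, checks that a secret is strict Base64 before it is entered (a value that is not Base64 stops the DNS server from starting), and shows the shared-secret HMAC that both sides of a TSIG exchange must agree on. Key sizes and messages are constructed, and the message signed is a simplified stand-in, not the full TSIG digest layout.

```python
"""Added example, not Novell's code: generate, validate and use an HMAC-MD5
TSIG secret as entered in the DNS key object's secret field. Sizes, messages
and the fixed test key are constructed values."""
import base64
import binascii
import hashlib
import hmac
import secrets

HMAC_MD5_MIN_BITS, HMAC_MD5_MAX_BITS = 1, 512  # range listed for dnssec-keygen -b

def generate_hmac_md5_secret(bits: int = 128) -> str:
    """Random secret of the requested size, Base64 encoded like a dnssec-keygen key."""
    if not HMAC_MD5_MIN_BITS <= bits <= HMAC_MD5_MAX_BITS:
        raise ValueError(f"HMAC-MD5 key size must be in [{HMAC_MD5_MIN_BITS}..{HMAC_MD5_MAX_BITS}] bits")
    return base64.b64encode(secrets.token_bytes((bits + 7) // 8)).decode("ascii")

def validate_secret(secret: str) -> tuple:
    """Return (ok, detail). Only strict Base64 passes; stray characters,
    whitespace inside the pasted value or an oversized key are reported."""
    value = secret.strip()
    if not value:
        return False, "empty secret"
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError) as exc:
        return False, f"not valid Base64: {exc}"
    if len(raw) * 8 > HMAC_MD5_MAX_BITS:
        return False, f"{len(raw) * 8}-bit key exceeds {HMAC_MD5_MAX_BITS} bits"
    return True, f"{len(raw) * 8}-bit key"

def hmac_md5_mac(secret: str, message: bytes) -> str:
    """HMAC-MD5 over the message with the decoded shared secret (hex digest).
    The message is a simplified stand-in for the data TSIG actually signs."""
    ok, detail = validate_secret(secret)
    if not ok:
        raise ValueError(detail)
    raw = base64.b64decode(secret.strip(), validate=True)
    return hmac.new(raw, message, hashlib.md5).hexdigest()

def mac_is_valid(secret: str, message: bytes, presented_mac: str) -> bool:
    """Constant-time comparison, as the receiving server must do."""
    return hmac.compare_digest(hmac_md5_mac(secret, message), presented_mac.lower())
```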
When you select an existing DNS key in the left pane of the DNS Service window, the detailed information for the object is displayed in the right pane. You can modify the DNS key data and save changes by clicking on the toolbar.
You can modify DNS key data such as the secret key, and the associated comments.
You can delete one, more than one, or all DNS keys by using the multi-select deletion feature in the Management Console.
NOTE: Deleting DNS key objects deletes the references to those key objects (if any) in Zone and DNS server objects.
To delete one key:
Click the tab of the Management Console.
Select the DNS key to be deleted.
Click on the toolbar.
Click to confirm the deletion in the window.
To delete more than one DNS key:
Click the tab of the Management Console.
Select the DNS keys to be deleted.
Press the Shift key and select the keys.
Click on the toolbar.
Click to confirm the deletion in the window.
NOTE: For further details, refer to the dnssec-keygen man page.