13.1 Using the Java Management Console to Manage DNS

This section provides information about configuring DNS by using the Java-based Management Console.

IMPORTANT:Make a forced exit from Java Management console if you observe any of the following two scenarios:

  • Unable to reach eDirectory after establishing a connection.

  • If there is any network interruption.

13.1.1 Installing the Java Management Console

Install the Java Management Console on client computers to administer DNS and DHCP services. To install Java Management Console, see Section 7.1.1, Installing Java Management Console.

13.1.2 DNS Server Management

DNS server management involves the following tasks:

Creating a DNS Server Object

  1. Click the DNS Service tab of the Management Console.

  2. Click Create create on the toolbar.

  3. Select DNS Server in the Create New DNS Object dialog box, then click OK.

    The Create New DNS Server dialog box is displayed, prompting you to select an NCP Server object.

  4. Specify the desired server's name or use the browse button to select the server.

  5. Specify the server's domain name.

  6. Click the Define Additional Properties check box to view the newly created server property pages.

  7. Click Create.

    The DNS Server object is created and displayed in the lower pane of the Management Console.

Viewing or Modifying a DNS Name Server Object

To modify an existing DNS Name Server object, click the object's icon in the lower pane of the DNS Service window to display detailed information in the right pane. A DNS Name Server object's detailed information window displays seven tab pages:

  • Zones: On this page, the zone list contains a list of all zones and the role each zone serves for the selected DNS Name Server object.

    To change the zone information, you must modify the specific Zone object. This information cannot be modified from the server page.

    The DNS Server IP Address field is read-only and is received from the DNS server.

  • Forwarding List: This page displays a list of all forwarding IP addresses.

    • To add an address to the list, click Add. Specify the IP address in the Add Forward IP Address field, then click OK.

    • To delete an address from the list, select an IP address and click Delete.

  • No-Forward List This page displays a list of all domain names to which queries are not sent.

    • To add a domain name to the No-Forward List, click Add. Specify the domain name in the No-Forward Name field, then click OK.

    • To delete a domain name from the list, select the domain name from the list and click Delete.

  • Options This page allows you to configure maximum cache size and maximum recursion for a new DNS server.

  • Key List

    Available DNS Keys: Displays a list of DNS keys that are available in the eDirectory tree. These keys can be associated with the DNS server.

    Selected DNS Keys: Displays a list of DNS keys that are associated with the DNS server.

    • To add the DNS Key, select the key, then click Add.

    • To remove the DNS key, select the key, then click Remove.

    • To add all the keys, click Add All.

    • To remove all the keys, click Remove All.

    NOTE:To add or remove multiple keys, use the Ctrl key to select the keys. Then click Add or Remove.

  • Control Lists This page displays various lists that can be configured to control the behavior of the DNS server. You can configure the zone out filter, allow recursion, query filter as address match lists. You can also configure the also notify and black listed servers as a list of IP addresses.

    • To add an element to the address match list, click Add. Specify the element to be added and click OK.

      To delete elements from the list, select the element to be deleted and click Delete.

    • To add an address into the list, click Add. Specify the IP address and click OK.

      To delete an address from the list, select the address to be deleted and click Delete.

  • Advanced This page displays all advanced configuration options. It displays the configured values and the default values for each option. The default value that is displayed is the value that the server assumes if it is not configured.

    • To modify the options, click Modify and specify the new value, then click OK.

    • To clear the configured values, select the option, then click Clear.

    The allow-notify and listen-on options are multi-valued. You can also specify a port value, which is optional for listen-on.

    • To add an element to the list, specify the address, then click Add. This populates the list with the new entry.

    • To delete elements from the list, select the elements to be deleted, then click Delete.

    • Click Modify to modify the configured elements.

    • Click OK to populate the Configured Value column with the elements.

Deleting a DNS Server

  1. Select the DNS server from the lower pane of the Management Console.

  2. Click Delete delete on the toolbar and confirm the deletion.

Starting or Stopping a DNS Server

The DNS server (novell-named) must be loaded before you can start or stop the server activity.

The Start/Stop service can be used to load zone data along with the modified configuration without unloading and reloading the DNS server. When you stop the DNS server by using this option, it is still loaded in the memory. However, no services are provided. You can use the Java Management Console to update the zone data. When you restart the DNS server by using this option, the server is reconfigured with the new configuration settings and the zone data is also reloaded.

This option can also be used to remotely start and stop the DNS server.

  1. Select the DNS server from the lower pane of the Management Console.

  2. Click Start/Stop Service start on the toolbar.

  3. Depending on the state of the DNS Server module, one of the following operations occurs:

    • Start action: If the DNS Server module is loaded but is in Stop mode, it is started.

    • Stop action: If the DNS Server module is loaded and is in Start mode, it is stopped.

Moving a DNS Server

This task enables you to move the DNS Services from one NCP server to another NCP server. You can also convert a DNS server to a cluster-enabled DNS server by moving it to a virtual NCP server.

  1. Select the DNS server name from the bottom panel of the Management Console.

  2. Click the Move DNS Server move dns icon on the toolbar.

  3. In the Move DNS Server dialog box, select the NCP server that the DNS services will be moved to, then click Move.

    NOTE:A message is displayed indicating the successful completion of Move operation.

13.1.3 Zone Management

The following sections give details on zone management information.

Creating a Zone Object

The DNS Zone object is an eDirectory container object that is made up of Resource Record Set (RRSet) objects and resource records.

To create a zone object:

  1. Click the DNS Service tab of the Management Console.

  2. Click Create create on the toolbar, select Zone, then click OK.

  3. Click Create New Zone to create a forward zone.

  4. Use the browse button to select the eDirectory context for the zone.

  5. Specify a name for the Zone object in the Zone Domain Name field.

  6. Select the zone type.

    Novell DNS servers act as primary or secondary depending on the zone type that you select.

  7. If you select the zone type as secondary, specify the IP address of the master DNS server that will provide zone out transfers for this secondary zone.

    Select a DNS server to act as an authoritative DNS server for this zone.

  8. Click Create.

    A message is displayed indicating that the new zone has been created. If you have created a primary zone, you are reminded to create the Address record for the host server domain name and corresponding Pointer record in the IN-ADDR.ARPA zone (if you have not already done so).

Creating an IN-ADDR.ARPA Object

After you create a DNS server object, you can use the Management Console to create and set up an IN-ADDR.ARPA Zone object.

  1. Click the DNS Service tab of the Management Console.

  2. Click Create create on the toolbar, select Zone, then click OK.

    The Create Zone dialog box is displayed. The default setting is to create a new primary zone.

  3. Select Create IN-ADDR.ARPA.

  4. Use the browse button to select the eDirectory context for the zone.

  5. Specify the network address in the Network Address field.

    For example, specify 143.72.155 only for 155.72.143.IN-ADDR.ARPA.

    After you specify the IP address, it is reversed and prepended to .INADDR. ARPA and reflected in the Zone Domain Name field.

  6. Under the Zone Type, select Primary or Secondary.

    If you select Secondary, you must specify the IP address of the DNS Name server that will provide zone out transfers to this zone.

  7. In the Assign Authoritative DNS Server field, select a DNS server.

    After you have selected an authoritative DNS server, the Name Server Host Name field is filled with the name of the authoritative DNS server.

  8. Click Create.

Viewing or Modifying a Zone Object

To modify an existing Zone object, click the Zone object to be modified in the left pane of the DNS Service window. A Zone object's detailed information window displays the following tab pages:

  • Attributes: This page allows you to configure the zone type and zone servers.

    • To change a primary zone to a secondary zone, click the secondary zone box and specify the IP address of the primary DNS server in the Zone Master IP Address field.

    • To assign a server to the zone, select the server to which the zone should be assigned from the Available DNS Servers and click Add. The server is then displayed in the Authoritative DNS Servers field. To delete a DNS server assignment to a zone, select the server to be removed from the Authoritative DNS Servers field, then click Remove.

    • To configure one of the DNS servers as the designated server for the zone, select the server from the Designated Primary field in the case of a primary zone. This server is responsible for DHCP updates for the zone.

      For a secondary zone, select the server from the Designated Secondary field. This server is responsible for receiving the zone-in transfers.

    • You can specify new comments or modify existing comments for the zone.

  • Forwarding List: Use this tab to specify the IP addresses of DNS servers to which queries are forwarded from a zone, when it is unable to resolve queries from an authoritative data or cache. Unresolved queries are sent to these servers before they are sent to root servers.

    You can configure a forwarding list as an Empty Forwarder or IP Addresses:

    • To configure an Empty Forwarder click Add, then select Empty Forwarder option. An empty forwarder specifies that no forwarding is done for the zone. If this field is configured, each DNS server servicing this zone will not forward the queries of this zone.

    • To configure IP address of a forwarder, click Add and select the Forwarder Address option.

    • To delete, select the forwarder and click Delete.

  • Zone Out Filter: This page allows you configure the zone out filters for the zone.

    • To add an entry into the list, click Add.

      Specify the subnet address and the subnet mask for the network, then click OK.

    • To delete the elements in the list, select the elements to be deleted, then click Delete.

  • SOA Information: This page allows you to configure the zone master, e-mail address, serial number, refresh, retry, expire, and minimum TTL values.

  • Key List: This page allows you to associate the DNS TSIG keys with the Zone.

    NOTE:In earlier versions, key association was a must before updating a policy. Now, it is not required for SAM because the keys are negotiated at run time. Because of this, no checking is done to validate the identity field for SAM-based updates.

    Available DNS Keys: Displays a list of DNS TSIG keys that are available in the eDirectory tree. These keys can be associated with the Zone.

    Selected DNS Keys: Displays a list of DNS TSIG keys that are associated with the Zone.

    • To add the DNS TSIG key, select the key, then click Add.

    • To remove the DNS TSIG key, select the key, then click Remove.

    • To add all the keys, click Add All.

    • To remove all the keys, click Remove All.

    NOTE:To add or remove multiple keys, use the Ctrl key to select the keys. Then click Add or Remove.

  • Control Lists: This page displays various lists that can be configured for the zone. You can configure the query filter, also notify, and allow update options.

    The query filter and allow update options can be configured as address match lists.

    • To add an element, click Add. Specify the element to be added, then click OK.

    • To delete elements from the list, select the element to be deleted, then click Delete.

    The also notify option can be configured as a list of IP addresses.

    • To add an address to the list, click Add. Specify the IP address, then click OK.

    • To delete an address from the list, select the address to be deleted, then click Delete.

    The update policy option specifies the policy to update the measure to implement security for a zone object. This is implemented by the default DNS server administering the zone. Addition of TSIG Key at server level and zone level for Secured updates to DNS Zones and servers. The keys are added to the KeyList for DNS Zones and DNS servers by the user for associating with the ACLs.The update policy is a five-token string where each token has a definite function to perform. It can be configured by specifying the following syntax:

    Permission Identity MatchType TName RR
    
    • To add an update policy, click Add. Specify the following values:

      • Permission: Refers to a grant or deny option.

      • Identity: Refers to the name of the key used to sign the update. Identity field may have Wildcard characters. Only "*" is the allowed wildcard character. As a valid entry for Identity field, only valid keyCN is allowed, "*", or "*" followed by "." and a character string, matching atleast one of the associated Keys for the DNS zone. Any invalid value entry will throw an error.

      • MatchType:

        The MatchType can be one of the following:

        • name: Matches when the domain name being updated is the same as the name in the name field.

        • subdomain: Matches when the domain name being updated is a subdomain of the name in the name field (The domain name must still be in the zone.)

        • wildcard: Matches when the domain name being updated matches the wildcard expression in the name field.

        • self: Matches when the domain name being updated is the same as the name in the identity (not name) field; that is when the domain name being updated is the same as the name of the key used to sign the update. If nametype is self, then the name field is ignored; however you must include the name field when using a nametype of self.

      • TName: Specify the TName, which is the domain name appropriate to the MatchType specified. For Update Policy entries with the MatchType field mentioned as wildcard, only wildcard entries are allowed for the Tname field. Otherwise character strings are not allowed.

      • (Optional): Specify the RR (Resource Record) which can contain any valid record type.

        NOTE:Creation of keys with same CN is not allowed in the same Linux tree.

  • Advanced This page displays all advanced configuration options for the zone. It displays the configured values for each option. If any option is not configured at the zone level, the default behavior is server-specific. The value configured for the zone overrides the server value. If no value is configured at the server, the default value specified for the server is used.

    The following are the advanced options for the zone:

    • allow-notify: Specifies the list of hosts that are allowed to notify the slaves of zone changes in addition to the zone masters. You can configure this option only for a secondary zone.

      Allow-notify specified at the server level is overridden by the settings of this zone.

    • check-names: Verifies if any resource record for a zone is in compliance with RFC 952 and RFC 1123 and take the defined action.

    • forward: Specifies the forwarder address. This option can be configured only if the Forwarding list is not empty. A value of first, which is the default, causes the server to query the forwarders first, and if that does not answer the query, the server then looks for the answer in itself. If only is specified, the server queries only the forwarders.

    • max-journal-size: Sets a maximum size in bytes for the journal file. This should be configured only for a Linux zone.

      NOTE:All changes made to a zone by using dynamic update are written to the zone's journal file. The server periodically flushes the complete contents of the updated zone to its zone file approximately every 15 minutes. When a server is restarted after a shutdown, it replays the journal file to incorporate into the zone any updates that took place after the last zone file update.The dynamic reconfig interval settings are immaterial for a max-journal-size event triggering.

    • notify: Specifies if the notification of any zone data changes must be sent to a slave server. You can select from the following options:

      • Yes: Notification is sent to all the name servers of the zone when the zone data changes.

      • Explicit: Notification is sent explicitly to the servers specified in the also-notify list when the zone data changes.

      • No: Notification is not sent.

      Notify specified at the server level will be overridden by the settings of this zone.

    • notify-source: Specifies the local source address. You also have the option to specify the UDP ports that are used to send notify messages. The local source address must appear in the masters list of the slave server or in the allow-notify list. The slave should also be configured to receive notify messages from this address.

      Notify-source specified at the server level is overridden by the settings of this zone.

    • transfer-source: Specifies the local addresses that are bound to the IPv4 TCP connections used by the zones that are transferred inbound by the server. It also specifies the source IPv4 address and optionally, the UDP port. The UDP port is used to refresh queries and forward any dynamic updates.

      If you have not set a value, it defaults to a system-controlled value, usually the address of the interface closest to the remote end.

      Transfer-source specified at the server level is overridden by the settings of this zone

    • zone-statistics: Specifies the statistical information that is dumped to the statistics-file for all zones in the server. Values can be either Yes or No. If you set the value to Yes, the server collects statistical data on all zones in the server. Zone-statistics specified at the server level is overridden by the settings of this zone.

    Modifying Advanced Zone Options

    • To modify the option, click Modify, specify the value, then click OK.

    • To add an element, specify the address, then click Add. This populates the new entry into the list.

    • To delete elements from the list, select the elements to be deleted, then click Delete. Click OK to populate the Configured Value column with the elements.

    • To clear the configured values for the options, select the option, then click Clear.

Associating a Zone to Specific DNS Servers

A DNS server can be configured to serve only the queries by specifying the role of a zone as secondary or passive secondary.

To associate the existing DNS zone to a specific DNS server and specify the role of the zone by using the Java Management Console:

  • In the Java Management Console, select the zone that you want to configure for a specific DNS server.

  • In the Attributes page of this zone, select the Authoritative DNS Server for this zone as the specific DNS server that will serve this zone.

  • Click Save.

Deleting a Zone Object

  1. Select the Zone object you want to delete.

  2. Click Delete delete on the toolbar.

    A warning message is displayed to confirm the zone deletion. You can also delete subzones by selecting the option from the message window.

NOTE:Creation, modification or deletion of a forward zone is not supported.

Importing a Zone Object

Use the Import dialog box to convert BIND-formatted DNS files and transfer them into the eDirectory database.

NOTE:Reimporting the same configuration file does not work for DNS Java Console for a DSfW server.

To import a Zone object:

  1. Click the DNS Service tab of the Management Console.

  2. Click Import DNS Database import on the toolbar.

  3. Specify the DNS BIND formatted filename in the field provided. You can browse to select filenames from the File Selection dialog box.

  4. Click Next to select the context where the zone object should be created.

  5. Click Next to select the server name that manages the zone.

    You can select an existing DNS server or an NCP server where the DNS server object will be created. The selected DNS server must have DNS/DHCP services installed on it. If you select this zone type as primary, this DNS server acts as a designated primary; or if you select zone type as secondary, it acts as a designated secondary.

    If you do not want to assign a DNS server for this zone at this point, leave this field blank.

  6. Click Next to specify this zone type.

    If you select the zone type as primary, Novell DNS servers act as primary servers for this zone; if you select secondary, they act as secondary DNS servers.

  7. Click Next to view the configuration that you have selected.

  8. Click Import to start the import operation.

    If the import operation encounters any errors while transferring data, the Details button is enabled. Click Details to view the errors.

    If some resource records are not transferred because of incorrect data, you can create them by clicking Create create on the toolbar.

  9. Click Finish to complete the import operation.

Exporting a Zone Object

Use the Export dialog box to copy the eDirectory database to a text file. The text file enables you to save the DNS zone data to BIND master file format files. These files can be imported to other applications, including BIND servers, or they can be imported back into the eDirectory database by using the Management Console.

  1. Click the DNS Service tab of the Management Console.

  2. In the DNS Service window, select the zone you want to export and click Export Database export on the toolbar.

  3. In the Export - DNS window, specify the name of the destination file or browse to select a filename from the dialog box.

  4. Click Export to export the database into a file.

NOTE:Importing or exporting of forward zone is not supported.

13.1.4 Resource Record Management

Creating Resource Records

A resource record is a piece of information about a domain name that contains information about a particular piece of data within the domain.

Every domain name in the zone has a corresponding RRset object under that zone container object. An RRset is not created directly. Initially, when a resource record is created and is assigned a unique domain name within a zone, the corresponding RRset is created first; then, the RR is associated with the RRset.

If you select an existing RRset and click Create on the toolbar to create a new RR, the Management Console sets the new RR domain name to read-only and assigns the newly created resource record to the selected RRset. Resource records cannot be created in a secondary zone. All changes to the resource record data should be done at the master server; the secondary servers receive the changes through zone transfers.

To create resource records:

  1. In the DNS Service window, select the zone in which the resource record will be created. If you want to add another resource record to an already existing RRset, select that RRset.

  2. Click Create create on the toolbar.

  3. In the Create New DNS Object window, select the resource record, then click OK.

  4. Provide information in the fields:

    If you have selected an RRset, the owner name field is filled with the RRset name. This field does not need to be edited.

    If you have selected a zone and want to create a new RRset, specify the domain name of that resource record in the owner name field.

    The zone name part of the domain name already filled. Only the remaining portion needs to be filled.

    If you are creating a resource record to zone domain name, the owner name field does not need to be filled because the zone domain name is already present.

  5. In the Create Resource Record window, select the RR type to be created.

  6. Specify the required data for the selected resource record, then click Create.

NOTE:Start of Authority (SOA) is defined as part of a Zone object attribute. A Pointer (PTR) record is created automatically when any new A resource record is created and if a primary INADDR.ARPA zone exists to which the IP address belongs. Similarly, an A type resource is created when any new PTR record is created and if a primary zone exists to which the domain name pointed by PTR record belongs.

Several resource record types correspond with a variety of data stored in the domain namespace. For a list and description of resource record types, see Section A.2, Types of Resource Records.

Viewing or Modifying Resource Records

When you select an existing resource record in the left pane of the DNS Service window, the detailed information for the object is displayed in the right pane. You can modify the resource record data and save changes by clicking Save on the toolbar.

You can modify resource record data and the associated comments for all resource records except the AAA, A6, SRV, LOC, and HINFO records.

Deleting Resource Records

You can delete one, more than one, or all resource records and RRsets, using the multi-select deletion feature in the Java Management Console. RRsets and resource records in a secondary zone cannot be deleted. They should be deleted from a primary server.

  1. Click the DNS Service tab of the Management Console.

  2. From All Zones, select the domain that contains the host or RRSet.

  3. Select the item to be deleted.

    You can delete either the entire RRSet or one or more resource records in the RRSet.

    To delete one or more objects:

    • Press the Shift key and select the objects.

    • Click Delete.

    NOTE:When the A and PTR type resource records are deleted, the corresponding PTR and A resource records also deleted.

13.1.5 DNS Key Management

A DNS server supports secure updates and secure queries by using the TSIG-key mechanism. TSIG key can be used with allow-update or update policy to secure updates between a DNS server and its client. For a successful secure DNS update you must ensure the following:

  • TSIG key is created and assigned properly to the zone.

  • Client sends the update information with TSIG key and it's secret.

The DNS Key Management role consists of tasks that allow you to create, modify, and delete DNS Key objects. A DNS key provides a means of authentication for dynamic DNS updates and for queries to a secured DNS server. A DNS key uses shared secret keys as a cryptographically secure means of authenticating a DNS update/query.

NOTE:DNS keys can now be created with ‘.’ and ‘_’ in their names.

Unsupported dnssec-keygen features

  • -a: RSA, RSAMD5, DH, DSA, RSASHA1 are not supported by novell-named.

  • -n: ZONE nametype.

  • -f: setting the flag in DNSKEY record.

  • -p: protocol support is not affirmed as it is used in conjunction with DNSKEY for DNSSEC.

Example: 
dnssec-keygen -v 
Usage: 
dnssec-keygen -a HMAC-MD5 -b 218 -n HOST mykey 
Version: 9.3.4 
Required options: 
-a algorithm: RSA | RSAMD5 | DH | DSA | RSASHA1 | HMAC-MD5 
-b key size, in bits: 
RSAMD5: [512..4096] 
RSASHA1: [512..4096] 
DH: [128..4096] 
DSA: [512..1024] and divisible by 64 
HMAC-MD5: [1..512] 
-n nametype: ZONE | HOST | ENTITY | USER | OTHER 
name: owner of the key

The following sections give details on DNS key management:

Creating a DNS Key

  1. Click Create create on the toolbar.

  2. In the Create New DNS Record window, select the DNS Key, then click OK.

  3. In the Create DNS Key window, specify a name to identify the DNS key in the DNS key Name field.

  4. Specify the Algorithm used to hash the DNS data. The HMAC-MD5 algorithm is the only supported algorithm for the DNS key.

  5. Specify the Secret Key generated by the dnssec-keygen. This is used by the DNS server to encrypt/decrypt the hashed data. Secret-456errt4545= is the secret key generated by dnssec-keygen.

    The secret key provided must be Base64 encoded, or the DNS server fails to start.

  6. Specify or browse to select the NDS context.

  7. Click Create. The DNS key is now created.

    Example: DNS KeyName-Key1,Alorithm-HMAC-MD5,Key Secret-456errt4545=

Modifying a DNS Key

When you select an existing DNS key in the left pane of the DNS Service window, the detailed information for the object is displayed in the right pane. You can modify the DNS key data and save changes by clicking Save on the toolbar.

You can modify DNS key data such as secret key, and the associated Comments.

Deleting a DNS Key

You can delete one, more than one, or all DNS keys, using the multi-select deletion feature in the Java Management Console.

NOTE:Deleting DNS key objects, deletes the references to key objects (if any) in Zone and DNS server objects.

To delete one key:

  1. Click the DNS Service tab of the Management Console.

  2. Select the DNS key to be deleted.

  3. Click create on the toolbar.

  4. Click Yes to confirm the deletion in the Delete Record window.

To delete more than one DNS key:

  1. Click the DNS Service tab of the Management Console.

  2. Select the DNS key to be deleted.

  3. Press the Shift key and select the Keys.

  4. Click create on toolbar. Click Yes to confirm the deletion in the Delete Record window.

NOTE:For further details, please refer to the dnssec-keygen man page.