1 <?xml version="1.0" encoding="utf-8"?>
3 - Copyright (C) 2010, 2014 Internet Systems Consortium, Inc. ("ISC")
5 - Permission to use, copy, modify, and/or distribute this software for any
6 - purpose with or without fee is hereby granted, provided that the above
7 - copyright notice and this permission notice appear in all copies.
9 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
10 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
11 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
12 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
13 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
14 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
15 - PERFORMANCE OF THIS SOFTWARE.
18 <sect1 id="bind9.library">
19 <title>BIND 9 DNS Library Support</title>
20 <para>This version of BIND 9 "exports" its internal libraries so
21 that they can be used by third-party applications more easily (we
22 call them "export" libraries in this document). In addition to
23 all major DNS-related APIs BIND 9 is currently using, the export
24 libraries provide the following features:</para>
27 <para>The newly created "DNS client" module. This is a higher
28 level API that provides an interface to name resolution,
29 single DNS transaction with a particular server, and dynamic
30 update. Regarding name resolution, it supports advanced
31 features such as DNSSEC validation and caching. This module
32 supports both synchronous and asynchronous mode.</para>
35 <para>The new "IRS" (Information Retrieval System) library.
36 It provides an interface to parse the traditional resolv.conf
37 file and more advanced, DNS-specific configuration file for
38 the rest of this package (see the description for the
39 dns.conf file below).</para>
42 <para>As part of the IRS library, newly implemented standard
43 address-name mapping functions, getaddrinfo() and
44 getnameinfo(), are provided. They use the DNSSEC-aware
45 validating resolver backend, and could use other advanced
46 features of the BIND 9 libraries such as caching. The
47 getaddrinfo() function resolves both A and AAAA RRs
48 concurrently (when the address family is unspecified).</para>
51 <para>An experimental framework to support other event
52 libraries than BIND 9's internal event task system.</para>
56 <title>Prerequisite</title>
57 <para>GNU make is required to build the export libraries (other
58 part of BIND 9 can still be built with other types of make). In
59 the reminder of this document, "make" means GNU make. Note that
60 in some platforms you may need to invoke a different command name
61 than "make" (e.g. "gmake") to indicate it's GNU make.</para>
64 <title>Compilation</title>
66 $ <userinput>./configure --enable-exportlib <replaceable>[other flags]</replaceable></userinput>
67 $ <userinput>make</userinput>
70 This will create (in addition to usual BIND 9 programs) and a
71 separate set of libraries under the lib/export directory. For
72 example, <filename>lib/export/dns/libdns.a</filename> is the archive file of the
73 export version of the BIND 9 DNS library. Sample application
74 programs using the libraries will also be built under the
75 lib/export/samples directory (see below).</para>
78 <title>Installation</title>
80 $ <userinput>cd lib/export</userinput>
81 $ <userinput>make install</userinput>
84 This will install library object files under the directory
85 specified by the --with-export-libdir configure option (default:
86 EPREFIX/lib/bind9), and header files under the directory
87 specified by the --with-export-includedir configure option
88 (default: PREFIX/include/bind9).
89 Root privilege is normally required.
90 "<command>make install</command>" at the top directory will do the
94 To see how to build your own
95 application after the installation, see
96 <filename>lib/export/samples/Makefile-postinstall.in</filename>.</para>
99 <title>Known Defects/Restrictions</title>
102 <!-- TODO: what about AIX? -->
103 <para>Currently, win32 is not supported for the export
104 library. (Normal BIND 9 application can be built as
108 <para>The "fixed" RRset order is not (currently) supported in
109 the export library. If you want to use "fixed" RRset order
110 for, e.g. <command>named</command> while still building the
111 export library even without the fixed order support, build
114 $ <userinput>./configure --enable-fixed-rrset <replaceable>[other flags, but not --enable-exportlib]</replaceable></userinput>
115 $ <userinput>make</userinput>
116 $ <userinput>./configure --enable-exportlib <replaceable>[other flags, but not --enable-fixed-rrset]</replaceable></userinput>
117 $ <userinput>cd lib/export</userinput>
118 $ <userinput>make</userinput>
123 <para>The client module and the IRS library currently do not
124 support DNSSEC validation using DLV (the underlying modules
125 can handle it, but there is no tunable interface to enable
129 <para>RFC 5011 is not supported in the validating stub
130 resolver of the export library. In fact, it is not clear
131 whether it should: trust anchors would be a system-wide
132 configuration which would be managed by an administrator,
133 while the stub resolver will be used by ordinary applications
134 run by a normal user.</para>
137 <para>Not all common <filename>/etc/resolv.conf</filename>
138 options are supported
139 in the IRS library. The only available options in this
140 version are "debug" and "ndots".</para>
145 <title>The dns.conf File</title>
146 <para>The IRS library supports an "advanced" configuration file
147 related to the DNS library for configuration parameters that
148 would be beyond the capability of the
149 <filename>resolv.conf</filename> file.
150 Specifically, it is intended to provide DNSSEC related
151 configuration parameters. By default the path to this
152 configuration file is <filename>/etc/dns.conf</filename>.
154 experimental and the configuration syntax or library interfaces
155 may change in future versions. Currently, only the
156 <command>trusted-keys</command>
157 statement is supported, whose syntax is the same as the same name
158 of statement for <filename>named.conf</filename>. (See
159 <xref linkend="trusted-keys" /> for details.)</para>
162 <title>Sample Applications</title>
163 <para>Some sample application programs using this API are
164 provided for reference. The following is a brief description of
168 <title>sample: a simple stub resolver utility</title>
170 It sends a query of a given name (of a given optional RR type) to a
171 specified recursive server, and prints the result as a list of
172 RRs. It can also act as a validating stub resolver if a trust
173 anchor is given via a set of command line options.</para>
175 Usage: sample [options] server_address hostname
178 Options and Arguments:
186 specify the RR type of the query. The default is the A RR.
191 [-a algorithm] [-e] -k keyname -K keystring
194 specify a command-line DNS key to validate the answer. For
195 example, to specify the following DNSKEY of example.com:
197 example.com. 3600 IN DNSKEY 257 3 5 xxx
199 specify the options as follows:
202 -e -k example.com -K "xxx"
205 -e means that this key is a zone's "key signing key" (as known
206 as "secure Entry point").
207 When -a is omitted rsasha1 will be used by default.
212 -s domain:alt_server_address
215 specify a separate recursive server address for the specific
216 "domain". Example: -s example.com:2001:db8::1234
220 <term>server_address</term>
222 an IP(v4/v6) address of the recursive server to which queries
227 <term>hostname</term>
229 the domain name for the query
235 <title>sample-async: a simple stub resolver, working asynchronously</title>
237 Similar to "sample", but accepts a list
238 of (query) domain names as a separate file and resolves the names
239 asynchronously.</para>
241 Usage: sample-async [-s server_address] [-t RR_type] input_file</para>
243 Options and Arguments:
251 an IPv4 address of the recursive server to which queries are sent.
252 (IPv6 addresses are not supported in this implementation)
260 specify the RR type of the queries. The default is the A
269 a list of domain names to be resolved. each line
270 consists of a single domain name. Example:
281 <title>sample-request: a simple DNS transaction client</title>
283 It sends a query to a specified server, and
284 prints the response with minimal processing. It doesn't act as a
285 "stub resolver": it stops the processing once it gets any
286 response from the server, whether it's a referral or an alias
287 (CNAME or DNAME) that would require further queries to get the
288 ultimate answer. In other words, this utility acts as a very
289 simplified <command>dig</command>.
292 Usage: sample-request [-t RRtype] server_address hostname
295 Options and Arguments:
304 specify the RR type of
305 the queries. The default is the A RR.
316 address of the recursive server to which the query is sent.
326 the domain name for the query
333 <title>sample-gai: getaddrinfo() and getnameinfo() test code</title>
335 This is a test program
336 to check getaddrinfo() and getnameinfo() behavior. It takes a
337 host name as an argument, calls getaddrinfo() with the given host
338 name, and calls getnameinfo() with the resulting IP addresses
339 returned by getaddrinfo(). If the dns.conf file exists and
340 defines a trust anchor, the underlying resolver will act as a
341 validating resolver, and getaddrinfo()/getnameinfo() will fail
342 with an EAI_INSECUREDATA error when DNSSEC validation fails.
345 Usage: sample-gai hostname
349 <title>sample-update: a simple dynamic update client program</title>
351 It accepts a single update command as a
352 command-line argument, sends an update request message to the
353 authoritative server, and shows the response from the server. In
354 other words, this is a simplified <command>nsupdate</command>.
357 Usage: sample-update [options] (add|delete) "update data"
360 Options and Arguments:
368 An IP address of the authoritative server that has authority
369 for the zone containing the update name. This should normally
370 be the primary authoritative server that accepts dynamic
371 updates. It can also be a secondary server that is configured
372 to forward update requests to the primary server.
380 A TSIG key file to secure the update transaction. The keyfile
381 format is the same as that for the nsupdate utility.
389 A prerequisite for the update (only one prerequisite can be
390 specified). The prerequisite format is the same as that is
391 accepted by the nsupdate utility.
399 An IP address of a recursive server that this utility will
400 use. A recursive server may be necessary to identify the
401 authoritative server address to which the update request is
410 The domain name of the zone that contains
418 Specify the type of update operation. Either "add" or "delete"
427 Specify the data to be updated. A typical example of the data
428 would look like "name TTL RRtype RDATA".
433 <note>In practice, either -a or -r must be specified. Others can
434 be optional; the underlying library routine tries to identify the
435 appropriate server and the zone name for the update.</note>
438 Examples: assuming the primary authoritative server of the
439 dynamic.example.com zone has an IPv6 address 2001:db8::1234,
442 $ <userinput>sample-update -a sample-update -k Kxxx.+nnn+mmmm.key add "foo.dynamic.example.com 30 IN A 192.168.2.1"</userinput></screen>
444 adds an A RR for foo.dynamic.example.com using the given key.
447 $ <userinput>sample-update -a sample-update -k Kxxx.+nnn+mmmm.key delete "foo.dynamic.example.com 30 IN A"</userinput></screen>
449 removes all A RRs for foo.dynamic.example.com using the given key.
452 $ <userinput>sample-update -a sample-update -k Kxxx.+nnn+mmmm.key delete "foo.dynamic.example.com"</userinput></screen>
454 removes all RRs for foo.dynamic.example.com using the given key.
458 <title>nsprobe: domain/name server checker in terms of RFC 4074</title>
461 of domains to see the name servers of the domains behave
462 correctly in terms of RFC 4074. This is included in the set of
463 sample programs to show how the export library can be used in a
464 DNS-related application.
467 Usage: nsprobe [-d] [-v [-v...]] [-c cache_address] [input_file]
479 run in the "debug" mode. with this option nsprobe will dump
480 every RRs it receives.
488 increase verbosity of other normal log messages. This can be
489 specified multiple times
497 specify an IP address of a recursive (caching) name server.
498 nsprobe uses this server to get the NS RRset of each domain and
499 the A and/or AAAA RRsets for the name servers. The default
508 a file name containing a list of domain (zone) names to be
509 probed. when omitted the standard input will be used. Each
510 line of the input file specifies a single domain name such as
511 "example.com". In general this domain name must be the apex
512 name of some DNS zone (unlike normal "host names" such as
513 "www.example.com"). nsprobe first identifies the NS RRsets for
514 the given domain name, and sends A and AAAA queries to these
515 servers for some "widely used" names under the zone;
516 specifically, adding "www" and "ftp" to the zone name.
523 <title>Library References</title>
524 <para>As of this writing, there is no formal "manual" of the
525 libraries, except this document, header files (some of them
526 provide pretty detailed explanations), and sample application
530 <!-- Id: libdns.xml,v 1.3 2010/02/03 23:49:07 tbox Exp -->