Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
Administrator's Manual
This software and documentation is subject to and made available pursuant to the terms of the
Nominum License Agreement, and may be used or copied only in accordance with the terms of
that Agreement. This manual, in whole or in part, may not be reproduced, translated or
reduced to any machine-readable form without prior written approval from Nominum,
Incorporated.
Nominum, Incorporated
2000 Seaport Boulevard
Suite 400
Redwood City, CA 94063
USA
http://www.nominum.com
Chapter 1: Introduction 13
High performance 13
Migration guidelines 15
Migration procedure 15
Notable features 21
Changed features 22
Removed features 23
Changed fields 24
Removed fields 24
Changed commands 25
Removed commands 25
Changed events 25
Removed events 26
Changed statistics 26
Removed statistics 27
Engine Interaction 29
Using nom_tell 32
Interactive Mode 34
NXDOMAIN redirection 35
In CacheServe 5 43
In CacheServe 7 43
Caveats 54
--channel 56
-c, --configuration 56
--directory 56
--dns-port 56
--fd-limit 56
-F, --foreground-with-syslog 57
-f, --foreground 57
-h, --help 57
--license 57
--no-statmon 57
-r, --root 57
--statmon-directory 58
-s, --syslog-facility 58
--usage 58
-u, --user 58
-v, --version 59
Supported objects 61
cacheserve-deleteconf 68
cacheserve-stats 69
address-list 73
address-node 75
binding 77
connection 79
dns64 80
layer 83
name-list 86
name-node 88
policy 90
ratelimiter 92
resolver 94
server 105
view 110
view-selector 112
address-list.load 120
address-list.mget 121
address-list.replace 123
address-list.update 124
address-node.add 125
address-node.delete 126
address-node.get 126
address-node.list 127
address-node.mget 129
address-node.replace 130
address-node.update 131
binding.add 132
binding.delete 135
binding.get 136
binding.list 137
binding.mget 138
binding.replace 140
binding.update 142
connection.get 145
connection.replace 145
connection.subscribe-all 146
connection.update 146
dns64.add 147
dns64.delete 148
dns64.get 149
dns64.list 150
dns64.mget 151
dns64.replace 152
dns64.update 154
instance-information 156
layer.add 157
layer.clear-fault 158
layer.delete 158
layer.get 159
layer.list 159
layer.mget 161
layer.reimage 162
layer.replace 162
layer.update 164
name-list.add 165
name-list.delete 166
name-list.dump 167
name-list.get 167
name-list.list 168
name-list.load 169
name-list.mget 170
name-list.replace 172
name-list.update 173
name-node.add 174
name-node.delete 175
name-node.get 176
name-node.list 177
name-node.mget 178
name-node.replace 179
name-node.update 181
policy.add 182
policy.delete 184
policy.get 184
policy.list 185
policy.mget 186
policy.replace 188
policy.simulate 189
policy.update 191
process-information 192
ratelimiter.add 193
ratelimiter.delete 195
ratelimiter.get 196
ratelimiter.list 196
ratelimiter.mget 198
ratelimiter.replace 199
ratelimiter.statistics 201
ratelimiter.update 202
resolver.add 204
resolver.delete 215
resolver.flush 216
resolver.get 217
resolver.inspect 217
resolver.inspect-delegation 220
resolver.list 221
resolver.mget 223
resolver.recursing 224
resolver.replace 225
resolver.statistics 235
resolver.update 237
restart 248
server.add 248
server.all-errors 252
server.block-checkpoints 252
server.checkpoint 252
server.get 253
server.replace 260
server.statistics 263
server.unblock-checkpoints 265
server.update 266
stop 269
uuid 270
version 270
view-selector.add 271
view-selector.delete 272
view-selector.get 273
view-selector.list 274
view-selector.mget 275
view-selector.query 276
view-selector.replace 277
view-selector.update 278
view.add 280
view.delete 281
view.get 282
view.list 282
view.mget 284
view.replace 285
view.update 286
address-list.changed 289
address-node.changed 289
binding.changed 290
dns64.changed 290
layer.changed 290
layer.provisioning-connected 291
layer.provisioning-connection-failure 291
layer.provisioning-disconnected 291
layer.provisioning-reimaging 292
layer.provisioning-update-failure 292
layer.provisioning-update-success 292
name-list.changed 292
name-node.changed 293
policy.changed 293
policy.hit 293
ratelimiter.abate 294
ratelimiter.changed 296
ratelimiter.onset 296
resolver.changed 298
resolver.flush 298
resolver.id-spoofing-suspected 299
server.changed 299
server.configuration-error 299
server.formerr-loop 300
server.restart 300
server.stop 300
server.tcp-client-limit 300
server.udp-recursion-limit 300
view-selector.changed 300
view.changed 301
ACLs 303
exclude-fields 303
fields 303
acl-element 304
acl-element4 304
acl-element6 304
addr 304
addr-or-name 304
addr6 304
addrpat 305
addrpat6 305
addrport 305
addrport4 305
addrport6 305
addrrange 305
anonymization-key-file-path 305
boolean 305
dns-flag 306
dns-rcode 306
edns-flag 307
event-name 307
float-seconds-since-epoch 307
inspect-delegation-servers 307
integer 308
ipv4netlen 308
ipv6netlen 308
monitor-log-switch 308
name 309
name-empty-ok 309
name-label-count 309
policy-action 309
policy-calendar-selector 312
policy-result-type 313
policy-selector 313
positive-integer 317
provisioning-status 317
ratelimiter-statistics 318
rdata 319
rdataclass 319
rdatatype 319
report-max-memory-arg 319
resolver-statistics 319
seconds-since-epoch 321
server-statistics 321
sizeval 322
std-layered-edit-operation 322
string 323
string-empty-ok 323
threshold-abate 323
threshold-duration 323
threshold-onset 323
time-in-microseconds 323
time-in-seconds 323
ttl 324
uint16 324
uint64 324
unparsed 324
uuid 324
versioncheck-days 324
Index 325
While the data is cached, the caching server doesn't need to go back and re-query authoritative
servers, and this increases the efficiency of local DNS responses (like those that come from your
end-users).
High performance
Vantio CacheServe is the next generation of caching name server in the Vantio line, re-
engineered to take advantage of multi-core hardware. In testing environments, CacheServe
has performed at 2,000,000 queries per second.
We've put together some performance tuning guidelines to help you take advantage of
CacheServe's capabilities.
1. Create the directory in which you're going to run CacheServe. You can use
/var/nom/cacheserve if that's convenient.
2. Choose the user as which you're going to run CacheServe (create the user, if necessary).
3. Make sure that the chroot directory and all the files in it are owned by that user:
%> chown -R username chroot-directory
4. Make sure that the directory has the right permissions for that user:
%> chmod 700 chroot-directory
5. Edit the /usr/local/nom/etc/sysconfig/cacheserve file, and add or edit the following entries:
CACHESERVE_OPTIONS="--directory /"
CACHESERVE_ROOTDIR="chroot-directory"
CACHESERVE_USER="username"
6. Start CacheServe.
Note: If you stop the server and modify files in the chroot directory using something like
cacheserve-loadconf, you should repeat steps 3 and 4 to make sure ownership and
permissions are correct.
It also includes:
Migration guidelines
1. Don't convert your database in the working directory. Convert your database some-
where other than /var/nom/cacheserve, like /tmp. Only move the converted database once
you're sure the conversion is complete and the results are to your liking.
2. Not all parts of a Vantio configuration can be automatically converted; more com-
plicated Vantio configurations may require additional help.
Migration procedure
To migrate from Vantio 5.x to Vantio CacheServe 7.0:
where <file> represents the name of the file containing the dumped Vantio data.
4. If you are satisfied with the results of the import, stop Vantio and start CacheServe:
5. If you encounter unresolvable problems, you can revert to your previous Vantio install-
ation by restoring any changes that you made to startup scripts in step 1, and starting
Vantio.
If this rate limiting involves responses being truncated, the caching server can rapidly exhaust
its supply of file descriptors. The resolver max-tcp-recursions option limits the number of
TCP connections the server can make at one time during resolution. The default value is 1000,
which should be sufficient for most use cases
Configure the number of recursion contexts with the server's max-recursive-clients setting, up
to a maximum of 50,000:
cacheserve> server.update max-recursive-clients=50000
A good rule of thumb for the number of sockets is to use the number of "real" CPU cores
available to you (versus the number of real cores plus virtual, hyperthreaded cores). On Linux
systems, an easy way to find out how many cores you have is:
[shell ~]# lscpu
Architecture: x86_64
CPU op-mode(s): 32-bit, 64-bit
Byte Order: Little Endian
CPU(s): 1
On-line CPU(s) list: 0
Thread(s) per core: 1
Core(s) per socket: 1
CPU socket(s): 1
NUMA node(s): 1
Vendor ID: AuthenticAMD
CPU family: 16
Model: 8
Stepping: 1
CPU MHz: 2100.147
BogoMIPS: 4200.29
L1d cache: 64K
L1i cache: 64K
L2 cache: 512K
L3 cache: 6144K
NUMA node0 CPU(s): 0
Multiply the number of cores by the sockets to get the number of cores. In this case, there's 1
core (1*1).
Notable features
The following features have been added or improved in CacheServe:
listen-on-matching
Listen-on-matching has replaced listen-on, and provides the ability to listen on multiple
interfaces. See listen-on-matching for details.
Rate-limiting
Ratelimiting is discussed in two places:
Many of the ratelimiting features from earlier CacheServe releases have changed:
Changed features
The following features have been changed in CacheServe from their Vantio equivalents:
Monitoring changes
Monitoring functions are now provided entirely by the Nominum statmon utility, supported by
CacheServe with the auth-monitoring and monitoring configuration elements.
For detailed information about monitoring in CacheServe, including the commands available
for both the auth-monitoring and monitoring elements, please consult the Nominum
monitoring manuals: Monitoring Query and Request Data on Nominum Engines and Nominum
statmon Utility and Query Store Command Reference.
l The default DNS port may only be specified on the command line.
l EDNS0 defaults to "on".
l You cannot configure a single address/port combination to accept both queries and
responses.
l Only IN classes are supported (with the exception of magic CHAOS TXT queries)
l Statistics other than simple counters should be obtained using the Nominum statmon
utility.
l QNAME case randomization has been simplified:
l off, unenforced and silent-enforced default to "off".
l Immortal's value is now a boolean value, and the unknown name response is now
Removed features
The following features have been removed entirely from CacheServe:
Changed fields
The following fields have been changed in CacheServe from their Vantio equivalents:
Removed fields
The following fields have been removed entirely from CacheServe:
Changed commands
The following commands have been changed in CacheServe from their Vantio equivalents:
Removed commands
The following commands have been removed entirely from CacheServe:
Changed events
The following events have been changed in CacheServe from their Vantio equivalents:
Removed events
The following events have been removed entirely from CacheServe:
Changed statistics
The following statistics have been changed in CacheServe from their Vantio equivalents:
l log-id-spoofing
l inspect
l inspect-type-info
l inspect-delegation
Removed statistics
The following statistics have been removed entirely from CacheServe:
Proxy comes with a Nominum-provided Command Channel client called nom_tell, which is used
in examples throughout the manual.
CC Message Types
RESPONSES are messages sent from servers in response to requests from clients. A response is
sometimes a sequence of several messages. Responses to failed requests contain an err tag
indicating the error that led to the failure.
EVENTS are messages sent from servers with no expectation of a response and cannot be
responded to.
CC Message Formats
Command Channel messages are formatted three ways: as strings, lists, or tables.
STRINGS are a sequence of zero or more octets, and can take several forms.
LISTS are parenthesized values, optionally separated by commas, containing any of the basic
Command Channel formats (strings, lists, or tables).
(foobarbaz)
(1, 2, 3)
TABLES are key/value pairs, optionally separated by commas, = or =>, inside curly braces ( { } ).
Table keys are strings, and table values can be any of the basic Command Channel formats
(strings, lists, or tables).
Command Usage
stop Shuts down the server
version Retrieves version information for the server
instance-information Retrieves instance id
Retrieves process information for the server, including licens-
process-information
ing, working directory, process id, and system time
Add
The add method creates a new object. The arguments needed for this command are the initial
values of the object's required fields and any optional fields that you want to set when creating
the object.
Delete
The delete method deletes an object. Depending on the type of object, you will need to specify a
name or other key field to determine which object to delete.
Get
The get method retrieves the values of an object's fields. Depending on the type of object, you
will need to specify a name or other key field to determine which objects to retrieve.
List
The list method retrieves all instances of a specific class of objects. This method will return a
sequence of one or more responses, depending on the number of objects listed.
Mget
The mget method retrieves all instances of a specific class of objects and the values of their
fields. This method will return a sequence of one or more responses, depending on the
number of objects listed.
Replace
The replace method will create a new object in place of a chosen object, with the new object's
fields set to the specified values. Any unspecified fields will either be unset or set to the default
value, even if they were set in the original object.
Update
The update method will update the values for the specified fields for a chosen object while
leaving any unspecific fields unchanged.
+/Append
When using the update method, you can use the append syntax to add new values to the end
of a list in an object's fields.
-/Remove
When using the update method, you can use the remove syntax to remove specified values
from a list in an object's fields.
Using nom_tell
The nom_tell Command Channel client ships with the Proxy. All of the examples in this manual
use nom_tell in its interactive mode, which is the simplest way to send Command Channel
messages to a Nominum engine.
When sending parameters in a list using nom_tell from the shell prompt, you will need to
enclose each list entry in quotes, in order for the command to be parsed properly.
Interactive Mode
In order to enter nom_tell interactive mode, send a nom_tell command with an engine or service
name specified, but no further commands or paramters. This will open a Command Channel
connection which will be used for subsequent commands.
# nom_tell nom-proxy
nom-proxy>
From this prompt, you can send commands to the Proxy by typing them at the prompt, and
nom_tell will return to the interactive prompt after the Command Channel response is returned.
When using interactive mode, you do not need to enclose field values in quotes.
nom_tell also features tab completion when accessed in its interactive mode, which can be
useful when entering commands with complex syntax.
Note: If you leave your nom_tell interactive mode window idle for a few minutes, you may
receive this message:
error: 'nom-proxy' closed the connection
This is normal behavior. The next command you send via the nom_tell prompt will automatically
reopen the connection.
A channel.conf file is formatted as a sequence of lines, where blank lines and lines starting with
the # character are ignored. Each configuration line defines a service-name, followed by an
addrport, followed by a secret, followed by optional properties (each item is separated by
whitespace):
l service-name—A string used to identify the service. Each server has a default service
name, and can also be configured to use alternative service names.
l addrport—An address taking the form address [%scope]#port. For example, 9253 and
10.0.0.1#1111 are both valid addrports. If no address is specified, the loopback address
(127.0.0.1) is used. An address of 0.0.0.0 indicates that a server should listen on all
interfaces, and that a client should use the loopback address to communicate with that
server.
l secret—A string, specified with double quotes if it contains whitespace and within which
explicit quotation marks or backslashes are quoted with a backslash. Specifying a secret
of * is interpreted as no secret.
l acl—A list of addresses and/or networks that may make connections to this
channel. The list is a comma-separated list of addresses with optional prefix length
specifiers. For example: acl=127.0.0.1,10.0.0.0/8
Interactive Mode
nom_tell’s interactive mode opens a single Command Channel connection and uses it for
subsequent Command Channel messages:
[testbed etc]# nom_tell cacheserve
nom_tell 3.0.39.0.d, interactive mode
cacheserve>
In interactive mode, send commands to ANS by typing them at the prompt—note that nom_tell
returns to the interactive prompt after the Command Channel response is returned:
cacheserve> version
{
type => 'version'
vendor => 'Nominum'
product => 'Vantio CacheServe'
platform => 'rhel-6-x86_64'
version => '7.0.1.0.d'
expiration => 'Fri Aug 1 00:03:03 2014'
}
cacheserve>
In CacheServe, the same abilities are provided by a single feature, the policy engine. This section
shows you how to achieve those same features with the policy engine, and provides a good
foundation for more advanced goals, like defending against DNS amplification attacks.
NXDOMAIN redirection
Vantio used the NXR module to redirect NXDOMAIN responses. In CacheServe, the policy
engine provides this functionality.
The following example configures CacheServe to redirect everything except queries and
prefixes that match entries on two lists.
l Creating a policy.
l Adding a redirection policy-action to the policy.
l Making lists of domains and prefixes that you don't want to redirect.
l Adding a policy-selector that executes the redirection for anything that isn't on the
"don't-redirect" lists.
l Binding the policy to a view.
1. In Vantio, retrieve the view that contains the redirection you want to accomplish, and
look for the redirect-nxdomain-replace value:
vantio> view.get name=nxdomain-redirect-view
{
type => 'view.get'
name => 'nxdomain-redirect-view'
class => 'IN'
redirect-nxdomain-replace => ((('.') ('192.168.1.1')))
redirect-nxdomain-prefix-only-prefixes => ('www')
}
2. You will need both the IPv4 and IPv6 addresses (you may need to convert the IPv4
address. In this case, those addresses are:
192.168.1.1
2001:db8:f61:a1ff:0:0:0:80
3. In CacheServe, add the redirection action to the policy you created earlier, using the IPv4
and IPv6 addresses you looked up:
cacheserve> policy.update name=nxdomain-redirect-policy action=
(answer ((A 192.168.1.1)(AAAA 2001:db8:f61:a1ff:0:0:0:80)))
{
type => 'policy.update'
}
1. In Vantio, retrieve the view that contains the redirection you want to accomplish, and, this
time, look for the redirect-nxdomain-exclusions value:
vantio> view.get name=nxdomain-redirect-view
{
type => 'view.get'
name => 'nxdomain-redirect-view'
class => 'IN'
redirect-nxdomain-replace => ((('.') ('192.168.1.1')))
redirect-nxdomain-exclusions => ("example.org" "example.net"
"example.com")
redirect-nxdomain-prefix-exclusions => ("www" "ldap" "smtp")
}
2. In CacheServe, create a name-list. This name-list will contain the names of queries you
want to exempt from redirection:
cacheserve> name-list.add name=nxdomain-redirect-domains
{
type => 'name-list.add'
}
3. In CacheServe, add the names you want to exempt as name-nodes in the name-list you
just created (for large lists, you should consider extracting the list contents into a file and
using name-list.load to populate the list):
cacheserve> name-node.add list=nxdomain-redirect-domains
name=example.com
{
type => 'name-node.add'
}
5. In CacheServe, create another name-list. This name-list will contain the names of prefixes
you want to exempt:
cacheserve>name-list.add name=nxdomain-do-not-redirect-prefixes
{
type => 'name-list.add'
}
6. In CacheServe, add the prefixes you want to exempt as name-nodes in the name-list you
just created (for large lists, you should consider extracting the list contents into a file and
using name-list.load to populate the list):
cacheserve> name-node.add list=nxdomain-do-not-redirect-prefixes
name=www
{
type => 'name-node.add'
}
Since this policy is implementing NXDOMAIN redirection, we want it to apply only to A/AAAA
queries that received "organic" NXDOMAIN results; that is, NXDOMAIN results came from
resolution, but that weren't synthesized by other policies.
Now you need to link them together in the policy you created in the beginning.
1. Add a policy-selector that combines the action you created (redirect A and AAAA queries)
with the lists you created, and associate the selector with a policy:
cacheserve> policy.update name=nxdomain-redirect-policy selector=(and
((result (nxdomain)) (qtype (A AAAA)) (not (synthesized)) (not
((qname (nxdomain-redirect-domains subdomain )))) (not ((qname-prefix
nxdomain-do-not-redirect-prefixes)))))
{
type => 'policy.update'
}
1. Bind the policy you created to the appropriate view, having the policy execute post-query
(because that's when you'll get an NXDOMAIN response from resolution) and giving the
policy a high priority:
cacheserve> binding.add view=world policy=nxdomain-redirect-policy
when=postquery priority=1
{
type => 'binding.add'
}
The following examples will look similar to the NXDOMAIN examples; that's because most of the
elements that we use in NXDOMAIN redirection, we also use to redirect malicious domains:
The following example configures CacheServe to redirect queries and prefixes that match
entries on two lists.
l Creating a policy.
l Adding a redirection action to the policy.
l Making a list of domains that you want to redirect.
l Adding a policy selector that executes the redirection for anything that's on the "mali-
cious domains" list.
l Binding the policy to a view.
Create the malicious redirection policy
As before, since we're implementing malicious domain redirection, we'll use the name mdr-
redirect-policy.
2. You will need both the IPv4 and IPv6 addresses (you may need to convert the IPv4
address. In this case, those addresses are:
192.168.1.1
2001:db8:f61:a1ff:0:0:0:80
3. In CacheServe, add the redirection action to the policy you created earlier, using the IPv4
and IPv6 addresses you looked up:
cacheserve> cacheserve> policy.update name=malicious-redirect-policy
action=(answer ((A 192.168.1.1)(AAAA 2001:db8:f61:a1ff:0:0:0:80)))
{
type => 'policy.update'
}
2. In CacheServe, create a name-list. This name-list will contain the names of queries you
want to redirect:
cacheserve> name-list.add name=redirect-malicious-domains
{
type => 'name-list.add'
}
3. In CacheServe, add the names you want to redirect as name-nodes in the name-list you
just created (for large lists, you should consider extracting the list contents into a file and
using name-list.load to populate the list):
cacheserve> name-node.add list=redirect-malicious-domains
name=infect-internet-explorer.com
{
type => 'name-node.add'
}
Note: You can redirect any query type; just substitute the appropriate type for A or AAAA in
the example.
Now you need to link them together in the policy you created in the beginning.
1. Add a selector that combines the action you created (redirect A and AAAA queries) with
the list you created, and associate the selector with a policy:
cacheserve> policy.update name=malicious-redirect-policy selector=
(and ((qtype (A AAAA)) (qname (redirect-malicious-domains
subdomain))))
{
type => 'policy.update'
}
1. Bind the policy you created to the appropriate view, having the policy execute prequery
(because you want to redirect before the query is resolved) and giving the policy a high
priority:
cacheserve> binding.add view=world policy=malicious-redirect-policy
when=prequery priority=1
{
type => 'binding.add'
}
In CacheServe 5
In CacheServe 5, traffic was rate-limited using the following configuration (please note that the
return has been edited for conciseness):
vantio> server.get
{
rate-limiting => 'true'
rate-limiting-max-qps => '10'
rate-limiting-unenforced => 'false'
rate-limiting-truncate-factor => '0'
}
This configuration limits traffic to 10qps, and does not truncate traffic.
In CacheServe 7
In CacheServe 7, rate-limiting is accomplished using policies.
1. Define a ratelimiter that constrains QPS to 10, and applies to each client:
cacheserve> ratelimiter.add name=overall-qps10 qps=10 \
fields=((client-network (32 128)))
2. Define a policy to drop traffic which exceeds the qps limit, using the new ratelimiter:
Amplification attacks center on the response size; it's particularly important to note that a DNS
amplification attack may have a low queries-per-second (qps) rate, but still consume a
tremendous amount of bandwidth.
l "Purpose-built" attack domains with large numbers of A or TXT records that hover right
around the 4000-byte boundary.
l Domains with large numbers of A or TXT records that only make sense in the context of
an attack. For instance, large quantities of A records pointing to the same IP, or large
quantities of TXT records containing bizarre or arbitrary counters.
3. Managing dual-use domains that are legitimate, but can also be used for an attack:
l Rate limiting dual-use domain traffic
4. Rate-limiting traffic that exceeds a certain qps threshold or maximum response size.
Note: The full capabilities of the statmon utility are beyond the scope of this manual; consult
the "Monitoring Query and Request Data on Nominum Engines" manual for comprehensive
details.
The best time to identify purpose-built amplification domains is when you suspect an attack is
in progress.
statmon>
2. Identify the top domains by response size over the last hour:
statmon> querystore.top-domains-by-response-size duration=1h
If you see domains that you wouldn't expect to see in your top querying domains, make
note of them.
2. Further constrain results to just large packets (over 1024 bytes in size):
3. Identify which query types these domains are being asked for:
statmon> querystore.group-count group-by=(name query-type) filter=
((response-size-ge (true (1024))))
Using lists allows you to easily keep the list of domains updated, and to preemptively drop all
queries to any domain on the list, as well as any subdomains of a domain on the list.
1. Create a source file for the domains (for the file syntax, see name-list.load), and put it
somewhere you can find it. For the purposes of this example, we'll assume the list is /tm-
p/droppurpose-exact-list.
2. Make sure you're using the cacheserve command-line interface:
[testbed etc]# nom_tell cacheserve
nom_tell 3.0.39.0.d, interactive mode
cacheserve>
4. Using name-list.load, add the contents of your domain-name file to the name-list:
cacheserve> name-list.load name=droppurpose-exact
file=/tmp/droppurpose-exact-list
{
type => 'name-list.add'
}
1. Create a source file for the subdomains (for the file syntax, see name-list.load), and put it
somewhere you can find it. For the purposes of this example, we'll assume the list is /tm-
p/droppurpose-sub-list.
2. Make sure you're using the cacheserve command-line interface:
4. Using name-list.load, add the contents of your subdomain file to the name-list:
cacheserve> name-list.load name=droppurpose-sub
file=/tmp/droppurpose-sub-list
{
type => 'name-list.add'
}
1. Create the policy, which will drop any query that matches an entry on the droppurpose-
exact or droppurpose-sub lists:
cacheserve> policy.add name=droppurpose action=drop selector=(or
((qname (droppurpose-exact exact)) (qname (droppurpose-sub subdomain
)) ))
{
type => 'policy.add'
}
Unfortunately, these queries can be directed to legitimate domains, which makes it difficult to
exclude these queries purely on the basis of size. For example, a legitimate domain could be
using DNSSEC, which would result in a lot of records at the top of the zone, some of them very
large (like DNSKEY).
A good workaround is to limit ANY queries on the basis of queries per second (qps). Although
limiting ANY queries on the basis of qps will cause those responses to be truncated, a querying
server that really needs the information can repeat the query over TCP.
2. Add a policy that truncates any response to a query that matches the ratelimiter:
cacheserve> policy.add name=truncate-rate-any selector=(and ((qtype
(ANY))(ratelimiter rateany))) action=truncate
l Identifying certain types of queries that are likely to be used in amplification attacks.
l Truncating responses to those query types when the qps rate exceeds a given threshold.
In this example, you'll create exact-match lists and subdomain lists, and associate them with a
qps-rate-based ratelimiter.
Here's how you add and delete entries from that list.
3. Add a policy that truncates large responses to any domain on either of the lists:
cacheserve> policy.add name=truncacteratelarge action=truncate
selectors=(and ((qtype (A)) (or ((qname (ratelarge-a-exact exact))
(qname (ratelarge-a-sub subdomain ) ) )) (ratelimiter ratelarge)))
1. First, create a ratelimiter that applies to the entire client population, and constrain it to
100 qps:
cacheserve> ratelimiter.add name=clientlimiter qps=100
unenforced=true fields=((client-network (32 128)))
2. Next, add the ratelimiter to a policy that drops the response to any client matching the
rate limiter:
cacheserve> policy.add name=droprate-limitedclients action=drop
selector=(ratelimiter clientlimiter)
1. First, create a ratelimiter that applies to all query types, and constrain it to 250 qps:
cacheserve> ratelimiter.add name=ratesize qps=250 fields=(query-type
)
2. Next, add the ratelimiter to a policy that truncates the response if any query exceeds
1500 bytes:
cacheserve> policy.add name=truncateoversize action=truncate
selector=(and ((response-size 1500) (ratelimiter ratesize)))
3. Finally, bind the policy to the server, specifying that the policy should execute before the
response is sent:
cacheserve> binding.add when=presend policy=truncateoversize server=1
priority=40
The attack only succeeds if the random 16-bit value in the ID field of a forged packet matches
that of a legitimate packet. Therefore, an extremely large number of packets are required, each
containing a different guess for the ID value.
CacheServe sends each outgoing query from a randomly chosen port , selected from a pool of
ports.
This makes the server more resilient against ID spoofing attacks, as the attacker has to guess
both the query ID and the port.
Caveats
Under normal circumstances, CacheServe gets some responses with incorrect IDs even
though no attack is in progress. This can be attributed to things like software errors in
authoritative servers, or extreme network delays that cause a response to show up long after
CacheServe has forgotten about the original query.
To prevent lots of spurious log messages, the conditions for issuing a log message are
necessarily more stringent than those for activating the defense mechanism itself. As a result,
it's normal for the ID spoofing defense mechanism to be triggered every so often, and you
shouldn't take it as ironclad evidence that an attack is underway. You should start investigating
if you start seeing log messages.
These scripts are installed in /etc/init.d, and are executed as arguments to the cacheserve
initialization script.
Script Description
cacheserve
Starts CacheServe.
start
cacheserve
Stops CacheServe.
stop
cacheserve
Displays CacheServe's operational status.
status
cacheserve con- Restarts CacheServe if CacheServe is running, but does not restart
drestart CacheServe if CacheServe isn't running.
cacheserve
Restarts CacheServe.
restart
--channel
shell# /usr/local/nom/sbin/cacheserve --channel channel-name
Specifies one or more Command Channel services on which CacheServe will listen. Each service
specified must be defined in the /etc/channel.conf file.
-c, --configuration
shell# /usr/local/nom/sbin/cacheserve --configuration /path/to/file
Use the specified configuration database instead of the default configuration database,
/var/nom/cacheserve/cacheserve.vdb2.
--directory
shell> /usr/local/nom/sbin/cacheserve --directory directory
If CacheServe is operating in a chroot() jail, directory is interpreted relative to the chroot() jail.
--dns-port
shell# /usr/local/nom/sbin/cacheserve --dns-port port-number
Sets the default UDP/TCP port CacheServe will use for DNS protocol traffic.
This option is mainly intended for server testing; a server us ing a port other than 53 will not be
able to communicate with the global DNS.
--dns-port controls both the port upon which the server listens for DNS queries and the port to
which outbound DNS queries (to other DNS servers) are sent.
--fd-limit
shell# /usr/local/nom/sbin/cacheserve --fd-limit 1000
Sets the maximum number of open file descriptors to the specified value, or fail.
If --fd-limit isn't specified, CacheServe will try to raise the limit to an appropriate value. If that
fails, CacheServe will raise the soft limit to the hard limit.
-F, --foreground-with-syslog
shell# /usr/local/nom/sbin/cacheserve --foreground-with-syslog
Configures CacheServe to run in the foreground and log messages to both standard error and
syslog.
-f, --foreground
shell# /usr/local/nom/sbin/cacheserve --foreground
Configures CacheServe to run in the foreground and log messages to standard error.
-h, --help
shell# /usr/local/nom/sbin/cacheserve --help
--license
shell# /usr/local/nom/sbin/cacheserve --license license-path
Specifies a path to the product license file. The default license location is
/usr/local/nom/etc/cacheserve.license.
--no-statmon
shell> /usr/local/nom/sbin/cacheserve --directory directory
-r, --root
shell# /usr/local/nom/sbin/cacheserve --rootdirectory
Configures CacheServe to run under the specified directory. All paths, including that of the
configuration database, are interpreted relative to the specified root.
A nanny process continues to run with the original root di- rectory, and changes the server's
root directory before starting the server.
Warning! -root provides no added security unless you also specify a non-root user with the -u,
--user option.
--statmon-directory
shell# /usr/local/nom/sbin/cacheserve --statmon-directorydirectory
Configures the directory that the Nominum statmon utility should use for locks and IPC files. By
default, this is /var/nom/statmon.
--directory must be set to the same value for the statmon process.
This argument has no effect on the location of querystore files; those settings are controlled
using querystore configuration in statmon and the CacheServe monitoring objects.
-s, --syslog-facility
shell# /usr/local/nom/sbin/cacheserve --syslog-facility facility
The supported facilities are cron, daemon, kern, lpr, mail, news, user, uucp, local0, local1, local2,
local3, local4, local5, local6, local7, and on some plaforms ftp.
--usage
shell# /usr/local/nom/sbin/cacheserve --usage
-u, --user
shell# /usr/local/nom/sbin/cacheserve --user username
A nanny process continues to run as the original user, and changes the user ID of the server
process before starting the server.
-v, --version
shell# /usr/local/nom/sbin/cacheserve --version
Supported objects
All of the CacheServe utilities support changes to the following configuration objects.
Note: Some of these objects may not be available unless you have a license for them.
Element Description
Element Description
name-list.
The full configuration is surrounded by curly braces ({ and }), and each field is displayed as
key => value
value can be anything from a simple string all the way up to complicated data structures like
policy-actions or policy-selectors.
Whether it's a string or something more complicated, the value of each field consists of three
types of entry:
l lists, which are variable-length lists of elements where each element is of the same type;
l tuples, which are fixed-length elements where each element is of a different type;
l tables, which are variable-length tables of fields where each field is a key => value pair.
Each element in a list or tuple, and each value in a table, can also be a string, list, tuple, or table.
{
preload => ((’localhost’ ’A’ ’127.0.0.1’))
log−dnssec => "true"
}
The preload field's single element is a tuple of 3 values (the name, the type, and the data):
{
preload => ((’localhost’ ’A’ ’127.0.0.1’))
log−dnssec => "true"
}
By default, cacheserve-editconf updates a running server; if you want to edit the configuration
database instead, use the --configuration option.
How it works
You use cacheserve-editconf from the command line, using command-line arguments to
specify the CacheServe configuration element you want to edit.
cacheserve-editconf options
--address
--address Changes the value of the element's address field.
value
--destination-
--destination- Changes the value of the element's destination-address
address
address field.
address
Required. -t type or
-t or
Instructs cacheserve-editconf to edit an element of this --object-type
--object-type
type. type
--policy Changes the value of the element's policy field. --policy policy
--server Changes the value of the element's server field. --server server
--source-
--source-
Changes the value of the element's source-address field. address
address
address
--view Changes the value of the element's view field. --view view
By default, cacheserve-loadconf updates a running server; if you want to load data to the
configuration database instead, use the --configuration option.
How it works
You use cacheserve-loadconf from the command line, using command-line arguments to
specify the CacheServe configuration element you want to load.
This means it's possible for non-working configuration data to be accepted by cacheserve-
loadconf, but not be executeable by CacheServe.
If this happens, CacheServe will flag the problem in the errors field, but it reinforces the best
practice of making changes to your configuration database only when absolutely necessary,
and even then as infrequently as possible.
the default.
Required. -t type or
-t or
--object-type
--object-type Instructs cacheserve-loadconf to edit an element of this type. type
By default, cacheserve-dumpconf gets data from a running server; if you want to get
information from the configuration database instead, use the --configuration option.
How it works
You use cacheserve-dumpconf from the command line, using command-line arguments to
specify the CacheServe configuration element you want to retrieve.
--address
--address Retrieves the value of the element's address field.
value
--des-
--des-
Retrieves the value of the element's destination-address tination-
tination-
field. address
address
address
Required. -t type or
-t or
Instructs cacheserve-editconf to retrieve data for an --object-type
--object-type
element of a single type. type
--policy Retrieves the value of the element's policy field. --policy policy
--server
--server Retrieves the value of the element's server field.
server
--source-
--source-
Retrieves the value of the element's source-address field. address
address
address
--view Retrieves the value of the element's view field. --view view
cacheserve-deleteconf
cacheserve-deleteconf gives you a way to delete an element's configuration from without using
nom_tell.
How it works
You use cacheserve-deleteconf from the command line, using command-line arguments to
specify the CacheServe configuration element you want to remove.
cacheserve-deleteconf options
--address
The address value of the element to be deleted..
address
--destination-
The element's destination-address field.
address address
-t type
or Required.
--object-type Instructs cacheserve-deleteconf to remove an element of this type.
type
--source-
The value of the element's source-address field.
address address
cacheserve-stats
The cacheserve-stats utility program retrieves statistics from a running CacheServe instance
and displays them in a tabular, human-readable form, emitting a new header every 24 lines.
Options
Option Description
--channel Communicate with the running server using the specified channel as
channel configured in /etc/channel.conf) instead of the default, cacheserve.
-c, --
Specify that cacheserve-stats should display statistics at most this many times,
count
rather than running until interrupted.
count
Generate output in comma separated value form, rather than a table. In CSV
--csv form, a single header line is emitted, and the full statistics names are used, not
the abbreviated versions.
Specify which statistics to display. The names of the statistics are given as a
comma-separated list of statistic names.
l requests-received
-o, -- l responses-sent
statistics l requests-sent
statistics- l responses-received
list l user-time
l system-time
l cpu-time
l efficiency
l recursion-contexts-in-use
-v, --
Display the version of the server and exit.
version
-w, --wait Specify how long to wait between consecutive measurements, in seconds. The
interval default is 1 second.
Statistics
CacheServe provides the following statistics. Each statistic is documented with the name of the
statistic and the abbreviated description that's displayed as a column heading in the
cacheserve-stats output.
Most of the statistic names correspond directly to fields returned in server-statistics; the
exceptions are noted below.
address-list
address-lists contain nodes that represent addresses and networks. The contents of address-
lists are made up of address-nodes.
Commands
address-lists accept the following commands:
Command Description
Command Description
Supported Fields
address-lists support the following fields:
count
integer
errors
Optional
string
A read-only field that indicates any problems with a specific object's configuration. errors will
only be present if there's a problem.
name
Required
string
post-edits
Optional
std-layered-edit-operation
pre-edits
Optional
std-layered-edit-operation
Events
address-lists report the following events:
l address-list.changed
address-node
address-nodes represent all data associated with a single network in an address-list.
Command Description
Supported Fields
address-nodes support the following fields:
address
Required
addrpat
count
integer
errors
Optional
string
A read-only field that indicates any problems with a specific object's configuration. errors will
only be present if there's a problem.
list
Required
string
post-edits
Optional
std-layered-edit-operation
pre-edits
Optional
std-layered-edit-operation
tag
Optional
string
Events
address-nodes report the following events:
l address-node.changed
binding
bindings represent bindings between policies and the server or views.
Command Description
binding.update Updates a binding with new values or resets values to their defaults.
Supported Fields
Bindings take the following fields:
errors
Optional
string
A read-only field that indicates any problems with a specific object's configuration. errors will
only be present if there's a problem.
policy
Optional
string
post-edits
Optional
std-layered-edit-operation
pre-edits
Optional
std-layered-edit-operation
priority
Required
integer
The priority of a policy-binding operation. Priorities affect the execution order of policies.
Priorities are ranked by the lowest value, with 0 being the most important priority. Policies with
a lower priority value are executed before policies with a higher priority value.
As some policies execute before DNS resolution is performed, and other policies execute after
DNS resolution is performed, policies are only compared to other policies that are executing at
the same time.
If multiple bindings specify the same priority, the order of execution is considered undefined.
Therefore, you should consider specifying priorities with some flexibility to them. For example,
instead of using the priorities 0, 1, 2, 3, 4 and so on, you may want to consider using 0, 10, 20, 30,
40 or even 0, 100, 200, 300, 400.
server
Optional
boolean
view
Optional
string
when
Optional
postquery prequery | presend
Specifies the time in the DNS processing cycle when a policy-binding operation should execute.
prequery
bindings are executed prior to cache lookup and/or resolution. DNS processing is aborted if a
prequery binding produces a response. If a CNAME or DNAME is followed, prequery bindings
may be executed multiple times for a single query.
postquery
bindings are executed after prequery bindings and/or normal DNS processing. If a CNAME or
DNAME is followed, postquery bindings may be executed multiple times for a single query.
presend
bindings are executed after the full DNS response has been constructed, immediately prior to
sending the response.
Events
bindings report the following events:
l binding.changed
connection
connections represent the properties of a Nominum Command Channel connection.
Connections never persist, and always refer to the Command Channel connection on which its
commands are sent.
Command Description
SupportedFields
Connections take the following fields:
all-events
event-name
events
Optional
event-name
idle-timeout
Optional
time-in-seconds
Specifies the amount of time before a connection will be closed in the absence of traffic.
Defaults to 5 minutes (300 seconds). If any events are specified for the connection, there is no
timeout.
dns64
dns64 objects represent DNS64 translation layers. dns64 objects only have an effect when
they're paired with active policies.
DNS64 translation layers map IPv4 addresses into IPv6 addresses as defined in RFC6147.
This enables additional processing for DNS AAAA queries; if no AAAA records exist for a queried
name, but A records exist, AAAA records can be generated from A records according to a set of
mapping rules. The synthesized answer is then returned to the client.
DNS64 also provides additional processing for PTR queries; if a PTR query is received for a
name that matches a defined DNS64 prefix, CacheServe will synthesize a CNAME which points
at the reverse map entry in the IPv4 reverse space.
Command Description
dns64.update Updates a dns64 object with new values or resets values to their defaults.
Supported Fields
dns64 objects take the following fields:
errors
Optional
string
A read-only field that indicates any problems with a specific object's configuration. errors will
only be present if there's a problem.
mapped
Optional
(acl-element ...)
Specifies an ACL instructing CacheServe to map only certain IPv4 A records into IPv6 AAAA
records.
name
Required
string
post-edits
Optional
std-layered-edit-operation
pre-edits
Optional
std-layered-edit-operation
prefix
Required
addrpat6
The prefix must exactly match one of the following bit lengths:
l 32
l 40
l 48
l 56
l 64
l 96
suffix
Optional
addr6
An addr6 specifying the bits that will trail IPv6 addresses constructed from IPv4 addresses.
Any bits specified in the suffix must not overlap bits in the prefix, reserved bits, or the mapped
IPv4 address.
Events
dns64 objects report the following events:
l dns64.changed
layer
layers are sets of configuration information that can be selectively enabled or disabled. One of
the primary uses for layers is to store CacheServe's critical configuration in an "operational
layer" that remains unchanged, and add services by adding layers that contain the
configuration for that service.
This operational layer is the operator layer, , it has a priority of 0 (the highest priority) and it
cannot be deleted.
Command Description
Erases all data from the layer, and reloads layer data
layer.reimage
from the provisioning server.
Command Description
When a layer is reimaged, either because it's the initial transfer of content or the database ID
has changed, CacheServe sends a layer.provisioning-reimaging event.
If you want to disable communications with a provisining server, unset the channel field on the
layer. The layer content will remain, and if you re-enable the channel field, provisioning will pick
up where it left off.
Supported Fields
Layers support the following fields:
channel
string
A Command Channel service name, as defined in the local channel configuration file (usually
/etc/channel.conf).
This service should point to a provisioning server, and may not coexist with the server field.
errors
Optional
string
A read-only field that indicates any problems with a specific object's configuration. errors will
only be present if there's a problem.
hidden
Optional
boolean
A value that indicates whether or not a layer affects the server's active configuration. Changing
this value forces an automatic server restart.
If hidden is set to true, the layer's contents do NOT affect the server's active configuration. For
provisioned layers, provisioning changes will be applied, but have no visible effect until the layer
is unhidden.
If hidden is set to false (the default), the layer's contents affect the server's active configuration.
name
Required
string
priority
Required
integer
The priority of a layer. Layers are ranked by the lowest value, with 0 being the most important
layer. Layers with a lower priority value take precedence over layers with a higher priority value.
The operator layer is always priority 0 and has precedence over all other layers: the operator
layer cannot be deleted.
provisioning
provisioning-status
server
Optional
addr-or-nameuint16, string-empty-ok
The system's resolver configuration is used to resolve the server's DNS name.
Events
layers report the following events:
l layer.changed
l layer.provisioning-connected
l layer.provisioning-connection-failure
l layer.provisioning-disconnected
l layer.provisioning-reimaging
l layer.provisioning-update-failure
l layer.provisioning-update-success
name-list
name-lists contain nodes that represent DNS names. The contents of name-lists are made up
of name-nodes.
Command Description
Supported Fields
name-lists support the following fields:
count
integer
errors
Optional
string
A read-only field that indicates any problems with a specific object's configuration. errors will
only be present if there's a problem.
name
Required
string
post-edits
Optional
std-layered-edit-operation
pre-edits
Optional
std-layered-edit-operation
Events
name-lists report the following events:
l name-list.changed
name-node
name-nodes represent all data associated with a single name in an name-list.
Command Description
Supported Fields
name-nodes support the following fields:
encrypted
Optional
boolean
errors
Optional
string
A read-only field that indicates any problems with a specific object's configuration. errors will
only be present if there's a problem.
list
Optional
string
name
Required
string
post-edits
Optional
std-layered-edit-operation
pre-edits
Optional
std-layered-edit-operation
tag
Optional
string
Events
name-nodes report the following events:
l name-node.changed
policy
policies are a way for CacheServe to execute specific actions based on the results from
processing a DNS query. They are connected to the server or views with bindings.
l A selector, which determines whether or not the policy should be applied to a query;
l An action, which is a CacheServe operation;
l Child policies, which are policies related to the current policy, and that execute after the
current policy completes.
Command Description
policy.update Updates a policy with new values or resets values to their defaults.
Supported Fields
Policies support the following fields:
action
Optional
policy-action
The policy-action the policy should run when applied to a query. If this field is empty, no action
is taken.
children
Optional
string
A list of strings identifying child policies attached to the current policy. All children are executed
immediately after the parent policy.
errors
Optional
string
A read-only field that indicates any problems with a specific object's configuration. errors will
only be present if there's a problem.
name
Required
string
post-edits
Optional
std-layered-edit-operation
pre-edits
Optional
std-layered-edit-operation
Events
policies report the following events:
l policy.changed
l policy.hit
ratelimiter
ratelimiters constrain traffic; they use query or response fields to group queries into buckets,
and apply limits to those buckets.
Command Description
ratelimiter.update Updates a ratelimiter with new values or resets values to their defaults.
Supported Fields
Ratelimiters support the following fields:
bps
Optional
integer
errors
Optional
string
A read-only field that indicates any problems with a specific object's configuration. errors will
only be present if there's a problem.
fields
Required
((’client‐network’ (ipv4netlen, ipv6netlen)) | (’query‐name’ (name-label-
count)) | ’query‐type’ ...)
string
Specifies the fields to use when grouping requests into entries. Each field specified increases
granularity.
For example, (client-network (32 128)) groups each client into its own entry.
If both client-network and query-type are used, a new entry is generated for that specific
combination, and the defined rate limits are applied to the combination.
maximum-entries
Optional
positive-integer
Specifies the maximum number of entries to track, which indicates how many field
combinations can be tracked.
name
Required
string
post-edits
Optional
std-layered-edit-operation
pre-edits
Optional
std-layered-edit-operation
qps
Optional
integer
unenforced
Optional
boolean
Enables statistics, log messages and events related to rate limiting without actually dropping or
truncating answers. Defaults to false.
Events
ratelimiters report the following events:
l ratelimiter.abate
l ratelimiter.changed
l ratelimiter.onset
resolver
resolvers represent a DNS cache and a set of properties related to DNS resolution.
Command Description
resolver.update Updates a resolver with new values or resets values to their defaults.
Supported Fields
Resolvers support the following fields:
dnssec-aware
Optional
boolean
Indicates whether or not DNSSEC information should be requested and cached. The default is
false.
Requesting and caching DNSSEC information will significantly increase the amount of network
traffic.
errors
Optional
string
A read-only field that indicates any problems with a specific object's configuration. errors will
only be present if there's a problem.
forward
Optional
(( name , 'first' | 'off' | 'only', (addrport...)) ...)
Causes queries within a specific domain to be forwarded to one or more specific recursive
name servers.
name specifies the domain; first, off or only specify the forwarding mode; and the final addrport is
a list of recursive name servers.
l first: First attempt to use the forwarders. If they do not respond, attempt to resolve the
query.
l off: Disable forwarding for a subdomain. If you specify off, you must leave the server
addrport empty.
l only: Use only the forwarders. If they do not respond, do not attempt to resolve the
query, and let it fail.
hints
Optional
(name, ((name, (addr ...)) ...))
These servers are queried to discover the current set of root servers. If there is no hints field,
this re- solver will use a compiled-in set of root hints. The name must always be . (the root
name), as providing hints for domains other than the root is meaningless.
ignore-first-referral
Optional
boolean
Although it results in a small increase in network traffic, ignore-first-referral reduces the risk of
delegation-spoofing attacks.
log-dnssec
Optional
boolean
When set to true, log-dnssec configures CacheServe to log detailed information about DNSSEC
validation failures. All messages related to DNSSEC validation are logged at priority LOG_INFO,
and log entries are prefixed with "dnssec:".
For log-dnssec to work, you must have DNSSEC trust anchors defined.
log-id-spoofing
Optional
boolean
Configures CacheServe to issue a log message when it suspects an ID spoofing attack. The log
message is only issued when there's a relatively strong suspicion that an actual attack is taking
place.
The id-spoofing-defense-queries statistic tracks the number of times the defense mechanism
has been triggered.
log-lame
Optional
(name ...)
A list of names. Causes CacheServe to log lame delegations and other configuration errors
detected in authoritative servers during resolution. log-lame domains should belong to your
own organization.
When log-lame is enabled, CacheServe will log other errors from authoritative servers in
addition to lame delegations, such as malformed responses, RCODES indicating a server error,
and NS records pointing at CNAMEs.
managed-keys
Optional
(( name , (rdata...)) ...)
A tuple of domain name and rdata that defines DNSSEC managed keys. Each managed-key
domain may include one or more keys, formatted as DNSKEYs (RFC4034).
Managed-keys are similar to trusted-keys, but are automatically maintained (as described in
RFC5011). The set of keys (as well as state) is persistently stored, and maintained over time,
including a periodic refetch of the DNSKEY set.
When managed-keys is initially configured, if there are any keys present for a domain,
CacheServe tries to verify signatures in the retrieved DNSKEY set. If it can't verify any of the
signatures, CacheServe considers the domain insecure.
Managed-keys are normally used only for the root zone, so CacheServe has the current root
key compiled in. If the root domain is specified in the managed-keys field, but no keys are
specified, CacheServe will use that root key to verify the root DNSKEY set.
managed-keys-state
Optional, read-only
((name, { expire => time-in-seconds
has-validated => boolean
keys => ({
created => time-in-seconds
key => string
keyid => integer
next => time-in-seconds
state => 'add-pending' | 'missing' |
'removed' | 'revoked' | 'start' | 'valid'
updated => time-in-seconds
} ...)
last-fetch => time-in-seconds
next-fetch => time-in-seconds
}) ...)
max-cache-size
Optional
sizeval
specifies the maximum amount of memory which can be used by this resolver's cache. The
default is 200M.
Values larger than 16G are treated as 16G, and values smaller than 64M are treated as 64M.
max-cache-ttl
Optional
time-in-seconds
Sets the maximum amount of time for which the server will cache ordinary (positive) answers.
The default is 604800 (7 days).
max-client-ttl
Optional
time-in-seconds
max-client-ttl only affects responses to DNS clients, not actual caching; a DNS record can
remain in the cache for the full amount of time even if clients receive a smaller value.
max-edns-udp-size
Optional
integer
When this field is configured, CacheServe, when sending EDNS queries, advertises that packets
of up to this length (in bytes) can be reassembled. Values smaller than 512 and larger than 4096
are treated as 512 and 4096, respectively.
This option is particularly useful if a firewall or other network device is dropping IP fragments,
because for large packets, this would effectively result in timeouts and resolution failures.
max-ncache-ttl
Optional
time-in-seconds
Specifies the maximum amount of time that CacheServe will cache negative answers. Defaults
to 10800 (3 hours).
max-tcp-recursions
Optional
integer
name
Required
string
negative-trust-anchors
Optional
(name ...)
Turns off DNSSEC validation for a domain, even if that domain is under a security root.
post-edits
Optional
std-layered-edit-operation
pre-edits
Optional
std-layered-edit-operation
prefetch-ratio
Optional
integer
Adjusts CacheServe's criteria for whether or not it issues prefetch queries. The default is 16.
Prefetching is normally performed when a query requests data that's already cached but is set
to expire soon from the cache. This prevents commonly-accessed data from ever expiring.
Note: Changing this value is not recommended, and you should only change it under the
direction of Nominum support.
preload
Optional
(( name , rdatatype, rdata) ...)
Preloads the cache with a fixed resource record, specified by a combination name, rdatatype
and rdata.
Note: preload is specifically intended to predefine reverse and/or forward mapping of either
localhost or the local host name, and should not be used for any other purpose.
preload-nxdomain
Optional
(name ...)
Warning! preload-nxdomain is an option included for the sake of completeness. Don't use it
unless you're specifically told to by Nominum support!
Note: preload-nxdomain affects only a single name; if you want to affect an entire domain, use
synthesize-nxdomain.
preload-nxrrset
Optional
((name, rdatatype) ...)
Note: preload-nxrrset is an option included for the sake of completeness. Don't use it unless
you're specifically told to by Nominum support!
Preloads CacheServe with an indication that no resource record of a given name and type
exists.
For example, to specify that no AAAA record exists for the local hostname:
preload-nxrrset host.domain AAAA
qname-case-randomization
Optional
'enforced' | 'off' | 'silent-enforced' | 'unenforced'
Indicates whether CacheServe should randomize letters in a query name when sending
queries to authoritative servers or forwarders. Defaults to off.
qname-case-randomization-exclusions
Optional
(name ...)
query-source-pool
Optional
(uint16, addrport4)
Sets the address CacheServe will use to send outgoing IPv4 UDP queries, configuring
CacheServe to send from a randomly selected port within a pool of multiple source ports.
The uint16 specifies the number of ports. The maximum number of ports is 2048.
l If the addrport4 is nonzero, ports are allocated sequentially, starting at that number.
l If the addrport4 is zero or empty, ports are chosen randomly.
If you don't specify query-source-pool, CacheServe creates a query source pool with a number
of ports that's appropriate for the OS.
Warning! When you're choosing the number of ports to use, make sure you don't exceed the
OS's file-descriptor limit. Each port uses a file descriptor, and additional file descriptors are
needed for listen-on-matching and things like outgoing and incoming TCP connections.
query-source-pool-v6
Optional
(uint16, addrport6)
Sets the address CacheServe uses to send outgoing IPv6 UDP queries, configuring CacheServe
to send from a randomly selected port within a pool of multiple source ports.
The uint16 specifies the number of ports. The maximum number of ports is 2048.
l If the addrport6 is nonzero, ports are allocated sequentially, starting at that number.
l If the addrport6 is zero or empty, ports are chosen randomly.
If you don't specify query-source-pool-v6 and CacheServe has been configured to use IPv6
transport (by including type AAAA in server-address-lookup-order), CacheServe creates a
query source pool with an appropriate number of ports for the OS.
Format:
Warning! When you're choosing the number of ports to use, make sure you don't exceed the
OS's file-descriptor limit. Each port uses a file descriptor, and additional file descriptors are
needed for listen-on-matching and things like outgoing and incoming TCP connections.
rrset-order
Optional
'cyclic' | 'fixed' | 'random'
Sets the order in which resource records (RRs) in a resource record set (RRset) are added to a
response. The default is cyclic.
l cyclic configures CacheServe to use a random starting point in the list of RRs and wrap
around to the beginning of the list when the end is reached.
l fixed configures CacheServe to always emit RRs in the order in which they are stored.
l random configures CacheServe to use a random permutation of the RRs.
server-address-lookup-order
Optional
('A' | 'AAAA' ...)
Defines the order in which CacheServe should use IPv4 or IPv6 server addresses.
The argument is a list of address record types that may be either A or AAAA.
The default is A, which configures CacheServe to use only IPv4 addresses for nameserver
addresses, and thus IPv4 transport only for communications with the authoritative server.
The same value may not occur multiple times in the list, and only nameserver addresses of the
specified types are used, in the listed order.
For example, if your site has some IPv6 connectivity to the Internet, you can specify (A AAAA),
and CacheServe will attempt IPv4 first; if your site has mostly IPv6 connectivity, you can specify
(AAAA A) and CacheServe will attempt IPv6 first.
stub
Optional
(( boolean , (( boolean , (addrport ...)) ...)) ...)
Queries within each domain are resolved as if the specified servers were delegated authority
for that domain.
Warning! A specific domain may only appear once per stub per resolver, and you can't have
the same entry in both stub and synthesize-nxdomain.
The main use for stub resolution is in situations where you need to resolve a domain using a
particular set of servers that haven't actually been delegated authority.
For example, if you're using RFC1918 private addresses (10.*), you might want to define a stub
for 10.in-addr.arpa, so that queries for that domain get directed to your own set of internal
authoritative servers.
synthesize-nxdomain
Optional
(name ...)
Configures CacheServe to return synthetic NXDOMAIN responses for all queries within the
specified domains.
Note: If you need to return PTR records for RFC1918 addresses, use a stub pointing at one or
more authoritative servers configured with the right reverse mapping data!
trusted-keys
Optional
((name, (rdata ...)) ...)
Defines DNSSEC trusted keys. Enabling this option automatically enables dnssec-aware, and
configures CacheServe to perform DNSSEC verification on all DNS data in a subdomain of a
security root.
The trusted−keys field can contain multiple key entries,each consisting of the key’s domain
name and rdata. If any trusted-keys are defined, DNSSEC information will be requested and
cached as if the dnssec−aware option were enabled.
Events
resolvers report the following events:
l resolver.changed
l resolver.flush
l resolver.id-spoofing-suspected
server
servers represent complete CacheServe configurations, and changes made to a server will
globally affect all other configuration elements within the scope of that server's influence.
Command Description
Command Description
Supported Fields
Servers support the following fields:
commands-not-logged
Optional
boolean
Specifies whether or not DNSSEC information should be requested and cached when log-
command-channel is enabled.
errors
Optional
string
A read-only field that indicates any problems with a specific object's configuration. errors will
only be present if there's a problem.
listen-on-matching
Optional
({
instances => integer
patterns => (acl-element ...)
port => uint16
} ...)
Configures CacheServe to listen for incoming DNS queries on addresses which match specified
patterns and ports. If no listen-on-matching value is given, CacheServe listens on all interfaces
on the default port (53).If port is 0 or not specified, CacheServe listens on the port specified by
the --dns-port command-line option, which defaults to the standard DNS port of 53.
listen-on-matching can contain multiple elements, which allows different listener ports to be
specified.patterns defaults to an ACL which matches any address.To listen on all interfaces, use
a pattern of 0.0.0.0/0 (IPv4) or ::/0 (IPv6).instances takes advantage of certain relatively new Linux
features, which permit multiple sockets listening on a single address and port. If you have this
capability, set instances to the number of desired UDP sockets.
instances defaults to 0, which configures CacheServe to use the best number of UDP sockets for
maximum concurrency. If instances is set to 0 and the interface is a loopback interface, or an
IPv6 link-local address, only 1 socket will be created.
For example, here's how you specify listen-on-matching to use 16 instances on the IP address
192.168.1.1 and 1 instance on 127.0.0.1, port 5334:
cacheserve> server.update listen-on-matching=({patterns=(192.168.1.1)
instances=16}{patterns=(127.0.0.1) port=5354})
{
type => 'server.update'
}
cacheserve> server.get
{
type => 'server.get'
listen-on-matching => (
{
patterns => ('192.168.1.1/32')
instances => '16'
}
{
patterns => ('127.0.0.1/32')
port => '5354'
}
)
}
log-command-channel
Optional
boolean
Controls whether or not Command Channel messages are logged. When set to true,
commands are logged at the LOG_INFO priority, and large commands are truncated.
max-recursive-clients
Optional
integer
An integer that specifies the maximum number of recursive UDP lookups that can occur at any
one time. The default is 5000, and values over 50,000 are capped at 50,000.
The limit applies equally to recursive lookups coming from UDP clients and lookups that are
generated internally.
max-tcp-clients
Optional
integer
Controls the maximum number of TCP client connections at any one time. The default is 4.
preload
Optional
(( name , rdatatype, rdata) ...)
Preloads the cache with a fixed resource record, specified by a combination name, rdatatype
and rdata.
Note: preload is specifically intended to predefine reverse and/or forward mapping of either
localhost or the local host name, and should not be used for any other purpose.
post-edits
Optional
std-layered-edit-operation
pre-edits
Optional
std-layered-edit-operation
server-id
Optional
string-empty-ok
The server ID used to populate the server.id and bind.id values in responses to DNS CH TXT
queries for the server's ID, as well as NSID EDNS responses.
If server-id is empty or set to the literal string "none", CacheServe will refuse all queries for the
server ID, and ignore NSID requests.
server-version
Optional
string-empty-ok
The server version used to populate the version.server and version.bind values in responses to
DNS CH TXT queries for version.server and version.bind.
If server-version is set to the literal string "none", CacheServe will refuse all queries for the
server version. If server-version is empty, CacheServe will respond with the actual software
version.
time-zone
Optional
string
Identifies the timezone CacheServe will use. Values must match an entry in the 'TZ' column of
the IANA tzdb.
versioncheck-interval
Optional
versioncheck-days
Specifies how often CacheServe should check for a newer version. Defaults to 7, with a
minimum of 1 and a maximum of 30.
Events
servers report the following events:
l server.changed
l server.configuration-error
l server.formerr-loop
l server.restart
l server.stop
l server.tcp-client-limit
l server.udp-recursion-limit
view
views represent a customizable DNS namespace.
Command Description
view.update Updates a view with new values or resets values to their defaults.
Supported Fields
Views support the following fields:
errors
Optional
string
A read-only field that indicates any problems with a specific object's configuration. errors will
only be present if there's a problem.
name
Required
string
post-edits
Optional
std-layered-edit-operation
pre-edits
Optional
std-layered-edit-operation
time-zone
Optional
string
Identifies the timezone CacheServe will use. Values must match an entry in the 'TZ' column of
the IANA tzdb.
Events
views report the following events:
l view.changed
view-selector
view-selectors map DNS requests to views based on the source and destination addresses of
the request.
Command Description
Supported Fields
View-selectors take the following fields:
destination-address
Optional
addrport
errors
Optional
string
A read-only field that indicates any problems with a specific object's configuration. errors will
only be present if there's a problem.
post-edits
Optional
std-layered-edit-operation
pre-edits
Optional
std-layered-edit-operation
source-address
Optional
addrpat
view
Optional
string
Events
view-selectors report the following events:
l view-selector.changed
Fields
name
Required
string
layer
Optional
string
post-edits
Optional
std-layered-edit-operation
pre-edits
Optional
std-layered-edit-operation
Examples
cacheserve> address-list.add name=my-list
{
address-list.delete
Description and usage
Deletes an address-list.
Fields
name
Required
string
layer
Optional
string
Examples
cacheserve> address-list.delete name=my-list
{
type => 'address-list.delete'
}
address-list.dump
Description and usage
Dumps the contents of the specified list to the file address-list.dump in cacheserve's working
directory.
Fields
name
Required
string
Examples
cacheserve> address-list.dump name=my-list
{
type => 'address-list.dump'
}
cacheserve> quit
[root@test cacheserve]# pwd
/var/nom/cacheserve
[root@test cacheserve]# ls -al
total 1589004
drwxr-xr-x 3 root root 4096 Jun 24 11:13 .
drwxr-xr-x 6 root root 4096 Jun 24 02:28 ..
-rw-r--r-- 1 root root 0 Jun 24 13:27 address-list.dump
address-list.get
Description and usage
Retrieves an address-list, returning details of the list.
Fields
name
Required
string
exclude-fields
Optional
string
fields
Optional
string
layer
Optional
string
Examples
cacheserve> address-list.get name=my-list
{
type => 'address-list.get'
name => 'my-list'
count => '0'
}
address-list.list
Description and usage
Lists address-lists, optionally sorted by various criteria.
Fields
descending
Optional
string
end
Optional
{
address => string
list => string
}
key
Optional
string
layer
Optional
string
max-results
Optional
integer
skip-first
start
Optional
{
address => string
list => string
}
Examples
cacheserve> address-list.list
{
address-list.load
Description and usage
Loads a set of address-lists from a file designated by the file parameter, optionally replacing
existing entries.
Each line of file must contain a single entry, consisting of a sequence of two whitespace-
delimited tokens:
For example:
192.168.1.2/24
192.168.1.1/24 -
If there are any errors in file, the entire operation is cancelled and an error is returned.
To have address-list.load add the contents of file to the existing entries, and silently ignore
existing entries, set replace to false (the default).
To have address-list.load replace all existing entries with the contents of file, set replace to true.
Fields
name
Required
string
file
Required
string
replace
Optional
boolean
Indicates whether the contents of file should merge with or replace existing entries.
Examples
cacheserve> address-list.load name=loadlist file=/tmp/address-list-load-file
{
type => 'address-list.load'
}
address-list.mget
Description and usage
Retrieves multiple address-lists.
Fields
descending
Optional
string
end
Optional
{
name => string
}
exclude-fields
Optional
string
fields
Optional
string
key
Optional
string
layer
Optional
string
max-results
Optional
integer
skip-first
start
Optional
{
name => string
}
name
Required
string
Examples
cacheserve> address-list.mget
{
type => 'address-list.mget'
name => 'loadlist'
count => '1'
}
{
name => 'my-list'
count => '0'
}
address-list.replace
Description and usage
Replaces all fields of an address-list.
Fields
name
Required
string
layer
Optional
string
post-edits
Optional
std-layered-edit-operation
pre-edits
Optional
std-layered-edit-operation
address-list.update
Description and usage
Updates one or more fields of an address-list.
Fields
name
Required
string
layer
Optional
string
post-edits
Optional
std-layered-edit-operation
pre-edits
Optional
std-layered-edit-operation
unset
Optional
string
Note: When unset is invoked upon a field, the field is emptied, and CacheServe will treat the
field as required (for instance, populating the field with a default value if necessary).
Examples
cacheserve> address-list.update name=my-list layer=operator
{
type => 'address-list.update'
}
address-node.add
Description and usage
Creates a new address-node.
Fields
address
Required
addrpat
layer
Optional
string
list
Required
string
post-edits
Optional
std-layered-edit-operation
pre-edits
Optional
std-layered-edit-operation
tag
Optional
string
address-node.delete
Description and usage
Deletes an address-node.
Fields
list
Required
string
name
Required
string
layer
Optional
string
address-node.get
Description and usage
Retrieves an address-node.
Fields
address
Required
addrpat
list
Required
string
exclude-fields
Optional
string
fields
Optional
string
layer
Optional
string
address-node.list
Description and usage
Lists address-nodes, optionally sorted by various criteria.
Fields
list
Optional
string
descending
Optional
string
end
Optional
{
address => addrpat
list => string
}
key
Optional
string
layer
Optional
string
max-results
Optional
integer
skip-first
start
Optional
{
address => addrpat
list => string
}
address-node.mget
Description and usage
Retrieves multiple address-nodes.
Fields
list
Optional
string
descending
Optional
string
end
Optional
{
address => addrpat
list => string
}
key
Optional
string
layer
Optional
string
max-results
Optional
integer
skip-first
start
Optional
{
address => addrpat
list => string
}
address-node.replace
Description and usage
Replaces all fields of an address-node.
Fields
address
Required
addrpat
list
Required
string
layer
Optional
string
post-edits
Optional
std-layered-edit-operation
pre-edits
Optional
std-layered-edit-operation
tag
Optional
string
address-node.update
Description and usage
Updates one or more fields of an address-node.
Fields
address
Required
addrpat
list
Required
string
layer
Optional
string
post-edits
Optional
std-layered-edit-operation
pre-edits
Optional
std-layered-edit-operation
tag
Optional
string
unset
Optional
string
Note: When unset is invoked upon a field, the field is emptied, and CacheServe will treat the
field as required (for instance, populating the field with a default value if necessary).
binding.add
Description and usage
Creates a new binding.
Fields
name
Required
string
priority
Required
integer
The priority of a policy-binding operation. Priorities affect the execution order of policies.
Priorities are ranked by the lowest value, with 0 being the most important priority. Policies with
a lower priority value are executed before policies with a higher priority value.
As some policies execute before DNS resolution is performed, and other policies execute after
DNS resolution is performed, policies are only compared to other policies that are executing at
the same time.
If multiple bindings specify the same priority, the order of execution is considered undefined.
Therefore, you should consider specifying priorities with some flexibility to them. For example,
instead of using the priorities 0, 1, 2, 3, 4 and so on, you may want to consider using 0, 10, 20, 30,
40 or even 0, 100, 200, 300, 400.
layer
Optional
string
policy
Optional
string
post-edits
Optional
std-layered-edit-operation
pre-edits
Optional
std-layered-edit-operation
server
Optional
boolean
view
Optional
string
when
Optional
postquery prequery | presend
Specifies the time in the DNS processing cycle when a policy-binding operation should execute.
prequery
bindings are executed prior to cache lookup and/or resolution. DNS processing is aborted if a
prequery binding produces a response. If a CNAME or DNAME is followed, prequery bindings
may be executed multiple times for a single query.
postquery
bindings are executed after prequery bindings and/or normal DNS processing. If a CNAME or
DNAME is followed, postquery bindings may be executed multiple times for a single query.
presend
bindings are executed after the full DNS response has been constructed, immediately prior to
sending the response.
binding.delete
Description and usage
Deletes a binding.
Fields
policy
Optional
string
layer
Optional
string
server
Optional
boolean
view
Optional
string
binding.get
Description and usage
Retrieves a policy binding.
Fields
policy
Optional
string
exclude-fields
Optional
string
fields
string
layer
Optional
string
server
Optional
boolean
view
Optional
string
binding.list
Description and usage
Lists policy bindings, optionally sorted by various criteria.
Fields
policy
Optional
string
descending
Optional
string
end
Optional
{
policy => string
server => '1'
view => string
}
key
Optional
string
layer
Optional
string
max-results
Optional
integer
server
Optional
boolean
skip-first
start
Optional
{
policy => string
server => '1'
view => string
}
view
Optional
string
binding.mget
Description and usage
Retrieves multiple bindings.
Fields
policy
Optional
string
descending
Optional
string
end
Optional
{
policy => string
server => '1'
view => string
}
key
Optional
string
layer
Optional
string
max-results
Optional
integer
server
Optional
boolean
skip-first
start
Optional
{
policy => string
server => '1'
view => string
}
view
Optional
string
binding.replace
Description and usage
Replaces all fields of a policy binding.
Fields
name
Required
string
priority
Required
integer
The priority of a policy-binding operation. Priorities affect the execution order of policies.
Priorities are ranked by the lowest value, with 0 being the most important priority. Policies with
a lower priority value are executed before policies with a higher priority value.
As some policies execute before DNS resolution is performed, and other policies execute after
DNS resolution is performed, policies are only compared to other policies that are executing at
the same time.
If multiple bindings specify the same priority, the order of execution is considered undefined.
Therefore, you should consider specifying priorities with some flexibility to them. For example,
instead of using the priorities 0, 1, 2, 3, 4 and so on, you may want to consider using 0, 10, 20, 30,
40 or even 0, 100, 200, 300, 400.
layer
Optional
string
policy
Optional
string
post-edits
Optional
std-layered-edit-operation
pre-edits
Optional
std-layered-edit-operation
server
Optional
boolean
view
Optional
string
when
Optional
postquery prequery | presend
Specifies the time in the DNS processing cycle when a policy-binding operation should execute.
prequery
bindings are executed prior to cache lookup and/or resolution. DNS processing is aborted if a
prequery binding produces a response. If a CNAME or DNAME is followed, prequery bindings
may be executed multiple times for a single query.
postquery
bindings are executed after prequery bindings and/or normal DNS processing. If a CNAME or
DNAME is followed, postquery bindings may be executed multiple times for a single query.
presend
bindings are executed after the full DNS response has been constructed, immediately prior to
sending the response.
binding.update
Description and usage
Updates the fields of a policy binding.
Fields
name
Required
string
priority
Required
integer
The priority of a policy-binding operation. Priorities affect the execution order of policies.
Priorities are ranked by the lowest value, with 0 being the most important priority. Policies with
a lower priority value are executed before policies with a higher priority value.
As some policies execute before DNS resolution is performed, and other policies execute after
DNS resolution is performed, policies are only compared to other policies that are executing at
the same time.
If multiple bindings specify the same priority, the order of execution is considered undefined.
Therefore, you should consider specifying priorities with some flexibility to them. For example,
instead of using the priorities 0, 1, 2, 3, 4 and so on, you may want to consider using 0, 10, 20, 30,
40 or even 0, 100, 200, 300, 400.
layer
Optional
string
post-edits
Optional
std-layered-edit-operation
pre-edits
Optional
std-layered-edit-operation
policy
Optional
string
server
Optional
boolean
when
Optional
postquery prequery | presend
Specifies the time in the DNS processing cycle when a policy-binding operation should execute.
prequery
bindings are executed prior to cache lookup and/or resolution. DNS processing is aborted if a
prequery binding produces a response. If a CNAME or DNAME is followed, prequery bindings
may be executed multiple times for a single query.
postquery
bindings are executed after prequery bindings and/or normal DNS processing. If a CNAME or
DNAME is followed, postquery bindings may be executed multiple times for a single query.
presend
bindings are executed after the full DNS response has been constructed, immediately prior to
sending the response.
view
Optional
string
unset
Optional
string
Note: When unset is invoked upon a field, the field is emptied, and CacheServe will treat the
field as required (for instance, populating the field with a default value if necessary).
connection.get
Description and usage
Retrieves a connection configuration.
Fields
exclude-fields
Optional
string
fields
Optional
string
connection.replace
Description and usage
Replaces field values for a Command Channel connection configuration.
Fields
events
Optional
event-name
idle-timeout
Optional
time-in-seconds
Specifies the amount of time before a connection will be closed in the absence of traffic.
Defaults to 5 minutes (300 seconds). If any events are specified for the connection, there is no
timeout.
connection.subscribe-all
A boolean that when specified, subscribes this connection to all events, overriding any previous
list of requested events.
connection.update
Description and usage
Updates the fields of a Command Channel connection.
Fields
events
Optional
event-name
idle-timeout
Optional
time-in-seconds
Specifies the amount of time before a connection will be closed in the absence of traffic.
Defaults to 5 minutes (300 seconds). If any events are specified for the connection, there is no
timeout.
unset
Optional
string
Note: When unset is invoked upon a field, the field is emptied, and CacheServe will treat the
field as required (for instance, populating the field with a default value if necessary).
dns64.add
Description and usage
Creates a new dns64 layer.
Fields
name
Required
string
prefix
Required
addrpat6
The prefix must exactly match one of the following bit lengths:
l 32
l 40
l 48
l 56
l 64
l 96
exclude
Optional
(acl-element6 ...)
If present, removes any IPv6 addresses (in AAAA records) matching this acl from responses
that contain them.
If no AAAA records remain after exclusion, the response is processed as if the original AAAA
query returned a NOERROR or NODATA response.
layer
Optional
string
mapped
Optional
(acl-element ...)
Specifies an ACL instructing CacheServe to map only certain IPv4 A records into IPv6 AAAA
records.
post-edits
Optional
std-layered-edit-operation
pre-edits
Optional
std-layered-edit-operation
suffix
Optional
addr6
An addr6 specifying the bits that will trail IPv6 addresses constructed from IPv4 addresses.
Any bits specified in the suffix must not overlap bits in the prefix, reserved bits, or the mapped
IPv4 address.
dns64.delete
Description and usage
Deletes a dns64 configuration.
Fields
name
Required
string
layer
Optional
string
dns64.get
Description and usage
Retrieves a dns64 configuration.
Fields
name
Required
string
exclude-fields
Optional
string
fields
Optional
string
layer
Optional
string
dns64.list
Description and usage
Lists dns64 configurations, optionally sorted by various criteria.
Fields
descending
Optional
string
end
Optional
{
name => string
}
key
Optional
string
layer
Optional
string
max-results
Optional
integer
skip-first
start
Optional
{
name => string
}
dns64.mget
Description and usage
Retrieves multiple DNS64 configurations.
Fields
descending
Optional
string
end
Optional
{
name => string
}
exclude-fields
Optional
string
fields
Optional
string
key
Optional
string
layer
Optional
string
max-results
Optional
integer
skip-first
start
Optional
{
name => string
}
dns64.replace
Description and usage
Replaces values for a dns64 layer.
Fields
name
Required
string
prefix
Required
addrpat6
The prefix must exactly match one of the following bit lengths:
l 32
l 40
l 48
l 56
l 64
l 96
exclude
Optional
(acl-element6 ...)
If present, removes any IPv6 addresses (in AAAA records) matching this acl from responses
that contain them.
If no AAAA records remain after exclusion, the response is processed as if the original AAAA
query returned a NOERROR or NODATA response.
layer
Optional
string
mapped
Optional
(acl-element ...)
Specifies an ACL instructing CacheServe to map only certain IPv4 A records into IPv6 AAAA
records.
post-edits
Optional
std-layered-edit-operation
pre-edits
Optional
std-layered-edit-operation
suffix
Optional
addr6
An addr6 specifying the bits that will trail IPv6 addresses constructed from IPv4 addresses.
Any bits specified in the suffix must not overlap bits in the prefix, reserved bits, or the mapped
IPv4 address.
dns64.update
Description and usage
Updates fields for a dns64 layer.
Fields
name
Required
string
exclude
Optional
(acl-element6 ...)
If present, removes any IPv6 addresses (in AAAA records) matching this acl from responses
that contain them.
If no AAAA records remain after exclusion, the response is processed as if the original AAAA
query returned a NOERROR or NODATA response.
layer
Optional
string
mapped
Optional
(acl-element ...)
Specifies an ACL instructing CacheServe to map only certain IPv4 A records into IPv6 AAAA
records.
post-edits
Optional
std-layered-edit-operation
pre-edits
Optional
std-layered-edit-operation
prefix
Required
addrpat6
The prefix must exactly match one of the following bit lengths:
l 32
l 40
l 48
l 56
l 64
l 96
suffix
Optional
addr6
An addr6 specifying the bits that will trail IPv6 addresses constructed from IPv4 addresses.
Any bits specified in the suffix must not overlap bits in the prefix, reserved bits, or the mapped
IPv4 address.
unset
Optional
string
Note: When unset is invoked upon a field, the field is emptied, and CacheServe will treat the
field as required (for instance, populating the field with a default value if necessary).
instance-information
Description and usage
Retrieves the server's instance ID and information about all instances of the server's partners.
Returns
instance-id
uuid
partners
integer
Returns instance information about the server's partners as a combination of (uuid, string,
string), where:
layer.add
Description and usage
Creates a new layer.
Fields
name
Required
string
priority
Required
integer
The priority of a layer. Layers are ranked by the lowest value, with 0 being the most important
layer. Layers with a lower priority value take precedence over layers with a higher priority value.
The operator layer is always priority 0 and has precedence over all other layers: the operator
layer cannot be deleted.
channel
string
A Command Channel service name, as defined in the local channel configuration file (usually
/etc/channel.conf).
This service should point to a provisioning server, and may not coexist with the server field.
hidden
Optional
boolean
A value that indicates whether or not a layer affects the server's active configuration. Changing
this value forces an automatic server restart.
If hidden is set to true, the layer's contents do NOT affect the server's active configuration. For
provisioned layers, provisioning changes will be applied, but have no visible effect until the layer
is unhidden.
If hidden is set to false (the default), the layer's contents affect the server's active configuration.
server
Optional
addr-or-nameuint16, string-empty-ok
The system's resolver configuration is used to resolve the server's DNS name.
Examples
cacheserve> layer.add name=second-layer priority=10
{
type => 'layer.add'
}
layer.clear-fault
Description and usage
If the layer's provisioning session has entered the faulted state, layer.clear-fault forces the
server to clear the fault and make an attempt to reestablish communications with the
provisioning server.
Fields
name
Required
string
layer.delete
Description and usage
Deletes a layer.
Fields
name
Required
string
layer.get
Description and usage
Retrieves a layer.
Fields
name
Required
string
exclude-fields
Optional
string
fields
Optional
string
layer.list
Description and usage
Lists layers, optionally sorted by various criteria.
Fields
descending
Optional
string
end
Optional
{
name => string
}
key
Optional
string
max-results
Optional
integer
skip-first
start
Optional
{
name => string
}
layer.mget
Description and usage
Retrieves multiple layers.
Fields
descending
Optional
string
end
Optional
{
name => string
}
exclude-fields
Optional
string
fields
Optional
string
key
Optional
string
layer
Optional
string
max-results
Optional
integer
skip-first
start
Optional
{
name => string
}
layer.reimage
Description and usage
Reimages a layer, erasing all configuration data from the layer and then reloading the layer's
configuration from the provisioning server.
Fields
name
Required
string
layer.replace
Description and usage
Replaces values for a layer.
Fields
name
Required
string
priority
Required
integer
The priority of a layer. Layers are ranked by the lowest value, with 0 being the most important
layer. Layers with a lower priority value take precedence over layers with a higher priority value.
The operator layer is always priority 0 and has precedence over all other layers: the operator
layer cannot be deleted.
channel
string
A Command Channel service name, as defined in the local channel configuration file (usually
/etc/channel.conf).
This service should point to a provisioning server, and may not coexist with the server field.
hidden
Optional
boolean
A value that indicates whether or not a layer affects the server's active configuration. Changing
this value forces an automatic server restart.
If hidden is set to true, the layer's contents do NOT affect the server's active configuration. For
provisioned layers, provisioning changes will be applied, but have no visible effect until the layer
is unhidden.
If hidden is set to false (the default), the layer's contents affect the server's active configuration.
server
Optional
addr-or-nameuint16, string-empty-ok
The system's resolver configuration is used to resolve the server's DNS name.
layer.update
Description and usage
Updates values for a layer.
Fields
name
Required
string
priority
Required
integer
The priority of a layer. Layers are ranked by the lowest value, with 0 being the most important
layer. Layers with a lower priority value take precedence over layers with a higher priority value.
The operator layer is always priority 0 and has precedence over all other layers: the operator
layer cannot be deleted.
channel
string
A Command Channel service name, as defined in the local channel configuration file (usually
/etc/channel.conf).
This service should point to a provisioning server, and may not coexist with the server field.
hidden
Optional
boolean
A value that indicates whether or not a layer affects the server's active configuration. Changing
this value forces an automatic server restart.
If hidden is set to true, the layer's contents do NOT affect the server's active configuration. For
provisioned layers, provisioning changes will be applied, but have no visible effect until the layer
is unhidden.
If hidden is set to false (the default), the layer's contents affect the server's active configuration.
server
Optional
addr-or-nameuint16, string-empty-ok
The system's resolver configuration is used to resolve the server's DNS name.
unset
Optional
string
Note: When unset is invoked upon a field, the field is emptied, and CacheServe will treat the
field as required (for instance, populating the field with a default value if necessary).
name-list.add
Description and usage
Creates a new name-list.
Fields
name
Required
string
layer
Optional
string
post-edits
Optional
std-layered-edit-operation
pre-edits
Optional
std-layered-edit-operation
name-list.delete
Description and usage
Deletes a name-list.
Fields
name
Required
string
layer
Optional
string
name-list.dump
Description and usage
Dumps the content of a list to the file name-list.dump in the server's current working directory.
Fields
name
Required
string
name-list.get
Description and usage
Retrieves a name-list.
Fields
name
Required
string
exclude-fields
Optional
string
fields
Optional
string
layer
Optional
string
name-list.list
Description and usage
Lists name-list configurations, optionally sorted by various criteria.
Fields
descending
Optional
string
end
Optional
{
name => string
}
key
Optional
string
layer
Optional
string
max-results
Optional
integer
skip-first
start
Optional
{
name => string
}
name-list.load
Description and usage
Loads a set of names to a name-list from a file designated by the file parameter, optionally
replacing existing entries.
Each line of file must contain a single entry, consisting of a sequence of two whitespace-
delimited tokens:
1. A DNS name (names containing whitespace must be quoted or have their whitespace
escaped).
2. One or two optional parameters:
1. A '-', which indicates that the IP network should be deleted, or
2. X:t if the name has been encrypted.
For example:
example.net
example.org -
If there are any errors in file, the entire operation is cancelled and an error is returned.
To have name-list.load add the contents of file to the existing entries, and silently ignore existing
entries, set replace to false (the default).
To have name-list.load replace all existing entries with the contents of file, set replace to true.
Fields
name
Required
string
file
Required
string
replace
Optional
boolean
Indicates whether the contents of file should merge with or replace existing entries.
Examples
cacheserve> name-list.load name=loadlist file=/tmp/name-list-load-file
{
type => 'name-list.load'
}
name-list.mget
Description and usage
Retrieves multiple name-lists.
Fields
descending
Optional
string
end
Optional
{
name => string
}
exclude-fields
Optional
string
fields
Optional
string
key
Optional
string
layer
Optional
string
max-results
Optional
integer
skip-first
start
Optional
{
name => string
}
name
Required
string
name-list.replace
Description and usage
Replaces all fields of an name-list.
Fields
name
Required
string
layer
Optional
string
post-edits
Optional
std-layered-edit-operation
pre-edits
Optional
std-layered-edit-operation
name-list.update
Description and usage
Updates one or more fields of a name-list.
Fields
name
Required
string
layer
Optional
string
post-edits
Optional
std-layered-edit-operation
pre-edits
Optional
std-layered-edit-operation
unset
Optional
string
Note: When unset is invoked upon a field, the field is emptied, and CacheServe will treat the
field as required (for instance, populating the field with a default value if necessary).
name-node.add
Description and usage
Creates a new name-node.
Fields
list
Required
string
name
Required
string
encrypt
Optional
boolean
If true, instructs CacheServe to encrypt the node's name before trying to find or define it.
encrypted
Optional
boolean
layer
Optional
string
post-edits
Optional
std-layered-edit-operation
pre-edits
Optional
std-layered-edit-operation
tag
Optional
string
name-node.delete
Description and usage
Deletes a name-node.
Fields
encrypt
Optional
boolean
If true, instructs CacheServe to encrypt the node's name before trying to find or define it.
layer
Optional
string
name
Required
string
name-node.get
Description and usage
Retrieves a name-node.
Fields
list
Required
string
name
Required
string
encrypt
Optional
boolean
If true, instructs CacheServe to encrypt the node's name before trying to find or define it.
exclude-fields
Optional
string
fields
Optional
string
layer
Optional
string
name-node.list
Description and usage
Lists name-nodes, optionally sorted by various criteria.
Fields
descending
Optional
string
end
Optional
{
list => string
name => name
}
key
Optional
string
layer
Optional
string
list
Optional
string
max-results
Optional
integer
skip-first
start
Optional
{
list => string
name => name
}
name-node.mget
Description and usage
Retrieves multiple name-nodes.
Fields
descending
Optional
string
end
Optional
{
list => string
name => name
}
key
Optional
string
layer
Optional
string
list
Optional
string
max-results
Optional
integer
skip-first
start
Optional
{
list => string
name => name
}
name-node.replace
Description and usage
Replaces all fields of a name-node.
Fields
list
Required
string
name
Required
string
encrypt
Optional
boolean
If true, instructs CacheServe to encrypt the node's name before trying to find or define it.
encrypted
Optional
boolean
layer
Optional
string
post-edits
Optional
std-layered-edit-operation
pre-edits
Optional
std-layered-edit-operation
tag
Optional
string
name-node.update
Description and usage
Updates one or more fields of a name-node.
Fields
list
Required
string
name
Required
string
encrypt
Optional
boolean
If true, instructs CacheServe to encrypt the node's name before trying to find or define it.
encrypted
Optional
boolean
layer
Optional
string
post-edits
Optional
std-layered-edit-operation
pre-edits
Optional
std-layered-edit-operation
tag
Optional
string
unset
Optional
string
Note: When unset is invoked upon a field, the field is emptied, and CacheServe will treat the
field as required (for instance, populating the field with a default value if necessary).
policy.add
Description and usage
Creates a new policy.
Fields
action
Optional
policy-action
The policy-action the policy should run when applied to a query. If this field is empty, no action
is taken.
layer
Optional
string
children
Optional
string
A list of strings identifying child policies attached to the current policy. All children are executed
immediately after the parent policy.
post-edits
Optional
std-layered-edit-operation
pre-edits
Optional
std-layered-edit-operation
selector
Required
policy-selector
A policy-selector that identifies selection criteria. The associated policy is applied to a query if
the selector criteria match, and the policy is bound to either the server object or the view
matching the query.
The boolean AND and OR selectors support lists of selectors, and the NOT selector inverts the
result of another selector.
The default is (qtype (A AAAA)), which matches all A and AAAA queries.
policy.delete
Description and usage
Deletes a policy.
Fields
name
Required
string
layer
Optional
string
policy.get
Description and usage
Retrieves a policy.
Fields
name
Required
string
exclude-fields
Optional
string
fields
Optional
string
layer
Optional
string
policy.list
Description and usage
Lists policy configurations, optionally sorted by various criteria.
Fields
descending
Optional
string
end
Optional
{
name => string
}
key
Optional
string
layer
Optional
string
max-results
Optional
integer
skip-first
start
Optional
{
name => string
}
policy.mget
Description and usage
Retrieves multiple policies.
Fields
descending
Optional
string
end
Optional
{
name => string
}
key
Optional
string
layer
Optional
string
list
Optional
string
max-results
Optional
integer
skip-first
start
Optional
{
name => string
}
policy.replace
Description and usage
Replaces all fields of a policy.
Field
action
Optional
policy-action
The policy-action the policy should run when applied to a query. If this field is empty, no action
is taken.
layer
Optional
string
children
Optional
string
A list of strings identifying child policies attached to the current policy. All children are executed
immediately after the parent policy.
post-edits
Optional
std-layered-edit-operation
pre-edits
Optional
std-layered-edit-operation
selector
Required
policy-selector
A policy-selector that identifies selection criteria. The associated policy is applied to a query if
the selector criteria match, and the policy is bound to either the server object or the view
matching the query.
The boolean AND and OR selectors support lists of selectors, and the NOT selector inverts the
result of another selector.
The default is (qtype (A AAAA)), which matches all A and AAAA queries.
policy.simulate
Description and usage
Simulates the execution of a policy, reporting on the result of each policy.
Note: Policy simulation isn't quite the same thing as policy execution. The key differences:
simulation only performs a single lookup (it doesn't follow CNAMEs), and simulation doesn't
actually construct the DNS response, which means the response-size policy-selector won't
work.
Fields
client
Optional
addr
The client address of the simulated query. If no client is specified, the client-address policy-
selector will never match.
initial-qname
Optional
name
The initial query name of the simulated query. You only need this if you're attempting to
simulate the subsequent part of a query that has followed a CNAME.
qname
Optional
name
qtype
Required
rdatatype
start-time
Optional
seconds-since-epoch
tcp
Optional
boolean
Indicates whether or not the simulated query should be processed as if it were received via
TCP.
view
Optional
string
Returns
policy.simulate returns, in order, a list of evaluated policies, identifying the policy name and
whether it matched or not.
Policies directly associated with bindings return the object to which it's bound (view or server),
as well as the time at which it executes (prequery, postquery, or presend) and the priority.
Format:
({
match => boolean
parent => string
policy => string
priority => integer
server => string
view => string
when => 'postquery' | 'prequery' | 'presend'
} ...)
policy.update
Description and usage
Updates all fields of a policy.
Field
action
Optional
policy-action
The policy-action the policy should run when applied to a query. If this field is empty, no action
is taken.
children
Optional
string
A list of strings identifying child policies attached to the current policy. All children are executed
immediately after the parent policy.
layer
Optional
string
post-edits
Optional
std-layered-edit-operation
pre-edits
Optional
std-layered-edit-operation
selector
Required
policy-selector
A policy-selector that identifies selection criteria. The associated policy is applied to a query if
the selector criteria match, and the policy is bound to either the server object or the view
matching the query.
The boolean AND and OR selectors support lists of selectors, and the NOT selector inverts the
result of another selector.
The default is (qtype (A AAAA)), which matches all A and AAAA queries.
unset
Optional
string
Note: When unset is invoked upon a field, the field is emptied, and CacheServe will treat the
field as required (for instance, populating the field with a default value if necessary).
process-information
Description and usage
Retrieves process information for the server.
Returns
arguments
string
current-time
float-seconds-since-epoch
The server's current time, in seconds and microseconds since the UNIX epoch (January 1, 1970,
0:00:00 UTC).
instance
integer
The instance identifier of this process, if any. The instance identifier can be set by passing the --
instance option to the server, if the server supports it.
license
unparsed
node-id
uuid
The node identifier of the system on which the server process is running.
pid
integer
start-time
float-seconds-since-epoch
The time the server was started, in seconds and microseconds since the UNIX epoch (January
1, 1970, 0:00:00 UTC).
working-directory
string
ratelimiter.add
Description and usage
Adds a ratelimiter.
Fields
name
Required
string
fields
Required
string
bps
Optional
integer
layer
Optional
string
maximum-entries
Optional
positive-integer
Specifies the maximum number of entries to track, which indicates how many field
combinations can be tracked.
post-edits
Optional
std-layered-edit-operation
pre-edits
Optional
std-layered-edit-operation
qps
Optional
integer
unenforced
Optional
boolean
Enables statistics, log messages and events related to rate limiting without actually dropping or
truncating answers. Defaults to false.
ratelimiter.delete
Description and usage
Deletes a rate limiter.
Fields
name
Required
string
layer
Optional
string
ratelimiter.get
Description and usage
Retrieves a ratelimiter.
Fields
exclude-fields
Optional
string
fields
Optional
string
layer
Optional
string
ratelimiter.list
Description and usage
Lists ratelimiters, optionally sorted by various criteria.
Fields
descending
Optional
string
end
Optional
{
name => string
}
exclude-fields
Optional
string
fields
Optional
string
key
Optional
string
layer
Optional
string
max-results
Optional
integer
skip-first
start
Optional
{
name => string
}
ratelimiter.mget
Description and usage
Retrieves multiple rate limiters.
Fields
descending
Optional
string
end
Optional
{
name => string
}
exclude-fields
Optional
string
fields
Optional
string
key
Optional
string
layer
Optional
string
max-results
Optional
integer
skip-first
start
Optional
{
name => string
}
ratelimiter.replace
Description and usage
Replaces all values for a ratelimiter.
Fields
name
Required
string
fields
Required
string
bps
Optional
integer
layer
Optional
string
maximum-entries
Optional
positive-integer
Specifies the maximum number of entries to track, which indicates how many field
combinations can be tracked.
post-edits
Optional
std-layered-edit-operation
pre-edits
Optional
std-layered-edit-operation
qps
Optional
integer
unenforced
Optional
boolean
Enables statistics, log messages and events related to rate limiting without actually dropping or
truncating answers. Defaults to false.
ratelimiter.statistics
Description and usage
Returns the current values for ratelimiter statistics along with general process statistics.
Fields
all
Optional
boolean
If set to true, instructs CacheServe to return the values of all tracked statistics, even those with a
value of 0.
reset
Optional
boolean
If set to true, instructs CacheServe to reset all counters to 0 after returning them.
Returns
current-time
float-seconds-since-epoch
memory-in-use
uint64
This value represents the amount of memory requested from the memory allocator and
memory used by the cache; it does not include overhead for allocator bookkeeping, rounding,
fragmentation or free lists.
name
string
reset-time
float-seconds-since-epoch
server-start-time
float-seconds-since-epoch
statistics
{
all-indications => uint64
current-entry-count => uint64
current-limited-count => uint64
expiring-entry-age => uint64
indications-by-bps => uint64
indications-by-qps => uint64
uses => uint64
}
system-time
time-in-microseconds
user-time
time-in-microseconds
The amount of user CPU time used since the server started.
ratelimiter.update
Description and usage
Updates or resets values for a ratelimiter.
Fields
name
Required
string
fields
Optional
string
bps
Optional
integer
layer
Optional
string
maximum-entries
Optional
positive-integer
Specifies the maximum number of entries to track, which indicates how many field
combinations can be tracked.
post-edits
Optional
std-layered-edit-operation
pre-edits
Optional
std-layered-edit-operation
qps
Optional
integer
unenforced
Optional
boolean
Enables statistics, log messages and events related to rate limiting without actually dropping or
truncating answers. Defaults to false.
unset
Optional
string
Note: When unset is invoked upon a field, the field is emptied, and CacheServe will treat the
field as required (for instance, populating the field with a default value if necessary).
resolver.add
Description and usage
Creates a new resolver.
Fields
dnssec-aware
Optional
boolean
Indicates whether or not DNSSEC information should be requested and cached. The default is
false.
Requesting and caching DNSSEC information will significantly increase the amount of network
traffic.
errors
Optional
string
A read-only field that indicates any problems with a specific object's configuration. errors will
only be present if there's a problem.
forward
Optional
(( name , 'first' | 'off' | 'only', (addrport...)) ...)
Causes queries within a specific domain to be forwarded to one or more specific recursive
name servers.
name specifies the domain; first, off or only specify the forwarding mode; and the final addrport is
a list of recursive name servers.
l first: First attempt to use the forwarders. If they do not respond, attempt to resolve the
query.
l off: Disable forwarding for a subdomain. If you specify off, you must leave the server addr-
port empty.
l only: Use only the forwarders. If they do not respond, do not attempt to resolve the
query, and let it fail.
hints
Optional
(name, ((name, (addr ...)) ...))
These servers are queried to discover the current set of root servers. If there is no hints field,
this re- solver will use a compiled-in set of root hints. The name must always be . (the root
name), as providing hints for domains other than the root is meaningless.
ignore-first-referral
Optional
boolean
Although it results in a small increase in network traffic, ignore-first-referral reduces the risk of
delegation-spoofing attacks.
layer
Optional
string
log-dnssec
Optional
boolean
When set to true, log-dnssec configures CacheServe to log detailed information about DNSSEC
validation failures. All messages related to DNSSEC validation are logged at priority LOG_INFO,
and log entries are prefixed with "dnssec:".
For log-dnssec to work, you must have DNSSEC trust anchors defined.
log-id-spoofing
Optional
boolean
Configures CacheServe to issue a log message when it suspects an ID spoofing attack. The log
message is only issued when there's a relatively strong suspicion that an actual attack is taking
place.
The id-spoofing-defense-queries statistic tracks the number of times the defense mechanism
has been triggered.
log-lame
Optional
(name ...)
A list of names. Causes CacheServe to log lame delegations and other configuration errors
detected in authoritative servers during resolution. log-lame domains should belong to your
own organization.
When log-lame is enabled, CacheServe will log other errors from authoritative servers in
addition to lame delegations, such as malformed responses, RCODES indicating a server error,
and NS records pointing at CNAMEs.
The most common type of authoritative server configuration error is a lame delegation. Lame
delegations occur when a server's had authority over a zone delegated to it, but doesn't
actually have authoritative data for the zone.
It's technically possible to log errors occurring in any domain by specifying the root domain, but
this is a really bad idea.
First, you're going to get hammered with a huge volume of log message, and second, lame
servers are unfortunately very common, and a busy caching server will easily detect and log
lots of lame servers per second.
Logging these free-range lame servers generally doesn't serve any purpose, because it's not
practical to contact the administrators of all those domains and ask them to correct the error.
managed-keys
Optional
(( name , (rdata...)) ...)
A tuple of domain name and rdata that defines DNSSEC managed keys. Each managed-key
domain may include one or more keys, formatted as DNSKEYs (RFC4034).
Managed-keys are similar to trusted-keys, but are automatically maintained (as described in
RFC5011). The set of keys (as well as state) is persistently stored, and maintained over time,
including a periodic refetch of the DNSKEY set.
When managed-keys is initially configured, if there are any keys present for a domain,
CacheServe tries to verify signatures in the retrieved DNSKEY set. If it can't verify any of the
signatures, CacheServe considers the domain insecure.
Managed-keys are normally used only for the root zone, so CacheServe has the current root
key compiled in. If the root domain is specified in the managed-keys field, but no keys are
specified, CacheServe will use that root key to verify the root DNSKEY set.
managed-keys-state
Optional, read-only
((name, { expire => time-in-seconds
has-validated => boolean
keys => ({
created => time-in-seconds
key => string
keyid => integer
next => time-in-seconds
state => 'add-pending' | 'missing' |
'removed' | 'revoked' | 'start' | 'valid'
updated => time-in-seconds
} ...)
last-fetch => time-in-seconds
next-fetch => time-in-seconds
}) ...)
max-cache-size
Optional
sizeval
specifies the maximum amount of memory which can be used by this resolver's cache. The
default is 200M.
Values larger than 16G are treated as 16G, and values smaller than 64M are treated as 64M.
max-cache-ttl
Optional
time-in-seconds
Sets the maximum amount of time for which the server will cache ordinary (positive) answers.
The default is 604800 (7 days).
max-client-ttl
Optional
time-in-seconds
max-client-ttl only affects responses to DNS clients, not actual caching; a DNS record can
remain in the cache for the full amount of time even if clients receive a smaller value.
max-edns-udp-size
Optional
integer
When this field is configured, CacheServe, when sending EDNS queries, advertises that packets
of up to this length (in bytes) can be reassembled. Values smaller than 512 and larger than 4096
are treated as 512 and 4096, respectively.
This option is particularly useful if a firewall or other network device is dropping IP fragments,
because for large packets, this would effectively result in timeouts and resolution failures.
max-ncache-ttl
Optional
time-in-seconds
Specifies the maximum amount of time that CacheServe will cache negative answers. Defaults
to 10800 (3 hours).
max-tcp-recursions
Optional
integer
negative-trust-anchors
Optional
(name ...)
Turns off DNSSEC validation for a domain, even if that domain is under a security root.
post-edits
Optional
std-layered-edit-operation
pre-edits
Optional
std-layered-edit-operation
prefetch-ratio
Optional
integer
Adjusts CacheServe's criteria for whether or not it issues prefetch queries. The default is 16.
Prefetching is normally performed when a query requests data that's already cached but is set
to expire soon from the cache. This prevents commonly-accessed data from ever expiring.
Note: Changing this value is not recommended, and you should only change it under the
direction of Nominum support.
The default value of 16 is the thoroughly tested balance point betweeen improved
performance and the impact of additional queries; it results in a higher cache rate and better
average latency.
preload
Optional
(( name , rdatatype, rdata) ...)
Preloads the cache with a fixed resource record, specified by a combination name, rdatatype
and rdata.
Note: preload is specifically intended to predefine reverse and/or forward mapping of either
localhost or the local host name, and should not be used for any other purpose.
preload-nxdomain
Optional
(name ...)
Warning! preload-nxdomain is an option included for the sake of completeness. Don't use it
unless you're specifically told to by Nominum support!
Note: preload-nxdomain affects only a single name; if you want to affect an entire domain, use
synthesize-nxdomain.
preload-nxrrset
Optional
((name, rdatatype) ...)
Note: preload-nxrrset is an option included for the sake of completeness. Don't use it unless
you're specifically told to by Nominum support!
Preloads CacheServe with an indication that no resource record of a given name and type
exists.
For example, to specify that no AAAA record exists for the local hostname:
preload-nxrrset host.domain AAAA
qname-case-randomization
Optional
'enforced' | 'off' | 'silent-enforced' | 'unenforced'
Indicates whether CacheServe should randomize letters in a query name when sending
queries to authoritative servers or forwarders. Defaults to off.
qname-case-randomization-exclusions
Optional
(name ...)
query-source-pool
Optional
(uint16, addrport4)
Sets the address CacheServe will use to send outgoing IPv4 UDP queries, configuring
CacheServe to send from a randomly selected port within a pool of multiple source ports.
The uint16 specifies the number of ports. The maximum number of ports is 2048.
l If the addrport4 is nonzero, ports are allocated sequentially, starting at that number.
l If the addrport4 is zero or empty, ports are chosen randomly.
If you don't specify query-source-pool, CacheServe creates a query source pool with a number
of ports that's appropriate for the OS.
Warning! When you're choosing the number of ports to use, make sure you don't exceed the
OS's file-descriptor limit. Each port uses a file descriptor, and additional file descriptors are
needed for listen-on-matching and things like outgoing and incoming TCP connections.
query-source-pool-v6
Optional
(uint16, addrport6)
Sets the address CacheServe uses to send outgoing IPv6 UDP queries, configuring CacheServe
to send from a randomly selected port within a pool of multiple source ports.
The uint16 specifies the number of ports. The maximum number of ports is 2048.
l If the addrport6 is nonzero, ports are allocated sequentially, starting at that number.
l If the addrport6 is zero or empty, ports are chosen randomly.
If you don't specify query-source-pool-v6 and CacheServe has been configured to use IPv6
transport (by including type AAAA in server-address-lookup-order), CacheServe creates a
query source pool with an appropriate number of ports for the OS.
Format:
Warning! When you're choosing the number of ports to use, make sure you don't exceed the
OS's file-descriptor limit. Each port uses a file descriptor, and additional file descriptors are
needed for listen-on-matching and things like outgoing and incoming TCP connections.
rrset-order
Optional
'cyclic' | 'fixed' | 'random'
Sets the order in which resource records (RRs) in a resource record set (RRset) are added to a
response. The default is cyclic.
l cyclic configures CacheServe to use a random starting point in the list of RRs and wrap
around to the beginning of the list when the end is reached.
l fixed configures CacheServe to always emit RRs in the order in which they are stored.
l random configures CacheServe to use a random permutation of the RRs.
server-address-lookup-order
Optional
('A' | 'AAAA' ...)
Defines the order in which CacheServe should use IPv4 or IPv6 server addresses.
The argument is a list of address record types that may be either A or AAAA.
The default is A, which configures CacheServe to use only IPv4 addresses for nameserver
addresses, and thus IPv4 transport only for communications with the authoritative server.
The same value may not occur multiple times in the list, and only nameserver addresses of the
specified types are used, in the listed order.
For example, if your site has some IPv6 connectivity to the Internet, you can specify (A AAAA),
and CacheServe will attempt IPv4 first; if your site has mostly IPv6 connectivity, you can specify
(AAAA A) and CacheServe will attempt IPv6 first.
stub
Optional
(( boolean , (( boolean , (addrport ...)) ...)) ...)
Queries within each domain are resolved as if the specified servers were delegated authority
for that domain.
Warning! A specific domain may only appear once per stub per resolver, and you can't have
the same entry in both stub and synthesize-nxdomain.
The main use for stub resolution is in situations where you need to resolve a domain using a
particular set of servers that haven't actually been delegated authority.
For example, if you're using RFC1918 private addresses (10.*), you might want to define a stub
for 10.in-addr.arpa, so that queries for that domain get directed to your own set of internal
authoritative servers.
synthesize-nxdomain
Optional
(name ...)
Configures CacheServe to return synthetic NXDOMAIN responses for all queries within the
specified domains.
Note: If you need to return PTR records for RFC1918 addresses, use a stub pointing at one or
more authoritative servers configured with the right reverse mapping data!
trusted-keys
Optional
((name, (rdata ...)) ...)
Defines DNSSEC trusted keys. Enabling this option automatically enables dnssec-aware, and
configures CacheServe to perform DNSSEC verification on all DNS data in a subdomain of a
security root.
The trusted−keys field can contain multiple key entries,each consisting of the key’s domain
name and rdata. If any trusted-keys are defined, DNSSEC information will be requested and
cached as if the dnssec−aware option were enabled.
resolver.delete
Description and usage
Deletes a resolver.
Fields
name
Required
string
layer
Optional
string
resolver.flush
Description and usage
Flushes entries from the resolver's cache.
Fields
dnssec-aware
Optional
boolean
Indicates whether or not DNSSEC information should be requested and cached. The default is
false.
Requesting and caching DNSSEC information will significantly increase the amount of network
traffic.
target
Optional
('domain' name | 'name' name )
resolver.get
Description and usage
Retrieves a resolver.
Fields
name
Required
string
exclude-fields
Optional
string
fields
Optional
string
resolver.inspect
Description and usage
Retrieves information about a name in the resolver’s cache, returning the information in
various forms.
Fields
name
Required
string
domain
Required
name
Returns
domain
Required
name
exists
Optional
boolean
immortal
Optional
boolean
name
Optional
name
nonexistence-proof
Optional
((name, {
<type> => {
data => (string ...)
sigs => (string ...)
ttl => integer
validated => boolean
}
...
}) ...)
For negative entries, nonexistence-proof displays the information that the server uses to prove
that the entry doesn't exist.
ttl
Optional
integer
An integer representing the number of seconds until the data expires. If there's no ttl, the data
never expires.
types
Optional
{ <type> => {
data => (string ...)
exists => boolean
immortal => boolean
nonexistence-proof => ((name, {
<type> => {
data => (string ...)
sigs => (string...)
ttl => integer
validated => boolean
}
...
}) ...)
origin => addr
prefetches => integer
sigs => (string ...)
ttl => integer
validated => boolean
wildcard-proof => ((name, {
<type> => {
data => (string ...)
sigs => (string ...)
ttl => integer
validated => boolean
}
...
}) ...)
}
...
}
A table mapping DNS record types to subtables which contain information about those types.
validated
Optional
boolean
If the data has been DNSSEC validated, this field will be present and true.
resolver.inspect-delegation
Description and usage
Retrieves information about a delegation point in the resolver’s cache, returning the
information in various forms.
Fields
name
Required
string
domain
Required
name
Returns
domain
Required
name
immortal
Optional
boolean
name
string
servers
Optional
inspect-delegation-servers
stub
Optional
boolean
synthetic
Optional
boolean
ttl
Optional
integer
Represents the number of seconds until the NS set data expires. If there's no ttl, the data never
expires.
resolver.list
Description and usage
Lists resolvers, optionally sorted by various criteria.
Fields
descending
Optional
string
end
Optional
{
name => string
}
key
Optional
string
layer
Optional
string
max-results
Optional
integer
skip-first
start
Optional
{
name => string
}
resolver.mget
Description and usage
Retrieves multiple resolvers.
Fields
descending
Optional
string
end
Optional
{
name => string
}
exclude-fields
Optional
string
fields
Optional
string
key
Optional
string
layer
Optional
string
max-results
Optional
integer
skip-first
start
Optional
{
name => string
}
resolver.recursing
List the resolutions currently in progress.
Fields
name
Required
string
Returns
resolutions
Required
({
name => name
type => rdatatype
} ...)
resolver.replace
Replaces all values on a resolver with new values.
Fields
dnssec-aware
Optional
boolean
Indicates whether or not DNSSEC information should be requested and cached. The default is
false.
Requesting and caching DNSSEC information will significantly increase the amount of network
traffic.
errors
Optional
string
A read-only field that indicates any problems with a specific object's configuration. errors will
only be present if there's a problem.
forward
Optional
(( name , 'first' | 'off' | 'only', (addrport...)) ...)
Causes queries within a specific domain to be forwarded to one or more specific recursive
name servers.
name specifies the domain; first, off or only specify the forwarding mode; and the final addrport is
a list of recursive name servers.
l first: First attempt to use the forwarders. If they do not respond, attempt to resolve the
query.
l off: Disable forwarding for a subdomain. If you specify off, you must leave the server addr-
port empty.
l only: Use only the forwarders. If they do not respond, do not attempt to resolve the
query, and let it fail.
hints
Optional
(name, ((name, (addr ...)) ...))
These servers are queried to discover the current set of root servers. If there is no hints field,
this re- solver will use a compiled-in set of root hints. The name must always be . (the root
name), as providing hints for domains other than the root is meaningless.
ignore-first-referral
Optional
boolean
Although it results in a small increase in network traffic, ignore-first-referral reduces the risk of
delegation-spoofing attacks.
layer
Optional
string
log-dnssec
Optional
boolean
When set to true, log-dnssec configures CacheServe to log detailed information about DNSSEC
validation failures. All messages related to DNSSEC validation are logged at priority LOG_INFO,
and log entries are prefixed with "dnssec:".
For log-dnssec to work, you must have DNSSEC trust anchors defined.
log-id-spoofing
Optional
boolean
Configures CacheServe to issue a log message when it suspects an ID spoofing attack. The log
message is only issued when there's a relatively strong suspicion that an actual attack is taking
place.
The id-spoofing-defense-queries statistic tracks the number of times the defense mechanism
has been triggered.
log-lame
Optional
(name ...)
A list of names. Causes CacheServe to log lame delegations and other configuration errors
detected in authoritative servers during resolution. log-lame domains should belong to your
own organization.
When log-lame is enabled, CacheServe will log other errors from authoritative servers in
addition to lame delegations, such as malformed responses, RCODES indicating a server error,
and NS records pointing at CNAMEs.
managed-keys
Optional
(( name , (rdata...)) ...)
A tuple of domain name and rdata that defines DNSSEC managed keys. Each managed-key
domain may include one or more keys, formatted as DNSKEYs (RFC4034).
Managed-keys are similar to trusted-keys, but are automatically maintained (as described in
RFC5011). The set of keys (as well as state) is persistently stored, and maintained over time,
including a periodic refetch of the DNSKEY set.
When managed-keys is initially configured, if there are any keys present for a domain,
CacheServe tries to verify signatures in the retrieved DNSKEY set. If it can't verify any of the
signatures, CacheServe considers the domain insecure.
Managed-keys are normally used only for the root zone, so CacheServe has the current root
key compiled in. If the root domain is specified in the managed-keys field, but no keys are
specified, CacheServe will use that root key to verify the root DNSKEY set.
managed-keys-state
Optional, read-only
((name, { expire => time-in-seconds
has-validated => boolean
keys => ({
created => time-in-seconds
key => string
keyid => integer
next => time-in-seconds
state => 'add-pending' | 'missing' |
'removed' | 'revoked' | 'start' | 'valid'
updated => time-in-seconds
} ...)
last-fetch => time-in-seconds
next-fetch => time-in-seconds
}) ...)
max-cache-size
Optional
sizeval
specifies the maximum amount of memory which can be used by this resolver's cache. The
default is 200M.
Values larger than 16G are treated as 16G, and values smaller than 64M are treated as 64M.
max-cache-ttl
Optional
time-in-seconds
Sets the maximum amount of time for which the server will cache ordinary (positive) answers.
The default is 604800 (7 days).
max-client-ttl
Optional
time-in-seconds
max-client-ttl only affects responses to DNS clients, not actual caching; a DNS record can
remain in the cache for the full amount of time even if clients receive a smaller value.
max-edns-udp-size
Optional
integer
When this field is configured, CacheServe, when sending EDNS queries, advertises that packets
of up to this length (in bytes) can be reassembled. Values smaller than 512 and larger than 4096
are treated as 512 and 4096, respectively.
This option is particularly useful if a firewall or other network device is dropping IP fragments,
because for large packets, this would effectively result in timeouts and resolution failures.
max-ncache-ttl
Optional
time-in-seconds
Specifies the maximum amount of time that CacheServe will cache negative answers. Defaults
to 10800 (3 hours).
max-tcp-recursions
Optional
integer
negative-trust-anchors
Optional
(name ...)
Turns off DNSSEC validation for a domain, even if that domain is under a security root.
post-edits
Optional
std-layered-edit-operation
pre-edits
Optional
std-layered-edit-operation
prefetch-ratio
Optional
integer
Adjusts CacheServe's criteria for whether or not it issues prefetch queries. The default is 16.
Prefetching is normally performed when a query requests data that's already cached but is set
to expire soon from the cache. This prevents commonly-accessed data from ever expiring.
Note: Changing this value is not recommended, and you should only change it under the
direction of Nominum support.
The default value of 16 is the thoroughly tested balance point betweeen improved
performance and the impact of additional queries; it results in a higher cache rate and better
average latency.
preload
Optional
(( name , rdatatype, rdata) ...)
Preloads the cache with a fixed resource record, specified by a combination name, rdatatype
and rdata.
Note: preload is specifically intended to predefine reverse and/or forward mapping of either
localhost or the local host name, and should not be used for any other purpose.
preload-nxdomain
Optional
(name ...)
Warning! preload-nxdomain is an option included for the sake of completeness. Don't use it
unless you're specifically told to by Nominum support!
Note: preload-nxdomain affects only a single name; if you want to affect an entire domain, use
synthesize-nxdomain.
preload-nxrrset
Optional
((name, rdatatype) ...)
Note: preload-nxrrset is an option included for the sake of completeness. Don't use it unless
you're specifically told to by Nominum support!
Preloads CacheServe with an indication that no resource record of a given name and type
exists.
For example, to specify that no AAAA record exists for the local hostname:
preload-nxrrset host.domain AAAA
qname-case-randomization
Optional
'enforced' | 'off' | 'silent-enforced' | 'unenforced'
Indicates whether CacheServe should randomize letters in a query name when sending
queries to authoritative servers or forwarders. Defaults to off.
qname-case-randomization-exclusions
Optional
(name ...)
query-source-pool
Optional
(uint16, addrport4)
Sets the address CacheServe will use to send outgoing IPv4 UDP queries, configuring
CacheServe to send from a randomly selected port within a pool of multiple source ports.
The uint16 specifies the number of ports. The maximum number of ports is 2048.
l If the addrport4 is nonzero, ports are allocated sequentially, starting at that number.
l If the addrport4 is zero or empty, ports are chosen randomly.
If you don't specify query-source-pool, CacheServe creates a query source pool with a number
of ports that's appropriate for the OS.
Warning! When you're choosing the number of ports to use, make sure you don't exceed the
OS's file-descriptor limit. Each port uses a file descriptor, and additional file descriptors are
needed for listen-on-matching and things like outgoing and incoming TCP connections.
query-source-pool-v6
Optional
(uint16, addrport6)
Sets the address CacheServe uses to send outgoing IPv6 UDP queries, configuring CacheServe
to send from a randomly selected port within a pool of multiple source ports.
The uint16 specifies the number of ports. The maximum number of ports is 2048.
l If the addrport6 is nonzero, ports are allocated sequentially, starting at that number.
l If the addrport6 is zero or empty, ports are chosen randomly.
If you don't specify query-source-pool-v6 and CacheServe has been configured to use IPv6
transport (by including type AAAA in server-address-lookup-order), CacheServe creates a
query source pool with an appropriate number of ports for the OS.
Format:
Warning! When you're choosing the number of ports to use, make sure you don't exceed the
OS's file-descriptor limit. Each port uses a file descriptor, and additional file descriptors are
needed for listen-on-matching and things like outgoing and incoming TCP connections.
rrset-order
Optional
'cyclic' | 'fixed' | 'random'
Sets the order in which resource records (RRs) in a resource record set (RRset) are added to a
response. The default is cyclic.
l cyclic configures CacheServe to use a random starting point in the list of RRs and wrap
around to the beginning of the list when the end is reached.
l fixed configures CacheServe to always emit RRs in the order in which they are stored.
l random configures CacheServe to use a random permutation of the RRs.
server-address-lookup-order
Optional
('A' | 'AAAA' ...)
Defines the order in which CacheServe should use IPv4 or IPv6 server addresses.
The argument is a list of address record types that may be either A or AAAA.
The default is A, which configures CacheServe to use only IPv4 addresses for nameserver
addresses, and thus IPv4 transport only for communications with the authoritative server.
The same value may not occur multiple times in the list, and only nameserver addresses of the
specified types are used, in the listed order.
For example, if your site has some IPv6 connectivity to the Internet, you can specify (A AAAA),
and CacheServe will attempt IPv4 first; if your site has mostly IPv6 connectivity, you can specify
(AAAA A) and CacheServe will attempt IPv6 first.
stub
Optional
(( boolean , (( boolean , (addrport ...)) ...)) ...)
Queries within each domain are resolved as if the specified servers were delegated authority
for that domain.
Warning! A specific domain may only appear once per stub per resolver, and you can't have
the same entry in both stub and synthesize-nxdomain.
The main use for stub resolution is in situations where you need to resolve a domain using a
particular set of servers that haven't actually been delegated authority.
For example, if you're using RFC1918 private addresses (10.*), you might want to define a stub
for 10.in-addr.arpa, so that queries for that domain get directed to your own set of internal
authoritative servers.
synthesize-nxdomain
Optional
(name ...)
Configures CacheServe to return synthetic NXDOMAIN responses for all queries within the
specified domains.
Note: If you need to return PTR records for RFC1918 addresses, use a stub pointing at one or
more authoritative servers configured with the right reverse mapping data!
trusted-keys
Optional
((name, (rdata ...)) ...)
Defines DNSSEC trusted keys. Enabling this option automatically enables dnssec-aware, and
configures CacheServe to perform DNSSEC verification on all DNS data in a subdomain of a
security root.
The trusted−keys field can contain multiple key entries,each consisting of the key’s domain
name and rdata. If any trusted-keys are defined, DNSSEC information will be requested and
cached as if the dnssec−aware option were enabled.
resolver.statistics
Description and usage
Returns the current values for resolver statistics along with general process statistics.
Fields
all
Optional
boolean
If set to true, instructs CacheServe to return the values of all tracked statistics, even those with a
value of 0.
reset
Optional
boolean
If set to true, instructs CacheServe to reset all counters to 0 after returning them.
Returns
current-time
float-seconds-since-epoch
memory-in-use
uint64
This value represents the amount of memory requested from the memory allocator and
memory used by the cache; it does not include overhead for allocator bookkeeping, rounding,
fragmentation or free lists.
name
string
reset-time
float-seconds-since-epoch
server-start-time
float-seconds-since-epoch
statistics
{
cache-misses => uint64
dnssec-validations-failure => uint64
dnssec-validations-insecure => uint64
dnssec-validations-success => uint64
id-spoofing-defense-queries => uint64
ignored-referral-lookups => uint64
system-time
time-in-microseconds
user-time
time-in-microseconds
The amount of user CPU time used since the server started.
resolver.update
Updates all values on a resolver with new values.
Fields
dnssec-aware
Optional
boolean
Indicates whether or not DNSSEC information should be requested and cached. The default is
false.
Requesting and caching DNSSEC information will significantly increase the amount of network
traffic.
errors
Optional
string
A read-only field that indicates any problems with a specific object's configuration. errors will
only be present if there's a problem.
forward
Optional
(( name , 'first' | 'off' | 'only', (addrport...)) ...)
Causes queries within a specific domain to be forwarded to one or more specific recursive
name servers.
name specifies the domain; first, off or only specify the forwarding mode; and the final addrport is
a list of recursive name servers.
l first: First attempt to use the forwarders. If they do not respond, attempt to resolve the
query.
l off: Disable forwarding for a subdomain. If you specify off, you must leave the server addr-
port empty.
l only: Use only the forwarders. If they do not respond, do not attempt to resolve the
query, and let it fail.
hints
Optional
(name, ((name, (addr ...)) ...))
These servers are queried to discover the current set of root servers. If there is no hints field,
this re- solver will use a compiled-in set of root hints. The name must always be . (the root
name), as providing hints for domains other than the root is meaningless.
ignore-first-referral
Optional
boolean
Although it results in a small increase in network traffic, ignore-first-referral reduces the risk of
delegation-spoofing attacks.
layer
Optional
string
log-dnssec
Optional
boolean
When set to true, log-dnssec configures CacheServe to log detailed information about DNSSEC
validation failures. All messages related to DNSSEC validation are logged at priority LOG_INFO,
and log entries are prefixed with "dnssec:".
For log-dnssec to work, you must have DNSSEC trust anchors defined.
log-id-spoofing
Optional
boolean
Configures CacheServe to issue a log message when it suspects an ID spoofing attack. The log
message is only issued when there's a relatively strong suspicion that an actual attack is taking
place.
The id-spoofing-defense-queries statistic tracks the number of times the defense mechanism
has been triggered.
log-lame
Optional
(name ...)
A list of names. Causes CacheServe to log lame delegations and other configuration errors
detected in authoritative servers during resolution. log-lame domains should belong to your
own organization.
When log-lame is enabled, CacheServe will log other errors from authoritative servers in
addition to lame delegations, such as malformed responses, RCODES indicating a server error,
and NS records pointing at CNAMEs.
managed-keys
Optional
(( name , (rdata...)) ...)
A tuple of domain name and rdata that defines DNSSEC managed keys. Each managed-key
domain may include one or more keys, formatted as DNSKEYs (RFC4034).
Managed-keys are similar to trusted-keys, but are automatically maintained (as described in
RFC5011). The set of keys (as well as state) is persistently stored, and maintained over time,
including a periodic refetch of the DNSKEY set.
When managed-keys is initially configured, if there are any keys present for a domain,
CacheServe tries to verify signatures in the retrieved DNSKEY set. If it can't verify any of the
signatures, CacheServe considers the domain insecure.
Managed-keys are normally used only for the root zone, so CacheServe has the current root
key compiled in. If the root domain is specified in the managed-keys field, but no keys are
specified, CacheServe will use that root key to verify the root DNSKEY set.
managed-keys-state
Optional, read-only
((name, { expire => time-in-seconds
has-validated => boolean
keys => ({
created => time-in-seconds
key => string
keyid => integer
next => time-in-seconds
state => 'add-pending' | 'missing' |
'removed' | 'revoked' | 'start' | 'valid'
updated => time-in-seconds
} ...)
last-fetch => time-in-seconds
next-fetch => time-in-seconds
}) ...)
max-cache-size
Optional
sizeval
specifies the maximum amount of memory which can be used by this resolver's cache. The
default is 200M.
Values larger than 16G are treated as 16G, and values smaller than 64M are treated as 64M.
max-cache-ttl
Optional
time-in-seconds
Sets the maximum amount of time for which the server will cache ordinary (positive) answers.
The default is 604800 (7 days).
max-client-ttl
Optional
time-in-seconds
max-client-ttl only affects responses to DNS clients, not actual caching; a DNS record can
remain in the cache for the full amount of time even if clients receive a smaller value.
max-edns-udp-size
Optional
integer
When this field is configured, CacheServe, when sending EDNS queries, advertises that packets
of up to this length (in bytes) can be reassembled. Values smaller than 512 and larger than 4096
are treated as 512 and 4096, respectively.
This option is particularly useful if a firewall or other network device is dropping IP fragments,
because for large packets, this would effectively result in timeouts and resolution failures.
max-ncache-ttl
Optional
time-in-seconds
Specifies the maximum amount of time that CacheServe will cache negative answers. Defaults
to 10800 (3 hours).
max-tcp-recursions
Optional
integer
negative-trust-anchors
Optional
(name ...)
Turns off DNSSEC validation for a domain, even if that domain is under a security root.
post-edits
Optional
std-layered-edit-operation
pre-edits
Optional
std-layered-edit-operation
prefetch-ratio
Optional
integer
Adjusts CacheServe's criteria for whether or not it issues prefetch queries. The default is 16.
Prefetching is normally performed when a query requests data that's already cached but is set
to expire soon from the cache. This prevents commonly-accessed data from ever expiring.
Note: Changing this value is not recommended, and you should only change it under the
direction of Nominum support.
The default value of 16 is the thoroughly tested balance point betweeen improved
performance and the impact of additional queries; it results in a higher cache rate and better
average latency.
preload
Optional
(( name , rdatatype, rdata) ...)
Preloads the cache with a fixed resource record, specified by a combination name, rdatatype
and rdata.
Note: preload is specifically intended to predefine reverse and/or forward mapping of either
localhost or the local host name, and should not be used for any other purpose.
preload-nxdomain
Optional
(name ...)
Warning! preload-nxdomain is an option included for the sake of completeness. Don't use it
unless you're specifically told to by Nominum support!
Note: preload-nxdomain affects only a single name; if you want to affect an entire domain, use
synthesize-nxdomain.
preload-nxrrset
Optional
((name, rdatatype) ...)
Note: preload-nxrrset is an option included for the sake of completeness. Don't use it unless
you're specifically told to by Nominum support!
Preloads CacheServe with an indication that no resource record of a given name and type
exists.
For example, to specify that no AAAA record exists for the local hostname:
preload-nxrrset host.domain AAAA
qname-case-randomization
Optional
'enforced' | 'off' | 'silent-enforced' | 'unenforced'
Indicates whether CacheServe should randomize letters in a query name when sending
queries to authoritative servers or forwarders. Defaults to off.
qname-case-randomization-exclusions
Optional
(name ...)
query-source-pool
Optional
(uint16, addrport4)
Sets the address CacheServe will use to send outgoing IPv4 UDP queries, configuring
CacheServe to send from a randomly selected port within a pool of multiple source ports.
The uint16 specifies the number of ports. The maximum number of ports is 2048.
l If the addrport4 is nonzero, ports are allocated sequentially, starting at that number.
l If the addrport4 is zero or empty, ports are chosen randomly.
If you don't specify query-source-pool, CacheServe creates a query source pool with a number
of ports that's appropriate for the OS.
Warning! When you're choosing the number of ports to use, make sure you don't exceed the
OS's file-descriptor limit. Each port uses a file descriptor, and additional file descriptors are
needed for listen-on-matching and things like outgoing and incoming TCP connections.
query-source-pool-v6
Optional
(uint16, addrport6)
Sets the address CacheServe uses to send outgoing IPv6 UDP queries, configuring CacheServe
to send from a randomly selected port within a pool of multiple source ports.
The uint16 specifies the number of ports. The maximum number of ports is 2048.
l If the addrport6 is nonzero, ports are allocated sequentially, starting at that number.
l If the addrport6 is zero or empty, ports are chosen randomly.
If you don't specify query-source-pool-v6 and CacheServe has been configured to use IPv6
transport (by including type AAAA in server-address-lookup-order), CacheServe creates a
query source pool with an appropriate number of ports for the OS.
Format:
Warning! When you're choosing the number of ports to use, make sure you don't exceed the
OS's file-descriptor limit. Each port uses a file descriptor, and additional file descriptors are
needed for listen-on-matching and things like outgoing and incoming TCP connections.
rrset-order
Optional
'cyclic' | 'fixed' | 'random'
Sets the order in which resource records (RRs) in a resource record set (RRset) are added to a
response. The default is cyclic.
l cyclic configures CacheServe to use a random starting point in the list of RRs and wrap
around to the beginning of the list when the end is reached.
l fixed configures CacheServe to always emit RRs in the order in which they are stored.
l random configures CacheServe to use a random permutation of the RRs.
server-address-lookup-order
Optional
('A' | 'AAAA' ...)
Defines the order in which CacheServe should use IPv4 or IPv6 server addresses.
The argument is a list of address record types that may be either A or AAAA.
The default is A, which configures CacheServe to use only IPv4 addresses for nameserver
addresses, and thus IPv4 transport only for communications with the authoritative server.
The same value may not occur multiple times in the list, and only nameserver addresses of the
specified types are used, in the listed order.
For example, if your site has some IPv6 connectivity to the Internet, you can specify (A AAAA),
and CacheServe will attempt IPv4 first; if your site has mostly IPv6 connectivity, you can specify
(AAAA A) and CacheServe will attempt IPv6 first.
stub
Optional
Queries within each domain are resolved as if the specified servers were delegated authority
for that domain.
Warning! A specific domain may only appear once per stub per resolver, and you can't have
the same entry in both stub and synthesize-nxdomain.
The main use for stub resolution is in situations where you need to resolve a domain using a
particular set of servers that haven't actually been delegated authority.
For example, if you're using RFC1918 private addresses (10.*), you might want to define a stub
for 10.in-addr.arpa, so that queries for that domain get directed to your own set of internal
authoritative servers.
synthesize-nxdomain
Optional
(name ...)
Configures CacheServe to return synthetic NXDOMAIN responses for all queries within the
specified domains.
Note: If you need to return PTR records for RFC1918 addresses, use a stub pointing at one or
more authoritative servers configured with the right reverse mapping data!
trusted-keys
Optional
((name, (rdata ...)) ...)
Defines DNSSEC trusted keys. Enabling this option automatically enables dnssec-aware, and
configures CacheServe to perform DNSSEC verification on all DNS data in a subdomain of a
security root.
The trusted−keys field can contain multiple key entries,each consisting of the key’s domain
name and rdata. If any trusted-keys are defined, DNSSEC information will be requested and
cached as if the dnssec−aware option were enabled.
unset
Optional
string
Note: When unset is invoked upon a field, the field is emptied, and CacheServe will treat the
field as required (for instance, populating the field with a default value if necessary).
restart
Restarts CacheServe.
server.add
Description and usage
Creates a new server.
Fields
layer
Optional
string
commands-not-logged
Optional
boolean
Specifies whether or not DNSSEC information should be requested and cached when log-
command-channel is enabled.
errors
Optional
string
A read-only field that indicates any problems with a specific object's configuration. errors will
only be present if there's a problem.
listen-on-matching
Optional
({
instances => integer
patterns => (acl-element ...)
port => uint16
} ...)
Configures CacheServe to listen for incoming DNS queries on addresses which match specified
patterns and ports. If no listen-on-matching value is given, CacheServe listens on all interfaces
on the default port (53).If port is 0 or not specified, CacheServe listens on the port specified by
the --dns-port command-line option, which defaults to the standard DNS port of 53.
listen-on-matching can contain multiple elements, which allows different listener ports to be
specified.patterns defaults to an ACL which matches any address.To listen on all interfaces, use
a pattern of 0.0.0.0/0 (IPv4) or ::/0 (IPv6).instances takes advantage of certain relatively new Linux
features, which permit multiple sockets listening on a single address and port. If you have this
capability, set instances to the number of desired UDP sockets.
instances defaults to 0, which configures CacheServe to use the best number of UDP sockets for
maximum concurrency. If instances is set to 0 and the interface is a loopback interface, or an
IPv6 link-local address, only 1 socket will be created.
For example, here's how you specify listen-on-matching to use 16 instances on the IP address
192.168.1.1 and 1 instance on 127.0.0.1, port 5334:
cacheserve> server.update listen-on-matching=({patterns=(192.168.1.1)
instances=16}{patterns=(127.0.0.1) port=5354})
{
type => 'server.update'
}
cacheserve> server.get
{
type => 'server.get'
listen-on-matching => (
{
patterns => ('192.168.1.1/32')
instances => '16'
}
{
patterns => ('127.0.0.1/32')
port => '5354'
}
)
}
log-command-channel
Optional
boolean
Controls whether or not Command Channel messages are logged. When set to true,
commands are logged at the LOG_INFO priority, and large commands are truncated.
max-recursive-clients
Optional
integer
An integer that specifies the maximum number of recursive UDP lookups that can occur at any
one time. The default is 5000, and values over 50,000 are capped at 50,000.
The limit applies equally to recursive lookups coming from UDP clients and lookups that are
generated internally.
max-tcp-clients
Optional
integer
Controls the maximum number of TCP client connections at any one time. The default is 4.
post-edits
Optional
std-layered-edit-operation
pre-edits
Optional
std-layered-edit-operation
server-id
Optional
string-empty-ok
The server ID used to populate the server.id and bind.id values in responses to DNS CH TXT
queries for the server's ID, as well as NSID EDNS responses.
If server-id is empty or set to the literal string "none", CacheServe will refuse all queries for the
server ID, and ignore NSID requests.
server-version
Optional
string-empty-ok
The server version used to populate the version.server and version.bind values in responses to
DNS CH TXT queries for version.server and version.bind.
If server-version is set to the literal string "none", CacheServe will refuse all queries for the
server version. If server-version is empty, CacheServe will respond with the actual software
version.
time-zone
Optional
string
Identifies the timezone CacheServe will use. Values must match an entry in the 'TZ' column of
the IANA tzdb.
versioncheck-interval
Optional
versioncheck-days
Specifies how often CacheServe should check for a newer version. Defaults to 7, with a
minimum of 1 and a maximum of 30.
server.all-errors
Description and usage
Displays all misconfigured CacheServe elements. Individual elements also return
troubleshooting information in the errors field.
Fields
max-results
Optional
integer
server.block-checkpoints
Prevents database checkpoints for a specified amount of time, which permits the database to
be backed up.
Fields
timeout
Optional
time-in-seconds
The duration in seconds for which checkpoints should be suspended. The default is 3600 (1
hour).
server.checkpoint
Forces CacheServe to immediately perform a database checkpoint operation.
server.get
Description and usage
Retrieves the server object's configuration.
Fields
exclude-fields
Optional
string
fields
Optional
string
layer
Optional
string
server.query
Description and usage
Processes a DNS query as if the server had received it.
All of the query attributes can be configured, along with additional configuration beyond the
normal parameters of a DNS query. For example, you can specify a view or resolver.
The response contains all of the normal DNS query response data along with:
Warning! Do not use "live" customer IPs for test queries against a sensitive domain, as this will
be logged. Use a test IP address instead (such as a 192.168.* or 10.* address).
Fields
client-address
Optional
addrport
edns-buffer-size
Optional
uint16
Indicates the advertised EDNS buffer size, limiting the size of the response.
If this field is present, it enables EDNS in the request as needed; if some other field enables
EDNS and edns-buffer-size is not present, CacheServe uses a buffer size of 4096.
edns-flags
Optional
edns-flag
flags
Optional
dns-flag
force-resolution
Optional
boolean
Indicates whether or not CacheServe should force resolution to occur. The default is false.
If force-resolution is true, CacheServe does not perform the initial cache lookup, and existing
resolutions are not joined.
Note: This does not exclude policy effects: if a terminal policy executes prior to the point at
which resolution would normally occur, it will prevent resolution.
qclass
Optional
rdataclass
qname
Optional
name
qtype
Optional
rdatatype
resolver
Optional
string
Instructs CacheServe to process a query in the context of the named resolver, versus a context
defined by a view-selector.
server-address
Optional
addrport
Specifies the server address to match against view-selectors or policies. Defaults to the target
address of the command.
start-time
Optional
seconds-since-epoch
tcp
Optional
boolean
Indicates whether or not the simulated query should be processed as if it were received via
TCP.
tracing
Optional
boolean
Indicates whether or not tracing should be performed on this simulated query. Defaults to
false.
view
Optional
string
Instructs CacheServe to process a query in the context of the named view, versus a context
defined by a view-selector.
Returns
additional
((name, rdatatype, ttl, rdata) ...)
aliases
(name...)
answer
((name, rdatatype, ttl, rdata) ...)
authority
((name, rdatatype, ttl, rdata) ...)
dropped
boolean
flags
(dns-flag ...)
policies
({
match => boolean
parent => string
policy => string
priority => integer
server => string
view => string
when => ’postquery’ | ’prequery’ | ’presend’
} ...)
The list of policies, in order, that were evaluated when processing this query. For each policy,
the policy name and whether or not it matched is included.
If a policy directly associated with a binding, the object it’s bound to (view or server) is included,
as well as the time at which it executes (prequery, postquery, or presend) and the priority. If the
policy is the child of another policy, the parent policy name is included.
Unlike with policy.simulate, this can include the results of multiple passes through the policy
engine, if a query is restarted (such as when following a CNAME).
qclass
rdataclass
qname
name
qtype
rdatatype
rcode
dns-rcode
resolver
string
response-size
integer
The size of the response packet that would have been sent to the client, in bytes.
response-time
time-in-microseconds
result
string
trace-messages
(string...)
If tracing is enabled, this field contains tracing messages related to processing this query. These
messages contain varying levels of detail, and may or may not be useful or understandable.
The specific messages are not guaranteed to be consistent between releases; this output is
purely designed for manual inspection.
view
string
Example
cacheserve> server.query qname=www.nominum.com
{
type => 'server.query'
qname => 'www.nominum.com'
qtype => 'A'
rcode => 'NOERROR'
Example (N2 environment)
# An example of server.query in a strict Engage
# Personal Internet environment where social
# media queries get redirected to Nom Proxy.
server.replace
Description and usage
Replaces values on a server.
Fields
layer
Optional
string
commands-not-logged
Optional
boolean
Specifies whether or not DNSSEC information should be requested and cached when log-
command-channel is enabled.
listen-on-matching
Optional
({
instances => integer
patterns => (acl-element ...)
port => uint16
} ...)
Configures CacheServe to listen for incoming DNS queries on addresses which match specified
patterns and ports. If no listen-on-matching value is given, CacheServe listens on all interfaces
on the default port (53).If port is 0 or not specified, CacheServe listens on the port specified by
the --dns-port command-line option, which defaults to the standard DNS port of 53.
listen-on-matching can contain multiple elements, which allows different listener ports to be
specified.patterns defaults to an ACL which matches any address.To listen on all interfaces, use
a pattern of 0.0.0.0/0 (IPv4) or ::/0 (IPv6).instances takes advantage of certain relatively new Linux
features, which permit multiple sockets listening on a single address and port. If you have this
capability, set instances to the number of desired UDP sockets.
instances defaults to 0, which configures CacheServe to use the best number of UDP sockets for
maximum concurrency. If instances is set to 0 and the interface is a loopback interface, or an
IPv6 link-local address, only 1 socket will be created.
For example, here's how you specify listen-on-matching to use 16 instances on the IP address
192.168.1.1 and 1 instance on 127.0.0.1, port 5334:
cacheserve> server.update listen-on-matching=({patterns=(192.168.1.1)
instances=16}{patterns=(127.0.0.1) port=5354})
{
type => 'server.update'
}
cacheserve> server.get
{
type => 'server.get'
listen-on-matching => (
{
patterns => ('192.168.1.1/32')
instances => '16'
}
{
patterns => ('127.0.0.1/32')
port => '5354'
}
)
}
log-command-channel
Optional
boolean
Controls whether or not Command Channel messages are logged. When set to true,
commands are logged at the LOG_INFO priority, and large commands are truncated.
max-recursive-clients
Optional
integer
An integer that specifies the maximum number of recursive UDP lookups that can occur at any
one time. The default is 5000, and values over 50,000 are capped at 50,000.
The limit applies equally to recursive lookups coming from UDP clients and lookups that are
generated internally.
max-tcp-clients
Optional
integer
Controls the maximum number of TCP client connections at any one time. The default is 4.
post-edits
Optional
std-layered-edit-operation
pre-edits
Optional
std-layered-edit-operation
server-id
Optional
string-empty-ok
The server ID used to populate the server.id and bind.id values in responses to DNS CH TXT
queries for the server's ID, as well as NSID EDNS responses.
If server-id is empty or set to the literal string "none", CacheServe will refuse all queries for the
server ID, and ignore NSID requests.
server-version
Optional
string-empty-ok
The server version used to populate the version.server and version.bind values in responses to
DNS CH TXT queries for version.server and version.bind.
If server-version is set to the literal string "none", CacheServe will refuse all queries for the
server version. If server-version is empty, CacheServe will respond with the actual software
version.
time-zone
Optional
string
Identifies the timezone CacheServe will use. Values must match an entry in the 'TZ' column of
the IANA tzdb.
versioncheck-interval
Optional
versioncheck-days
Specifies how often CacheServe should check for a newer version. Defaults to 7, with a
minimum of 1 and a maximum of 30.
server.statistics
Description and usage
Returns the current values for server statistics along with general process statistics.
Fields
all
Optional
boolean
If set to true, instructs CacheServe to return the values of all tracked statistics, even those with a
value of 0.
reset
Optional
boolean
If set to true, instructs CacheServe to reset all counters to 0 after returning them.
Returns
current-time
float-seconds-since-epoch
memory-in-use
uint64
This value represents the amount of memory requested from the memory allocator and
memory used by the cache; it does not include overhead for allocator bookkeeping, rounding,
fragmentation or free lists.
name
string
reset-time
float-seconds-since-epoch
server-start-time
float-seconds-since-epoch
statistics
{
rate-limited-requests => uint64
recursion-contexts-in-use => uint64
requests-no-view => uint64
requests-received => uint64
requests-sent => uint64
responses-received => uint64
responses-sent => uint64
tcp-clients => uint64
tcp-requests-sent => uint64
}
system-time
time-in-microseconds
user-time
time-in-microseconds
The amount of user CPU time used since the server started.
Example
cacheserve> server.statistics
{
type => 'server.statistics'
reset-time => '1404287789.143226'
current-time => '1404288409.721157'
server-start-time => '1404287788.816544'
user-time => '1.239811'
system-time => '0.341948'
memory-in-use => '63772684'
statistics => {
}
}
server.unblock-checkpoints
Unblocks any blocked database checkpoints.
server.update
Description and usage
Updates server fields.
Fields
layer
Optional
string
commands-not-logged
Optional
boolean
Specifies whether or not DNSSEC information should be requested and cached when log-
command-channel is enabled.
errors
Optional
string
A read-only field that indicates any problems with a specific object's configuration. errors will
only be present if there's a problem.
listen-on-matching
Optional
({
instances => integer
patterns => (acl-element ...)
port => uint16
} ...)
Configures CacheServe to listen for incoming DNS queries on addresses which match specified
patterns and ports. If no listen-on-matching value is given, CacheServe listens on all interfaces
on the default port (53).If port is 0 or not specified, CacheServe listens on the port specified by
the --dns-port command-line option, which defaults to the standard DNS port of 53.
listen-on-matching can contain multiple elements, which allows different listener ports to be
specified.patterns defaults to an ACL which matches any address.To listen on all interfaces, use
a pattern of 0.0.0.0/0 (IPv4) or ::/0 (IPv6).instances takes advantage of certain relatively new Linux
features, which permit multiple sockets listening on a single address and port. If you have this
capability, set instances to the number of desired UDP sockets.
instances defaults to 0, which configures CacheServe to use the best number of UDP sockets for
maximum concurrency. If instances is set to 0 and the interface is a loopback interface, or an
IPv6 link-local address, only 1 socket will be created.
For example, here's how you specify listen-on-matching to use 16 instances on the IP address
192.168.1.1 and 1 instance on 127.0.0.1, port 5334:
cacheserve> server.update listen-on-matching=({patterns=(192.168.1.1)
instances=16}{patterns=(127.0.0.1) port=5354})
{
type => 'server.update'
}
cacheserve> server.get
{
type => 'server.get'
listen-on-matching => (
{
patterns => ('192.168.1.1/32')
instances => '16'
}
{
patterns => ('127.0.0.1/32')
port => '5354'
}
)
}
log-command-channel
Optional
boolean
Controls whether or not Command Channel messages are logged. When set to true,
commands are logged at the LOG_INFO priority, and large commands are truncated.
max-recursive-clients
Optional
integer
An integer that specifies the maximum number of recursive UDP lookups that can occur at any
one time. The default is 5000, and values over 50,000 are capped at 50,000.
The limit applies equally to recursive lookups coming from UDP clients and lookups that are
generated internally.
max-tcp-clients
Optional
integer
Controls the maximum number of TCP client connections at any one time. The default is 4.
post-edits
Optional
std-layered-edit-operation
pre-edits
Optional
std-layered-edit-operation
server-id
Optional
string-empty-ok
The server ID used to populate the server.id and bind.id values in responses to DNS CH TXT
queries for the server's ID, as well as NSID EDNS responses.
If server-id is empty or set to the literal string "none", CacheServe will refuse all queries for the
server ID, and ignore NSID requests.
server-version
Optional
string-empty-ok
The server version used to populate the version.server and version.bind values in responses to
DNS CH TXT queries for version.server and version.bind.
If server-version is set to the literal string "none", CacheServe will refuse all queries for the
server version. If server-version is empty, CacheServe will respond with the actual software
version.
time-zone
Optional
string
Identifies the timezone CacheServe will use. Values must match an entry in the 'TZ' column of
the IANA tzdb.
versioncheck-interval
Optional
versioncheck-days
Specifies how often CacheServe should check for a newer version. Defaults to 7, with a
minimum of 1 and a maximum of 30.
unset
Optional
string
Note: When unset is invoked upon a field, the field is emptied, and CacheServe will treat the
field as required (for instance, populating the field with a default value if necessary).
stop
Stops CacheServe.
uuid
Retrieves CacheServe's uuid.
version
Retrieves information about CacheServe, including the vendor, product, platform and version
of the running server, as well as a list of currently loaded plugins and their expiration date, if
any.
Returns
product
Required
string
expiration
Optional
string
platform
Optional
string
The platform for which CacheServe was built. This will, with rare exceptions, be the same as the
platform CacheServe is running on, and takes the form OS name-OS version-CPU class
plugins
Optional
string
vendor
Optional
string
view-selector.add
Description and usage
Creates a new view-selector.
Fields
name
Required
string
view
Required
string
destination-address
Optional
addrport
layer
Optional
string
source-address
Optional
addrpat
post-edits
Optional
std-layered-edit-operation
pre-edits
Optional
std-layered-edit-operation
view-selector.delete
Description and usage
Deletes a view-selector.
Fields
destination-address
Optional
addrport
layer
Optional
string
source-address
Optional
addrpat
view-selector.get
Description and usage
Retrieves a view-selector.
Fields
destination-address
Optional
addrport
exclude-fields
Optional
string
fields
Optional
string
layer
Optional
string
source-address
Optional
addrpat
view-selector.list
Description and usage
Lists view-selectors, optionally sorted by various criteria.
Fields
descending
Optional
string
end
Optional
{
destination-address => addrport
source-address => addrpat
}
key
Optional
string
layer
Optional
string
max-results
Optional
integer
skip-first
start
Optional
{
destination-address => addrport
source-address => addrpat
}
view-selector.mget
Description and usage
Retrieves multiple view-selectors.
Fields
descending
Optional
string
end
Optional
{
destination-address => addrport
source-address => addrpat
}
key
Optional
string
layer
Optional
string
max-results
Optional
integer
skip-first
start
Optional
{
destination-address => addrport
source-address => addrpat
}
view-selector.query
Description and usage
Simulates the execution of a query, and returns the view-selector that would match.
Fields
destination-address
Optional
addrport
source-address
Optional
addrpat
Returns
resolver
string
view
string
view-selector
string
view-selector.replace
Description and usage
Replaces values on a view-selector.
Fields
name
Required
string
view
Required
string
destination-address
Optional
addrport
layer
Optional
string
source-address
Optional
addrpat
post-edits
Optional
std-layered-edit-operation
pre-edits
Optional
std-layered-edit-operation
view-selector.update
Description and usage
Updates values for a view-selector.
Fields
name
Required
string
destination-address
Optional
addrport
layer
Optional
string
source-address
Optional
addrpat
post-edits
Optional
std-layered-edit-operation
pre-edits
Optional
std-layered-edit-operation
view
Optional
string
unset
Optional
string
Note: When unset is invoked upon a field, the field is emptied, and CacheServe will treat the
field as required (for instance, populating the field with a default value if necessary).
view.add
Description and usage
Creates a new view.
Fields
name
Required
string
resolver
Required
string
The name of the resolver associated with this view. All DNS operations are performed in the
context of the resolver.
layer
Optional
string
post-edits
Optional
std-layered-edit-operation
pre-edits
Optional
std-layered-edit-operation
time-zone
Optional
string
Identifies the timezone CacheServe will use. Values must match an entry in the 'TZ' column of
the IANA tzdb.
view.delete
Description and usage
Deletes a view.
Fields
name
Required
string
layer
Optional
string
view.get
Description and usage
Retrieves a view.
Fields
name
Required
string
exclude-fields
Optional
string
fields
Optional
string
layer
Optional
string
view.list
Description and usage
Lists views, optionally sorted by various criteria.
Fields
descending
Optional
string
end
Optional
{
name => string
}
key
Optional
string
layer
Optional
string
max-results
Optional
integer
skip-first
start
Optional
{
name => string
}
view.mget
Description and usage
Retrieves multiple views.
Fields
descending
Optional
string
end
Optional
{
name => string
}
exclude-fields
Optional
string
fields
Optional
string
key
Optional
string
layer
Optional
string
max-results
Optional
integer
skip-first
start
Optional
{
name => string
}
view.replace
Description and usage
Replace values on a view.
Fields
name
Required
string
resolver
Required
string
The name of the resolver associated with this view. All DNS operations are performed in the
context of the resolver.
layer
Optional
string
post-edits
Optional
std-layered-edit-operation
pre-edits
Optional
std-layered-edit-operation
time-zone
Optional
string
Identifies the timezone CacheServe will use. Values must match an entry in the 'TZ' column of
the IANA tzdb.
view.update
Description and usage
Updates values on a view.
Fields
name
Required
string
layer
Optional
string
post-edits
Optional
std-layered-edit-operation
pre-edits
Optional
std-layered-edit-operation
time-zone
Optional
string
Identifies the timezone CacheServe will use. Values must match an entry in the 'TZ' column of
the IANA tzdb.
unset
Optional
string
Note: When unset is invoked upon a field, the field is emptied, and CacheServe will treat the
field as required (for instance, populating the field with a default value if necessary).
Returns
name
string
address-node.changed
Indicates that an address-node has been modified.
Returns
address
addrpat
list
string
binding.changed
Indicates that a ratelimiter has been modified.
Returns
policy
string
server
'1'
Indicates that the binding target is the server, and that the binding matches all queries.
view
string
Indicates that the binding target is a view, and that this binding matches all queries handled by
that view.
dns64.changed
Indicates that a dns64 layer has been modified.
Returns
name
string
layer.changed
Signals that a layer has changed.
Returns
name
Required
string
layer.provisioning-connected
Signals that a connection was (re)established to the provisioning server. layer.provisioning-
connected is only sent when a previous layer.provisioning-connection-failure event exists.
Returns
name
Required
string
layer.provisioning-connection-failure
Signals that a connection could not be established with the provisioning server, and that
CacheServe will continue to attempt to connect.
Returns
error
string
name
string
layer.provisioning-disconnected
Signals that the connection to the provisioning server was closed by the remote end of the
connection.
Returns
name
string
layer.provisioning-reimaging
Signals that provisioning is reimaging, either because this is the first synchronization with the
provisioning server, or because the database ID of the provisioning server has changed.
Returns
name
string
layer.provisioning-update-failure
Signals that an update failed.
Returns
error
string
name
string
layer.provisioning-update-success
Signals that an update was successful.
name
string
name-list.changed
Indicates that a name-list has been modified.
Returns
name
string
name-node.changed
Indicates that a ratelimiter has been modified.
Returns
list
string
name
name
policy.changed
Indicates that a policy has been modified.
Returns
name
string
policy.hit
Indicates that a policy matched a query.
Returns
client
addrport
name
string
qname
name
qtype
rdatatype
view
string
ratelimiter.abate
Signals that a previously limited ratelimiter entry has not hit its limit(s) for 5 minutes.
Returns
bps
integer
client-network
addr
client-network-family
ipv4 | ipv6
client-network-mask-length
ipv6netlen
creation-time
float-seconds-since-epoch
entry-creation-time
float-seconds-since-epoch
fields
('client-network' | 'query-name' | 'query-type' ...)
last-limited-time
float-seconds-since-epoch
last-use-time
float-seconds-since-epoch
name
string
qps
integer
query-name
name
query-name-labels
name-label-count
query-type
rdatatype
unenforced
boolean
If this value is set, CacheServe will collect statistics, log messages and events related to rate-
limiting, but will not actually drop or truncate queries.
ratelimiter.changed
Indicates that a ratelimiter has been modified.
Returns
name
string
ratelimiter.onset
Signals that a previously limited ratelimiter entry has hit its limit(s).
Returns
bps
integer
client-network
addr
client-network-family
ipv4 | ipv6
client-network-mask-length
ipv6netlen
creation-time
float-seconds-since-epoch
entry-creation-time
float-seconds-since-epoch
fields
('client-network' | 'query-name' | 'query-type' ...)
last-limited-time
float-seconds-since-epoch
last-use-time
float-seconds-since-epoch
name
string
qps
integer
query-name
name
query-name-labels
name-label-count
query-type
rdatatype
unenforced
boolean
If this value is set, CacheServe will collect statistics, log messages and events related to rate-
limiting, but will not actually drop or truncate queries.
resolver.changed
Indicates that a resolver has been modified.
Returns
name
string
resolver.flush
Indicates that the resolver has flushed its cache.
Returns
name
string
target
('domain' name) | ('name' name)
resolver.id-spoofing-suspected
Indicates that CacheServe suspects an an ID spoofing attack; this event is issued under the
same conditions as the log message enabled by log-id-spoofing.
Returns
name
string
qname
name
qtype
rdatatype
server.changed
Indicates that the server has been modified.
server.configuration-error
Indicates that an error occurred when applying a configuration change.
Returns
errors
string
object
string
server.formerr-loop
Indicates that CacheServe has detected a FORMERR loop with another server. FORMERR loops
consist of servers sending packets back and forth, and usually occur as the result of a
misconfiguration or malicious behavior.
Returns
address
addrport
The address and port of the other end of the FORMERR loop.
server.restart
Indicates that CacheServe is restarting.
server.stop
Indicates that CacheServe is shutting down.
server.tcp-client-limit
Indicates that the number of clients with open TCP connections exceeds the configured value
for max-tcp-clients.
server.udp-recursion-limit
Indicates that the number of UDP queries requiring recursion has exceeded the configured
value of max-recursive-clients.
view-selector.changed
Indicates that a view-selector has been modified.
Returns
destination-address
addrport
The destination address required by the view-selector; all requests must match this value.
If the value includes a port number, the query's destination address must match both the port
number and the address.
source-address
addrport
The source address required by the view-selector; the client sending the request must have an
address originating within this network.
view.changed
Indicates that a view has been modified.
Returns
name
string
ACLs are evaluated by matching an IP address against each ACL element in turn.
An ACL matches if the IP address being evaluated matches the ACL element.
An ACL does not match if the IP address being evaluated either does not match the ACL element,
or the IP address being evaluated doesn't match any ACL element.
To match all IPv4 addresses, use 0.0.0.0/0. To match all IPv6 addresses, use ::/0.
exclude-fields
A string defining the fields to be excluded from a response.
fields
A string defining the fields to be included in a response.
acl-element
An Access Control List.
127.0.0.0/8
or
11:22::/16.
acl-element4
An Access Control List comprised of IPv4 addresses only, like
127.0.0.0/8
acl-element6
An Access Control List comprised of IPv6 addresses only, like
11:22::/16.
addr
An IP address.
addr-or-name
An IP address or domain name.
addr6
An IPv6 address.
addrpat
An IP address with an optional netmask length, expressed as address or address/masklength.
Unless otherwise specified, mask length defaults to the full length of the address: 32 bits for
IPv4, and 128 bits for IPv6.
addrpat6
An IPv6 address with an optional netmask length, expressed as <ad dr> or
<addr>/<masklength>. When no mask length is specified, the mask length is assumed to be the
full length of the address (128 bits). The host portion of the address must be 0.
addrport
An IP address with an (optional) port, expressed as address or address/#port
addrport4
An IPv4 address with an (optional) port, expressed as address or address/#port
addrport6
An IPv6 address with an (optional) port, expressed as address or address/#port
addrrange
A range of IP addresses expressed by a start and end address, separated by "-":
192.168.1.1-192.168.2.1
anonymization-key-file-path
The path to a key file used by CacheServe for client IP anonymization. Defaults to /etc/nom_
ipanon.key.
boolean
A true or false value.
Nominum software, when interpreting a boolean value, accepts the following values for TRUE
(all values are case-insensitive):
l "true"
l "t"
l "yes"
l positive integers
Accepts the following values for FALSE (all values are case-insensitive):
l "false"
l "f"
l "no"
l 0
dns-flag
A DNS header flag.
'aa': Authoritative answer.
dns-rcode
A DNS result code.
FORMERR: Format error.
NOERROR: No error.
NOTAUTH: Not authorized.
NOTIMP: Not implemented.
NOTZONE: Name not contained in zone.
NXDOMAIN: Non-existent domain.
NXRRSET: RRset that should exist does not.
REFUSED: Query refused.
SERVFAIL: Server failure.
YXDOMAIN: Name exists when it should not.
YXRRSET: RRset exists when it should not.
edns-flag
A DNS extended header flag.
'do'
event-name
The name of a Nominum Command Channel event. May be any of the following:
'layer.provisioning-connected'
'layer.provisioning-connection-failure'
'layer.provisioning-disconnected'
'layer.provisioning-reimaging'
'layer.provisioning-update-failure'
'layer.provisioning-update-success'
'policy.hit'
'ratelimiter.hit'
'resolver.flush'
'resolver.id-spoofing-suspected'
'server.configuration-error'
'server.formerr-loop'
'server.restart'
'server.stop'
'server.tcp-client-limit'
'server.udp-recursion-limit'
float-seconds-since-epoch
A floating-point number representing a time in seconds since the UNIX epoch (00:00 UTC,
January 1, 1970).
inspect-delegation-servers
Information about the name service at a delegation point in the cache.
Format:
({
addresses => ({
addresses => ({
address => addr
rtt => integer
} ...)
glue => boolean
immortal => boolean
origin => addr
integer
A 32-bit unsigned integer.
Integers may be signed or unsigned: signed integers may encompass negative numbers,
where unsigned integers may not.
ipv4netlen
A value between 1 and 32, representing the number of bits of for an IPv4 netmask.
ipv6netlen
A value between 1 and 128, representing the number of bits of for an IPv6 netmask.
monitor-log-switch
A Command Channel flag denoting a type of command.
name
A domain name. If the textual input is not a fully-qualified domain name, it will be converted into
an FQDN by using the root domain as the origin.
name-empty-ok
A domain name. If the textual input is not absolute, it will be converted into an absolute name
by using the root domain as the origin, with the exception of '@', which represents the empty
name and will not be made absolute.
name-label-count
A value between 0 and 128, representing the number of labels to retain in a DNS name, starting
from the least specific and moving to most specific.
The root label is included in this count. A value of 0 means to use the entire name, unaltered.
For example, if the DNS name is "www.nominum.com.", a count of 3 would use "nominum.com."
policy-action
Specifies an action to be taken on a query. Some actions only have an effect at certain points in
the query process.
Format:
Synthesizes an answer for a query. The answer is specified as a tuple of rdatatype and rdata,
where:
The returned answer will always have a TTL of 0; if you want a non-zero TTL, use answer-ttl
instead.
('answer-byname' name)
Stage: Prequery, postquery
Synthesizes an answer for a query. name is a DNS name, and CacheServe uses name instead of
the query name when determining the answer. The answer can come from cache, or it can
come as the result of a DNS resolution (as if the name was queried directly).
('answer-byresolver' string)
Stage: Prequery, postquery
Answers the query using the resolver specified by stringinstead of the resolver normally
associated with the query.
'answer-noerror'
Stage: Prequery, postquery
'answer-nxdomain'
Stage: Prequery, postquery
Synthesizes an answer for a query, specified as a tuple of (rdatatype, rdata), with an optional ttl
that affects all records in the answer.
Synthesizes an answer for a query. The answer is specified as a tuple of rdatatype and rdata,
with an optional ttl that affects all records in the answer:
('dns64' string)
Stage: Postquery
Applies DNS64 transformation, if the query is for the AAAA type, and the result is either:
l The name occurs and no AAAA records exist
('dns64-reverse' string)
Stage: Prequery, postquery
If the query is for type PTR and the qname matches the specified dns64 object, applies DNS64
reverse transformation.
'drop'
Stage: All
'no-op'
Stage: All
Do nothing. This is a non-terminal action, and has no effect; this action is useful when you want
to match a policy without taking any action.
'refuse'
Stage: All
'send-event'
Stage: All
Sorts answers according to a defined set of priorities. Priorities are defined as an ordered list of
address-lists, with the first address-list in the list having the highest priority.
The priority of each address in the answer is based on the position of the address-list that
contains it. CacheServe determines which address-list contains an address by either exactly
matching the address, or using the closest matching network.
The boolean denotes 'remove-unmatched', and controls CacheServe's behavior when some
addresses in the answer don't match any address-list:
Stops executing the current set of bindings (defined as all bindings in the current stage in the
query process).
'truncate'
Stage: All
If the query was received over UDP, returns a "truncated" response. If the query was received
over TCP, has no effect.
policy-calendar-selector
A local-time-zone-based policy selector configuration.
Format:
{
end-time => string
not-after => string
not-before => string
start-time => string
time-zone => string
week-days => (string ...)
}
l After not-before
l Prior to not-after
Both not-before and not-after are specified as yyyymmddThhmmss, where yyyy indicates the year,
mm indicates the numeric month, dd indicates the numeric day, T is a literal 'T' acting as a
delimiter, hh indicates the hour (on a 24-hour clock), mm indicates minutes, and ss indicates
seconds.
time-zone is specified as a string that matches an entry in the 'TZ' column of the IANA tzdb.
week-days takes the form of a list of strings denoting the day of the week. Valid week-days are su,
mo, tu, we, th, fr, and sa.
policy-result-type
The result of a policy.
Format:
'cname' | 'dname' | 'failure' | 'noerror' | 'nxdomain' | 'nxrrset'
Result Description
cname The lookup resulted in a CNAME, which will be followed.
dname The lookup resulted in a DNAME, which will be followed.
failure The lookup failed, which results in a SERVFAIL response.
The lookup succeeded: the queried name exists and records of the queried type
noerror
exist at the queried name.
nxdomain The lookup resulted in an NXDOMAIN response: the queried name does not exist.
The lookup resulted in an NOERROR/NODATA response: the queried name exists
nxrrset
but there are no records of the queried type.
policy-selector
Criteria for selecting a policy to apply to a query. It's important to note that some selectors have
an effect only at certain points in the query process.
Format:
Compound selector; matches only if all selectors in the set of selectors match.
('answer-address' string)
Stage: Postquery
Matches if the response contains A or AAAA records, and any address in the set of responses
matches an IP address or a network on the list.
('client-address' string)
Stage: All
Matches if the client address matches an IP address or network in the specified acl-element.
'initial-qname'
Stage: All
Matches if the current query name matches the query name in the received packet (no CNAME
or DNAME has been followed).
('not' (policy-selector))
Stage: All
Matches if the query has the corresponding flag set. RD, AD and CD correspond to flags in the
DNS header. DO corresponds to the extended flag in the EDNS OPT record. EDNS corresponds
to the presence of an EDNS OPT record.
Matches if the query name matches an entry on the name-list. exact specifies an exact match,
exact-or-www specifies an exact match where the www prefix, if present, is ignored, and
subdomain specifies a subdomain match.
l prequery or postquery, the selector refers to the current query name, which may be the
result of a followed CNAME or DNAME.
l presend, the selector refers to the query name from the DNS packet.
('qname-is' (name, 'exact' | 'exact-or-www' | 'subdomain'))
Stage: All
Matches if the query name matches name. exact specifies an exact match, exact-or-www specifies
an exact match where the www prefix, if present, is ignored, and subdomain specifies a
subdomain match.
l prequery or postquery, the selector refers to the current query name, which may be the
result of a followed CNAME or DNAME.
l presend, the selector refers to the query name from the DNS packet.
('qname-prefix' string)
Stage: All
l prequery or postquery, the selector refers to the current query name, which may be the
result of a followed CNAME or DNAME.
l presend, the selector refers to the query name from the DNS packet.
('qtype' (rdatatype ...))
Stage: All
('ratelimiter' string)
Stage: All
Matches UDP queries when the TCP and UDP query rate from matched clients exceeds the
thresholds of the specified ratelimiter.
('response-size' uint16)
Stage: Presend
Matches if the size of the response packet is greater than or equal to the specified value.
('server-address' string)
Stage: Postquery
Matches if the address of the authoritative server that originally provided the response
matches an entry in the address-list.
('type-exists-at-qname' rdatatype)
Stage: All
Matches if there are any records of the specified rdatatype at the current query name.
positive-integer
A 32-bit unsigned integer greater than 0.
provisioning-status
Identifies the status of the current provisioning session. The status value indicates the current
status.
Format:
{
current-time => seconds-since-epoch
database-id => string
error => string
last-update => seconds-since-epoch
status => string
versions => {
<name> => string-empty-ok
...
}
}
Status values
Status Description
initial Initializing
connecting Connecting to the provisioning server.
handshake Exchanging handshake with the provisioning server.
wait Waiting for update events.
update Processing an update.
faulted An unrecoverable error has occurred. No provisioning will be attempted.
When a recoverable error occurs (like a connection being dropped), the provisioning client will
close the current connection and start over with the initial state and a fresh session.
Non-recoverable errors create a faulted state, and you'll have to manually intervene to fix them,
either by issuing a layer.clear-fault command or breaking the connection to the provisioning
server.
ratelimiter-statistics
{
all-indications => uint64
current-entry-count => uint64
current-limited-count => uint64
expiring-entry-age => uint64
indications-by-bps => uint64
indications-by-qps => uint64
uses => uint64
}
all-indications
The number of times a ratelimiter has limited a query for any reason.
current-entry-count
The number of ratelimit entry slots in use. This number will increase to the maximum
configured value, and will not typically decrease unless the rate limiter is configured.
If all slots are in use, older ones will be evicted. If the older slots are evicted too quickly,
especially if they are limited when they are evicted, this indicates rate limiting may not be
effective. See expiring-entry-age and current-limited-count for more information.
current-limited-count
The number of ratelimit entry slots which are currently limited.
expiring-entry-age
The time, in microseconds, that a rate limiting tracking entry was last used before it was
destroyed. If this is cycling quickly, it indicates there may not be sufficient rate limiting entries
confgured to effectively enforce rate limiting.
indications-by-bps
The number of times a ratelimiter has limited a query based on the BPS threshold.
indications-by-qps
The number of times a ratelimiter has limited a query based on the QPS threshold.
uses
The number of times the ratelimiter has been asked to make a decision to limit a query or allow
it to proceed.
rdata
DNS RDATA (RFC1035), represented as a text string.
rdataclass
A DNS rdata class. This is typically IN for the Internet class, but other classes such as CH and HS
are also supported.
rdatatype
A DNS rdata type.
report-max-memory-arg
The maximum amount of memory statmon will use to maintain all report intervals for a single
source, in bytes. By default, there is no limit. The minimum permissible value is 1M.
resolver-statistics
{
cache-misses => uint64
dnssec-validations-failure => uint64
dnssec-validations-insecure => uint64
dnssec-validations-success => uint64
id-spoofing-defense-queries => uint64
ignored-referral-lookups => uint64
lookups => uint64
proactive-lookups => uint64
queries => uint64
rate-limited-requests => uint64
recursive-lookups => uint64
requests-sent => uint64
responses-by-rcode =>
{
<rcode> => uint64
...
}
tcp-requests-sent => uint64
}
cache-misses
The number of cache misses that have occurred as part of resolutions. The number of cache
misses is not strictly related to the number of queries received, as one query may result in zero,
one, or multiple cache misses.
dnssec-validations-failure
The number of failed DNSSEC validations.
dnssec-validations-insecure
The number of DNSSEC validations which determined that the data being validated is provably
insecure.
dnssec-validations-success
The number of successful DNSSEC validations.
id-spoofing-defense-queries
The number of times a query has been sent to an authoritative server using TCP instead of
UDP in order to defend against suspected ID spoofing attacks.
ignored-referral-lookups
The number of referrals ignored as part of subdelegation attack defenses. Ignoring some
referrals is a normal part of the server-s defense strategy and does not indicate that the server
is under attack.
lookups
The number of DNS lookups performed by this resolver. This is different from queries because
resolving a single client DNS query can involve multiple lookups due to following CNAME or
DNAME chains, looking up name server addresses and DNSSEC keys, root server priming, etc.
proactive-lookups
The number of proactive DNS queries (that is, queries done as part of prefetching) issued.
queries
The number of queries processed by this resolver.
rate-limited-requests
The number of DNS requests not sent to other DNS servers from this resolver due to server-
based rate-limiting.
recursive-lookups
The number of DNS lookups (as reported in lookups) that could not be satisfied from the cache.
requests-sent
The number of DNS requests sent to other DNS servers from this resolver.
responses-by-rcode
The number of responses sent with each DNS result code (dns-rcode). The most common
rcode values are NOERROR (the name queried for exists), NXDOMAIN (the name queried for
does not exist), and SERVFAIL (a failure occurred processing the request).
tcp-requests-sent
The number of DNS request messages sent to other DNS servers using TCP from this resolver.
This includes TCP requests made due to UDP message truncation as well as those made due to
suspected ID spoofing attacks.
seconds-since-epoch
A 64-bit unsigned integer representing a time in seconds since the epoch (00:00 UCT, January 1,
1970).
server-statistics
{
rate-limited-requests => uint64
recursion-contexts-in-use => uint64
requests-no-view => uint64
requests-received => uint64
requests-sent => uint64
responses-received => uint64
responses-sent => uint64
tcp-clients => uint64
tcp-requests-sent => uint64
}
rate-limited-requests
The number of DNS requests not sent to other DNS servers due to server-based rate-limiting.
recursion-contexts-in-use
The number of clients currently executing recursive DNS lookups. This cannot exceed the limit
configured in the server's max-recursive-clients field.
requests-no-view
The number of DNS requests refused because they did not match any of the configured view-
selectors.
requests-received
The number of DNS requests received from clients.
requests-sent
The number of DNS requests sent to other DNS servers.
responses-received
The number of DNS responses received from other DNS servers.
responses-sent
The number of DNS responses sent to clients.
tcp-clients
The current number of open TCP connections from clients. This cannot exceed the limit
configured in the server's max-tcp-clients field.
tcp-requests-sent
The number of DNS request messages sent to other DNS servers using TCP. This includes TCP
requests made due to UDP message truncation as well as those made due to suspected query
ID spoofing attacks.
sizeval
An integer optionally followed by a scaling factor: K or k for kilobytes, M or m for megabytes, and
G or g for gigabytes, which scale by 1024, 1024*1024, and 1024*1024*1024, respectively.
std-layered-edit-operation
A layered configuration edit operation. Takes the form
('defaults' (string ...)) | ('hide' (string ...))
Parameter Description
The "defaults" edit takes a list of of field names and
sets them back to their default values.
('defaults' (string ...))
If the list is empty, then all fields are reset to their
default values.
('hide' (string ...)) The "hide" edit hides the object.
string
A simple text string.
string-empty-ok
A string which may be empty.
threshold-abate
A 32 bit unsigned integer representing the QPS at which a threshold will become inactive.
threshold-duration
A 32 bit unsigned integer representing the time in seconds over which to track data for a
threshold.
threshold-onset
A 32 bit unsigned integer representing the QPS at which a threshold will become active.
time-in-microseconds
A floating-point number representing a number of seconds with microsecond precision.
time-in-seconds
A 64-bit unsigned integer representing an amount of time in seconds. The integer may be
followed by a scaling factor:
ttl
A DNS TTL. This is similar to a scaled time value, except that it can contain mixed units (1d1h, for
example).
uint16
A 16-bit unsigned integer.
uint64
A 64-bit unsigned integer.
unparsed
Data with no defined structure.
uuid
A universially unique identifier (UUID).
versioncheck-days
An integer between 1 and 30.
policy field 90
address-lists 115
-
additional 256
--channel 56
address 75, 125, 127, 130-131
--configuration 56
address-node field 75
--directory 56
cacheserve-deleteconf option 68
--dns-port 56
cacheserve-dumpconf option 67
--fd-limit 56
cacheserve-editconf option 64
--foreground 57
address-list
--foreground-with-syslog 57
events 75
--help 57
supported fields 74
--license 57
address-list object 73
--no-statmon 57
address-list.add 115
--root 57
address-list.changed 289
--user and 57-58
address-list.delete 116
--statmon-directory 58
address-list.dump 117
--syslog-facility 58
address-list.dump file 117
--usage 58
address-list.get 117
--user 58
address-list.list 118
--root and 57-58
address-list.load 120
--version 59
merging or replacing entries 120
/
source file format 120
/etc/channel.conf 33, 70
address-list.mget 121
A
address-list.replace 123
aa header 306
B C
binding cache
server 78, 134-136, 138, 140, 142, 144 resolver statistic 320
errors 77 --destination-address 69
policy 77 --layer 69
post-edits 78 --list 69
pre-edits 78 --name 69
priority 78 --policy 69
server 78 --server 69
view 79 --source-address 69
when 79 --version 69
--name 67
--object-type 67 --check 66
--output 68 --configuration 66
--policy 68 --layer 66
--server 68 --object-type 66
--source-address 68 --version 66
--view 68 cacheserve-stats 69
--destination-address 64 --channel 56
--layer 64 --configuration 56
--list 64 --directory 56
--name 64 --dns-port 56
--policy 64 --foreground 57
--server 64 --foreground-with-syslog 57
--source-address 64 --help 57
--version 64 --license 57
--view 65 --no-statmon 57
cacheserve-stats 69 client‐network 93
client-network-mask-length example 62
directory events 83
fields 118, 122, 127, 145, 149, 151, 159, 161, how to
167, 171, 176, 185, 194, 196-199, 203,
add an address-list 115
217, 223, 253, 273, 282, 284, 303
control file descriptor use 17
ratelimiter field 93
control recursion contexts 17
ratelimiter object 93
delete an address-list 116
ratelimiter.abate 295
dump the configuration database 66
ratelimiter.onset 297
find monitoring help 22
file descriptors 56
load data into cacheserve 65
if you're running out 17
manage amplification attacks 45
fixing a faulted provisioning session 318
retrieve an address-list 117
flags 254, 257
run cacheserve as a specific user 58
force-resolution 254
run cacheserve under a specific dir-
foreground
ectory 57
cacheserve process argument 57
I
foreground-with-syslog
id-spoofing-defense-queries 320
cacheserve process argument 57
id-spoofing-defense-queries resolver stat-
formatting files for address-list.load 120 istic 320
formatting files for name-list.load 169 ID spoofing 53
FORMERR 306 idle-timeout 80, 146
forward 95, 205, 225, 238 connection field 80
resolver field 95 ignore-first-referral 96, 206, 226, 239
H resolver field 96
K hidden 85
list 76, 89, 125, 127, 129-131, 174, 176-177, log-lame 97, 207, 227, 240
179-181, 187
resolver field 97
address-node field 76
lookups 320
cacheserve-deleteconf option 69
lookups resolver statistic 320
cacheserve-dumpconf option 67
M
cacheserve-editconf option 64
managed-key field 98, 208, 228, 240
name-node field 89
managed-keys 97, 207, 227, 240
list-all
resolver field 97
cacheserve-dumpconf option 67
managed-keys-state 98, 208, 228, 241
listen-on-matching 106, 249, 261, 266
resolver field 98
server field 106
managed keys 98, 208, 228, 240
lists 62
mapped 82, 148, 153, 155
adding a list of domain names 115
dns64 field 81
adding address-lists 115
max-cache-size 98, 209, 228, 241 111, 113, 205, 225, 238, 249, 252, 266
resolver field 98 N
max-client-ttl 99, 209, 229, 241 name 74, 82, 85, 87, 89, 91, 93, 100, 111,
115-117, 120, 122-124, 126, 133, 140,
resolver field 99
143, 147, 149, 152, 154, 157-159, 162-
max-edns-udp-size 99, 209, 229, 242 167, 170, 172-176, 180-181, 184, 194-
resolver field 99 195, 199, 203, 216-218, 220-221, 224,
271, 277, 279-282, 285-286, 290-291
max-ncache-ttl 99, 209, 229, 242
cacheserve-deleteconf option 69
resolver field 99
cacheserve-dumpconf option 67
max-recursive-clients 17, 108, 250, 262,
267 cacheserve-editconf option 64
count 87 list 89
errors 87 name 89
name 87 post-edits 89
post-edits 87 pre-edits 89
pre-edits 87 tag 89
name-lists no-statmon
O platform 270
address-node 75 events 91
dns64 80 policy-selectors
P qflag 315
answer-byresolver 310 post-edits 74, 76, 78, 82, 87, 89, 91, 93, 100,
109, 111, 113, 115, 123-125, 131-133,
answer-noerror 310
141, 143, 148, 154-155, 166, 172-174,
answer-nxdomain 310 180, 182-183, 188, 191, 194, 200, 203,
210, 230, 242, 251, 262, 268, 272, 278-
answer-ttl 310
279, 281, 286-287
dns64 311
address-node field 76
dns64-reverse 311
binding field 78
send-event 311
dns64 field 82
sort-addresses 312
name-list field 87
stop 312
name-node field 89
truncate 312
policy field 91
policy fields
ratelimiter field 93
action 90
resolver field 100
children 90
server field 108
errors 91
view-selector field 113
name 91
view field 111
post-edits 91
pre-edits 74, 76, 78, 82, 87, 89, 91, 93, 100,
pre-edits 91 109, 111, 113, 116, 123-125, 131-132,
134, 141, 143, 148, 154-155, 166, 172-
policy object 90
173, 175, 180, 182-183, 188, 192, 195,
policy.add 182 200, 204, 210, 230, 243, 251, 262, 268,
query-name maximum-entries 93
query-name-labels pre-edits 93
increasing 17 hints 96
responses-received 322
server.add 248 skip-first 119, 122, 128, 130, 138, 140, 151-
152, 160, 162, 169, 171, 178-179, 186-
server.all-errors 252
187, 197, 199, 222, 224, 275-276, 283,
errors field and 74, 76-77, 81, 85, 87, 89, 285
91, 93, 95, 106, 111, 113, 205, 225,
sort-addresses policy action 312
238, 249, 266
source-address 113, 271-273, 277-279
server.block-checkpoints 252
cacheserve-deleteconf option 69
server.changed 299
cacheserve-dumpconf option 68
server.checkpoint 252
cacheserve-editconf option 64
server.configuration-error 299
view-selector fields 113
server.formerr-loop 300
start-time 255
server.get 253
statistics
server.query 253
all-indications 318
client-address 254
cache-misses 320
edns-buffer-size 254
current-entry-count 318
edns-flags 254
current-limited-count 318
flags 254
current-time 201, 236, 264
force-resolution 254
dnssec-validations-failure 320
server.replace 260
dnssec-validations-insecure 320
server.restart 300
dnssec-validations-success 320
server.statistics 263
expiring-entry-age 318
server.stop 300
id-spoofing-defense-queries 320
server.tcp-client-limit 300
ignored-referral-lookups 320
server.udp-recursion-limit 300
indications-by-bps 318
server.unblock-checkpoints 265
indications-by-qps 318
servers 221
view 79, 113, 134-136, 138, 140, 142, 144, view-selector.query 276
256, 258, 271, 277, 280
resolver return 277
binding field 79
view-selector return 277
cacheserve-deleteconf option 69
view return 277
cacheserve-dumpconf option 68
view-selector.replace 277
cacheserve-editconf option 65
view-selector.update 278
events 111
view fields
view-selector field 113
errors 110
view-selector.query return 277
name 111
view-selector
post-edits 111
events 113
pre-edits 111
supported fields 112
time-zone 111
view-selector.query return 277
view.add 280
view-selector fields
view.changed 301
destination-address 112
view.delete 281
errors 112
view.get 282
post-edits 113
view.list 282
pre-edits 113
view.mget 284
source-address 113
view.replace 285
view 113
view.update 286
view-selector object 112
W
view-selector.add 271
what's new
view-selector.changed 300
checkpointing 22
error reporting 22
monitoring 22
binding field 79
YXDOMAIN 306
YXRRSET 306