bind10-guide.xml

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
<!ENTITY mdash  "&#x2014;" >
<!ENTITY % version SYSTEM "version.ent">
%version;
]>

<!--
 - Copyright (C) 2010-2012  Internet Systems Consortium, Inc. ("ISC")
 -
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 -
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->

<book>
  <?xml-stylesheet href="bind10-guide.css" type="text/css"?>

  <bookinfo>
    <title>BIND 10 Guide</title>
    <subtitle>Administrator Reference for BIND 10</subtitle>

    <copyright>
      <year>2010-2012</year><holder>Internet Systems Consortium, Inc.</holder>
    </copyright>

    <abstract>
      <para>BIND 10 is a framework that features Domain Name System
      (DNS) suite and Dynamic Host Configuration Protocol (DHCP)
      servers with development managed by Internet Systems Consortium (ISC).
      It includes DNS libraries, modular components for controlling
      authoritative and recursive DNS servers, and experimental DHCPv4
      and DHCPv6 servers.
      </para>
      <para>
        This is the reference guide for BIND 10 version &__VERSION__;.
        The most up-to-date version of this document (in PDF, HTML,
        and plain text formats), along with other documents for
        BIND 10, can be found at <ulink url="http://bind10.isc.org/docs"/>.
        </para> </abstract>

      <releaseinfo>This is the reference guide for BIND 10 version
        &__VERSION__;.</releaseinfo>

  </bookinfo>

  <preface>
    <title>Preface</title>

    <section id="acknowledgements">
      <title>Acknowledgements</title>

<!-- TODO: acknowledge all sponsors and CNNIC and CZNIC too -->

      <para>ISC would like to acknowledge generous support for
      BIND 10 development of DHCPv4 and DHCPv6 components provided
      by <ulink url="http://www.comcast.com/">Comcast</ulink>.</para>

    </section>

  </preface>

  <chapter id="intro">
    <title>Introduction</title>
    <para>
      BIND is the popular implementation of a DNS server, developer
      interfaces, and DNS tools.
      BIND 10 is a rewrite of BIND 9 and ISC DHCP.
      BIND 10 is written in C++ and Python and provides a modular
      environment for serving, maintaining, and developing DNS and DHCP.
      BIND 10 provides a EDNS0- and DNSSEC-capable authoritative
      DNS server and a caching recursive name server which also
      provides forwarding.
      It also provides experimental DHCPv4 and DHCPv6 servers.
    </para>

    <para>
      This guide covers BIND 10 version &__VERSION__;.
    </para>

    <section>
      <title>Supported Platforms</title>
      <para>
  BIND 10 builds have been tested on (in no particular order)
  Debian GNU/Linux 6 and unstable, Ubuntu 9.10, NetBSD 5,
  Solaris 10 and 11, FreeBSD 7 and 8, CentOS Linux 5.3,
  MacOS 10.6 and 10.7, and OpenBSD 5.1.

  It has been tested on Sparc, i386, and amd64 hardware
  platforms.

        It is planned for BIND 10 to build, install and run on
        Windows and standard Unix-type platforms.
      </para>
    </section>

    <section id="required-software">
      <title>Required Software at Run-time</title>

      <para>
        Running BIND 10 uses various extra software which may
        not be provided in some operating systems' default
        installations nor standard packages collections. You may
        need to install this required software separately.
        (For the build requirements, also see
        <xref linkend="build-requirements"/>.)
      </para>

      <para>
        BIND 10 requires at least Python 3.1
        (<ulink url="http://www.python.org/"/>).
        It also works with Python 3.2.
      </para>

      <para>
        BIND 10 uses the Botan crypto library for C++
        (<ulink url="http://botan.randombit.net/"/>).
        It requires at least Botan version 1.8.
      </para>

      <para>
        BIND 10 uses the log4cplus C++ logging library
        (<ulink url="http://log4cplus.sourceforge.net/"/>).
        It requires at least log4cplus version 1.0.3.
<!-- TODO: It is recommended to use at least version .... -->
      </para>

      <para>
        The authoritative DNS server uses SQLite3
        (<ulink url="http://www.sqlite.org/"/>).
<!-- TODO: is this still required? -->
        It needs at least SQLite version 3.3.9.
      </para>

      <para>
        The <command>b10-ddns</command>, <command>b10-xfrin</command>,
        <command>b10-xfrout</command>, and <command>b10-zonemgr</command>
        components require the libpython3 library and the Python
        _sqlite3.so module (which is included with Python).
        Python modules need to be built for the corresponding Python 3.
      </para>
<!-- TODO: this will change ... -->
    </section>

    <section id="starting_stopping">
      <title>Starting and Stopping the Server</title>

      <para>
        BIND 10 is modular.  Part of this modularity is
        accomplished using multiple cooperating processes which, together,
        provide the server functionality.  This is a change from
        the previous generation of BIND software, which used a
        single process.
      </para>

      <para>
        At first, running many different processes may seem confusing.
        However, these processes are started, stopped, and maintained
        by a single command, <command>bind10</command>.
        This command starts a master process which will start other
        required processes and other processes when configured.
        The processes that may be started by the <command>bind10</command>
        command have names starting with "b10-", including:
      </para>

      <para>

        <itemizedlist>

          <listitem>
            <simpara>
              <command>b10-auth</command> &mdash;
              Authoritative DNS server.
              This process serves DNS requests.
            </simpara>
          </listitem>

          <listitem>
            <simpara>
              <command>b10-cfgmgr</command> &mdash;
              Configuration manager.
              This process maintains all of the configuration for BIND 10.
            </simpara>
          </listitem>

          <listitem>
            <simpara>
              <command>b10-cmdctl</command> &mdash;
              Command and control service.
              This process allows external control of the BIND 10 system.
            </simpara>
          </listitem>

          <listitem>
            <simpara>
              <command>b10-ddns</command> &mdash;
              Dynamic DNS update service.
              This process is used to handle incoming DNS update
              requests to allow granted clients to update zones
	      for which BIND 10 is serving as a primary server.
            </simpara>
          </listitem>

          <listitem>
            <simpara>
              <command>b10-msgq</command> &mdash;
              Message bus daemon.
              This process coordinates communication between all of the other
              BIND 10 processes.
            </simpara>
          </listitem>

          <listitem>
            <simpara>
              <command>b10-resolver</command> &mdash;
              Recursive name server.
              This process handles incoming DNS queries and provides
              answers from its cache or by recursively doing remote lookups.
            </simpara>
          </listitem>

          <listitem>
            <simpara>
              <command>b10-sockcreator</command> &mdash;
              Socket creator daemon.
              This process creates sockets used by
              network-listening BIND 10 processes.
            </simpara>
          </listitem>

          <listitem>
            <simpara>
              <command>b10-stats</command> &mdash;
              Statistics collection daemon.
              This process collects and reports statistics data.
            </simpara>
          </listitem>

          <listitem>
            <simpara>
              <command>b10-stats-httpd</command> &mdash;
              HTTP server for statistics reporting.
              This process reports statistics data in XML format over HTTP.
            </simpara>
          </listitem>

          <listitem>
            <simpara>
              <command>b10-xfrin</command> &mdash;
              Incoming zone transfer service.
              This process is used to transfer a new copy
              of a zone into BIND 10, when acting as a secondary server.
            </simpara>
          </listitem>

          <listitem>
            <simpara>
              <command>b10-xfrout</command> &mdash;
              Outgoing zone transfer service.
              This process is used to handle transfer requests to
              send a local zone to a remote secondary server.
            </simpara>
          </listitem>

          <listitem>
            <simpara>
              <command>b10-zonemgr</command> &mdash;
              Secondary zone manager.
              This process keeps track of timers and other
              necessary information for BIND 10 to act as a slave server.
            </simpara>
          </listitem>

        </itemizedlist>
      </para>

      <para>
        These do not need to be manually started independently.
      </para>

    </section>

    <section id="managing_once_running">
      <title>Managing BIND 10</title>

      <para>
        Once BIND 10 is running, a few commands are used to interact
        directly with the system:
        <itemizedlist>
          <listitem>
            <simpara>
              <command>bindctl</command> &mdash;
              Interactive administration interface.
              This is a low-level command-line tool which allows
              a developer or an experienced administrator to control
              BIND 10.
            </simpara>
          </listitem>
          <listitem>
            <simpara>
              <command>b10-loadzone</command> &mdash;
              Zone file loader.
              This tool will load standard masterfile-format zone files into
              BIND 10.
            </simpara>
          </listitem>
          <listitem>
            <simpara>
              <command>b10-cmdctl-usermgr</command> &mdash;
              User access control.
              This tool allows an administrator to authorize additional users
              to manage BIND 10.
            </simpara>
          </listitem>
  <!-- TODO usermgr -->
        </itemizedlist>
      </para>
    </section>

    <para>
      The tools and modules are covered in full detail in this guide.
<!-- TODO point to these -->
      In addition, manual pages are also provided in the default installation.
    </para>

<!--
bin/
  bindctl*
  host*
lib/
  libauth
  libdns
  libexceptions
  python3.1/site-packages/isc/{cc,config}
sbin/
  bind10
share/
  share/bind10/
    auth.spec
    b10-cmdctl.pem
    bob.spec
    passwd.csv
  man/
var/
  bind10/b10-config.db
-->

    <para>
      BIND 10 also provides libraries and programmer interfaces
      for C++ and Python for the message bus, configuration backend,
      and, of course, DNS. These include detailed developer
      documentation and code examples.
<!-- TODO: DHCP also but no Python yet. -->
<!-- TODO point to this -->
    </para>

  </chapter>

  <chapter id="quickstart">
    <title>Quick start</title>

    <para>
        This quickly covers the standard steps for installing
        and deploying BIND 10.
        For further details, full customizations, and troubleshooting,
        see the respective chapters in the BIND 10 guide.
    </para>

    <section id="quick-start-auth-dns">
      <title>Quick start guide for authoritative DNS service</title>

      <orderedlist>

        <listitem>
          <simpara>
            Install required run-time and build dependencies.
          </simpara>
        </listitem>

        <listitem>
          <simpara>
            Download the BIND 10 source tar file from
            <ulink url="ftp://ftp.isc.org/isc/bind10/"/>.
          </simpara>
        </listitem>

        <listitem>
          <para>Extract the tar file:
          <screen>$ <userinput>gzcat bind10-<replaceable>VERSION</replaceable>.tar.gz | tar -xvf -</userinput></screen>
          </para>
        </listitem>

        <listitem>
          <para>Go into the source and run configure:
            <screen>$ <userinput>cd bind10-<replaceable>VERSION</replaceable></userinput>
  $ <userinput>./configure</userinput></screen>
          </para>
        </listitem>

        <listitem>
          <para>Build it:
            <screen>$ <userinput>make</userinput></screen>
          </para>
        </listitem>

        <listitem>
          <para>Install it as root (to default /usr/local):
            <screen>$ <userinput>make install</userinput></screen>
          </para>
        </listitem>

        <listitem>
          <para>Start the server (as root):
            <screen>$ <userinput>/usr/local/sbin/bind10</userinput></screen>
          </para>
        </listitem>

        <listitem>
          <para>DNS and DHCP components are not started in the default
	    configuration.  In another console, enable the authoritative
	    DNS service (by using the <command>bindctl</command> utility
	    to configure the <command>b10-auth</command> component to
	    run): <screen>$ <userinput>bindctl</userinput></screen>
	    (Login with the provided default username and password.)
            <screen>
&gt; <userinput>config add Boss/components b10-auth</userinput>
&gt; <userinput>config set Boss/components/b10-auth/special auth</userinput>
&gt; <userinput>config set Boss/components/b10-auth/kind needed</userinput>
&gt; <userinput>config commit</userinput>
&gt; <userinput>quit</userinput>
            </screen>
          </para>
        </listitem>

        <listitem>
         <para>Test it; for example:
            <screen>$ <userinput>dig @127.0.0.1 -c CH -t TXT version.bind</userinput></screen>
         </para>
        </listitem>

        <listitem>
          <para>Load desired zone file(s), for example:
            <screen>$ <userinput>b10-loadzone <replaceable>-c '{"database_file": "/usr/local/var/bind10/zone.sqlite3"}'</replaceable> <replaceable>your.zone.example.org</replaceable> <replaceable>your.zone.file</replaceable></userinput></screen>
          </para>
	  (If you use the sqlite3 data source with the default DB
	  file, you can omit the -c option).
        </listitem>

        <listitem>
          <simpara>
            Test the new zone.
          </simpara>
        </listitem>

      </orderedlist>

    </section>

  </chapter>

  <chapter id="installation">
    <title>Installation</title>

    <section id="packages">
      <title>Packages</title>

      <para>
        Some operating systems or software package vendors may
        provide ready-to-use, pre-built software packages for
        the BIND 10 suite.
        Installing a pre-built package means you do not need to
        install build-only prerequisites and do not need to
        <emphasis>make</emphasis> the software.
      </para>

      <para>
        FreeBSD ports, NetBSD pkgsrc, and Debian
        <emphasis>testing</emphasis> package collections provide
        all the prerequisite packages.
      </para>
    </section>

    <section id="install-hierarchy">
      <title>Install Hierarchy</title>
      <para>
        The following is the standard, common layout of the
        complete BIND 10 installation:
        <itemizedlist>
          <listitem>
           <simpara>
              <filename>bin/</filename> &mdash;
              general tools and diagnostic clients.
            </simpara>
          </listitem>
          <listitem>
          <simpara>
            <filename>etc/bind10/</filename> &mdash;
            configuration files.
          </simpara>
          </listitem>
          <listitem>
            <simpara>
              <filename>lib/</filename> &mdash;
              libraries and python modules.
            </simpara>
          </listitem>
          <listitem>
            <simpara>
              <filename>libexec/bind10/</filename> &mdash;
              executables that a user wouldn't normally run directly and
              are not run independently.
              These are the BIND 10 modules which are daemons started by
              the <command>bind10</command> tool.
            </simpara>
          </listitem>
          <listitem>
            <simpara>
              <filename>sbin/</filename> &mdash;
              commands used by the system administrator.
            </simpara>
          </listitem>
          <listitem>
            <simpara>
              <filename>share/bind10/</filename> &mdash;
              configuration specifications.
            </simpara>
          </listitem>
          <listitem>
            <simpara>
              <filename>share/doc/bind10/</filename> &mdash;
              this guide and other supplementary documentation.
            </simpara>
          </listitem>
          <listitem>
            <simpara>
              <filename>share/man/</filename> &mdash;
              manual pages (online documentation).
            </simpara>
          </listitem>
          <listitem>
            <simpara>
              <filename>var/bind10/</filename> &mdash;
              data source and configuration databases.
            </simpara>
          </listitem>
        </itemizedlist>
      </para>
    </section>

    <section id="build-requirements">
      <title>Building Requirements</title>

        <para>
          In addition to the run-time requirements (listed in
          <xref linkend="required-software"/>), building BIND 10
          from source code requires various development include headers and
          program development tools.
        </para>

        <note>
          <simpara>
            Some operating systems have split their distribution packages into
            a run-time and a development package.  You will need to install
            the development package versions, which include header files and
            libraries, to build BIND 10 from source code.
          </simpara>
        </note>

        <para>
          Building from source code requires the Boost
          build-time headers
          (<ulink url="http://www.boost.org/"/>).
          At least Boost version 1.35 is required.
  <!-- TODO: we don't check for this version -->
  <!-- NOTE: jreed has tested with 1.34, 1.38, and 1.41. -->
        </para>

        <para>
          To build BIND 10, also install the Botan (at least version
          1.8) and the log4cplus (at least version 1.0.3)
          development include headers.
        </para>

<!--
TODO
Debian and Ubuntu:
 libgmp3-dev and libbz2-dev required for botan too
-->

<!-- NOTE: _sqlite3 is only needed at test time; it is already listed
as a dependency earlier -->

        <para>
          Building BIND 10 also requires a C++ compiler and
          standard development headers, make, and pkg-config.
          BIND 10 builds have been tested with GCC g++ 3.4.3, 4.1.2,
          4.1.3, 4.2.1, 4.3.2, and 4.4.1; Clang++ 2.8; and Sun C++ 5.10.
        </para>

        <para>
          Visit the user-contributed wiki at <ulink
          url="http://bind10.isc.org/wiki/SystemSpecificNotes" />
          for system-specific installation tips.
        </para>

    </section>

    <section id="install">
      <title>Installation from source</title>
      <para>
        BIND 10 is open source software written in C++ and Python.
        It is freely available in source code form from ISC as a
        downloadable tar file or via BIND 10's Git code revision control
        service. (It may also be available in pre-compiled ready-to-use
        packages from operating system vendors.)
      </para>

      <section>
        <title>Download Tar File</title>
        <para>
          Downloading a release tar file is the recommended method to
          obtain the source code.
        </para>

        <para>
          The BIND 10 releases are available as tar file downloads from
          <ulink url="ftp://ftp.isc.org/isc/bind10/"/>.
          Periodic development snapshots may also be available.
        </para>
  <!-- TODO -->
      </section>

      <section>
        <title>Retrieve from Git</title>
        <para>
          Downloading this "bleeding edge" code is recommended only for
          developers or advanced users.  Using development code in a production
          environment is not recommended.
        </para>

        <note>
          <para>
            When using source code retrieved via Git, additional
            software will be required:  automake (v1.11 or newer),
            libtoolize, and autoconf (2.59 or newer).
            These may need to be installed.
          </para>
        </note>

        <para>
          The latest development code (and temporary experiments
          and un-reviewed code) is available via the BIND 10 code revision
          control system. This is powered by Git and all the BIND 10
          development is public.
          The leading development is done in the <quote>master</quote>
          branch.
        </para>
        <para>
          The code can be checked out from
          <filename>git://git.bind10.isc.org/bind10</filename>;
          for example:

        <screen>$ <userinput>git clone git://git.bind10.isc.org/bind10</userinput></screen>
        </para>

        <para>
          When checking out the code from
          the code version control system, it doesn't include the
          generated configure script, Makefile.in files, nor their
          related build files.
          They can be created by running <command>autoreconf</command>
          with the <option>--install</option> switch.
          This will run <command>autoconf</command>,
          <command>aclocal</command>,
          <command>libtoolize</command>,
          <command>autoheader</command>,
          <command>automake</command>,
          and related commands.
        </para>

      </section>


      <section id="configure">
        <title>Configure before the build</title>
        <para>
          BIND 10 uses the GNU Build System to discover build environment
          details.
          To generate the makefiles using the defaults, simply run:
          <screen>$ <userinput>./configure</userinput></screen>
        </para>
        <para>
          Run <command>./configure</command> with the <option>--help</option>
          switch to view the different options. Some commonly-used options are:

          <variablelist>

          <varlistentry>
            <term>--prefix</term>
            <listitem>
              <simpara>Define the installation location (the
                default is <filename>/usr/local/</filename>).
              </simpara>
            </listitem>
          </varlistentry>

          <varlistentry>
            <term>--with-boost-include</term>
            <listitem>
              <simpara>Define the path to find the Boost headers.
              </simpara>
            </listitem>
          </varlistentry>

          <varlistentry>
            <term>--with-pythonpath</term>
            <listitem>
              <simpara>Define the path to Python 3.1 if it is not in the
                standard execution path.
              </simpara>
            </listitem>
          </varlistentry>

          <varlistentry>
            <term>--with-gtest</term>
            <listitem>
              <simpara>Enable building the C++ Unit Tests using the
                Google Tests framework. Optionally this can define the
                path to the gtest header files and library.
              </simpara>
            </listitem>
          </varlistentry>

          <varlistentry>
            <term>--with-dhcp-mysql</term>
            <listitem>
              <simpara>Enable MySQL support for BIND 10 DHCP. For notes on configuring
              and building DHCP with MySQL see <xref linkend="dhcp-install-configure">.</xref>
              </simpara>
            </listitem>
          </varlistentry>

          </variablelist>

        </para>
  <!-- TODO: lcov -->

        <para>
          For example, the following configures it to
    find the Boost headers, find the
    Python interpreter, and sets the installation location:

          <screen>$ <userinput>./configure \
      --with-boost-include=/usr/pkg/include \
      --with-pythonpath=/usr/pkg/bin/python3.1 \
      --prefix=/opt/bind10</userinput></screen>
        </para>

        <para>
          If the configure fails, it may be due to missing or old
          dependencies.
        </para>


      </section>

      <section>
        <title>Build</title>
        <para>
    After the configure step is complete, to build the executables
    from the C++ code and prepare the Python scripts, run:

          <screen>$ <userinput>make</userinput></screen>
        </para>
      </section>

      <section>
        <title>Install</title>
        <para>
          To install the BIND 10 executables, support files,
          and documentation, run:
          <screen>$ <userinput>make install</userinput></screen>
        </para>
        <note>
          <para>The install step may require superuser privileges.</para>
        </note>
        <para>
	  If required, run <command>ldconfig</command> as root with
	  <filename>/usr/local/lib</filename> (or with ${prefix}/lib if
	  configured with --prefix) in
	  <filename>/etc/ld.so.conf</filename> (or the relevant linker
	  cache configuration file for your OS):
	  <screen>$ <userinput>ldconfig</userinput></screen>
        </para>
        <note>
          <para>
	    If you do not run <command>ldconfig</command> where it is
	    required, you may see errors like the following:
            <screen>
	      program: error while loading shared libraries: libb10-something.so.1:
	      cannot open shared object file: No such file or directory
	    </screen>
	  </para>
        </note>
      </section>

  <!-- TODO: tests -->

    </section>

  <!--
      <section id="install.troubleshooting">
        <title>Troubleshooting</title>
        <para>
        </para>
      </section>
  -->

  </chapter>

  <chapter id="bind10">
    <title>Starting BIND 10 with <command>bind10</command></title>
    <para>
      BIND 10 provides the <command>bind10</command> command which
      starts up the required processes.
      <command>bind10</command>
      will also restart some processes that exit unexpectedly.
      This is the only command needed to start the BIND 10 system.
    </para>

    <para>
      After starting the <command>b10-msgq</command> communications channel,
      <command>bind10</command> connects to it,
      runs the configuration manager, and reads its own configuration.
      Then it starts the other modules.
    </para>

    <para>
      The <command>b10-sockcreator</command>, <command>b10-msgq</command> and
      <command>b10-cfgmgr</command>
      services make up the core. The <command>b10-msgq</command> daemon
      provides the communication channel between every part of the system.
      The <command>b10-cfgmgr</command> daemon is always needed by every
      module, if only to send information about themselves somewhere,
      but more importantly to ask about their own settings, and
      about other modules. The <command>b10-sockcreator</command> daemon
      helps allocate Internet addresses and ports as needed for BIND 10
      network services.
    </para>

    <para>
      In its default configuration, the <command>bind10</command>
      master process will also start up
      <command>b10-cmdctl</command> for administration tools to
      communicate with the system, and
      <command>b10-stats</command> for statistics collection.
      The DNS and DHCP servers are not started by default.
      The configuration of components to start is covered in
      <xref linkend="bind10.components"/>.
    </para>

    <section id="start">
      <title>Starting BIND 10</title>
      <para>
        To start the BIND 10 service, simply run <command>bind10</command>
        as root.
        It will run in the foreground and your shell prompt will not
        be available. It will output various log messages as it starts up
        and is used.
        Run it with the <option>--verbose</option> switch to
        get additional debugging or diagnostic output.
      </para>

<!-- TODO: user switch -->

<!-- TODO:  example:  nohup /usr/local/sbin/bind10 1>bind10.log 2>&1 -->

      <note>
        <para>
          If the setproctitle Python module is detected at start up,
          the process names for the Python-based daemons will be renamed
          to better identify them instead of just <quote>python</quote>.
          This is not needed on some operating systems.
        </para>
      </note>

    </section>

  </chapter>

  <chapter id="msgq">
    <title>Command channel</title>

      <para>
        The BIND 10 components use the <command>b10-msgq</command>
        message routing daemon to communicate with other BIND 10 components.
        The <command>b10-msgq</command> implements what is called the
        <quote>Command Channel</quote>.
        Processes intercommunicate by sending messages on the command
        channel.
        Example messages include shutdown, get configurations, and set
        configurations.
        This Command Channel is not used for DNS message passing.
        It is used only to control and monitor the BIND 10 system.
      </para>

      <para>
        Administrators do not communicate directly with the
        <command>b10-msgq</command> daemon.
        By default, BIND 10 uses a UNIX domain socket file named
        <filename>/usr/local/var/bind10/msg_socket</filename>
        for this interprocess communication.
      </para>

  </chapter>

  <chapter id="cfgmgr">
    <title>Configuration manager</title>

      <para>
         The configuration manager, <command>b10-cfgmgr</command>,
         handles all BIND 10 system configuration.  It provides
         persistent storage for configuration, and notifies running
         modules of configuration changes.
      </para>

      <para>
        The <command>b10-auth</command> and <command>b10-xfrin</command>
        daemons and other components receive their configurations
        from the configuration manager over the <command>b10-msgq</command>
        command channel.
      </para>

      <para>The administrator doesn't connect to it directly, but
        uses a user interface to communicate with the configuration
        manager via <command>b10-cmdctl</command>'s REST-ful interface.
        <command>b10-cmdctl</command> is covered in <xref linkend="cmdctl"/>.
      </para>

<!-- TODO -->
      <note>
        <para>
          The current release only provides
          <command>bindctl</command> as a user interface to
          <command>b10-cmdctl</command>.
          Upcoming releases will provide another interactive command-line
          interface and a web-based interface.
        </para>
      </note>

      <para>
        The <command>b10-cfgmgr</command> daemon can send all
        specifications and all current settings to the
        <command>bindctl</command> client (via
        <command>b10-cmdctl</command>).
        <command>b10-cfgmgr</command> relays configurations received
        from <command>b10-cmdctl</command> to the appropriate modules.
      </para>
<!-- TODO:
        Configuration settings for itself are defined as ConfigManager.
TODO: show examples
-->

<!-- TODO:
config changes are actually commands to cfgmgr
-->

<!-- TODO: what about run time config to change this? -->
<!-- jelte: > config set cfgmgr/config_database <file> -->
<!-- TODO: what about command line switch to change this? -->
      <para>
        The stored configuration file is at
        <filename>/usr/local/var/bind10/b10-config.db</filename>.
        (The directory is what was defined at build configure time for
        <option>--localstatedir</option>.
        The default is <filename>/usr/local/var/</filename>.)
        The format is loosely based on JSON and is directly parseable
        python, but this may change in a future version.
        This configuration data file is not manually edited by the
        administrator.
      </para>

<!--

Well the specfiles have a more fixed format (they must contain specific
stuff), but those are also directly parseable python structures (and
'coincidentally', our data::element string representation is the same)

loosely based on json, tweaked to be directly parseable in python, but a
subset of that.
wiki page is http://bind10.isc.org/wiki/DataElementDesign

nope, spec files are written by module developers, and db should be done
through bindctl and friends

-->

    <para>
      The configuration manager does not have any command line arguments.
      Normally it is not started manually, but is automatically
      started using the <command>bind10</command> master process
      (as covered in <xref linkend="bind10"/>).
    </para>

<!-- TODO: upcoming plans:
configuration for configuration manager itself. And perhaps we might
change the messaging protocol, but an admin should never see any of that
-->

<!-- TODO: show examples, test this -->
<!--
, so an admin can simply run bindctl,
do config show, and it shows all modules; config show >module> shows all
options for that module
-->

  </chapter>

  <chapter id="cmdctl">
    <title>Remote control daemon</title>

    <para>
      <command>b10-cmdctl</command> is the gateway between
      administrators and the BIND 10 system.
      It is a HTTPS server that uses standard HTTP Digest
      Authentication for username and password validation.
      It provides a REST-ful interface for accessing and controlling
      BIND 10.
    </para>
<!-- TODO: copy examples from wiki, try with wget -->

    <para>
      When <command>b10-cmdctl</command> starts, it firsts
      asks <command>b10-cfgmgr</command> about what modules are
      running and what their configuration is (over the
      <command>b10-msgq</command> channel). Then it will start listening
      on HTTPS for clients &mdash; the user interface &mdash; such
      as <command>bindctl</command>.
    </para>

    <para>
      <command>b10-cmdctl</command> directly sends commands
      (received from the user interface) to the specified component.
      Configuration changes are actually commands to
      <command>b10-cfgmgr</command> so are sent there.
    </para>

<!--
TODO:
"For bindctl to list a module's available configurations and
available commands, it communicates over the cmdctl REST interface.
cmdctl then asks cfgmgr over the msgq command channel. Then cfgmgr
asks the module for its specification and also cfgmgr looks in its
own configuration database for current values."

(05:32:03) jelte: i think cmdctl doesn't request it upon a incoming
GET, but rather requests it once and then listens in for updates,
but you might wanna check with likun
-->

<!-- TODO: replace /usr/local -->
<!-- TODO: permissions -->
    <para>The HTTPS server requires a private key,
      such as a RSA PRIVATE KEY.
      The default location is at
      <filename>/usr/local/etc/bind10/cmdctl-keyfile.pem</filename>.
      (A sample key is at
      <filename>/usr/local/share/bind10/cmdctl-keyfile.pem</filename>.)
      It also uses a certificate located at
      <filename>/usr/local/etc/bind10/cmdctl-certfile.pem</filename>.
      (A sample certificate is at
      <filename>/usr/local/share/bind10/cmdctl-certfile.pem</filename>.)
      This may be a self-signed certificate or purchased from a
      certification authority.
    </para>

    <note><para>
      The HTTPS server doesn't support a certificate request from a
      client (at this time).
<!-- TODO: maybe allow request from server side -->
      The <command>b10-cmdctl</command> daemon does not provide a
      public service. If any client wants to control BIND 10, then
      a certificate needs to be first received from the BIND 10
      administrator.
      The BIND 10 installation provides a sample PEM bundle that matches
      the sample key and certificate.
    </para></note>
<!-- TODO: cross-ref -->

<!-- TODO
openssl req -new -x509 -keyout server.pem -out server.pem -days 365 -nodes
but that is a single file, maybe this should go back to that format?
-->

<!--
    <para>
(08:20:56) shane: It is in theory possible to run without cmdctl.
(08:21:02) shane: I think we discussed this.
    </para>
-->

<!-- TODO: Please check https://bind10.isc.org/wiki/cmd-ctrld -->


    <para>
      The <command>b10-cmdctl</command> daemon also requires
      the user account file located at
      <filename>/usr/local/etc/bind10/cmdctl-accounts.csv</filename>.
      This comma-delimited file lists the accounts with a user name,
      hashed password, and salt.
      (A sample file is at
      <filename>/usr/local/share/bind10/cmdctl-accounts.csv</filename>.
      It contains the user named <quote>root</quote> with the password
      <quote>bind10</quote>.)
    </para>

    <para>
      The administrator may create a user account with the
      <command>b10-cmdctl-usermgr</command> tool.
    </para>
<!-- TODO: show example -->

<!-- TODO: does cmdctl need to be restarted to change cert or key
or accounts database -->

    <para>
      By default the HTTPS server listens on the localhost port 8080.
      The port can be set by using the <option>--port</option> command line option.
      The address to listen on can be set using the <option>--address</option> command
      line argument.
      Each HTTPS connection is stateless and times out in 1200 seconds
      by default.  This can be
      redefined by using the <option>--idle-timeout</option> command line argument.
    </para>

    <section id="cmdctl.spec">
      <title>Configuration specification for b10-cmdctl</title>
      <para>
        The configuration items for <command>b10-cmdctl</command> are:
        <varname>accounts_file</varname> which defines the path to the
        user accounts database (the default is
        <filename>/usr/local/etc/bind10/cmdctl-accounts.csv</filename>);
        <varname>cert_file</varname> which defines the path to the
        PEM certificate file (the default is
        <filename>/usr/local/etc/bind10/cmdctl-certfile.pem</filename>);
        and
	<varname>key_file</varname> which defines the path to the
	PEM private key file (the default is
        <filename>/usr/local/etc/bind10/cmdctl-keyfile.pem</filename>).
      </para>

    </section>

<!--
TODO
(12:21:30) jinmei: I'd like to have sample session using a command line www client such as wget
-->

  </chapter>

  <chapter id="bindctl">
    <title>Control and configure user interface</title>

    <note><para>
      For the current release, <command>bindctl</command>
      is the only user interface. It is expected that upcoming
      releases will provide another interactive command-line
      interface and a web-based interface for controlling and
      configuring BIND 10.
    </para></note>

    <note><para>
      <command>bindctl</command> has an internal command history, as
      well as tab-completion for most of the commands and arguments.
      However, these are only enabled if the python readline module
      is available on the system. If not, neither of these
      features will be supported.
    </para></note>

    <para>
      The <command>bindctl</command> tool provides an interactive
      prompt for configuring, controlling, and querying the BIND 10
      components.
      It communicates directly with a REST-ful interface over HTTPS
      provided by <command>b10-cmdctl</command>. It doesn't
      communicate to any other components directly.
    </para>

    <section id="bindctl_commandline_options">
        <title>bindctl command-line options</title>
        <variablelist>
          <varlistentry>
            <term>-a <replaceable>&lt;address&gt;</replaceable>, --address=<replaceable>&lt;address&gt;</replaceable></term>
            <listitem>
              <simpara>
                  IP address that BIND 10's <command>b10-cmdctl</command>
                  module is listening on. By default, this is 127.0.0.1.
              </simpara>
            </listitem>
          </varlistentry>
          <varlistentry>
            <term>-c <replaceable>&lt;certificate file&gt;</replaceable>, --certificate-chain=<replaceable>&lt;certificate file&gt;</replaceable></term>
            <listitem>
              <simpara>
                  PEM-formatted server certificate file. When this option is
                  given, <command>bindctl</command> will verify the server
                  certificate using the given file as the root of the
                  certificate chain. If not specified, <command>bindctl
                  </command> does not validate the certificate.
              </simpara>
            </listitem>
          </varlistentry>
          <varlistentry>
            <term>--csv-file-dir=<replaceable>&lt;csv file&gt;</replaceable></term>
            <listitem>
              <simpara>
                  <command>bindctl</command> stores the username and