Professional Documents
Culture Documents
Administrator's Manual
December 8, 2016 7.2.0
Copyright ©2002-2017 Nominum, Inc. - All Rights Reserved
This software and documentation is subject to and made available pursuant to the terms
of the Nominum License Agreement, and may be used or copied only in accordance with
the terms of that Agreement. This manual, in whole or in part, may not be reproduced,
translated or reduced to any machine-readable form without prior written approval from
Nominum, Incorporated.
Nominum, Incorporated
800 Bridge Parkway
Suite 100
Redwood City, CA 94065
USA
http://www.nominum.com
Chapter 1: Introduction 44
About N2 Connect 44
High performance 45
In more detail 47
action 50
address-list 50
address-node 50
auth-monitoring 51
auth-server-list 51
auth-server-node 51
auth-server-node 51
2 NOMINUM CONFIDENTIAL
3 Table of Contents
binding 51
connection 52
device-list 52
device-node 52
dns64 52
layer 53
monitoring 53
name-group 54
name-list 54
name-node 54
policy 54
ratelimiter 55
resolver 55
selector 55
server 55
telemetry 55
view 56
view-selector 56
Engine Interaction 58
add 60
delete 60
get 60
list 60
mget 60
replace 61
Updating objects 61
+/Append 61
-/Remove 61
Interactive Mode 62
Policy Manager 66
Kafka 67
The details 70
In summary 71
Performance tuning 71
Use a recommended OS 71
Process tuning 72
NXDOMAIN redirection 76
Chapter 8: Ratelimiting 84
Simple rate-limiting 84
In CacheServe 5 84
In CacheServe 7 84
Prefetch extension 93
Extension entries 93
How it works 95
Configuration 95
Statistics 96
Caveats 99
Background 101
Managers 104
Agents 105
MIBs 105
snmpagent 106
Synopsis 106
Options 106
--channel 122
--directory 122
--dns-port 123
--fd-limit 123
--license 124
--no-statmon 124
--statmon-directory 124
--tcp-acl 125
--udp-acl 125
--usage 125
cacheserve-deleteconf 132
cacheserve-dumpconf 134
cacheserve-editconf 136
cacheserve-loadconf 138
cacheserve-stats 140
Options 140
Statistics 142
action 144
Commands 144
Events 146
address-list 146
Commands 146
Events 149
address-node 149
Events 151
auth-server-list 151
Commands 151
Events 153
auth-server-node 153
Commands 153
Events 155
binding 155
Events 158
connection 158
device-list 159
Commands 159
Events 161
device-node 161
Events 163
dns64 163
Events 166
layer 166
Events 169
name-group 170
Events 172
name-list 172
Events 173
name-node 174
Events 175
policy 175
Events 178
ratelimiter 178
Events 180
resolver 180
Events 194
selector 195
Events 196
server 197
Events 202
telemetry 202
Events 204
view 204
Events 206
view-selector 206
Events 209
action.add 210
Fields 210
Examples 211
action.count 211
Fields 211
Returns 211
action.delete 211
Fields 212
Examples 212
action.get 212
Fields 212
Examples 213
action.list 213
Fields 213
Examples 214
action.mget 215
Fields 215
Examples 216
action.replace 216
Fields 217
action.update 218
Examples 219
address-list.add 219
Fields 219
Examples 221
address-list.delete 221
Fields 221
Examples 221
address-list.dump 221
Fields 222
Examples 222
address-list.get 222
Fields 222
Examples 223
address-list.list 223
Fields 223
Examples 224
address-list.load 225
Fields 225
Examples 226
address-list.mget 226
Fields 226
Examples 227
address-list.replace 228
Fields 228
address-list.update 229
Examples 231
address-node.add 231
Fields 231
address-node.delete 232
Fields 232
address-node.get 233
Fields 233
address-node.list 234
Fields 234
address-node.mget 235
Fields 235
address-node.replace 236
Fields 236
address-node.update 237
Fields 238
auth-server-list.add 239
Fields 239
auth-server-list.delete 240
Fields 240
Examples 241
auth-server-list.get 241
Fields 241
Examples 242
auth-server-list.list 242
Fields 242
Examples 243
auth-server-list.mget 243
Fields 243
Examples 245
auth-server-list.replace 245
Fields 245
auth-server-list.update 246
Examples 247
auth-server-node.add 248
Fields 248
Examples 250
auth-server-node.delete 250
Fields 250
Examples 250
auth-server-node.get 251
Fields 251
auth-server-node.list 252
Fields 252
auth-server-node.mget 253
Fields 253
auth-server-node.replace 255
Fields 255
auth-server-node.update 257
binding.add 259
Fields 259
binding.delete 261
Fields 261
binding.get 262
Fields 262
binding.list 263
Fields 263
binding.mget 265
Fields 265
binding.replace 266
Fields 267
binding.update 269
Fields 269
connection.get 271
Fields 271
connection.replace 272
Fields 272
connection.subscribe-all 272
connection.update 272
Fields 272
device-list.add 273
Fields 273
Examples 274
device-list.count 274
Fields 274
Returns 275
device-list.delete 275
Fields 275
Examples 275
device-list.get 275
Fields 276
Examples 276
device-list.list 276
Fields 277
Examples 278
device-list.mget 278
Fields 278
Examples 279
device-list.replace 280
Fields 280
device-list.update 281
Examples 282
device-node.add 282
Fields 282
device-node.count 283
Fields 283
Returns 284
device-node.delete 284
Fields 284
Examples 285
device-node.get 285
Fields 285
device-node.list 286
Fields 286
Returns 287
device-node.mget 288
Fields 288
device-node.replace 290
Fields 290
device-node.update 291
Fields 291
dns64.add 292
Fields 292
dns64.delete 294
Fields 294
dns64.get 295
Fields 295
dns64.list 295
Fields 296
dns64.mget 297
Fields 297
dns64.replace 299
Fields 299
dns64.update 301
Fields 301
instance-information 303
Returns 303
layer.add 303
Fields 303
Examples 305
layer.clear-fault 305
Fields 305
layer.delete 305
Fields 306
layer.get 306
Fields 306
layer.list 306
Fields 307
layer.mget 308
Fields 308
layer.reimage 309
Fields 309
layer.replace 309
Fields 310
layer.update 311
Fields 311
name-group.add 313
Fields 313
name-group.count 314
Fields 314
Returns 314
name-group.delete 314
Fields 314
Examples 315
name-group.get 315
Fields 315
Examples 316
name-group.list 316
Fields 316
Examples 317
name-group.mget 317
Fields 317
Examples 319
name-group.replace 319
Fields 319
name-group.update 320
Examples 322
name-list.add 322
Fields 322
name-list.delete 323
Fields 323
name-list.dump 323
Fields 324
name-list.get 324
Fields 324
name-list.list 325
Fields 325
name-list.load 326
Fields 327
Examples 327
name-list.mget 327
Fields 327
name-list.replace 329
Fields 329
name-list.update 330
Fields 330
name-node.add 331
Fields 331
name-node.delete 332
Fields 332
name-node.get 333
Fields 333
name-node.list 334
Fields 334
name-node.mget 336
Fields 336
name-node.replace 338
Fields 338
name-node.update 339
Fields 339
policy.add 341
Fields 341
policy.delete 343
Fields 343
policy.get 343
Fields 343
policy.list 344
Fields 344
policy.mget 345
Fields 345
policy.replace 347
Field 347
policy.simulate 349
Fields 349
Returns 350
policy.update 350
Fields 351
Examples 352
process-information 352
Returns 353
ratelimiter.add 354
Fields 354
ratelimiter.delete 356
Fields 356
ratelimiter.get 356
Fields 356
ratelimiter.list 357
Fields 357
ratelimiter.mget 358
Fields 359
ratelimiter.limited 360
Fields 360
ratelimiter.replace 362
Fields 363
ratelimiter.statistics 364
Fields 365
Returns 365
ratelimiter.update 366
Fields 366
resolver.add 368
Fields 369
resolver.delete 381
Fields 381
resolver.flush 381
Fields 381
resolver.get 382
Fields 382
resolver.inspect 382
Fields 383
Returns 383
resolver.inspect-delegation 386
Fields 386
Returns 387
resolver.inspect-forwarders 388
Fields 388
Returns 388
resolver.list 389
Fields 389
resolver.mget 390
Fields 390
resolver.recursing 392
Fields 392
Returns 392
resolver.replace 392
Fields 392
resolver.statistics 404
Fields 404
Returns 404
resolver.update 406
Fields 406
restart 417
selector.add 418
Fields 418
selector.delete 419
Fields 419
selector.get 420
Fields 420
selector.list 420
Fields 420
Returns 422
selector.mget 422
Fields 422
selector.replace 423
Fields 424
selector.update 425
Fields 425
server.add 426
Fields 426
server.all-errors 431
Fields 431
server.block-checkpoints 431
Fields 431
server.checkpoint 431
server.delete 431
Fields 431
server.get 432
Fields 432
server.query 432
Fields 433
Returns 435
Example 438
server.replace 440
Fields 440
server.statistics 445
Fields 445
Returns 445
Example 446
server.unblock-checkpoints 447
server.usage 447
Returns 447
server.update 448
Fields 448
stop 453
telemetry.get 453
Fields 453
telemetry.replace 453
Fields 453
telemetry.statistics 455
Fields 455
Returns 455
Example 456
telemetry.update 457
Fields 457
uuid 458
version 458
Returns 459
view-selector.add 459
Fields 460
view-selector.delete 461
Fields 461
view-selector.get 461
Fields 461
view-selector.list 462
Fields 462
Returns 463
view-selector.mget 464
Fields 464
view-selector.query 465
Fields 465
Returns 466
view-selector.replace 466
Fields 466
view-selector.mget 467
Fields 467
view-selector.update 469
Fields 469
view.add 470
Fields 470
view.delete 471
Fields 471
view.get 472
Fields 472
view.list 473
Fields 473
view.mget 473
Fields 474
view.replace 475
Fields 475
view.update 476
Fields 476
action.changed 480
Returns 480
address-list.changed 480
Returns 480
address-node.changed 480
Returns 481
auth-monitoring.changed 481
auth-server-list.changed 481
Returns 481
auth-server-node.changed 481
Returns 481
binding.changed 482
Returns 482
dns64.changed 482
Returns 482
layer.changed 482
Returns 482
layer.provisioning-connected 483
Returns 483
layer.provisioning-connection-failure 483
Returns 483
layer.provisioning-disconnected 483
Returns 483
layer.provisioning-reimaging 484
Returns 484
layer.provisioning-update-failure 484
Returns 484
layer.provisioning-update-success 484
monitoring.changed 484
name-group.changed 485
Returns 485
name-list.changed 485
Returns 485
name-node.changed 485
Returns 485
policy.changed 485
Returns 486
policy.hit 486
Returns 486
ratelimiter.abate 486
Returns 487
ratelimiter.changed 488
Returns 488
ratelimiter.onset 489
Returns 489
resolver.changed 490
Returns 491
resolver.flush 491
Returns 491
resolver.id-spoofing-suspected 491
Returns 491
selector.changed 492
Returns 492
server.changed 492
server.configuration-error 492
Returns 492
server.formerr-loop 492
Returns 492
server.restart 493
server.stop 493
server.tcp-client-limit 493
server.udp-recursion-limit 493
telemetry.changed 493
view-selector.changed 493
Returns 493
view.changed 494
Returns 494
ACLs 496
acl-element 496
acl-element4 497
acl-element6 497
addr 497
addr-or-name 497
addr4 497
addr6 497
addrpat 497
addrpat4 498
addrpat6 498
addrport 498
addrport4 498
addrport6 498
addrport-or-name 498
addrrange 498
anonymization-key-file-path 498
boolean 499
dns-flag 499
dns-rcode 499
edns-flag 500
event-name 500
float-seconds-since-epoch 501
inspect-delegation-servers 501
integer 501
ipv4netlen 501
ipv6netlen 502
kafka-configuration-field 502
brokers 502
global-properties 502
partition 503
topic 503
topic-properties 503
monitor-log-switch 503
monitoring-statistics 504
messages-delivered 504
messages-dropped 504
messages-produced 504
queue-full 504
records-delivered 504
records-dropped 505
records-not-produced 505
records-produced 505
name 505
name-empty-ok 505
name-label-count 505
policy-action 505
'answer-noerror' 508
'answer-nxdomain' 508
'drop' 509
'fail' 509
'no-op' 509
'refuse' 509
'send-event' 509
'stop' 510
'truncate' 510
policy-calendar-selector 510
policy-result-type 511
policy-selector 511
'initial-qname' 514
('synthesized') 516
port-mask 517
positive-integer 517
provisioning-status 517
ratelimiter-statistics 518
all-indications 518
current-entry-count 518
current-limited-count 518
expiring-entry-age 518
indications-by-bps 518
indications-by-qps 519
uses 519
rdata 519
rdataclass 519
rdatatype 519
report-max-memory-arg 519
resolver-statistics 519
active-recursions 520
cache-misses 520
dnssec-validations-failure 520
dnssec-validations-insecure 520
dnssec-validations-success 520
dropped-recursions 520
id-spoofing-defense-queries 520
ignored-referral-lookups 520
interrupted-before-recursion 521
interrupted-recursion-waits 521
interrupted-recursions 521
lookups 521
proactive-lookups 521
queries 521
queued-prefetches 521
rate-limited-requests 521
recursive-lookups 521
requests-sent 522
responses-by-rcode 522
tcp-requests-sent 522
seconds-since-epoch 522
server-statistics 522
formerr-loop-dropped 522
lookups 523
malformed-requests-dropped 523
rate-limited-requests 523
recursion-contexts-in-use 523
recursive-lookups 523
requests-no-view 523
requests-received 523
requests-sent 523
responses-received 523
responses-sent 523
suppressed-duplicate-queries 524
tcp-clients 524
tcp-connections-accepted 524
tcp-connections-rejected 524
tcp-requests-sent 524
sizeval 524
std-layered-edit-operation 524
string 525
string-empty-ok 525
telemetry-statistics 525
messages-delivered 525
messages-dropped 525
messages-produced 525
queue-full 525
records-delivered 525
records-dropped 526
records-produced 526
threshold-abate 526
threshold-duration 526
threshold-onset 526
time-in-microseconds 526
time-in-seconds 526
ttl 527
uint16 527
uint64 527
unparsed 527
uuid 527
versioncheck-days 527
Statistics 533
Database 534
Monitoring 534
Ratelimiting 534
Index 536
While the data is cached, the caching server doesn't need to go back and re-query
authoritative servers, and this increases the efficiency of local DNS responses (like those
that come from your end-users).
About N2 Connect
The N2 Connect version of CacheServe is a restricted-function CacheServe implementation
that eliminates recursion, causing CacheServe to operate only as a forwarding server.
The following CacheServe settings are available but have no effect in N2 Connect:
l auth-server-list
l hints
l ignore-first-referral
l log-lame
l stub
If you are interested in these features, upgrade to a full CacheServe license by contacting
your Nominum salesperson.
44 NOMINUM CONFIDENTIAL
45 High performance
High performance
Vantio CacheServe has been engineered to make the most efficient use of modern, multi-
core servers. In testing environments, CacheServe has performed at 2,000,000 queries per
second.
We have put together some performance tuning guidelines to help you take advantage of
CacheServe's capabilities.
It also includes:
46 NOMINUM CONFIDENTIAL
47 Removing the default view-selector
l The world view-selector: view-selectors map DNS requests to views based on teh
source and destination addresses of the request.
cacheserve> view-selector.delete
In more detail
The initial configuration consists of the following elements (shown as the annotated output
of cacheserve-dumpconf):
{
object => "auth-monitoring"
}
This indicates that an auth-monitoring object has been created to represent the
"authoritative monitoring" functions in CacheServe. These functions are managed entirely
by the Nominum statmon utility, but there are minor configuration steps you need to take.
See "creating an authoritative querystore".
{
object => "layer"
priority => "0"
name => "operator"
}
This section indicates that an initial layer called operator has been created, with a priority of
0.
In most cases, you will use additional layers for things like provisioned data (if you are
using CacheServe with a Policy Manager server: see Connecting CacheServe to other
Nominum products), or user-configurable data.
For more information about layers, see the layer object overview.
{
object => "monitoring"
}
As with the auth-monitoring object, this indicates that a monitoring object has been created
to represent the "monitoring" functions in CacheServe. These functions are managed
entirely by the Nominum statmon utility, but there are minor configuration steps you need
to take. See "creating a monitoring querystore".
{
object => "resolver"
name => "world"
}
This indicates that CacheServe has created an initial resolver object, called world.
You will notice that this resolver object has almost no configuration except its name; if you
are unfamiliar with resolver capabilities, the resolver object section is a good starting place.
Resolvers do the heavy lifting in CacheServe, with almost all of the DNS operations
occurring within the context of a resolver.
Furthermore, more than one resolver may be configured, which gives you the ability to
create multiple fully customized DNS environments.
{
object => "server"
}
This indicates that a server object has been created; this is CacheServe's internal
representation of itself, and is important for managing the server's behavior. For more
detail, see the server object.
{
object => "view"
This section defines a view named world; you will notice that it refers to the world resolver.
Views represent a customizable DNS namespace, which is particularly helpful when you
start to get into things like policies. Each view has an associated resolver, which makes it
possible to customize the entire resolution chain.
For example, using views (and view-selectors), you can configure CacheServe such that
certain clients "see" different DNS results depending on criteria you define.
{
object => "view-selector"
view => "world"
}
View-selectors map DNS requests to specific views depending on the source and
destination of the request. As previously mentioned, view-selectors are particularly
important when working with things like policies, and when you are interested in directing
certain subsets of your customers towards a tailored result.
The expanded reference section includes the commands, supported fields, and supported
events for each object.
action
actions specify actions that may be referenced by name from other actions.
Full reference material, including commands, supported fields and events, is found in the
action expanded reference.
address-list
address-lists contain nodes that represent addresses and networks. The contents of
address-lists are made up of address-nodes.
Full reference material, including commands, supported fields and events, is found in the
address-list expanded reference.
address-node
address-nodes represent all data associated with a single network in an address-list.
50 NOMINUM CONFIDENTIAL
51 auth-monitoring
Full reference material, including commands, supported fields, and supported events, is
located in the address-node expanded reference.
auth-monitoring
The auth-monitoring object represents the authoritative monitoring system in CacheServe.
To use this object, you need to configure a query store as described in Connecting
CacheServe to other Nominum products; additional details beyond that are covered in the
Nominum monitoring manuals: Monitoring Query and Request Data on Nominum Engines and
Nominum statmon Utility and Query Store Command Reference.
auth-server-list
Note: Has no effect in N2 Connect.
auth-server-lists contain nodes that represent authoritative servers. The contents of auth-
server-lists are made up of auth-server-nodes.
Full reference material, including commands, supported fields and events, is found in the
auth-server-list expanded reference.
auth-server-node
auth-server-nodes represent authoritative name servers. auth-server-nodes are used in
auth-server-lists.
Full reference material, including commands, supported fields and events, is found in the
auth-server-node expanded reference.
auth-server-node
auth-server-nodes represent authoritative name servers. auth-server-nodes are used in
auth-server-lists.
Full reference material, including commands, supported fields and events, is found in the
auth-server-node expanded reference.
binding
bindings represent bindings between policies and the server or views.
Full reference material, including commands, supported fields, and supported events, is
located in the binding expanded reference.
connection
connections represent the properties of a Nominum Command Channel connection.
Connections never persist, and always refer to the Command Channel connection on which
its commands are sent.
Full reference material, including commands, supported fields, and supported events, is
located in the connection expanded reference.
device-list
device-lists contain nodes that represent device identifiers, and are used in the "device"
policy-selector. The contents of device-lists are made up of device-nodes.
Full reference material, including commands, supported fields and events, is found in the
device-list expanded reference.
device-node
device-nodes represent device identifiers. Each device-node contains a device identifier and
an associated view. device-nodes are aggregated into device-lists, which are used in policy
selectors.
Full reference material, including commands, supported fields, and supported events, is
located in the device-node expanded reference.
dns64
dns64 objects represent DNS64 translation layers. dns64 objects only have an effect when
they're paired with active policies.
DNS64 translation layers map IPv4 addresses into IPv6 addresses as defined in RFC6147.
This enables additional processing for DNS AAAA queries; if no AAAA records exist for a
queried name, but A records exist, AAAA records can be generated from A records
according to a set of mapping rules. The synthesized answer is then returned to the client.
DNS64 also provides additional processing for PTR queries; if a PTR query is received for a
name that matches a defined DNS64 prefix, CacheServe will synthesize a CNAME which
points at the reverse map entry in the IPv4 reverse space.
Full reference material, including commands, supported fields, and supported events, is
located in the dns64 expanded reference.
layer
layers are sets of configuration information that can be selectively enabled or disabled.
One of the primary uses for layers is to store CacheServe's critical configuration in an
"operational layer" that remains unchanged, and add services by adding layers that contain
the configuration for that service.
This operational layer is the operator layer, it has a priority of 0 (the highest priority) and it
cannot be deleted.
Full reference material, including commands, supported fields, and supported events, is
located in the layer expanded reference.
monitoring
The monitoring object supports statistical processing, and interacts with the Nominum
statmon utility.
To use this object, you need to configure a query store as described in Connecting
CacheServe to other Nominum products; additional details beyond that are covered in the
Nominum monitoring manuals: Monitoring Query and Request Data on Nominum Engines and
Nominum statmon Utility and Query Store Command Reference.
The core domain is the name one label deeper than the public suffix of the name: for
example, the core domain for www.nominum.com, the core domain is nominum.com, and
the public suffix is com.
CacheServe computes the core domain depth for a query and writes it to the base
monitoring stream. In most cases, CacheServe will compute the depth when it processes a
cache miss, and will store the depth in the cache entry. For synthesized answers,
CacheServe will compute the depth on an as-needed basis.
name-group
A name-group is a collection of name-lists and other name-groups. name-groups are used
in the "qname-in-group" policy-selector.
Full reference material, including commands, supported fields, and supported events, is
located in the name-group expanded reference.
name-list
name-lists contain nodes that represent DNS names. The contents of name-lists are made
up of name-nodes.
Full reference material, including commands, supported fields, and supported events, is
located in the name-list expanded reference.
name-node
name-nodes represent all data associated with a single name in an name-list.
Full reference material, including commands, supported fields, and supported events, is
located in the name-node expanded reference.
policy
policies are a way for CacheServe to execute specific actions based on the results from
processing a DNS query. They are connected to the server or views with bindings.
l Child policies, which are policies related to the current policy, and that execute after
the current policy completes.
Full reference material, including commands, supported fields, and supported events, is
located in the policy expanded reference.
ratelimiter
ratelimiters constrain traffic; they use query or response fields to group queries into
buckets, and apply limits to those buckets.
Full reference material, including commands, supported fields, and supported events, is
located in the ratelimiter expanded reference.
resolver
resolvers represent a DNS cache and a set of properties related to DNS resolution.
More than one resolver may be configured, which permits you to create customized DNS
environments.
Full reference material, including commands, supported fields, and supported events, is
located in the resolver expanded reference.
selector
selectors map DNS requests to views based on the source and destination addresses of the
request.
Full reference material, including commands, supported fields, and supported events, is
located in the selector expanded reference.
server
servers represent a subset of CacheServe configuration that applies to the server as a
whole. Changes made to a server will affect all other configuration elements within the
scope of that server's influence.
Full reference material, including commands, supported fields, and supported events, is
located in the server expanded reference.
telemetry
The telemetry object periodically writes engine samples and events into Kafka.
Full reference material, including commands, supported fields, and supported events, is
located in the telemetry expanded reference.
view
views represent a customizable DNS namespace.
Full reference material, including commands, supported fields, and supported events, is
located in the view expanded reference.
view-selector
view-selectors map DNS requests to views based on the source and destination addresses
of the request.
Full reference material, including commands, supported fields, and supported events, is
located in the view-selector expanded reference.
All Nominum-products that use the Command Channel ship with a client called nom-tell,
which is used in examples throughout the manual.
CC Message Types
RESPONSES are messages sent from servers in response to requests from clients. A
response is sometimes a sequence of several messages. Responses to failed requests
contain an err tag indicating the error that led to the failure.
EVENTS are messages sent from servers with no expectation of a response and cannot be
responded to.
58 NOMINUM CONFIDENTIAL
59 Basic Command Channel Messages
CC Message Formats
Command Channel messages are formatted three ways: as strings, lists, or tables.
STRINGS are a sequence of zero or more octets, and can take several forms.
Unquoted foo
(May be terminated with a space, tab, newline, or the
( ) { } ; or = characters)
Single-quoted 'foo'
Double-quoted "foo"
Hexadecimal \x66\x6f\x6f
LISTS are parenthesized values, optionally separated by commas, containing any of the
basic Command Channel formats: strings, lists, or tables.
(foobarbaz)
(1, 2, 3)
TABLES are key/value pairs, optionally separated by commas, = or =>, inside curly braces (
{ } ).
Table keys are strings, and table values can be any of the basic Command Channel formats:
strings, lists, or tables.
Command Usage
Command Usage
For example, the Nominum CacheServe nameserver represents parts of the server's
configuration with a server object.
The following methods can be used with most, but not necessarily all, top-level server
configuration objects.
add
The add method creates a new object. The arguments needed for this command are the
initial values of the object's required fields and any optional fields that you want to set
when creating the object.
delete
The delete method deletes an object. Depending on the type of object, you will need to
specify a name or other key field to determine which object to delete.
get
The get method retrieves the values of an object's fields. Depending on the type of object,
you will need to specify a name or other key field to determine which objects to retrieve.
list
The list method retrieves all instances of a specific class of objects. This method will return
a sequence of one or more responses, depending on the number of objects listed.
mget
The mget method retrieves all instances of a specific class of objects and the values of their
fields. This method will return a sequence of one or more responses, depending on the
number of objects listed.
replace
The replace method will create a new object in place of a chosen object, with the new
object's fields set to the specified values. Any unspecified fields will either be unset or set
to the default value, even if they were set in the original object.
Updating objects
The update method will update the values for the specified fields for a chosen object while
leaving any unspecific fields unchanged.
+/Append
When using the update method, you can use the append syntax to add new values to the
end of a list in an object's fields.
-/Remove
When using the update method, you can use the remove syntax to remove specified values
from a list in an object's fields.
nom-tell is located in /usr/local/nom/sbin, and you may find it convenient to add that
location to your PATH.
All of the examples in this manual use nom-tell in its interactive mode, which is the
preferred way to send Command Channel messages to a Nominum engine.
Interactive Mode
nom-tell's interactive mode creates a persistent Command Channel session, and is by far
the best option for communicating with a Nominum product.
Using nom-tell in interactive mode has several advantages over using nom-tell from the
command line:
l In interactive mode, nom-tell returns to the interactive prompt (rather than exiting to
the OS shell) after Command Channel responses are received.
l Interactive nom-tell features tab completion of commands, which is particularly use-
ful with complex operations.
l Interactive nom-tell features much simpler list formatting.
To enter nom-tell interactive mode, send a nom-tell command from the OS's command line
with only an engine or service name specified:
# nom-tell <product>
product>
Note: If you leave your nom-tell interactive mode window idle for a few minutes, you may
receive a message that the connection has been closed.
This is normal behavior: the next nom-tell command you send will automatically reopen
the connection.
When you're using nom-tell from the command-line, and you need to send list parameters,
you'll need to enclose each entry in the list in quotation marks. This allows the target to
correctly parse the command.
If you find this feature useful, you may want to add this variable to your shell configuration
file (e.g. .bashrc or .profile).
This is very useful for cases where a Nominum product needs to establish multiple
separate Command Channel connections.
The channel.conf file translates a service name into a location (a host and a port), and
identifies a shared secret that should be retrieved.
A channel.conf file is formatted as a sequence of lines, where blank lines and lines starting
with the # character are ignored.
l service-name—A string used to identify the service. Each server has a default service
name, and can also be configured to use alternative service names.
l addrport—An address taking the form address [%scope]#port. For example, 9253 and
10.0.0.1#1111 are both valid addrports. If no address is specified, the loopback
address (127.0.0.1) is used.
An address of 0.0.0.0 indicates that a server should listen on all interfaces, and that
a client should use the loopback address to communicate with that server.
l secret—A string, specified with double quotes if it contains whitespace and within
which explicit quotation marks or backslashes are quoted with a backslash. A secret
of * is interpreted as no secret.
l acl—A list of addresses and/or networks that may make connections to this
channel. The list is a comma-separated list of addresses with optional prefix
length specifiers. For example: acl=127.0.0.1,10.0.0.0/8
Note: A full explanation of the capacities of the Nominum products listed is beyond the
scope of this manual; please consult the references for the listed products for anything
beyond the basic steps needed to connect them to CacheServe.
Policy Manager
To configure Vantio CacheServe for use with the policy and provisioning servers of
Nominum Policy Manager:
1. On the Policy Manager server, ensure that the provisioning server is listening on all
interfaces.
If you have not already done so, edit the /etc/channel.conf file to contain the following
line:
nom-ccpserver-data 0.0.0.0#16002 secret
66 NOMINUM CONFIDENTIAL
67 Kafka
3. Add a provisioning layer to CacheServe. This provisioning layer will cause CacheServe
to retrieve all provisioning information from the Policy Manager's provisioning
server.
For the provisioning-hostname and secret values, use the address of the Policy Man-
ager's provisioning server, and the secret used by the nom-ccpserver-data service on
the Policy Manager server:
cacheserve> layer.add name=pm priority=1 server=(provisioning-
hostname 16002 secret)
Kafka
Nominum products use customized versions of two open-source scaling technologies:
Zookeeper and Kafka. Together, Zookeeper and Kafka provide a durable reporting
architecture for Nominum products.
CacheServe, when being used as part of an N2 solution "stack", connects to Kafka via the
telemetry object.
This refers to the fact that Kafka instances (brokers) are deployed in clusters of 3 or more. In
these clusters, a given Kafka broker may at any time be considered the "leader" for the
brokers in that cluster; in basic terms, the broker currently responsible for organizing the
cluster.
Note: For detailed information about the use of the auth-monitoring and monitoring
objects, and about monitoring in CacheServe, please consult the Nominum monitoring
manuals: Monitoring Query and Request Data on Nominum Engines and Nominum statmon
Utility and Query Store Command Reference.
1. Check the /etc/channel.conf file to ensure that there's an entry for statmon. It should
look something like:
statmon 9994 CRaLf7m/rgKHUAd+vZrgQFZM8wCY88tdX3lpRJLDGQSV//
The following command creates a query store in which the query logfile is located in
/var/log, query search results are anonymized, log entries are cached for a maximum
of 2 days, and the maximum size of the query store is capped at 100 MB:
cacheserve> monitoring.update querystore=
{directory=/var/log/querystore anonymize-search-results=true
duration=2d max-size=100M}
The details
cacheserve-stats --cpu reflects the percentage of CPU being used by a given thread group, as
a percentage (for example, 100% usage is represented as 100.0).
The percentage displayed is based on the number of threads being utilized by the thread
group. For example, a thread group using 2 threads could have a maximum displayed CPU
usage of very close to 200.0, or 200% (it's possible for percentage values to very slightly
exceed 100% per thread on a transient basis).
If you are not aware of how many threads are being used by a given thread group,
server.usage will display each thread group and the number of threads in use by that group.
70 NOMINUM CONFIDENTIAL
71 In summary
In summary
In a nutshell, the total values returned by cacheserve-stats --cpu should not reflect
maximum thread utilization.
For example:
By contrast:
In some cases, the solution may be to add further capacity, which can be achieved by either
adding more CacheServe instances or greater concurrency to your CacheServe license.
Performance tuning
The following suggestions may improve general CacheServe performance.
Use a recommended OS
The best operating system for CacheServe is a multi-core physical server running RHEL 6.5
or later, CentOS 6.5, or a Linux distribution with a 3.9 kernel or higher.
Systems that match these specifications allow CacheServe to make full use of the SO_
REUSEPORT feature, where the kernel distributes load from a single IP address and port to
multiple sockets. CacheServe will do this automatically.
If you are not running Linux, or don't have access to a modern Linux kernel, you can
improve CacheServe performance by manually configuring the system to listen on multiple
addresses or ports, and then routing traffic for CacheServe through a load balancer.
Process tuning
The following suggestions may improve the efficiency of the CacheServe process.
If this rate limiting involves responses being truncated, the caching server can rapidly
exhaust its supply of file descriptors. The resolver max-tcp-recursions option limits the
number of TCP connections the server can make at one time during resolution.
The default value is 1000, which should be sufficient for most use cases.
Configure the number of recursion contexts with the server's max-recursive-clients setting,
up to a maximum of 250,000:
cacheserve> server.update max-recursive-clients=50000
There may be situations where you will want to configure CacheServer's behavior as it
relates to specific authoritative servers, rather than as it relates to authoritative servers in
general.
The most common use case involves EDNS: some authoritative servers may not answer,
either when a request contains EDNS or there are fragmentation issues with the
transmission path.
As well, there may exist cases where you want to avoid sending any traffic at all to an
authoritative server.
l auth-server-node objects represent authoritative servers for a given network, and the
nearest authoritative server is used.
l auth-server-list objects are collections of auth-server-node objects that may be used
by a resolver to identify the authoritative servers used by that resolver.
The following example configures an auth-server-list called servers, and adds two
authoritative servers to it. The 1.2.3.4 server supports EDNS, and the 2.3.4.5 server does
not. The world resolver will use the appropriate authoritative server when traffic involves
EDNS.
cacheserve> auth-server-list.add name=server
Note: Elsewhere in the manual, we give command examples using the nom-tell
command channel interface (cacheserve>). These instructions give commands from the
operating system prompt, because the command context switches back and forth between
sending commands to CacheServe and sending commands to the host system.
To back up CacheServe:
2. Use tar to back up the files in the /var/nom/cacheserve and /usr/local/nom/etc/ dir-
ectories:
Where directory is a filesystem or partition with sufficient free space for the backup.
Note: To conserve disk space, we recommend compressing backups and deleting old
backup files which are no longer needed.
1. Stop CacheServe:
# service cacheserve stop
3. Extract the files contained in the backup from which you want to restore:
# tar xf backup-name.tar
4. Start CacheServe:
# service cacheserve start
Note: It is normal to see log messages related to the restore in syslog when you
restore your data.
Vantio handled NXDOMAIN redirection and malicious domain redirection with specialized
modules (NXR and MDR).
In CacheServe, the same abilities are provided by a single feature, the policy engine. This
section shows you how to achieve those same features with the policy engine, and provides
a good foundation for more advanced goals, like defending against DNS amplification
attacks.
NXDOMAIN redirection
Vantio used the NXR module to redirect NXDOMAIN responses. In CacheServe, the policy
engine provides this functionality.
The following example configures CacheServe to redirect everything except queries and
prefixes that match entries on two lists.
l Creating a policy.
l Adding a redirection policy-action to the policy.
l Making lists of domains and prefixes that you don't want to redirect.
l Adding a policy-selector that executes the redirection for anything that isn't on the
"don't-redirect" lists.
l Binding the policy to a view.
76 NOMINUM CONFIDENTIAL
77 Create the NXDOMAIN policy
Note: This example shows a network in which both IPv4 and IPv6 traffic are being
redirected.
1. In Vantio, retrieve the view that contains the redirection you want to accomplish, and
look for the redirect-nxdomain-replace value:
vantio> view.get name=nxdomain-redirect-view
{
type => 'view.get'
name => 'nxdomain-redirect-view'
class => 'IN'
redirect-nxdomain-replace => ((('.') ('192.168.1.1'
'2001:db8:f61:a1ff:0:0:0:80')))
redirect-nxdomain-prefix-only-prefixes => ('www')
}
2. You will need both the IPv4 and IPv6 addresses. In this case, those addresses are:
192.168.1.1
2001:db8:f61:a1ff:0:0:0:80
3. In CacheServe, add the redirection action to the policy you created earlier, using the
IPv4 and IPv6 addresses you looked up:
cacheserve> policy.update name=nxdomain-redirect-policy
action=(answer ((A 192.168.1.1)(AAAA
2001:db8:f61:a1ff:0:0:0:80)))
{
type => 'policy.update'
}
1. In Vantio, retrieve the view that contains the redirection you want to accomplish, and,
this time, look for the redirect-nxdomain-exclusions value:
vantio> view.get name=nxdomain-redirect-view
{
type => 'view.get'
name => 'nxdomain-redirect-view'
class => 'IN'
redirect-nxdomain-replace => ((('.') ('192.168.1.1')))
redirect-nxdomain-exclusions => ("example.org" "example.net"
"example.com")
redirect-nxdomain-prefix-exclusions => ("www" "ldap" "smtp")
}
2. In CacheServe, create a name-list. This name-list will contain the names of queries
you want to exempt from redirection:
cacheserve> name-list.add name=nxdomain-do-not-redirect-
domains
{
type => 'name-list.add'
}
3. In CacheServe, add the names you want to exempt as name-nodes in the name-list
you just created (for large lists, you should consider extracting the list contents into a
file and using name-list.load to populate the list):
cacheserve> name-node.add list=nxdomain-do-not-redirect-
domains name=example.com
{
type => 'name-node.add'
}
5. In CacheServe, create another name-list. This name-list will contain the names of pre-
fixes you want to exempt:
cacheserve>name-list.add name=nxdomain-do-not-redirect-
prefixes
{
type => 'name-list.add'
}
6. In CacheServe, add the prefixes you want to exempt as name-nodes in the name-list
you just created (for large lists, you should consider extracting the list contents into a
file and using name-list.load to populate the list):
cacheserve> name-node.add list=nxdomain-do-not-redirect-
prefixes name=www
{
type => 'name-node.add'
}
Now you need to link them together in the policy you created in the beginning.
1. Add a policy-selector that combines the action you created (redirect A and AAAA quer-
ies) with the lists you created, and associate the selector with a policy:
cacheserve> policy.update name=nxdomain-redirect-policy
selector=(and ((result (nxdomain)) (qtype (A AAAA)) (not
(synthesized)) (not ((qname (nxdomain-do-not-redirect-domains
subdomain )))) (not ((qname-prefix nxdomain-do-not-redirect-
prefixes)))))
{
type => 'policy.update'
}
1. Bind the policy you created to the appropriate view, having the policy execute post-
query (because that's when you will get an NXDOMAIN response from resolution) and
giving the policy a high priority:
cacheserve> binding.add view=world policy=nxdomain-redirect-
policy when=postquery priority=1
{
type => 'binding.add'
}
The following examples will look similar to the NXDOMAIN examples; that's because most
of the elements that we use in NXDOMAIN redirection, we also use to redirect malicious
domains:
The following example configures CacheServe to redirect queries and prefixes that match
entries on two lists.
l Creating a policy.
l Adding a redirection action to the policy.
l Making a list of domains that you want to redirect.
l Adding a policy selector that executes the redirection for anything that's on the "mali-
cious domains" list.
l Binding the policy to a view.
Create the malicious redirection policy
As before, since we're implementing malicious domain redirection, we will use the name
malicious-redirect-policy.
2. You will need both the IPv4 and IPv6 addresses. In this case, those addresses are:
192.168.1.1
2001:db8:f61:a1ff:0:0:0:80
3. In CacheServe, add the redirection action to the policy you created earlier, using the
IPv4 and IPv6 addresses you looked up:
cacheserve> policy.update name=malicious-redirect-policy
action=(answer ((A 192.168.1.1)(AAAA
2001:db8:f61:a1ff:0:0:0:80)))
{
2. In CacheServe, create a name-list. This name-list will contain the names of queries
you want to redirect:
cacheserve> name-list.add name=redirect-malicious-domains
{
type => 'name-list.add'
}
3. In CacheServe, add the names you want to redirect as name-nodes in the name-list
you just created (for large lists, you should consider extracting the list contents into a
file and using name-list.load to populate the list):
cacheserve> name-node.add list=redirect-malicious-domains
name=infect-internet-explorer.com
{
type => 'name-node.add'
}
Note: You can redirect any query type; just substitute the appropriate type for A or AAAA
in the example.
Now you need to link them together in the policy you created in the beginning.
1. Add a selector that combines the action you created (redirect A and AAAA queries)
with the list you created, and associate the selector with a policy:
cacheserve> policy.update name=malicious-redirect-policy
selector=(and ((qtype (A AAAA)) (qname (redirect-malicious-
domains subdomain))))
{
type => 'policy.update'
}
1. Bind the policy you created to the appropriate view, having the policy execute pre-
query (because you want to redirect before the query is resolved) and giving the
policy a high priority:
cacheserve> binding.add view=world policy=malicious-redirect-
policy when=prequery priority=1
{
type => 'binding.add'
}
In this section, we will cover two scenarios: a simple scenario where you want to truncate
traffic above a certain rate, and a more complex scenario where you will use ratelimiting to
deal with a DNS amplification attack.
Simple rate-limiting
The following walkthrough demonstrates a simple rate-limiting use case, both as defined
in Vantio CacheServe 5 and in Vantio CacheServe 7.
In CacheServe 5
In CacheServe 5, traffic was rate-limited using the following configuration (please note that
the return has been edited for conciseness):
vantio> server.get
{
rate-limiting => 'true'
rate-limiting-max-qps => '10'
rate-limiting-unenforced => 'false'
rate-limiting-truncate-factor => '1'
}
In CacheServe 7
In CacheServe 7, rate-limiting is accomplished using policies.
84 NOMINUM CONFIDENTIAL
85 Rate-limiting DNS amplification attacks
1. Define a ratelimiter that constrains QPS to 10, and applies to each client:
cacheserve> ratelimiter.add name=overall-qps10 qps=10 \
fields=((client-network (32 128)))
2. Define a policy to truncate traffic which exceeds the qps limit, using the new rate-
limiter:
cacheserve> policy.add name=rl10 action=truncate \
selector=(ratelimiter overall-qps10)
Amplification attacks center on the response size; it's particularly important to note that a
DNS amplification attack may have a low queries-per-second (qps) rate, but still consume a
tremendous amount of bandwidth.
l "Purpose-built" attack domains with large numbers of A or TXT records that hover
right around the 4000-byte boundary.
l Domains with large numbers of A or TXT records that only make sense in the context
of an attack. For instance, large quantities of A records pointing to the same IP, or
large quantities of TXT records containing bizarre or arbitrary counters.
Mitigating amplification attacks
This section of the manual will walk you through several use cases:
3. Managing dual-use domains that are legitimate, but can also be used for an attack:
l Rate limiting dual-use domain traffic
4. Rate-limiting traffic that exceeds a certain qps threshold or maximum response size.
Dealing with purpose-built amplification domains
To recap: purpose-built amplification domains are domains constructed specifically for use
in DNS amplification attacks. Queries for these domains usually possess the characteristics
in “Characteristics of amplification attacks.”
Nominum's statmon utility is useful for finding out what domains are being used to attack
you, as well as what types of query are being used.
Note: The full capabilities of the statmon utility are beyond the scope of this manual;
consult the "Monitoring Query and Request Data on Nominum Engines" manual for
comprehensive details.
The best time to identify purpose-built amplification domains is when you suspect an
attack is in progress.
statmon>
2. Identify the top domains by response size over the last hour:
statmon> querystore.top-domains-by-response-size duration=1h
If you see domains that you wouldn't expect to see in your top querying domains,
make note of them.
2. Further constrain results to just large packets (over 1024 bytes in size):
statmon> querystore.top-domains-by-response-size duration=1h
filter=((response-size-ge (true (1024))))
3. Identify which query types these domains are being asked for:
Once you've identified your suspect domains, you should add them to lists. you are going
to create two lists: one for exact domains, and one for subdomains.
Using lists allows you to easily keep the list of domains updated, and to preemptively drop
all queries to any domain on the list, as well as any subdomains of a domain on the list.
1. Create a source file for the domains (for the file syntax, see name-list.load), and put it
somewhere you can find it. For the purposes of this example, we will assume the list
is /tmp/droppurpose-exact-list.
2. Make sure you are using the cacheserve command-line interface:
[testbed etc]# nom-tell cacheserve
nom-tell 3.0.39.0.d, interactive mode
cacheserve>
4. Using name-list.load, add the contents of your domain-name file to the name-list:
cacheserve> name-list.load name=droppurpose-exact
file=/tmp/droppurpose-exact-list
{
type => 'name-list.add'
}
1. Create a source file for the subdomains (for the file syntax, see name-list.load), and
put it somewhere you can find it. For the purposes of this example, we will assume
the list is /tmp/droppurpose-sub-list.
2. Make sure you are using the cacheserve command-line interface:
4. Using name-list.load, add the contents of your subdomain file to the name-list:
cacheserve> name-list.load name=droppurpose-sub
file=/tmp/droppurpose-sub-list
{
type => 'name-list.add'
}
Now that you've created lists for both purpose-built amplification domains and their
subdomains, you will incorporate those lists into a policy, and bind that policy to the
widest possible view.
1. Create the policy, which will drop any query that matches an entry on the drop-
purpose-exact or droppurpose-sub lists:
cacheserve> policy.add name=droppurpose action=drop selector=
(or ((qname (droppurpose-exact exact)) (qname (droppurpose-sub
subdomain )) ))
{
type => 'policy.add'
}
Unfortunately, these queries can be directed to legitimate domains, which makes it difficult
to exclude these queries purely on the basis of size. For example, a legitimate domain
could be using DNSSEC, which would result in a lot of records at the top of the zone, some
of them very large (like DNSKEY).
A good workaround is to limit ANY queries on the basis of queries per second (qps).
Although limiting ANY queries on the basis of qps will cause those responses to be
truncated, a querying server that really needs the information can repeat the query over
TCP.
2. Add a policy that truncates any response to a query that matches the ratelimiter:
cacheserve> policy.add name=truncate-rate-any selector=(and
((qtype (ANY))(ratelimiter rateany))) action=truncate
l Identifying certain types of queries that are likely to be used in amplification attacks.
l Truncating responses to those query types when the qps rate exceeds a given
threshold.
In this example, you will create exact-match lists and subdomain lists, and associate them
with a qps-rate-based ratelimiter.
Here's how you add and delete entries from that list.
3. Add a policy that truncates large responses to any domain on either of the lists:
cacheserve> policy.add name=truncacteratelarge action=truncate
selectors=(and ((qtype (A)) (or ((qname (ratelarge-a-exact
exact)) (qname (ratelarge-a-sub subdomain ) ) )) (ratelimiter
ratelarge)))
The following example rate-limits any client that exceeds 100 qps.
1. First, create a ratelimiter that applies to the entire client population, and constrain it
to 100 qps:
cacheserve> ratelimiter.add name=clientlimiter qps=100
unenforced=true fields=((client-network (32 128)))
2. Next, add the ratelimiter to a policy that drops the response to any client matching
the rate limiter:
cacheserve> policy.add name=droprate-limitedclients
action=drop selector=(ratelimiter clientlimiter)
The following example rate-limits traffic based on the size of the response; note that this
ratelimiter is applied after the query response is created, but before it's sent.
1. First, create a ratelimiter that applies to all query types, and constrain it to 250 qps:
cacheserve> ratelimiter.add name=ratesize qps=250 fields=
(query-type )
2. Next, add the ratelimiter to a policy that truncates the response if any query exceeds
1500 bytes:
cacheserve> policy.add name=truncateoversize action=truncate
selector=(and ((response-size 1500) (ratelimiter ratesize)))
3. Finally, bind the policy to the server, specifying that the policy should execute before
the response is sent:
cacheserve> binding.add when=presend policy=truncateoversize
server=1 priority=40
Authoritative DNS service is often outsourced to large hosting or Content Delivery Network
(CDN) services. This means the impact from an attack on authority can affect many services
simultaneously.
The Internet of Things has added a powerful new dimension to Distributed DoS attacks
against authoritative servers.
There are some issues with preserving the contents of the cache. First, not all content is
equally worth preserving, because of the "long tail" aspect of DNS queries. Second, the
most obvious methods of preserving cache contents (such as "just ignore the TTL", or
imposing a minimum TTL) may impair the correct operation of a CDN.
92 NOMINUM CONFIDENTIAL
93 The CacheServe prefetch mechanism
Prefetching, by proactively fetching refreshed content before the cache entry expires,
attempts to ensure that popular content is always a cache hit for clients.
The frequency with which prefetching occurs is determined by the Resolver object's
prefetch-ratio field.
For example, consider an RRset with a TTL of 320. If CacheServe is configured with a
prefetch-ratio of 16 (the default), CacheServe will prefetch an answer if it gets a query
within the last 20 seconds of the remaining TTL: 20 seconds is 1/16th of the original 320-
second TTL.
Prefetch extension
CacheServe uses prefetching to identify popular content. Therefore, it makes sense to use
the existing prefetching mechanism to extend the life of popular content.
Extension entries
The mechanism via which CacheServe achieves this is extension entries. Extension entries
are cache entries created for popular content, according to the following rules:
1. An extension entry is made for any prefetch attempt that ends without the cache
entry being successfully refreshed (unless an extension cache entry already exists for
the given attempt).
2. If there are less than 2 seconds of life remaining on a prefetch attempt, CacheServe
immediately inserts an extension entry for the given entry.
3. Extension entries have the same DNS content as the entry being replaced, but with
an expiration time 30 seconds in the future.
4. Extension entries are clearly marked as extension entries.
Extension entries behave normally when they're found in cache lookups, with the
exception that extension entries are rendered with a TTL of 0.
Extension entries are themselves subject to prefetching, so data is extended for as long as
authorities are not responding and there's sufficient demand for the content.
Legitimate and common names may expire from cache because prefetching isn't
completed. This situation generally only occurs when the server is under extremely heavy
load, and prefetch queries are as a result unable to get slots in the set defined by max-
recursive-clients.
Prefetch queries, under normal circumstances, have no advantage over other queries when
looking for a slot. Prioritized prefetch domains provide a weighting for "more
important" prefetches.
How it works
If CacheServe attempts to find a slot for a prefetch and fails, it compares the domain in the
prefetch query to a list of "good" domains. If the domain appears in that list, CacheServe
queues the prefetch. The prefetch queue is not subject to the max-recursive-clients limit.
Queued prefetches are preferentially executed over regular recursions when recursion
slots become available.
Configuration
1. Add a prioritized-domains list:
cacheserve> name-list.add name=good-domains
3. Associate the list with a resolver, using the name of the list as the argument to the pri-
oritized-domains field:
cacheserve> resolver.update name=world prioritized-
domains=good-domains
Statistics
The Resolver object's queued-prefetches statistic indicates the number of prefetch queries
that were added to a queue rather than being sent immediately. A prefetch is queued when
there are no available recursion slots and the name of the query is associated with an entry
in the prioritized-domains list.
The attack only succeeds if the random 16-bit value in the ID field of a forged packet
matches that of a legitimate packet. Therefore, an extremely large number of packets are
required, each containing a different guess for the ID value.
CacheServe sends each outgoing query from a randomly chosen port , selected from a
pool of ports.
This makes the server more resilient against ID spoofing attacks, as the attacker has to
guess both the query ID and the port.
98 NOMINUM CONFIDENTIAL
99 Settings related to ID spoofing
l log-id-spoofing: this parameter controls when and how CacheServe issues warnings
about suspected ID spoofing attacks.
l query-source-pool: this parameter controls the pool of available IPv4 ports from
which CacheServe can send outgoing queries.
l query-source-pool-v6: this parameter controls the pool of available IPv6 ports from
which CacheServe can send outgoing queries.
Caveats
Under normal circumstances, CacheServe gets some responses with incorrect IDs even
though no attack is in progress. This can be attributed to things like software errors in
authoritative servers, or extreme network delays that cause a response to show up long
after CacheServe has forgotten about the original query.
To prevent lots of spurious log messages, the conditions for issuing a log message are
necessarily more stringent than those for activating the defense mechanism itself. As a
result, it's normal for the ID spoofing defense mechanism to be triggered every so often,
and you shouldn't take it as ironclad evidence that an attack is underway. You should start
investigating if you start seeing log messages.
l Quality-of-service improvements.
l Reductions in long-haul network traffic.
l Localization.
However, the client-subnet protocol has some limitations that affect scalability.
These limitations can provoke rapid increases in the amount of data cached,
CPU utilization, and network bandwidth.
Client equivalency
CacheServe, when communicating with CDNs using client-subnet, uses client equivalency
to designate a given address as a representative for a subnet, or a list of subnets.
When CacheServe receives a query from a client in one of those subnets, it treats the query
as if it originated from the representative address.
In this way, CacheServe can identify thousands of clients to the CDN as a single client,
versus individually resolving each client's query.
Background
Client equivalency is designed to address two specific situations where the limitations of
client-subnet come into play.
For instance, in this type of network, a /20 may apply to a major metropolitan area, but the
authoritative server may be returning answers specific to /24 subnets within that /20.
In this situation:
The problem
Even though the CDN's answer for each of the /24 networks in the /20 is the same, each
client is being handled individually.
The solution
A more efficient way of dealing with this situation is to use a single representative address
to stand for all /24's in the /20: for example, "all clients in this city share the 192.168.16/20
subnet, and are functionally equivalent to the client 192.168.1.1".
For example, in this kind of topology, if an authoritative server were to provide an answer
based on a /20 subnet, the /20 could be composed of multiple /25 subnets which are
geographically widely distributed.
The problem
The inconsistency between physical location and network location causes the CDN to try to
provide responses for each individual subnet. This creates scalability problems, both for
the CDN and for the caching server that's trying to keep track of many identical responses
for different subnets.
The CDN may be forced to deliver resources across thousands of miles and multiple
network segments for clients that are physically "next door".
The solution
Using client equivalence, it's possible to group physically related subnets even if they're
widely separated in network terms.
All subnets related to City A can be designated as a group, and a single address designated
to stand for that group.
When a query comes in from a "City A" subnet, regardless of network location, the client
can be handled by a physically proximate CDN node versus being routed through distant
network segments on the basis of network topology.
1. Configure an address-list, with some nodes. In this example, each node is a subnet
related to the fictional city of Gotham:
cacheserve> address-list.add name=gotham
2. Configure another address-list. In this example, each node is a subnet related to the
fictional city of Metropolis:
cacheserve> address-list.add name=metropolis
3. Configure the resolver, which uses client-subnet to apply the gotham and metropolis
equivalence classes to the Akamai and Google CDN's:
cacheserve> resolver.update name=world client-subnet=
{equivalence-classes=(gotham,metropolis) whitelist=(akadns.com
google.com)}
To manually apply an IPv4 representative address for clients that originate in the 24.2.0/24
gotham subnet:
cacheserve> address-list.update name=gotham representative-
address-v4=24.2.0/24
To manually apply an IPv6 representative address for clients that originate in the 1:2:3::/48
gotham subnet:
cacheserve> address-list.update name=metropolis representative-
address-v6=1:2:3::/48
SNMP-aware software can be used to monitor and manage Nominum products such as
CacheServe engines.
Nominum assumes that this chapter will be used in conjunction with the documentation
for Net-SNMP, available at http://www.net-snmp.org/.
Managers
A management application (or "manager") is any one of an array of SNMP-aware tools used
for monitoring and managing the status of networked systems, issuing requests for
management operations and perhaps also receiving unsolicited alerts ("notifications" or
"traps") from agents.
Agents
An agent is "go-between" software running on a managed system. A master agent
communicates directly with the manager, while a subagent handles specialized
communication for each type of managed system. Every managed system requires its own
subagent. Messages can travel in either direction: managers can query agents for
information, and agents can also supply unsolicited information to managers.
MIBs
For each type of managed system, the relevant details are defined in a set of hierarchical
tables called Management Information Bases (MIBs). MIBs are defined using a common
interface language; they specify the information exchanged between agents and managers.
MIBs are discussed in detail in RFC 1155.
GET Messages
GET commands are sent by a network manager to an agent to request data values defined
by a MIB. The agent then responds with the requested values.
Traps (Notifications)
SNMP subagents can be configured to generate alarms when specified events occur in the
managed systems. These alerts are referred to as SNMP "traps". In SNMP version 2 and
greater, traps are properly called "notifications".
To set up a notification, you will have to specify a master agent destination, or "trap sink",
in your agent's configuration file.
So, to summarize: SNMP-aware network managers send requests via agent software;
specialized subagents read and write data in each managed system's set of MIBs, and can
also convey unsolicited alerts (traps) for master agents to relay back to the network
manager.
snmpagent is built on top of Net-SNMP and links to Net-SNMP's agent library. Net-SNMP is
included with the operating systems supported by Nominum products. Nominum assumes
that this chapter will be used in conjunction with the documentation for Net-SNMP,
available at http://www.net-snmp.org/.
If necessary, snmpagent can coexist as a master agent with a third-party master agent
running on the same host computer. To do this, you'll have to configure one of the two
master agents to use a non-standard port, and also configure your management
application accordingly to send SNMP traffic to the correct port.
The snmpagent package installs MIBs specific to Nominum products, along with associated
documentation. For details, see Nominum MIBs.
snmpagent
The Nominum SNMP Agent (snmpagent) provides SNMP notifications that correspond to
events sent by Nominum engines, and SNMP GET access to engine statistics.
Synopsis
snmpagent [-c file] [-f] [-F] [-h|--help]
[-m|--masteragent] [ -r|--root directory ]
[-s|--syslog-facility facility ] [-u|--user username]
[--usage ] [ -v|--version]
Options
Option Description
Option Description
Configuration Files
snmpagent can run as either an SNMP master agent or as an SNMP subagent. By default it
runs as a subagent.
These options are described in this manual, in The snmpagent Configuration File
and Using the Command Channel with snmpagent.
l /var/nom/snmpagent/snmpagent_master.conf
l /var/nom/snmpagent/snmpagent_subagent.conf
Nominum MIBs
The snmpagent package installs MIBs specific to Nominum products, along with their
associated documentation. The documentation is in /usr/local/nom/doc/snmpagent, and the
MIBs themselves are in /usr/local/nom/share/snmp/mibs.
Running as a Subagent
By default, snmpagent runs as a subagent, typically in conjunction with Net-SNMP's master
agent, snmpd. In the simplest instance, this may not require any configuration at all.
If your environment is more complex — for instance, if you are running a master agent
other than Net-SNMP's snmpd, or if you are extending an existing Net-SNMP installation
that has already been customized — more configuration may be involved. Nominum
assumes that you are familiar with Net-SNMP and that you have access to its
documentation at http://www.net-snmp.org/.
For SNMP configuration file options, see The snmpagent Configuration File.
Details specific to atypical installations are beyond the scope of this chapter, but the
following broadly outlines the necessary steps:
2. Ensure that the installation supports the AgentX protocol. See Configuration
Files.
5. Ensure that a master SNMP agent is configured and running on the same
machine, and that the SNMP agent supports the AgentX protocol.
Nominum assumes that you are familiar with Net-SNMP and that you have access to its
documentation at http://www.net-snmp.org/.
For complete SNMP configuration file options, see The snmpagent Configuration File.
Details are beyond the scope of this chapter, but the following broadly outlines the
necessary steps:
sysservices 12
rwuser fflintstone
rwcommunity test
trap2sink localhost
master agentx
Note: Further details on configuring Net-SNMP are beyond the scope of this
chapter.
If there are no driver directives present in the configuration file, snmpagent tries to read
/etc/channel.conf and monitor any currently running Nominum engines. If driver
directives are present in the configuration file, snmpagent does not search
/etc/channel.conf.
If you want snmpagent to scan /etc/channel.conf to discover engines, then all the engines
to be monitored must be running before snmpagent starts. First start the engines, make
sure they're running, and then start snmpagent. This process should also work when
running multiple instances of CacheServe on the same host.
If the snmpagent fails to discover the engine or engines that you want it to monitor, you
may need to add a driver line to the /etc/snmpagent.conf file identifying each engine that
you want it to recognize. Information on how to complete this configuration can be found
below.
A snmpagent configuration file is a sequence of lines. Blank lines and lines starting with the
# comment character are ignored. Each configuration line contains an option name,
optionally followed by whitespace and a value. If a value is present, it is set to the
remaining text on the line, including any non-leading whitespace.
command-channel
Specifies the address and port to use for Command Channel messages. If no secret is
specified, then who specifies the name of a service in /etc/channel.conf. If a secret is
specified, then who specifies an addrport (restricted to IPv4 addresses), and a port must be
specified.
If secret is anything other than "*", only Command Channel requests signed with secret are
allowed to execute, and Command Channel responses are signed with the secret. If secret is
specified as "*", then Command Channel messages are neither validated nor signed.
Note: This address and port setting has nothing to do with how snmpagent communicates
with the engines it monitors. It is only relevant to interaction with the Command Channel.
directory
directory directory
Instructs the agent to use the specified directory as the working directory of the server. This
command takes effect immediately. Only one directory statement may appear in a
configuration.
driver
driver engine engine-type [args...]
Instructs the agent to load an SNMP agent driver for a given Nominum engine. The engine-
type is the type of Nominum engine: cacheserve or statmon.
Any remaining arguments are passed to the driver's setup function, and multiple driver
statements may be specified. If you are running multiple instances of CacheServe on the
same host, each instance will require its own driver statement.
At this time, the only valid args is a comma-separated list of events to request from the
engine and convert into SNMP notifications. If unspecified, all events are requested.
log
log switch_name yes_or_no
Instructs the agent to set a logging control switch. snmpagent allows fine-grained control
over what is logged.
l snmp/get—Logs SNMP GET requests. The default value of this switch is false.
l snmp/set—Logs SNMP SET requests. The default value of this switch is false.
l snmp/trap—Logs SNMP traps and notifications. The default value of this switch is
false.
l snmp/status—Logs SNMP status changes. The default value of this switch is false.
yes_or_no is either:
l yes—Enables logging.
l no—Disables logging.
masteragent
masteragent
minseverity
minseverity severity
Sets the minimum severity assigned to a Nominum notification. A notification will not be
sent if it has a severity less than the specified severity. Replace the severity argument with a
number from 0 (zero) to 6, as defined in the NominumPerceivedSeverity textual convention
in NOMINUM-TC-MIB.
This has no effect on clearing notifications (for example, those with a severity of cleared(1)).
observer-address
observer-address addrport
Instructs the agent to include the specified address and (optional) port in SNMP
notifications. If not specified, no address or port is included in SNMP notifications.
setseverity
setseverity notification severity
Sets the severity assigned to a Nominum notification. notification must be the name of one
of the notifications defined in NOMINUM-NSN-MIB, such as nnsnServerEventStop, severity is
specified as a number in the range from 0 (zero) through 6, as defined in the
NominumPerceivedSeverity textual convention in NOMINUM-TC-MIB.
This has no effect on clearing notifications (for example, those with a severity of cleared(1)).
syslog-facility
syslog-facility facility
Instructs the agent to use the specified syslog facility instead of the default facility (daemon).
l The agent has no trap sinks configured and hence does not need to receive most
events from the engines it is monitoring.
l The engines are generating large numbers of events, causing the SNMP agent to use
CPU cycles needlessly.
Note: Do not enable request-minimal-events if you want the SNMP agent to send SNMP
traps or notifications.
events
A comma-separated list of events to be requested from the engine and converted into
SNMP notifications. If this value is not specified, all events are requested.
For example:
request-minimal-events
The request-minimal-events option permits you to control the number of events you
receive from the CacheServe SNMP driver. If you set this option to yes, the driver requests
only the minimal set of events needed to keep applTable up to date. This option supersedes
the events configuration element.
load-driver
If the engine name is anything other than the default for the given engine, engine-type must
also be specified, and any additional arguments are passed on to the driver.
It is also possible to use the events argument to restrict the list of events to be requested
from the engine and converted into SNMP notifications. If this value is not specified, all
events are requested.
pid
snmpagent> pid
{
type => 'pid'
pid => '4847'
}
process-information
snmpagent> process-information
{
type => 'process-information'
arguments => ('/usr/local/nom/sbin/snmpagent' '-F')
pid => '4847'
current-time => '1475693394.685179'
start-time => '1475693165.108551'
host-name => 'rt56584-4.a.nominum.com'
working-directory => '/var/nom/snmpagent'
node-id => 'f7860845-d470-5bcb-b59b-2a71daa1dafd'
}
stop
snmpagent> stop
show-drivers
Shows the currently loaded drivers. The CC result contains a list of drivers, and each driver-
list item contains a list of currently instantiated drivers for that driver type.
snmpagent> show-drivers
{
type => 'show-drivers'
drivers => {
cacheserve => ('cacheserve')
}
}
uuid
snmpagent> uuid
{
type => 'uuid'
uuid => '864223ee-c791-4e1c-9194-505537860254'
}
unload-driver
version
snmpagent> version
{
type => 'version'
vendor => 'Nominum'
product => 'SNMPAgent'
platform => 'rhel-6-x86_64'
version => '16.1.0.0'
}
If you have installed the snmpagent package, all the MIBs and driver libraries will be where
both snmpagent and the Net-SNMP tools expect them to be. However, you will still have to
configure the command-line tools to use all the MIBs. You can do that by calling the tools
with the -m ALL option each time, or more neatly by adding the following line to
/etc/snmp/snmp.conf:
mibs +ALL
If you built the tools yourself rather than by installing snmpagent, you will also have to set
the mibdirs environment variable by including the following line:
mibdirs +/usr/local/nom/share/snmp/mibs
It is beyond the scope of this chapter to discuss the Net-SNMP tools in detail. A few
examples are provided for each of the most useful tools: snmptranslate, snmpwalk,
snmpget, and snmptrapd. Please see the Net-SNMP documentation at http://www.net-
snmp.org/.
In all examples below that require a hostname, localhost is used. If snmpagent is not
running on the local host, you can replace this with the hostname or IP address of the
appropriate host computer.
snmptranslate
To verify that the tools can find what they need, use the snmptranslate command as
shown in the following examples:
You can also display full object identifiers (OIDs), in numeric or symbolic form:
snmpwalk
This example assumes that your "community string" (SNMP password) is test, and that
snmpagent is running on the localhost.
One crucial piece of information the applTable provides is a mapping from the human-
readable server name (dcs in this example) to the application ID (in this case, 1). The
application ID is the number after each column name (applName.1). The application ID
appears in the indexes of all Nominum SMI objects, and provides the only reference to
which Nominum engine a given SMI object refers.
snmpwalk can dump any table in the set of MIBs that snmpagent supports. This includes a
large number of standard MIBs in addition to Nominum's MIBs.
All Nominum tables (5901 is Nominum's enterprise OID: the examples are edited for
brevity):
snmpget
To get the zone name and zone type indexed by application ID 2, view ID 1, and zone ID 2:
To get the zone name to zone ID mapping for example.com, look in the
nnsmZoneNameToZoneId table. This one is a bit trickier since the zone name is encoded as
an index, as the number of characters followed by the ASCII codes for each letter. In this
example, the 2.1 following nnsmZoneNameToZoneID refer to the application ID (2) and
the view ID (1):
NOMINUM-NSM-MIB::nnsmZoneNameToZoneID.2.1."example.com." = Gauge32:2
snmptrapd
You can use snmptrapd to display traps. With some configuration, snmptrapd can also take
action on them.
To configure snmptrapd you'll need the same security information you configured your trap
sink with in snmpagent_master.conf. To be consistent with the sample configuration file
given in Running as a Master Agent, for example, you would add the following to
/etc/snmp/snmptrapd.conf:
Run snmptrapd in the foreground (-f) with logging redirected to stderr (-Le). Since you've
installed the snmpagent package, your MIBS and MIBDIRS environment variable will already
be where snmptrapd expects them to be).
Here is what a typical trap looks like when displayed by snmptrapd. (This example was
triggered by a server start event.)
All of the following command-line options are passed to the basic cacheserve command,
as in:
shell #/usr/local/nom/sbin/cacheserve --<COMMAND>
Specifies one or more Command Channel services on which CacheServe will listen. Each
service specified must be defined in the /etc/channel.conf file.
-c, --configuration
shell# /usr/local/nom/sbin/cacheserve --configuration
/path/to/file
Use the specified configuration database instead of the default configuration database,
/var/nom/cacheserve/cacheserve.vdb2.
--directory
shell# /usr/local/nom/sbin/cacheserve --directory directory
--dns-port
shell# /usr/local/nom/sbin/cacheserve --dns-port port-number
Sets the default UDP/TCP port CacheServe will use for DNS protocol traffic. The default
value is 53.
This option is mainly intended for server testing; a server using a port other than 53 will
not be able to communicate with the global DNS.
--dns-port controls both the port upon which the server listens for DNS queries and the
port to which outbound DNS queries (to other DNS servers) are sent.
--fd-limit
shell# /usr/local/nom/sbin/cacheserve --fd-limit 1000
Sets the maximum number of open file descriptors to the specified value, or fail.
If --fd-limit isn't specified, CacheServe will try to raise the limit to an appropriate value. If
that fails, CacheServe will raise the soft limit to the hard limit.
-F, --foreground-with-syslog
shell# /usr/local/nom/sbin/cacheserve --foreground-with-syslog
Configures CacheServe to run in the foreground and log messages to both standard error
and syslog.
-f, --foreground
shell# /usr/local/nom/sbin/cacheserve --foreground
Configures CacheServe to run in the foreground and log messages to standard error.
-h, --help
shell# /usr/local/nom/sbin/cacheserve --help
--license
shell# /usr/local/nom/sbin/cacheserve --license license-path
Specifies a path to the product license file. The default license location is
/usr/local/nom/etc/cacheserve.license.
--no-statmon
shell# /usr/local/nom/sbin/cacheserve --no-statmon
-r, --root
shell# /usr/local/nom/sbin/cacheserve --root directory
Configures CacheServe to run under the specified directory. All paths, including that of the
configuration database, are interpreted relative to the specified root.
A "nanny" process continues to run with the original root directory, and changes the
server's root directory before starting the server.
Warning! -root provides no added security unless you also specify a non-root user with
the -u, --user option.
--statmon-directory
shell# /usr/local/nom/sbin/cacheserve --statmon-directory
directory
Configures the directory that the Nominum statmon utility should use for locks and IPC
files. By default, this is /var/nom/statmon.
--directory must be set to the same value for the statmon process.
This argument has no effect on the location of querystore files; those settings are
controlled using querystore configuration in statmon and the CacheServe monitoring
objects.
-s, --syslog-facility
shell# /usr/local/nom/sbin/cacheserve --syslog-facility facility
The supported facilities are cron, daemon, kern, lpr, mail, news, user, uucp, local0, local1,
local2, local3, local4, local5, local6, local7, and on some plaforms ftp.
--tcp-acl
shell# /usr/local/nom/sbin/cacheserve --tcp-acl acl
Configures CacheServe to send all TCP socket-creation requests to the nanny process.
Privileged ports must be permitted by an access control list (ACL).
For example:
((53 (0.0.0.0/0 ::/0)) (54 (!10.0.1.0/24 10.0.0.0/8)))
--udp-acl
shell# /usr/local/nom/sbin/cacheserve --udp-acl acl
Configures CacheServe to send all UDP socket-creation requests to the nanny process.
Privileged ports must be permitted by an access control list (ACL).
For example:
((53 (0.0.0.0/0 ::/0)) (54 (!10.0.1.0/24 10.0.0.0/8)))
--usage
shell# /usr/local/nom/sbin/cacheserve --usage
-u, --user
shell# /usr/local/nom/sbin/cacheserve --user username
A "nanny" process continues to run as the original user, and changes the user ID of the
server process before starting CacheServe.
-v, --version
shell# /usr/local/nom/sbin/cacheserve --version
Supported objects
All of the CacheServe utilities support changes to the following configuration objects.
Note: Some of these objects may not be available unless you have a license for them.
Element Description
Element Description
Element Description
Element Description
The full configuration is surrounded by curly braces ({ and }), and each field is displayed as
key => value
value can be anything from a simple string all the way up to complicated data structures
like policy-actions or policy-selectors.
Whether it's a string or something more complicated, the value of each field consists of
three types of entry:
l lists, which are variable-length lists of elements where each element is of the same
type;
l tuples, which are fixed-length elements where each element is of a different type;
l tables, which are variable-length tables of fields where each field is a key => value
pair.
Each element in a list or tuple, and each value in a table, can also be a string, list, tuple, or
table.
{
preload => ((’localhost’ ’A’ ’127.0.0.1’))
log−dnssec => "true"
}
The preload field's single element is a tuple of 3 values (the name, the type, and the data):
{
preload => ((’localhost’ ’A’ ’127.0.0.1’))
log−dnssec => "true"
}
cacheserve-deleteconf
cacheserve-deleteconf gives you a way to delete an element's configuration in textual
format.
How it works
You use cacheserve-deleteconf from the command line, using command-line arguments to
specify the CacheServe configuration element you want to remove.
cacheserve-deleteconf options
-t type Required.
or
Instructs cacheserve-deleteconf to remove an
--object-type type
element of this type.
cacheserve-dumpconf
cacheserve-dumpconf dumps configuration data about a CacheServe element to text.
By default, cacheserve-dumpconf gets data from a running server; if you want to get
information from the configuration database instead, use the --configuration option.
How it works
You use cacheserve-dumpconf from the command line, using command-line arguments to
specify the CacheServe configuration element you want to retrieve.
cacheserve-dumpconf options
--list value The list key field for the object being
dumped.
-t type or Required.
--object-type type
Instructs cacheserve-dumpconf to dump an
object of this type.
cacheserve-editconf
cacheserve-editconf gives you a way to edit Cacheserve's configuration in textual format.
How it works
You use cacheserve-editconf from the command line, using command-line arguments to
specify the CacheServe configuration element you want to edit.
cacheserve-editconf options
--list value The list key field for the object being mod-
ified.
-t type or Required.
--object-type type
Instructs cacheserve-editconf to modify an
object of this type.
--policy value The policy key field of the object being mod-
ified.
--server value The server key field of the object being mod-
ified.
--view value The view key field of the object being mod-
ified.
cacheserve-loadconf
cacheserve-loadconf gives you a way to load Cacheserve configuration from text input.
By default, cacheserve-loadconf updates a running server; if you want to load data to the
configuration database instead, use the --configuration option.
How it works
You use cacheserve-loadconf from the command line, using command-line arguments to
specify the CacheServe configuration element you want to load.
This means it's possible for non-working configuration data to be accepted by cacheserve-
loadconf, but be non-operational in CacheServe.
If this happens, CacheServe will flag the problem in the errors field, but it reinforces the
best practice of making changes to your configuration database only when absolutely
necessary, and even then as infrequently as possible.
-t type Required.
or
Instructs cacheserve-loadconf to load
--object-type type
an element of this type.
cacheserve-stats
The cacheserve-stats utility program retrieves statistics from a running CacheServe instance
and displays them in a tabular, human-readable form, emitting a new header every 24
lines.
Options
Option Description
--channel channel Communicate with the running server using the specified
channel (as configured in /etc/channel.conf), instead of the
default (cacheserve).
Option Description
l udp
l rec (recursion)
l cc (Command Channel)
l ccp (Command Channel provisioning)
l prov (Kafka provisioning)
l kafka
l stat (statmon)
l other
l def (default)
l proc-user
l proc-sys
l proc-total
l udp-user
l udp-sys
l udp-total
l rec-user
l rec-sys
l rec-total
Option Description
-o, --statistics statistics-list Specify which statistics to display. The names of the
statistics are given as a comma-separated list of statistic
names.
l requests-received
l responses-sent
l requests-sent
l responses-received
l user-time
l system-time
l cpu-time
l efficiency
l recursion-contexts-in-use
Statistics
CacheServe provides the following statistics. Each statistic is documented with the name of
the statistic and the abbreviated description that's displayed as a column heading in the
cacheserve-stats output.
Most of the statistic names correspond directly to fields returned in server-statistics; the
exceptions are noted below.
l current-time (current time): The current time, in seconds since the UNIX epoch.
l efficiency (q/cpusec): Indicates how many queries Vantio CacheServe has processed
per second of CPU time used. This provides a measure of processing efficiency. To
avoid excessive roundoff errors, it is only displayed if Vantio CacheServe has used at
least 1% of the CPU time in the measurement interval.
l hit-rate (hit-rate %): Indicates the total cache hit rate, computed as the percentage of
DNS lookups that could be satisfied from the cache and/or configuration.
l requests-no-view (no view/s): These running packet counts are converted to packet
rates (packets/second).
l system-time (sys %cpu): These running time measurements are converted into
percentages of the total available CPU time.
l uptime (uptime): The amount of time that the Vantio CacheServe instance has been
running, in seconds.
This expanded reference provides summaries of each object, as well as the commands for
each object, the object's supported fields, and the object's supported events.
The quick reference section provides simple summaries of each object, if you're just
looking for a quick overview of each object.
action
actions represent actions that may be referenced by name by other actions.
Commands
actions accept the following commands:
Command Description
Command Description
Supported Fields
actions support the following fields:
action
Optional
policy-action
The action associated with this named action. If this value is not set, the action has no
effect.
comment
Optional
string
A comment describing this object. Contains user-specific data relating to or identifying the
containing object.
count
integer
errors
Optional
(string ...)
A read-only field that indicates any problems with a specific object's configuration. errors
will only be present if there's a problem.
name
Required
string
post-edits
Optional
(std-layered-edit-operation ...)
pre-edits
Optional
(std-layered-edit-operation ...)
Events
actions report the following events:
l action.changed
address-list
address-lists contain nodes that represent addresses and networks. The contents of
address-lists are made up of address-nodes.
Commands
address-lists accept the following commands:
Command Description
Command Description
Supported Fields
address-lists support the following fields:
comment
Optional
string
A comment describing this object. Contains user-specific data relating to or identifying the
containing object.
count
integer
errors
Optional
(string ...)
A read-only field that indicates any problems with a specific object's configuration. errors
will only be present if there's a problem.
lowest-address-v4
Read-only
addr4
lowest-address-v6
Read-only
addr6
name
Required
string
post-edits
Optional
(std-layered-edit-operation ...)
pre-edits
Optional
(std-layered-edit-operation ...)
representative-address-v4
Optional
addrpat4
An IPv4 address that represents this list. The address normally matches the list, but is not
required to match. Currently used as part of edns-client-subnet equivalence classes.
representative-address-v6
Optional
addrpat6
An IPv6 address that represents this list. The address normally matches the list, but is not
required to match. Currently used as part of edns-client-subnet equivalence classes.
Events
address-lists report the following events:
l address-list.changed
address-node
address-nodes represent all data associated with a single network in an address-list.
Command Description
Supported Fields
address-nodes support the following fields:
address
Required
addrpat
comment
Optional
string
A comment describing this object. Contains user-specific data relating to or identifying the
containing object.
errors
Optional
(string ...)
A read-only field that indicates any problems with a specific object's configuration. errors
will only be present if there's a problem.
list
Required
string
post-edits
Optional
(std-layered-edit-operation ...)
pre-edits
Optional
(std-layered-edit-operation ...)
tag
Optional
string
Events
address-nodes report the following events:
l address-node.changed
auth-server-list
Note: Has no effect in N2 Connect.
Commands
auth-server-lists accept the following commands:
Command Description
Supported Fields
auth-server-lists support the following fields:
comment
Optional
string
A comment describing this object. Contains user-specific data relating to or identifying the
containing object.
count
integer
errors
Optional
(string ...)
A read-only field that indicates any problems with a specific object's configuration. errors
will only be present if there's a problem.
name
Required
string
post-edits
Optional
(std-layered-edit-operation ...)
pre-edits
Optional
(std-layered-edit-operation ...)
Events
auth-server-lists report the following events:
l auth-server-list.changed
auth-server-node
auth-server-nodes represent authoritative name servers. auth-server-nodes make up the
contents of auth-server-lists.
Commands
auth-server-nodes accept the following commands:
Command Description
Supported Fields
auth-server-nodes support the following fields:
address
Required
addrpat
comment
Optional
string
A comment describing this object. Contains user-specific data relating to or identifying the
containing object.
dnssec-aware
Optional
boolean
edns
Optional
boolean
If set to false, disables the use of EDNS in queries to matching authoritative servers.
errors
Optional
(string ...)
A read-only field that indicates any problems with a specific object's configuration. errors
will only be present if there's a problem.
ignore
Optional
boolean
If set to true, indicates that no queries should be sent to the authoritative server
represented by this node.
list
Required
string
max-edns-udp-size
Optional
integer
Configures the advertised EDNS packet size, overriding any resolver configuration. The
default is 4096.
When this field is configured, CacheServe, when sending EDNS queries to matching
authoritative servers, advertises that packets of up to this length (in bytes) can be
reassembled.
post-edits
Optional
(std-layered-edit-operation ...)
pre-edits
Optional
(std-layered-edit-operation ...)
Events
auth-server-nodes report the following events:
l auth-server-node.changed
binding
bindings represent bindings between policies and the server or views.
Command Description
binding.update Updates a binding with new values or resets values to their defaults.
Supported Fields
Bindings take the following fields:
comment
Optional
string
A comment describing this object. Contains user-specific data relating to or identifying the
containing object.
errors
Optional
(string ...)
A read-only field that indicates any problems with a specific object's configuration. errors
will only be present if there's a problem.
policy
Required
string
post-edits
Optional
(std-layered-edit-operation ...)
pre-edits
Optional
(std-layered-edit-operation ...)
priority
Required
integer
The priority of a policy-binding operation. Priorities affect the execution order of policies.
Priorities are ranked by the lowest value, with 0 being the most important priority.
Policies with a lower priority value are executed before policies with a higher priority value.
As some policies execute before DNS resolution is performed, and other policies execute
after DNS resolution is performed, policies are only compared to other policies that are
executing at the same time.
If multiple bindings specify the same priority, the order of execution is considered
undefined. Therefore, you should consider specifying priorities with some flexibility to
them. For example, instead of using the priorities 0, 1, 2, 3, 4 and so on, you may want to
consider using 0, 10, 20, 30, 40 or even 0, 100, 200, 300, 400.
server
Optional
boolean
May only be 1, and is mutually exclusive with the view field. Indicates that the binding
target is the server object. This binding matches all queries.
view
Optional
string
Indicates that the binding target is a view, and that this binding matches all queries
handled by the view. Mutually exclusive with the server field.
when
Optional
postquery | prequery | presend
Specifies the time in the DNS processing cycle when a policy-binding operation should
execute.
prequery
bindings are executed prior to cache lookup and/or resolution. DNS processing is aborted
if a prequery binding produces a response. If a CNAME or DNAME is followed, prequery
bindings may be executed multiple times for a single query.
postquery
bindings are executed after prequery bindings and/or normal DNS processing. If a CNAME
or DNAME is followed, postquery bindings may be executed multiple times for a single
query.
presend
bindings are executed after the full DNS response has been constructed, immediately prior
to sending the response.
Events
bindings report the following events:
l binding.changed
connection
connections represent the properties of a Nominum Command Channel connection.
Connections never persist, and always refer to the Command Channel connection on which
its commands are sent.
Command Description
Supported Fields
Connections take the following fields:
all-events
(event-name ...)
events
Optional
(event-name ...)
idle-timeout
Optional
time-in-seconds
Specifies the amount of time before a connection will be closed in the absence of traffic.
Defaults to 5 minutes (300 seconds). If any events are specified for the connection, there is
no timeout.
device-list
device-lists contain nodes that represent device identifiers, and are used in the "device"
policy-selector. The contents of device-lists are made up of device-nodes.
Commands
device-lists accept the following commands:
Command Description
Supported Fields
device-lists support the following fields:
comment
Optional
string
A comment describing this object. Contains user-specific data relating to or identifying the
containing object.
count
integer
errors
Optional
(string ...)
A read-only field that indicates any problems with a specific object's configuration. errors
will only be present if there's a problem.
name
Required
string
post-edits
Optional
(std-layered-edit-operation ...)
pre-edits
Optional
(std-layered-edit-operation ...)
Events
device-lists report the following events:
l device-list.changed
device-node
device-nodes represent device identifiers. Each device-node contains a device identifier and
an associated view. device-nodes are aggregated into device-lists, which are used in policy
selectors.
Device-nodes are indexed by their views and identifiers: a device-node does not possess a
separate unique name.
Command Description
Supported Fields
device-nodes support the following fields:
comment
Optional
string
A comment describing this object. Contains user-specific data relating to or identifying the
containing object.
errors
Optional
(string ...)
A read-only field that indicates any problems with a specific object's configuration. errors
will only be present if there's a problem.
identifier
Required
string
list
Required
string
post-edits
Optional
(std-layered-edit-operation ...)
pre-edits
Optional
(std-layered-edit-operation ...)
view
Required
string
Events
device-nodes report the following events:
l device-node.changed
dns64
dns64 objects represent DNS64 translation layers. dns64 objects only have an effect when
they're paired with active policies.
DNS64 translation layers map IPv4 addresses into IPv6 addresses as defined in RFC6147.
This enables additional processing for DNS AAAA queries; if no AAAA records exist for a
queried name, but A records exist, AAAA records can be generated from A records
according to a set of mapping rules. The synthesized answer is then returned to the client.
DNS64 also provides additional processing for PTR queries; if a PTR query is received for a
name that matches a defined DNS64 prefix, CacheServe will synthesize a CNAME which
points at the reverse map entry in the IPv4 reverse space.
Command Description
Supported Fields
dns64 objects take the following fields:
comment
Optional
string
A comment describing this object. Contains user-specific data relating to or identifying the
containing object.
errors
Optional
(string ...)
A read-only field that indicates any problems with a specific object's configuration. errors
will only be present if there's a problem.
exclude
Optional
(acl-element6 ...)
If present, removes any IPv6 addresses (in AAAA records) matching this acl from responses
that contain them.
If no AAAA records remain after exclusion, the response is processed as if the original
AAAA query returned a NOERROR or NODATA response.
mapped
Optional
(acl-element4 ...)
Specifies an ACL instructing CacheServe to map only certain IPv4 A records into IPv6 AAAA
records.
name
Required
string
post-edits
Optional
(std-layered-edit-operation ...)
pre-edits
Optional
(std-layered-edit-operation ...)
prefix
Required
addrpat6
The prefix must exactly match one of the following bit lengths:
l 32
l 40
l 48
l 56
l 64
l 96
suffix
Optional
addr6
An addr6 specifying the bits that will trail IPv6 addresses constructed from IPv4 addresses.
Any bits specified in the suffix must not overlap bits in the prefix, reserved bits, or the
mapped IPv4 address.
Events
dns64 objects report the following events:
l dns64.changed
layer
Note: The layer and provisioning features require an N2 or ThreatAvert license in addition
to the CacheServe base license.
layers are sets of configuration information that can be selectively enabled or disabled.
One of the primary uses for layers is to store CacheServe's critical configuration in an
"operational layer" that remains unchanged, and add services by adding layers that contain
the configuration for that service.
This operational layer is the operator layer, it has a priority of 0 (the highest priority) and it
cannot be deleted.
The preconfigured operator layer always exists, cannot be deleted, and has a priority value
of 0, which means it takes precedence over all other layers.
When a layer is reimaged, either because it's the initial transfer of content or the database
ID has changed, CacheServe sends a layer.provisioning-reimaging event.
All provisioning events are contained in the layer namespace (for example, the provisioning
connection event is layer.provisioning-connected).
Provisioning connection attempts use exponential backoff: the first reconnection attempt
is at 1 second, the second at 2 seconds, the third at 4 seconds and so forth up to a
maximum of 32 seconds.
If you want to disable communications with a provisioning server, unset the channel field
on the layer. The layer content will remain, and if you re-enable the channel field,
provisioning will pick up where it left off.
Command Description
layer.reimage Erases all data from the layer, and reloads layer data
from the provisioning server.
Supported Fields
Layers support the following fields:
channel
Optional
string
A Command Channel service name, as defined in the local channel configuration file
(usually /etc/channel.conf).
This service should point to a provisioning server, and may not coexist with the server
field.
comment
Optional
string
A comment describing this object. Contains user-specific data relating to or identifying the
containing object.
errors
Optional
(string ...)
A read-only field that indicates any problems with a specific object's configuration. errors
will only be present if there's a problem.
hidden
Optional
boolean
A value that indicates whether or not a layer affects the server's active configuration.
Changing this value forces an automatic server restart.
If hidden is set to true, the layer's contents do NOT affect the server's active configuration.
For provisioned layers, provisioning changes will be applied, but have no visible effect until
the layer is unhidden.
If hidden is set to false (the default), the layer's contents affect the server's active
configuration.
name
Required
string
priority
Required
integer
The priority of a layer. Layers are ranked by the lowest value, with 0 being the most
important layer. Layers with a lower priority value take precedence over layers with a
higher priority value.
The operator layer is always priority 0 and has precedence over all other layers: the
operator layer cannot be deleted.
provisioning
provisioning-status
server
Optional
(addr-or-nameuint16, string)
The system's resolver configuration is used to resolve the server's DNS name.
Events
layers report the following events:
l layer.changed
l layer.provisioning-connected
l layer.provisioning-connection-failure
l layer.provisioning-disconnected
l layer.provisioning-reimaging
l layer.provisioning-update-failure
l layer.provisioning-update-success
name-group
A name-group is a collection of name-lists and other name-groups. name-groups are used
in the "qname-in-group" policy-selector.
Command Description
Supported Fields
name-groups support the following fields:
comment
Optional
string
A comment describing this object. Contains user-specific data relating to or identifying the
containing object.
errors
Optional
(string ...)
A read-only field that indicates any problems with a specific object's configuration. errors
will only be present if there's a problem.
groups
Optional
(string ...)
lists
string
name
Required
string
post-edits
Optional
(std-layered-edit-operation ...)
pre-edits
Optional
(std-layered-edit-operation ...)
Events
name-groups report the following events:
l name-group.changed
name-list
name-lists contain nodes that represent DNS names. The contents of name-lists are made
up of name-nodes.
Command Description
Supported Fields
name-lists support the following fields:
comment
Optional
string
A comment describing this object. Contains user-specific data relating to or identifying the
containing object.
count
integer
errors
Optional
(string ...)
A read-only field that indicates any problems with a specific object's configuration. errors
will only be present if there's a problem.
name
Required
string
post-edits
Optional
(std-layered-edit-operation ...)
pre-edits
Optional
(std-layered-edit-operation ...)
Events
name-lists report the following events:
l name-list.changed
name-node
name-nodes represent all data associated with a single name in a name-list.
Command Description
Supported Fields
name-nodes support the following fields:
comment
Optional
string
A comment describing this object. Contains user-specific data relating to or identifying the
containing object.
encrypted
Optional
boolean
list
Required
string
name
Required
string
post-edits
Optional
(std-layered-edit-operation ...)
pre-edits
Optional
(std-layered-edit-operation ...)
tag
Optional
string
Events
name-nodes report the following events:
l name-node.changed
policy
policies are a way for CacheServe to execute specific actions based on the results from
processing a DNS query. They are connected to the server or views with bindings.
l Child policies, which are policies related to the current policy, and that execute after
the current policy completes.
Command Description
policy.update Updates a policy with new values or resets values to their defaults.
Supported Fields
Policies support the following fields:
action
Optional
policy-action
The policy-action the policy should run when applied to a query. If this field is empty, no
action is taken.
children
Optional
string
A list of strings identifying child policies attached to the current policy. All children are
executed immediately after the parent policy.
comment
Optional
string
A comment describing this object. Contains user-specific data relating to or identifying the
containing object.
errors
Optional
(string ...)
A read-only field that indicates any problems with a specific object's configuration. errors
will only be present if there's a problem.
name
Required
string
post-edits
Optional
(std-layered-edit-operation ...)
pre-edits
Optional
(std-layered-edit-operation ...)
selector
Required
policy-selector
The associated policy is applied to a query if the selector criteria match, and the policy is
bound to either the server object or the view matching the query.
The boolean AND and OR selectors support lists of selectors, and the NOT selector inverts
the result of another selector.
Events
policies report the following events:
l policy.changed
l policy.hit
ratelimiter
ratelimiters constrain traffic; they use query or response fields to group queries into
buckets, and apply limits to those buckets.
Command Description
Supported Fields
Ratelimiters support the following fields:
bps
Optional
integer
comment
Optional
string
A comment describing this object. Contains user-specific data relating to or identifying the
containing object.
errors
Optional
(string ...)
A read-only field that indicates any problems with a specific object's configuration. errors
will only be present if there's a problem.
fields
Required
((’client‐network’ (ipv4netlen, ipv6netlen)) | (’query‐name’
(name-label-count)) | ’query‐type’ ...)
string
Specifies the fields to use when grouping requests into entries. Each field specified
increases granularity.
For example, (client-network (32 128)) groups each client into its own entry.
If both client-network and query-type are used, a new entry is generated for that specific
combination, and the defined rate limits are applied to the combination.
maximum-entries
Optional
positive-integer
Specifies the maximum number of entries to track, which indicates how many field
combinations can be tracked.
name
Required
string
post-edits
Optional
(std-layered-edit-operation ...)
pre-edits
Optional
(std-layered-edit-operation ...)
Optional
integer
unenforced
Optional
boolean
Enables statistics, log messages and events related to rate limiting without actually
dropping or truncating answers. Defaults to false.
Events
ratelimiters report the following events:
l ratelimiter.abate
l ratelimiter.changed
l ratelimiter.onset
resolver
resolvers represent a DNS cache and a set of properties related to DNS resolution.
More than one resolver may be configured, which permits you to create customized DNS
environments.
Command Description
Supported Fields
Resolvers support the following fields:
auth-server-list
Optional
string
client-subnet
Optional
{
blacklist => (name ...)
equivalence-classes => (string ...)
max-source-prefix-v4 (ipv4netlen ...)
max-source-prefix-v6 (ipv6netlen ...)
valid-addresses => (acl-element ...)
whitelist => (name ...)
}
Configures domains that should return responses specific to the source address of the
query.
The whitelist configures domains for which source-specific queries should be enabled, and
the blacklist disables domains.
The max-source-prefix fields for v4 and v6 control how client addresses are truncated for
sending edns-client-subnet options and caching. The specification recommends truncating
IPv4 address to no more than 24 bits; this is the default. No recommendation is provided
for IPv6; the default is 48 bits. Higher values may cause considerable growth in cache
memory. In both cases, the minimum value is 1, and the maximum value is the full length
of an address (32 or 128).
The valid addresses acl specifies which addresses present in edns-client-subnet options
provided by clients are valid. A network is considered valid if it either contains the actual
client address or matches this acl.
comment
Optional
string
A comment describing this object. Contains user-specific data relating to or identifying the
containing object.
dnssec-aware
Optional
boolean
Indicates whether or not DNSSEC information should be requested and cached. The default
is false, and DNSSEC signatures are not verified unless dnssec-aware is configured.
Requesting and caching DNSSEC information will significantly increase the amount of
network traffic.
errors
Optional
(string ...)
A read-only field that indicates any problems with a specific object's configuration. errors
will only be present if there's a problem.
forward
Optional
(( name , 'first' | 'off' | 'only', (addrport ...)) ...)
Causes queries within a specific domain to be forwarded to one or more specific recursive
name servers.
name specifies the domain; first, off or only specify the forwarding mode; and the final
addrport is a list of recursive name servers.
l first: First attempt to use the forwarders. If they do not respond, attempt to resolve
the query.
l off: Disable forwarding for a subdomain. If you specify off, you must leave the server
addrport empty.
l only: Use only the forwarders. If they do not respond, do not attempt to resolve the
query, and let it fail.
hints
Optional
(name, ((name, (addr ...)) ...))
These servers are queried to discover the current set of root servers. If there is no hints
field, this resolver uses a compiled-in set of root hints.
The name must always be . (the root name), as providing hints for domains other than the
root is meaningless.
ignore-first-referral
Optional
boolean
Although it results in a small increase in network traffic, ignore-first-referral reduces the risk
of delegation-spoofing attacks.
log-dnssec
Optional
boolean
When set to true, log-dnssec configures CacheServe to log detailed information about
DNSSEC validation failures. All messages related to DNSSEC validation are logged at priority
LOG_INFO, and log entries are prefixed with "dnssec:".
For log-dnssec to work, you must have DNSSEC trust anchors defined.
log-id-spoofing
Optional
boolean
Configures CacheServe to issue a log message when it suspects an ID spoofing attack. The
log message is only issued when there's a relatively strong suspicion that an actual attack is
taking place.
log-lame
Optional
(name ...)
A list of names. Causes CacheServe to log lame delegations and other configuration errors
detected in authoritative servers during resolution. log-lame domains should belong to
your own organization.
When log-lame is enabled, CacheServe will log other errors from authoritative servers in
addition to lame delegations, such as malformed responses, RCODES indicating a server
error, and NS records pointing at CNAMEs.
managed-keys
Optional
((name, (rdata...)) ...)
A tuple of domain name and rdata that defines DNSSEC managed keys. Each managed-key
domain may include one or more keys, formatted as DNSKEYs (RFC4034).
Managed-keys are similar to trusted-keys, but are automatically maintained (as described
in RFC5011). The set of keys (as well as state) is persistently stored, and maintained over
time, including a periodic refetch of the DNSKEY set.
When managed-keys is initially configured, if there are any keys present for a domain,
CacheServe tries to verify signatures in the retrieved DNSKEY set. If it cannot verify any of
the signatures, CacheServe considers the domain insecure.
Managed-keys are normally used only for the root zone, so CacheServe has the current
root key compiled in. If the root domain is specified in the managed-keys field, but no keys
are specified, CacheServe will use that root key to verify the root DNSKEY set.
managed-keys-state
Optional, read-only
((name, { expire => time-in-seconds
has-validated => boolean
keys => ({
created => time-in-seconds
key => string
keyid => integer
next => time-in-seconds
state => 'add-pending' | 'missing' |
'removed' | 'revoked' | 'start' | 'valid'
updated => time-in-seconds
} ...)
last-fetch => time-in-seconds
next-fetch => time-in-seconds
}) ...)
max-cache-size
Optional
sizeval
Specifies the maximum amount of memory which can be used by this resolver's cache. The
default is 1G (1 gigabyte).
Values larger than 16G are treated as 16G, and values smaller than 64M are treated as 64M.
max-cache-ttl
Optional
time-in-seconds
Sets the maximum amount of time for which the server will cache ordinary (positive)
answers. The default is 604800 (7 days).
max-client-ttl
Optional
time-in-seconds
max-client-ttl only affects responses to DNS clients, not actual caching; a DNS record can
remain in the cache for the full amount of time even if clients receive a smaller value.
max-edns-udp-size
Optional
integer
When this field is configured, CacheServe, when sending EDNS queries, advertises that
packets of up to this length (in bytes) can be reassembled. Values smaller than 512 and
larger than 4096 are treated as 512 and 4096, respectively.
max-ncache-ttl
Optional
time-in-seconds
Specifies the maximum amount of time that CacheServe will cache negative answers.
Defaults to 10800 (3 hours).
max-tcp-recursions
Optional
integer
If you find that CacheServe is rapidly exhausting its supply of file descriptors as a result of
truncated responses (for example, due to ratelimiting), modifying this setting may help.
min-cache-ttl
Optional
time-in-seconds
Sets the minimum amount of time for which the server will cache ordinary (positive)
answers.
Values in excess of 15 minutes or the value of max-cache-ttl are clamped to the minimum
of those values.
Note: The minimum may not be applied in all cases, such as when limiting the amount of
time DNSSEC-validated records are cached based on signature expiration, or when caching
negative responses without an SOA record.
name
Required
string
negative-trust-anchors
Optional
(name ...)
Turns off DNSSEC validation for a domain, even if that domain is under a security root.
post-edits
Optional
(std-layered-edit-operation ...)
pre-edits
Optional
(std-layered-edit-operation ...)
prefetch-ratio
Optional
integer
Adjusts CacheServe's criteria for whether or not it issues prefetch queries. The default is 16,
and values greater than 32 or less than 4 are clamped to 32 or 4 respectively. Setting the
value to 0 completely disables prefetching.
Note: Changing this value is not recommended, and you should only change it under the
direction of Nominum support.
Prefetching is normally performed when a query requests data that's already cached but
will expire soon from the cache. This prevents commonly-accessed data from ever
expiring, and results in a higher cache hit rate and better average latency.
The prefetch-ratio value defines the relationship between the time at which data expires
and the initial TTL (time-to-live) of the data. Specifically, a value of X means that CacheServe
issues a prefetch query if the currently cached data expires in less than 1/X of the initial
TTL.
preload
Optional
((name, rdatatype, rdata) ...)
Preloads the cache with a fixed resource record, specified by a combination name,
rdatatype and rdata.
preload-nxdomain
Optional
(name ...)
Note: preload-nxdomain affects only a single name; if you want to affect an entire
domain, use synthesize-nxdomain.
preload-nxrrset
Optional
((name, rdatatype) ...)
Note: preload-nxrrset is an option included for the sake of completeness. Don't use it
unless you are specifically told to by Nominum support!
Preloads CacheServe with an indication that no resource record of a given name and type
exists.
For example, to specify that no AAAA record exists for the local hostname:
preload-nxrrset host.domain AAAA
prioritized-domains
Optional
string
Note: The list should contain only known good domains, to better protect those names
from attacks. The list should never contain the root domain or TLDs.
qname-case-randomization
Optional
'enforced' | 'off' | 'silent-enforced' | 'unenforced'
Indicates whether CacheServe should randomize letters in a query name when sending
queries to authoritative servers or forwarders. Defaults to off.
qname-case-randomization-exclusions
Optional
(name ...)
query-source-pool
Optional
(uint16, addrport4)
Sets the address CacheServe will use to send outgoing IPv4 UDP queries, configuring
CacheServe to send from a randomly selected port within a pool of multiple source ports.
The uint16 specifies the number of ports. The maximum number of ports is 2048.
l If the addrport4 is nonzero, ports are allocated sequentially, starting at that number.
If you don't specify query-source-pool, CacheServe creates a query source pool with a
number of ports that's appropriate for the OS.
Warning! When you are choosing the number of ports to use, make sure you don't
exceed the OS's file-descriptor limit. Each port uses a file descriptor, and additional file
descriptors are needed for listen-on-matching and things like outgoing and incoming TCP
connections.
query-source-pool-v6
Optional
(uint16, addrport6)
Sets the address CacheServe uses to send outgoing IPv6 UDP queries, configuring
CacheServe to send from a randomly selected port within a pool of multiple source ports.
The uint16 specifies the number of ports. The maximum number of ports is 2048.
l If the addrport6 is nonzero, ports are allocated sequentially, starting at that number.
If you don't specify query-source-pool-v6 and CacheServe has been configured to use IPv6
transport (by including type AAAA in server-address-lookup-order), CacheServe creates a
query source pool with an appropriate number of ports for the OS.
Warning! When you are choosing the number of ports to use, make sure you don't
exceed the OS's file-descriptor limit. Each port uses a file descriptor, and additional file
descriptors are needed for listen-on-matching and things like outgoing and incoming TCP
connections.
rrset-order
Optional
'cyclic' | 'fixed' | 'random'
Sets the order in which resource records (RRs) in a resource record set (RRset) are added to
a response. The default is cyclic.
l cyclic configures CacheServe to use a random starting point in the list of RRs and
wrap around to the beginning of the list when the end is reached.
l fixed configures CacheServe to always emit RRs in the order in which they are stored.
server-address-lookup-order
Optional
('A' | 'AAAA' ...)
Defines the order in which CacheServe should use IPv4 or IPv6 server addresses.
The argument is a list of address record types that may be either A or AAAA.
The default is A, which configures CacheServe to use only IPv4 addresses for nameserver
addresses, and thus IPv4 transport only for communications with the authoritative server.
The same value may not occur multiple times in the list, and only nameserver addresses of
the specified types are used, in the listed order.
For example, if your site has some IPv6 connectivity to the Internet, you can specify (A
AAAA), and CacheServe will attempt IPv4 first; if your site has mostly IPv6 connectivity, you
can specify (AAAA A) and CacheServe will attempt IPv6 first.
stub
Optional
((name, ((name, (addrport ...)) ...)) ...)
Queries within each domain are resolved as if the specified servers were delegated
authority for that domain.
Warning! A specific domain may only appear once per stub per resolver, and you cannot
have the same entry in both stub and synthesize-nxdomain.
The main use for stub resolution is in situations where you need to resolve a domain using
a particular set of servers that have not actually been delegated authority.
For example, if you are using RFC1918 private addresses (10.*), you might want to define a
stub for 10.in-addr.arpa, so that queries for that domain get directed to your own set of
internal authoritative servers.
synthesize-nxdomain
Optional
(name ...)
Configures CacheServe to return synthetic NXDOMAIN responses for all queries within the
specified domains.
Note: If you need to return PTR records for RFC1918 addresses, use a stub pointing at one
or more authoritative servers configured with the right reverse mapping data!
trusted-keys
Optional
((name, (rdata ...)) ...)
Defines DNSSEC trusted keys. Enabling this option automatically enables dnssec-aware,
and configures CacheServe to perform DNSSEC verification on all DNS data in a subdomain
of a security root.
The trusted−keys field can contain multiple key entries,each consisting of the key’s domain
name and rdata. If any trusted-keys are defined, DNSSEC information will be requested and
cached as if the dnssec-aware option were enabled.
Events
resolvers report the following events:
l resolver.changed
l resolver.flush
l resolver.id-spoofing-suspected
selector
Named selectors (identified as selector objects in CacheServe) specify selectors that may be
referenced by name from other selectors.
Named selectors are useful for using the same selector in multiple conditions, and provide
a way to save memory and change multiple selectors in a single operation.
Command Description
Supported Fields
Selectors take the following fields:
name
Required
string
comment
Optional
string
A comment describing this object. Contains user-specific data relating to or identifying the
containing object.
errors
Optional
(string ...)
A read-only field that indicates any problems with a specific object's configuration. errors
will only be present if there's a problem.
post-edits
Optional
(std-layered-edit-operation ...)
pre-edits
Optional
(std-layered-edit-operation ...)
selector
policy-selector
The boolean AND and OR selectors permit multiple selectors to be evaluated, and the NOT
selector inverts the result of another selector.
Events
view-selectors report the following events:
l selector.changed
server
servers represent a subset of CacheServe configuration that applies to the server as a
whole. Changes made to a server will affect all other configuration elements within the
scope of that server's influence.
Command Description
Supported Fields
Servers support the following fields:
commands-not-logged
Optional
(string ...)
Specifies a list of Command Channel message types that should not be logged when log-
command-channel is enabled.
Defaults to ().
errors
Optional
(string ...)
A read-only field that indicates any problems with a specific object's configuration. errors
will only be present if there's a problem.
listen-on-matching
Optional
({
instances => integer
interface => string
patterns => (acl-element ...)
port => uint16
} ...)
Configures CacheServe to listen for incoming DNS queries on addresses which match
specified patterns and ports. If no listen-on-matching value is given, CacheServe listens on
all interfaces on the default port (53).
Note: instances takes advantage of certain relatively new Linux features, which permit
multiple sockets listening on a single address and port (SO_REUSEPORT). If you have this
capability, set instances to the number of desired UDP sockets.
listen-on-matching can contain multiple elements, which allows different listener ports to be
specified.
l patterns defaults to an ACL which matches any address. To listen on all interfaces, use
a pattern of 0.0.0.0/0 (IPv4) or ::/0 (IPv6).
l If port is 0 or not specified, CacheServe listens on the port specified by the --dns-port
command-line option, which defaults to the standard DNS port of 53.
Examples
For example, here's how you specify listen-on-matching to use 16 instances on the
IP address 192.168.1.1 and 1 instance on 127.0.0.1, port 5334:
cacheserve> server.update listen-on-matching=({patterns=(192.168.1.1)
instances=16}{patterns=(127.0.0.1) port=5354})
{
type => 'server.update'
}
cacheserve> server.get
{
type => 'server.get'
listen-on-matching => (
{
patterns => ('192.168.1.1/32')
instances => '16'
}
{
patterns => ('127.0.0.1/32')
port => '5354'
}
)
}
And here's how you specify listen-on-matching with the same values, this time limiting the
interface to eth0:
cacheserve> server.update listen-on-matching=({interface=eth0
patterns=(192.168.1.1) instances=16}{interface=eth0 patterns=
(127.0.0.1) port=5354})
{
type => 'server.update'
}
cacheserve> server.get
{
type => 'server.get'
listen-on-matching => (
{
interface => 'eth0'
patterns => ('192.168.1.1/32')
instances => '16'
}
{
interface => 'eth0'
patterns => ('127.0.0.1/32')
log-command-channel
Optional
boolean
Defaults to false.
When set to true, commands are logged at the LOG_INFO priority, and large commands
are truncated.
max-recursive-clients
Optional
integer
An integer that specifies the maximum number of recursive UDP lookups that can occur at
any one time. The default is 25,000, and values over 500,000 are capped at 500,000.
The limit applies equally to recursive lookups coming from UDP clients and lookups that
are generated internally.
max-tcp-clients
Optional
integer
Controls the maximum number of TCP client connections at any one time. The default is
100.
post-edits
Optional
(std-layered-edit-operation ...)
pre-edits
Optional
(std-layered-edit-operation ...)
server-description
Optional
string
A user-specified text description for this server instance. server-description is visible only in
telemetry, and only when present.
server-id
Optional
string-empty-ok
The server ID used to populate the server.id and bind.id values in responses to DNS CH TXT
queries for the server's ID, as well as NSID EDNS responses.
If server-id is empty or set to the literal string "none", CacheServe will refuse all queries for
the server ID, and ignore NSID requests.
server-version
Optional
string-empty-ok
The server version used to populate the version.server and version.bind values in
responses to DNS CH TXT queries for version.server and version.bind.
If server-version is set to the literal string "none", CacheServe will refuse all queries for the
server version. If server-version is empty, CacheServe will respond with the actual software
version.
time-zone
Optional
string
Identifies the timezone CacheServe will use. Values must match an entry in the 'TZ' column
of the IANA tzdb.
versioncheck-interval
Optional
versioncheck-days
Specifies how often CacheServe should check for a newer version. Defaults to 7, with a
minimum of 1 and a maximum of 30.
Events
servers report the following events:
l server.changed
l server.configuration-error
l server.formerr-loop
l server.restart
l server.stop
l server.tcp-client-limit
l server.udp-recursion-limit
telemetry
The telemetry object periodically writes engine samples and events into Kafka.
Command Description
Supported Fields
The telemetry object supports the following fields:
comment
Optional
string
A comment describing this object. Contains user-specific data relating to or identifying the
containing object.
enable
boolean
interval
integer
kafka
Optional
kafka-configuration-field
post-edits
Optional
(std-layered-edit-operation ...)
pre-edits
Optional
(std-layered-edit-operation ...)
record-events
Optional
(event-name ...)
Specifies a list of events to be recorded by the telemetry stream in addition to the standard
periodic sampling. Defaults to no additional events (an empty value).
Events
layers report the following events:
l layer.changed
l layer.provisioning-connected
l layer.provisioning-connection-failure
l layer.provisioning-disconnected
l layer.provisioning-reimaging
l layer.provisioning-update-failure
l layer.provisioning-update-success
view
views represent a customizable DNS namespace.
Command Description
view.update Updates a view with new values or resets values to their defaults.
Supported Fields
Views support the following fields:
errors
Optional
(string ...)
A read-only field that indicates any problems with a specific object's configuration. errors
will only be present if there's a problem.
name
Required
string
post-edits
Optional
(std-layered-edit-operation ...)
pre-edits
Optional
(std-layered-edit-operation ...)
resolver
Required
string
The name of the resolver associated with this view. All DNS operations are performed in
the context of the resolver.
time-zone
Optional
string
Identifies the timezone CacheServe will use. Values must match an entry in the 'TZ' column
of the IANA tzdb.
Events
views report the following events:
l view.changed
view-selector
view-selectors map DNS requests to views based on the source and destination addresses
of the request.
view-selectors are specifically tied to views; CacheServe also features named selectors,
which may be used in multiple conditions.
Command Description
Supported Fields
View-selectors take the following fields:
destination-address
Optional
addrport
errors
Optional
(string ...)
A read-only field that indicates any problems with a specific object's configuration. errors
will only be present if there's a problem.
post-edits
Optional
(std-layered-edit-operation ...)
pre-edits
Optional
(std-layered-edit-operation ...)
source-address
Optional
addrpat
source-port-mask
Optional
port-mask
When defined, masks the specified bits out of the port when this view-selector is the best
match for the source address. The remaining port number is then used to search for a
view-selector that includes the specified port.
CacheServe only uses view selectors with port information when source-port-mask is
defined on the closest match by address.
The source port mask has no effect if source-address is present and contains an IPv6
network or address or if the source-ports field is present.
source-ports-prefix
Optional
ipv4netlen
If this view-selector is the closest match for the source address, and this field is defined,
the source address is truncated to length when searching for a view-selector, including the
port.
View selectors including port information are only used if source-port-mask and/or source-
port-prefix are defined on the closest match by address. If course port processing is
desired, but no masking or truncation is needed, set the source-port-mask field to 0.
The source port prefix has no effect if the source-address field is present and contains an
IPv6 network or address, or if the source-ports field is present.
source-ports
Optional
(uint16, uint16)
This view-selector requires that the source port of the client, after any modification by the
source-port-mask of the view-selector matching the address, is in this range, specified as a
start and length. The range must be aligned: that is, the length must be a power of 2, and
the start must be a multiple of the length.
View selectors that include port information are used only if source-port-mask is defined
on the closest match by address. If no port masking is desired, set source-port-mask to 0.
view
Required
string
The name of the view that handles requests matching this view-selector (if no other, more
specific view-selector matches).
Events
view-selectors report the following events:
l view-selector.changed
Fields
action
Optional
policy-action
The action associated with this named action. If this value is not set, the action has no
effect.
comment
Optional
string
A comment describing this object. Contains user-specific data relating to or identifying the
containing object.
post-edits
Optional
(std-layered-edit-operation ...)
pre-edits
Optional
(std-layered-edit-operation ...)
Examples
cacheserve> action.add name=my-action
{
action.count
Description and usage
Counts actions.
Fields
layer
Optional
string
Returns
count
integer
action.delete
Description and usage
Deletes an action.
Fields
name
Required
string
layer
Optional
string
Examples
cacheserve> action.delete name=my-action
{
type => 'action.delete'
}
action.get
Description and usage
Retrieves an action, returning details of the action.
Fields
name
Required
string
exclude-fields
Optional
(string ...)
fields
Optional
(string ...)
layer
Optional
string
Examples
cacheserve> action.get name=my-action
{
type => 'action.get'
name => 'my-action'
count => '0'
}
action.list
Description and usage
Lists actions, optionally sorted by various criteria.
Fields
descending
Optional
boolean
end
Optional
{
name => string
}
Defines the last value to be returned. The value is the name of an action.
key
Optional
string
layer
Optional
string
max-results
Optional
integer
skip-first
Optional
boolean
If present, skip-first causes the object where the key matches start to be skipped.
start
Optional
{
name => string
}
Defines the first value to be returned. The value is the name of a list.
Examples
cacheserve> action.list
{
type => 'action.list'
name => 'my-action'
}
action.mget
Description and usage
Retrieves multiple actions.
Fields
descending
Optional
boolean
end
Optional
{
name => string
}
Defines the last value to be returned. The value is the name of an action.
exclude-fields
Optional
(string ...)
fields
Optional
(string ...)
key
Optional
string
layer
Optional
string
max-results
Optional
integer
skip-first
Optional
boolean
If present, skip-first causes the object where the key matches start to be skipped.
start
Optional
{
name => string
}
Defines the first value to be returned. The value is the name of a list.
Examples
cacheserve> action.mget
{
type => 'action.mget'
name => 'my-action'
count => '1'
}
{
name => 'your-action'
count => '0'
}
action.replace
Description and usage
Replaces all fields of an action.
Fields
name
Required
string
action
Optional
policy-action
The action associated with this named action. If this value is not set, the action has no
effect.
comment
Optional
string
A comment describing this object. Contains user-specific data relating to or identifying the
containing object.
layer
Optional
string
post-edits
Optional
(std-layered-edit-operation ...)
pre-edits
Optional
(std-layered-edit-operation ...)
action.update
Description and usage
Updates one or more fields of an action.
Fields
name
Required
string
action
Optional
policy-action
The action associated with this named action. If this value is not set, the action has no
effect.
comment
Optional
string
A comment describing this object. Contains user-specific data relating to or identifying the
containing object.
layer
Optional
string
post-edits
Optional
(std-layered-edit-operation ...)
pre-edits
Optional
(std-layered-edit-operation ...)
unset
Optional
(string ...)
Note: When unset is invoked upon a field, the field is emptied, and CacheServe treats the
field as if no value were specified (for instance, populating the field with a default value if
necessary).
Examples
cacheserve> action.update name=my-action comment="A comment" lay-
er=operator
{
type => 'action.update'
}
address-list.add
Description and usage
Creates a new address-list.
Fields
name
Required
string
comment
Optional
string
A comment describing this object. Contains user-specific data relating to or identifying the
containing object.
layer
Optional
string
post-edits
Optional
(std-layered-edit-operation ...)
pre-edits
Optional
(std-layered-edit-operation ...)
representative-address-v4
Optional
addrpat4
An IPv4 address that represents this list. The address normally matches the list, but is not
required to match. Currently used as part of edns-client-subnet equivalence classes.
representative-address-v6
Optional
addrpat6
An IPv6 address that represents this list. The address normally matches the list, but is not
required to match. Currently used as part of edns-client-subnet equivalence classes.
Examples
cacheserve> address-list.add name=my-list
{
address-list.delete
Description and usage
Deletes an address-list.
Fields
name
Required
string
layer
Optional
string
Examples
cacheserve> address-list.delete name=my-list
{
type => 'address-list.delete'
}
address-list.dump
Description and usage
Dumps the contents of the specified list to the file address-list.dump in cacheserve's
working directory.
Fields
name
Required
string
Examples
cacheserve> address-list.dump name=my-list
{
type => 'address-list.dump'
}
cacheserve> quit
[root@test cacheserve]# pwd
/var/nom/cacheserve
[root@test cacheserve]# ls -al
total 1589004
drwxr-xr-x 3 root root 4096 Jun 24 11:13 .
drwxr-xr-x 6 root root 4096 Jun 24 02:28 ..
-rw-r--r-- 1 root root 0 Jun 24 13:27 address-list.dump
address-list.get
Description and usage
Retrieves an address-list, returning details of the list.
Fields
name
Required
string
exclude-fields
Optional
(string ...)
fields
Optional
(string ...)
layer
Optional
string
Examples
cacheserve> address-list.get name=my-list
{
type => 'address-list.get'
name => 'my-list'
count => '0'
}
address-list.list
Description and usage
Lists address-lists, optionally sorted by various criteria.
Fields
descending
Optional
boolean
end
Optional
{
name => string
}
Defines the last value to be returned. The value is the name of a list.
key
Optional
string
layer
Optional
string
max-results
Optional
integer
skip-first
Optional
boolean
If present, skip-first causes the object where the key matches start to be skipped.
start
Optional
{
name => string
}
Defines the first value to be returned. The value is the name of a list.
Examples
cacheserve> address-list.list
{
type => 'address-list.list'
name => 'my-list'
}
address-list.load
Description and usage
Loads a set of address-lists from a file designated by the file parameter, optionally
replacing existing entries.
Each line of file must contain a single entry, consisting of a sequence of two whitespace-
delimited tokens:
For example:
192.168.1.2/24
192.168.1.1/24 -
If there are any errors in file, the entire operation is cancelled and an error is returned.
To have address-list.load add the contents of file to the existing entries, and silently ignore
existing entries, set replace to false (the default).
To have address-list.load replace all existing entries with the contents of file, set replace to
true.
Fields
name
Required
string
file
Required
string
replace
Optional
boolean
Indicates whether the contents of file should merge with or replace existing entries.
Examples
cacheserve> address-list.load name=loadlist file=/tmp/address-list-
load-file
{
type => 'address-list.load'
}
address-list.mget
Description and usage
Retrieves multiple address-lists.
Fields
descending
Optional
boolean
end
Optional
{
name => string
}
Defines the last value to be returned. The value is the name of a list.
exclude-fields
Optional
(string ...)
fields
Optional
(string ...)
key
Optional
string
layer
Optional
string
max-results
Optional
integer
skip-first
Optional
boolean
If present, skip-first causes the object where the key matches start to be skipped.
start
Optional
{
name => string
}
Defines the first value to be returned. The value is the name of a list.
Examples
cacheserve> address-list.mget
{
address-list.replace
Description and usage
Replaces all fields of an address-list.
Fields
name
Required
string
comment
Optional
string
A comment describing this object. Contains user-specific data relating to or identifying the
containing object.
layer
Optional
string
post-edits
Optional
(std-layered-edit-operation ...)
pre-edits
Optional
(std-layered-edit-operation ...)
representative-address-v4
Optional
addrpat4
An IPv4 address that represents this list. The address normally matches the list, but is not
required to match. Currently used as part of edns-client-subnet equivalence classes.
representative-address-v6
Optional
addrpat6
An IPv6 address that represents this list. The address normally matches the list, but is not
required to match. Currently used as part of edns-client-subnet equivalence classes.
address-list.update
Description and usage
Updates one or more fields of an address-list.
Fields
name
Required
string
comment
Optional
string
A comment describing this object. Contains user-specific data relating to or identifying the
containing object.
layer
Optional
string
post-edits
Optional
(std-layered-edit-operation ...)
pre-edits
Optional
(std-layered-edit-operation ...)
representative-address-v4
Optional
addrpat4
An IPv4 address that represents this list. The address normally matches the list, but is not
required to match. Currently used as part of edns-client-subnet equivalence classes.
representative-address-v6
Optional
addrpat6
An IPv6 address that represents this list. The address normally matches the list, but is not
required to match. Currently used as part of edns-client-subnet equivalence classes.
unset
Optional
(string ...)
Note: When unset is invoked upon a field, the field is emptied, and CacheServe treats the
field as if no value were specified (for instance, populating the field with a default value if
necessary).
Examples
cacheserve> address-list.update name=my-list layer=operator
{
type => 'address-list.update'
}
address-node.add
Description and usage
Creates a new address-node.
Fields
address
Required
addrpat
list
Required
string
comment
Optional
string
A comment describing this object. Contains user-specific data relating to or identifying the
containing object.
layer
Optional
string
post-edits
Optional
(std-layered-edit-operation ...)
pre-edits
Optional
(std-layered-edit-operation ...)
tag
Optional
string
address-node.delete
Description and usage
Deletes an address-node.
Fields
address
Required
addrpat
layer
Optional
string
list
Required
string
address-node.get
Description and usage
Retrieves an address-node.
Fields
address
Required
addrpat
list
Required
string
exclude-fields
Optional
(string ...)
fields
Optional
(string ...)
layer
Optional
string
address-node.list
Description and usage
Lists address-nodes, optionally sorted by various criteria.
Fields
end
Optional
{
address => addrpat
list => string
}
Defines the last value to be returned. The value is an IP address with the name of the
node's associated address-list.
list
Optional
string
layer
Optional
string
max-results
Optional
integer
start
Optional
{
address => addrpat
Defines the first value to be returned. The value is an IP address with the name of the
node's associated address-list.
address-node.mget
Description and usage
Retrieves multiple address-nodes.
Fields
end
Optional
{
address => addrpat
list => string
}
Defines the last value to be returned. The value is an IP address with the name of the
node's associated address-list.
exclude-fields
Optional
(string ...)
fields
Optional
(string ...)
layer
Optional
string
list
Optional
string
max-results
Optional
integer
start
Optional
{
address => addrpat
list => string
}
Defines the first value to be returned. The value is an IP address with the name of the
node's associated address-list.
address-node.replace
Description and usage
Replaces all fields of an address-node.
Fields
address
Required
addrpat
list
Required
string
comment
Optional
string
A comment describing this object. Contains user-specific data relating to or identifying the
containing object.
layer
Optional
string
post-edits
Optional
(std-layered-edit-operation ...)
pre-edits
Optional
(std-layered-edit-operation ...)
tag
Optional
string
address-node.update
Description and usage
Updates one or more fields of an address-node.
Fields
address
Required
addrpat
list
Required
string
comment
Optional
string
A comment describing this object. Contains user-specific data relating to or identifying the
containing object.
layer
Optional
string
post-edits
Optional
(std-layered-edit-operation ...)
pre-edits
Optional
(std-layered-edit-operation ...)
tag
Optional
string
unset
Optional
(string ...)
Note: When unset is invoked upon a field, the field is emptied, and CacheServe treats the
field as if no value were specified (for instance, populating the field with a default value if
necessary).
auth-server-list.add
Note: Has no effect in N2 Connect.
Fields
name
Required
string
comment
Optional
string
A comment describing this object. Contains user-specific data relating to or identifying the
containing object.
layer
Optional
string
post-edits
Optional
(std-layered-edit-operation ...)
pre-edits
Optional
(std-layered-edit-operation ...)
auth-server-list.delete
Note: Has no effect in N2 Connect.
Fields
name
Required
string
layer
Optional
string
Examples
cacheserve> auth-server-list.delete name=my-auth-list
{
type => 'auth-server-list.delete'
}
auth-server-list.get
Note: Has no effect in N2 Connect.
Fields
name
Required
string
exclude-fields
Optional
(string ...)
fields
Optional
(string ...)
layer
Optional
string
Examples
cacheserve> auth-server-list.get name=my-auth-list
{
type => 'auth-server-list.get'
name => 'my-auth-list'
count => '0'
}
auth-server-list.list
Note: Has no effect in N2 Connect.
Fields
descending
Optional
boolean
end
Optional
{
string
}
key
Optional
string
layer
Optional
string
max-results
Optional
integer
skip-first
Optional
boolean
If present, skip-first causes the object where the key matches start to be skipped.
start
Optional
{
name => string
}
Defines the first value to be returned. The value is the name of a list.
Examples
cacheserve> auth-server-list.list
{
type => 'auth-server-list.list'
name => 'my-auth-list'
}
auth-server-list.mget
Note: Has no effect in N2 Connect.
Fields
descending
Optional
boolean
end
Optional
{
name => string
}
Defines the last value to be returned. The value is the name of a list.
exclude-fields
Optional
(string ...)
fields
Optional
(string ...)
key
Optional
string
layer
Optional
string
max-results
Optional
integer
skip-first
Optional
boolean
If present, skip-first causes the object where the key matches start to be skipped.
start
Optional
{
name => string
}
Defines the first value to be returned. The value is the name of a list.
Examples
cacheserve> auth-server-list.mget
{
type => 'auth-server-list.mget'
name => 'loadlist'
count => '1'
}
{
name => 'my-auth-list'
count => '0'
}
auth-server-list.replace
Note: Has no effect in N2 Connect.
Fields
name
Required
string
comment
Optional
string
A comment describing this object. Contains user-specific data relating to or identifying the
containing object.
layer
Optional
string
post-edits
Optional
(std-layered-edit-operation ...)
pre-edits
Optional
(std-layered-edit-operation ...)
auth-server-list.update
Note: Has no effect in N2 Connect.
Fields
name
Required
string
comment
Optional
string
A comment describing this object. Contains user-specific data relating to or identifying the
containing object.
layer
Optional
string
post-edits
Optional
(std-layered-edit-operation ...)
pre-edits
Optional
(std-layered-edit-operation ...)
unset
Optional
(string ...)
Note: When unset is invoked upon a field, the field is emptied, and CacheServe treats the
field as if no value were specified (for instance, populating the field with a default value if
necessary).
Examples
cacheserve> auth-server-list.update name=my-auth-list layer=operator
{
type => 'auth-server-list.update'
}
auth-server-node.add
Description and usage
Creates a new auth-server-node.
Fields
address
Required
addrpat
list
Required
string
comment
Optional
string
A comment describing this object. Contains user-specific data relating to or identifying the
containing object.
dnssec-aware
Optional
boolean
edns
Optional
boolean
If set to false, disables the use of EDNS in queries to matching authoritative servers.
ignore
Optional
boolean
If set to true, indicates that no queries should be sent to the authoritative server
represented by this node.
layer
Optional
string
max-edns-udp-size
Optional
integer
Configures the advertised EDNS packet size, overriding any resolver configuration. The
default is 4096.
When this field is configured, CacheServe, when sending EDNS queries to matching
authoritative servers, advertises that packets of up to this length (in bytes) can be
reassembled.
post-edits
Optional
(std-layered-edit-operation ...)
pre-edits
Optional
(std-layered-edit-operation ...)
Examples
cacheserve> auth-server-node.add name=my-node
{
auth-server-node.delete
Description and usage
Deletes an auth-server-node.
Fields
address
Required
addrpat
list
Optional
string
layer
Optional
string
Examples
cacheserve> auth-server-node.delete name=my-node
{
auth-server-node.get
Description and usage
Retrieves an auth-server-node, returning details of the node.
Fields
address
Required
addrpat
list
Optional
string
exclude-fields
Optional
(string ...)
fields
Optional
(string ...)
layer
Optional
string
auth-server-node.list
Description and usage
Lists auth-server-nodes.
Note: When retrieving multiple nodes with the auth-server-node.list command, the list
argument is optional. If list is absent, all nodes in all lists are retrieved.
Fields
list
Optional
string
descending
Optional
boolean
end
Optional
{
address => addrpat
list => string
}
key
Optional
string
layer
Optional
string
max-results
Optional
integer
skip-first
Optional
boolean
If present, skip-first causes the object where the key matches start to be skipped.
start
Optional
{
address => addrpat
list => string
}
auth-server-node.mget
Description and usage
Retrieves multiple auth-server-nodes.
Note: When retrieving multiple nodes with the auth-server-node.mget command, the list
argument is optional. If list is absent, all nodes in all lists are retrieved.
Fields
descending
Optional
boolean
end
Optional
{
address => addrpat
list => string
}
exclude-fields
Optional
(string ...)
fields
Optional
(string ...)
key
Optional
string
layer
Optional
string
max-results
Optional
integer
skip-first
Optional
boolean
If present, skip-first causes the object where the key matches start to be skipped.
start
Optional
{
address => addrpat
list => string
}
auth-server-node.replace
Description and usage
Replaces all fields of an auth-server-node.
Fields
address
Required
addrpat
list
Required
string
comment
Optional
string
A comment describing this object. Contains user-specific data relating to or identifying the
containing object.
dnssec-aware
Optional
boolean
edns
Optional
boolean
If set to false, disables the use of EDNS in queries to matching authoritative servers.
ignore
Optional
boolean
If set to true, indicates that no queries should be sent to the authoritative server
represented by this node.
max-edns-udp-size
Optional
integer
Configures the advertised EDNS packet size, overriding any resolver configuration. The
default is 4096.
When this field is configured, CacheServe, when sending EDNS queries to matching
authoritative servers, advertises that packets of up to this length (in bytes) can be
reassembled.
layer
Optional
string
post-edits
Optional
(std-layered-edit-operation ...)
pre-edits
Optional
(std-layered-edit-operation ...)
auth-server-node.update
Description and usage
Updates one or more fields of an auth-server-node.
Fields
address
Required
addrpat
list
Required
string
comment
Optional
string
A comment describing this object. Contains user-specific data relating to or identifying the
containing object.
dnssec-aware
Optional
boolean
edns
Optional
boolean
If set to false, disables the use of EDNS in queries to matching authoritative servers.
ignore
Optional
boolean
If set to true, indicates that no queries should be sent to the authoritative server
represented by this node.
max-edns-udp-size
Optional
integer
Configures the advertised EDNS packet size, overriding any resolver configuration. The
default is 4096.
When this field is configured, CacheServe, when sending EDNS queries to matching
authoritative servers, advertises that packets of up to this length (in bytes) can be
reassembled.
layer
Optional
string
post-edits
Optional
(std-layered-edit-operation ...)
pre-edits
Optional
(std-layered-edit-operation ...)
unset
Optional
(string ...)
Note: When unset is invoked upon a field, the field is emptied, and CacheServe treats the
field as if no value were specified (for instance, populating the field with a default value if
necessary).
binding.add
Description and usage
Creates a new binding.
Fields
policy
Required
string
priority
Required
integer
The priority of a policy-binding operation. Priorities affect the execution order of policies.
Priorities are ranked by the lowest value, with 0 being the most important priority.
Policies with a lower priority value are executed before policies with a higher priority value.
As some policies execute before DNS resolution is performed, and other policies execute
after DNS resolution is performed, policies are only compared to other policies that are
executing at the same time.
If multiple bindings specify the same priority, the order of execution is considered
undefined. Therefore, you should consider specifying priorities with some flexibility to
them. For example, instead of using the priorities 0, 1, 2, 3, 4 and so on, you may want to
consider using 0, 10, 20, 30, 40 or even 0, 100, 200, 300, 400.
comment
Optional
string
A comment describing this object. Contains user-specific data relating to or identifying the
containing object.
layer
Optional
string
post-edits
Optional
(std-layered-edit-operation ...)
pre-edits
Optional
(std-layered-edit-operation ...)
server
Optional
boolean
May only be 1, and is mutually exclusive with the view field. Indicates that the binding
target is the server object. This binding matches all queries.
view
Optional
string
Indicates that the binding target is a view, and that this binding matches all queries
handled by the view. Mutually exclusive with the server field.
when
Optional
postquery | prequery | presend
Specifies the time in the DNS processing cycle when a policy-binding operation should
execute.
prequery
bindings are executed prior to cache lookup and/or resolution. DNS processing is aborted
if a prequery binding produces a response. If a CNAME or DNAME is followed, prequery
bindings may be executed multiple times for a single query.
postquery
bindings are executed after prequery bindings and/or normal DNS processing. If a CNAME
or DNAME is followed, postquery bindings may be executed multiple times for a single
query.
presend
bindings are executed after the full DNS response has been constructed, immediately prior
to sending the response.
binding.delete
Description and usage
Deletes a binding.
Fields
policy
Required
string
layer
Optional
string
server
Optional
boolean
May only be 1, and is mutually exclusive with the view field. Indicates that the binding
target is the server object. This binding matches all queries.
view
Optional
string
Indicates that the binding target is a view, and that this binding matches all queries
handled by the view. Mutually exclusive with the server field.
binding.get
Description and usage
Retrieves a policy binding.
Fields
policy
Required
string
exclude-fields
Optional
(string ...)
fields
string
layer
Optional
string
server
Optional
boolean
May only be 1, and is mutually exclusive with the view field. Indicates that the binding
target is the server object. This binding matches all queries.
view
Optional
string
Indicates that the binding target is a view, and that this binding matches all queries
handled by the view. Mutually exclusive with the server field.
binding.list
Description and usage
Lists policy bindings, optionally sorted by various criteria.
Fields
end
Optional
{
policy => string
server => '1'
view => string
Defines the last value to be returned. The value is a policy name, and either or both of the
value '1' for the server or the name of a view.
policy
Required
string
layer
Optional
string
max-results
Optional
integer
server
Optional
boolean
May only be 1, and is mutually exclusive with the view field. Indicates that the binding
target is the server object. This binding matches all queries.
start
Optional
{
policy => string
server => '1'
view => string
Defines the first value to be returned. The value is a policy name, and either or both of the
value '1' for the server or the name of a view.
view
Optional
string
Indicates that the binding target is a view, and that this binding matches all queries
handled by the view. Mutually exclusive with the server field.
binding.mget
Description and usage
Retrieves multiple bindings.
Fields
policy
Required
string
end
Optional
{
policy => string
server => '1'
view => string
Defines the last value to be returned. The value is an policy name, and either or both of the
value '1' for the server or the name of a view.
exclude-fields
Optional
(string ...)
fields
Optional
(string ...)
layer
Optional
string
max-results
Optional
integer
server
Optional
boolean
May only be 1, and is mutually exclusive with the view field. Indicates that the binding
target is the server object. This binding matches all queries.
start
Optional
{
policy => string
server => '1'
view => string
Defines the first value to be returned. The value is an policy name, and either or both of
the value '1' for the server or the name of a view.
view
Optional
string
Indicates that the binding target is a view, and that this binding matches all queries
handled by the view. Mutually exclusive with the server field.
binding.replace
Description and usage
Replaces all fields of a policy binding.
Fields
priority
Required
integer
The priority of a policy-binding operation. Priorities affect the execution order of policies.
Priorities are ranked by the lowest value, with 0 being the most important priority.
Policies with a lower priority value are executed before policies with a higher priority value.
As some policies execute before DNS resolution is performed, and other policies execute
after DNS resolution is performed, policies are only compared to other policies that are
executing at the same time.
If multiple bindings specify the same priority, the order of execution is considered
undefined. Therefore, you should consider specifying priorities with some flexibility to
them. For example, instead of using the priorities 0, 1, 2, 3, 4 and so on, you may want to
consider using 0, 10, 20, 30, 40 or even 0, 100, 200, 300, 400.
comment
Optional
string
A comment describing this object. Contains user-specific data relating to or identifying the
containing object.
layer
Optional
string
policy
Required
string
post-edits
Optional
(std-layered-edit-operation ...)
pre-edits
Optional
(std-layered-edit-operation ...)
server
Optional
boolean
May only be 1, and is mutually exclusive with the view field. Indicates that the binding
target is the server object. This binding matches all queries.
view
Optional
string
Indicates that the binding target is a view, and that this binding matches all queries
handled by the view. Mutually exclusive with the server field.
when
Optional
postquery | prequery | presend
Specifies the time in the DNS processing cycle when a policy-binding operation should
execute.
prequery
bindings are executed prior to cache lookup and/or resolution. DNS processing is aborted
if a prequery binding produces a response. If a CNAME or DNAME is followed, prequery
bindings may be executed multiple times for a single query.
postquery
bindings are executed after prequery bindings and/or normal DNS processing. If a CNAME
or DNAME is followed, postquery bindings may be executed multiple times for a single
query.
presend
bindings are executed after the full DNS response has been constructed, immediately prior
to sending the response.
binding.update
Description and usage
Updates the fields of a policy binding.
Fields
policy
Required
string
comment
Optional
string
A comment describing this object. Contains user-specific data relating to or identifying the
containing object.
layer
Optional
string
post-edits
Optional
(std-layered-edit-operation ...)
pre-edits
Optional
(std-layered-edit-operation ...)
priority
Optional
integer
The priority of a policy-binding operation. Priorities affect the execution order of policies.
Priorities are ranked by the lowest value, with 0 being the most important priority.
Policies with a lower priority value are executed before policies with a higher priority value.
As some policies execute before DNS resolution is performed, and other policies execute
after DNS resolution is performed, policies are only compared to other policies that are
executing at the same time.
If multiple bindings specify the same priority, the order of execution is considered
undefined. Therefore, you should consider specifying priorities with some flexibility to
them. For example, instead of using the priorities 0, 1, 2, 3, 4 and so on, you may want to
consider using 0, 10, 20, 30, 40 or even 0, 100, 200, 300, 400.
server
Optional
boolean
May only be 1, and is mutually exclusive with the view field. Indicates that the binding
target is the server object. This binding matches all queries.
when
Optional
postquery | prequery | presend
Specifies the time in the DNS processing cycle when a policy-binding operation should
execute.
prequery
bindings are executed prior to cache lookup and/or resolution. DNS processing is aborted
if a prequery binding produces a response. If a CNAME or DNAME is followed, prequery
bindings may be executed multiple times for a single query.
postquery
bindings are executed after prequery bindings and/or normal DNS processing. If a CNAME
or DNAME is followed, postquery bindings may be executed multiple times for a single
query.
presend
bindings are executed after the full DNS response has been constructed, immediately prior
to sending the response.
view
Optional
string
Indicates that the binding target is a view, and that this binding matches all queries
handled by the view. Mutually exclusive with the server field.
unset
Optional
(string ...)
Note: When unset is invoked upon a field, the field is emptied, and CacheServe treats the
field as if no value were specified (for instance, populating the field with a default value if
necessary).
connection.get
Description and usage
Retrieves a connection configuration.
Fields
exclude-fields
Optional
(string ...)
fields
Optional
(string ...)
connection.replace
Description and usage
Replaces field values for a Command Channel connection configuration.
Fields
events
Optional
(event-name ...)
idle-timeout
Optional
time-in-seconds
Specifies the amount of time before a connection will be closed in the absence of traffic.
Defaults to 5 minutes (300 seconds). If any events are specified for the connection, there is
no timeout.
connection.subscribe-all
When specified, subscribes this connection to all events, overriding any previous list of
requested events.
connection.update
Description and usage
Updates the fields of a Command Channel connection.
Fields
events
Optional
(event-name ...)
idle-timeout
Optional
time-in-seconds
Specifies the amount of time before a connection will be closed in the absence of traffic.
Defaults to 5 minutes (300 seconds). If any events are specified for the connection, there is
no timeout.
unset
Optional
(string ...)
Note: When unset is invoked upon a field, the field is emptied, and CacheServe treats the
field as if no value were specified (for instance, populating the field with a default value if
necessary).
device-list.add
Description and usage
Creates a new device-list.
Fields
name
Required
string
comment
Optional
string
A comment describing this object. Contains user-specific data relating to or identifying the
containing object.
layer
Optional
string
post-edits
Optional
(std-layered-edit-operation ...)
pre-edits
Optional
(std-layered-edit-operation ...)
Examples
cacheserve> device-list.add name=my-device-list
{
device-list.count
Description and usage
Counts device-lists.
Fields
layer
Optional
string
Returns
count
integer
device-list.delete
Description and usage
Deletes a device-list.
Fields
name
Required
string
layer
Optional
string
Examples
cacheserve> device-list.delete name=my-device-list
{
type => 'device-list.delete'
}
device-list.get
Description and usage
Retrieves a device-list, returning details of the device-list.
Fields
name
Required
string
exclude-fields
Optional
(string ...)
fields
Optional
(string ...)
layer
Optional
string
Examples
cacheserve> device-list.get name=my-device-list
{
type => 'device-list.get'
name => 'my-device-list'
count => '0'
}
device-list.list
Description and usage
Lists device-lists, optionally sorted by various criteria.
Fields
descending
Optional
boolean
end
Optional
{
name => string
}
Defines the last value to be returned. The value is the name of a device-list.
key
Optional
string
layer
Optional
string
max-results
Optional
integer
skip-first
Optional
boolean
If present, skip-first causes the object where the key matches start to be skipped.
start
Optional
{
name => string
}
Defines the first value to be returned. The value is the name of a list.
Examples
cacheserve> device-list.list
{
type => 'device-list.list'
name => 'my-device-list'
}
device-list.mget
Description and usage
Retrieves multiple device-lists.
Fields
descending
Optional
boolean
end
Optional
{
name => string
}
Defines the last value to be returned. The value is the name of an device-list.
exclude-fields
Optional
(string ...)
fields
Optional
(string ...)
key
Optional
string
layer
Optional
string
max-results
Optional
integer
skip-first
Optional
boolean
If present, skip-first causes the object where the key matches start to be skipped.
start
Optional
{
name => string
}
Defines the first value to be returned. The value is the name of a list.
Examples
cacheserve> device-list.mget
{
device-list.replace
Description and usage
Replaces all fields of a device-list.
Fields
name
Required
string
comment
Optional
string
A comment describing this object. Contains user-specific data relating to or identifying the
containing object.
layer
Optional
string
post-edits
Optional
(std-layered-edit-operation ...)
pre-edits
Optional
(std-layered-edit-operation ...)
device-list.update
Description and usage
Updates one or more fields of a device-list.
Fields
name
Required
string
comment
Optional
string
A comment describing this object. Contains user-specific data relating to or identifying the
containing object.
layer
Optional
string
post-edits
Optional
(std-layered-edit-operation ...)
pre-edits
Optional
(std-layered-edit-operation ...)
unset
Optional
(string ...)
Note: When unset is invoked upon a field, the field is emptied, and CacheServe treats the
field as if no value were specified (for instance, populating the field with a default value if
necessary).
Examples
cacheserve> device-list.update name=my-device-list comment="A com-
ment" layer=operator
{
type => 'device-list.update'
}
device-node.add
Description and usage
Creates a new device-node.
Fields
identifier
Required
string
list
Required
string
view
Required
string
comment
Optional
string
A comment describing this object. Contains user-specific data relating to or identifying the
containing object.
layer
Optional
string
post-edits
Optional
(std-layered-edit-operation ...)
pre-edits
Optional
(std-layered-edit-operation ...)
device-node.count
Description and usage
Counts device-nodes.
Fields
list
Optional
string
layer
Optional
string
Returns
count
integer
device-node.delete
Description and usage
Deletes a device-node.
Fields
identifier
Required
string
view
Required
string
list
Optional
string
layer
Optional
string
Examples
cacheserve> device-node.delete name=my-device-node
{
type => 'device-node.delete'
}
device-node.get
Description and usage
Retrieves a device-node.
Fields
identifier
Required
string
view
Required
string
list
Optional
string
exclude-fields
Optional
(string ...)
fields
Optional
(string ...)
layer
Optional
string
device-node.list
Description and usage
Lists device-nodes, optionally sorted by various criteria.
Fields
end
Optional
{
identifier => string
list => string
view => string
Defines the last value to be returned. The value is the device-node's name, along with the
node's associated device-list.
descending
Optional
boolean
layer
Optional
string
list
Optional
string
max-results
Optional
integer
start
Optional
{
list => string
name => name
Defines the first value to be returned. The value is the device-node's name, along with the
node's associated name-list.
Returns
identifier
Required
string
list
Optional
string
view
Required
string
device-node.mget
Description and usage
Retrieves multiple device-nodes.
Fields
list
Optional
string
descending
Optional
boolean
end
Optional
{
identifier => string
list => string
view => name
Defines the last value to be returned. The value is the device-node's name, along with the
node's associated name-list.
exclude-fields
Optional
(string ...)
fields
Optional
(string ...)
key
Optional
string
layer
Optional
string
max-results
Optional
integer
skip-first
Optional
boolean
If present, skip-first causes the object where the key matches start to be skipped.
start
Optional
{
list => string
name => name
Defines the first value to be returned. The value is the device-node's name, along with the
node's associated name-list.
device-node.replace
Description and usage
Replaces all values on a device-node with new values.
Fields
identifier
Required
string
list
Required
string
view
Required
string
comment
Optional
string
A comment describing this object. Contains user-specific data relating to or identifying the
containing object.
layer
Optional
string
post-edits
Optional
(std-layered-edit-operation ...)
pre-edits
Optional
(std-layered-edit-operation ...)
device-node.update
Description and usage
Updates one or more values on a device-node with new values.
Fields
identifier
Required
string
list
Required
string
view
Required
string
comment
Optional
string
A comment describing this object. Contains user-specific data relating to or identifying the
containing object.
layer
Optional
string
post-edits
Optional
(std-layered-edit-operation ...)
pre-edits
Optional
(std-layered-edit-operation ...)
unset
Optional
(string ...)
Note: When unset is invoked upon a field, the field is emptied, and CacheServe treats the
field as if no value were specified (for instance, populating the field with a default value if
necessary).
dns64.add
Description and usage
Creates a new DNS64 layer.
Fields
name
Required
string
prefix
Required
addrpat6
The prefix must exactly match one of the following bit lengths:
l 32
l 40
l 48
l 56
l 64
l 96
comment
Optional
string
A comment describing this object. Contains user-specific data relating to or identifying the
containing object.
exclude
Optional
(acl-element6 ...)
If present, removes any IPv6 addresses (in AAAA records) matching this acl from responses
that contain them.
If no AAAA records remain after exclusion, the response is processed as if the original
AAAA query returned a NOERROR or NODATA response.
layer
Optional
string
mapped
Optional
(acl-element4 ...)
Specifies an ACL instructing CacheServe to map only certain IPv4 A records into IPv6 AAAA
records.
post-edits
Optional
(std-layered-edit-operation ...)
pre-edits
Optional
(std-layered-edit-operation ...)
suffix
Optional
addr6
An addr6 specifying the bits that will trail IPv6 addresses constructed from IPv4 addresses.
Any bits specified in the suffix must not overlap bits in the prefix, reserved bits, or the
mapped IPv4 address.
dns64.delete
Description and usage
Deletes a dns64 configuration.
Fields
name
Required
string
layer
Optional
string
dns64.get
Description and usage
Retrieves a dns64 configuration.
Fields
name
Required
string
exclude-fields
Optional
(string ...)
fields
Optional
(string ...)
layer
Optional
string
dns64.list
Description and usage
Lists dns64 configurations, optionally sorted by various criteria.
Fields
descending
Optional
boolean
end
Optional
{
name => string
Defines the last value to be returned. The value is the name of a DNS64 key.
key
Optional
string
layer
Optional
string
max-results
Optional
integer
skip-first
Optional
boolean
If present, skip-first causes the object where the key matches start to be skipped.
start
Optional
{
name => string
Defines the first value to be returned. The value is the name of a DNS64 key.
dns64.mget
Description and usage
Retrieves multiple DNS64 configurations.
Fields
descending
Optional
boolean
end
Optional
string
end
Optional
{
name => string
Defines the last value to be returned. The value is the name of a DNS64 key.
exclude-fields
Optional
(string ...)
fields
Optional
(string ...)
key
Optional
string
layer
Optional
string
max-results
Optional
integer
skip-first
Optional
boolean
If present, skip-first causes the object where the key matches start to be skipped.
start
Optional
{
name => string
Defines the first value to be returned. The value is the name of a DNS64 key.
dns64.replace
Description and usage
Replaces values for a dns64 layer.
Fields
name
Required
string
prefix
Required
addrpat6
The prefix must exactly match one of the following bit lengths:
l 32
l 40
l 48
l 56
l 64
l 96
comment
Optional
string
A comment describing this object. Contains user-specific data relating to or identifying the
containing object.
exclude
Optional
(acl-element6 ...)
If present, removes any IPv6 addresses (in AAAA records) matching this acl from responses
that contain them.
If no AAAA records remain after exclusion, the response is processed as if the original
AAAA query returned a NOERROR or NODATA response.
layer
Optional
string
mapped
Optional
(acl-element4 ...)
Specifies an ACL instructing CacheServe to map only certain IPv4 A records into IPv6 AAAA
records.
post-edits
Optional
(std-layered-edit-operation ...)
pre-edits
Optional
(std-layered-edit-operation ...)
suffix
Optional
addr6
An addr6 specifying the bits that will trail IPv6 addresses constructed from IPv4 addresses.
Any bits specified in the suffix must not overlap bits in the prefix, reserved bits, or the
mapped IPv4 address.
dns64.update
Description and usage
Updates fields for a dns64 layer.
Fields
name
Required
string
comment
Optional
string
A comment describing this object. Contains user-specific data relating to or identifying the
containing object.
exclude
Optional
(acl-element6 ...)
If present, removes any IPv6 addresses (in AAAA records) matching this acl from responses
that contain them.
If no AAAA records remain after exclusion, the response is processed as if the original
AAAA query returned a NOERROR or NODATA response.
layer
Optional
string
mapped
Optional
(acl-element4 ...)
Specifies an ACL instructing CacheServe to map only certain IPv4 A records into IPv6 AAAA
records.
post-edits
Optional
(std-layered-edit-operation ...)
pre-edits
Optional
(std-layered-edit-operation ...)
prefix
Required
addrpat6
The prefix must exactly match one of the following bit lengths:
l 32
l 40
l 48
l 56
l 64
l 96
suffix
Optional
addr6
An addr6 specifying the bits that will trail IPv6 addresses constructed from IPv4 addresses.
Any bits specified in the suffix must not overlap bits in the prefix, reserved bits, or the
mapped IPv4 address.
unset
Optional
(string ...)
Note: When unset is invoked upon a field, the field is emptied, and CacheServe treats the
field as if no value were specified (for instance, populating the field with a default value if
necessary).
instance-information
Description and usage
Retrieves the server's instance ID and information about all instances of the server's
partners.
Returns
instance-id
uuid
partners
integer
layer.add
Description and usage
Creates a new layer.
Fields
name
Required
string
priority
Required
integer
The priority of a layer. Layers are ranked by the lowest value, with 0 being the most
important layer. Layers with a lower priority value take precedence over layers with a
higher priority value.
The operator layer is always priority 0 and has precedence over all other layers: the
operator layer cannot be deleted.
comment
Optional
string
A comment describing this object. Contains user-specific data relating to or identifying the
containing object.
channel
Optional
string
A Command Channel service name, as defined in the local channel configuration file
(usually /etc/channel.conf).
This service should point to a provisioning server, and may not coexist with the server
field.
hidden
Optional
boolean
A value that indicates whether or not a layer affects the server's active configuration.
Changing this value forces an automatic server restart.
If hidden is set to true, the layer's contents do NOT affect the server's active configuration.
For provisioned layers, provisioning changes will be applied, but have no visible effect until
the layer is unhidden.
If hidden is set to false (the default), the layer's contents affect the server's active
configuration.
server
Optional
(addr-or-nameuint16, string)
The system's resolver configuration is used to resolve the server's DNS name.
Examples
cacheserve> layer.add name=second-layer priority=1
{
type => 'layer.add'
}
layer.clear-fault
Description and usage
If the layer's provisioning session has entered the faulted state, layer.clear-fault forces the
server to clear the fault and make an attempt to reestablish communications with the
provisioning server.
Fields
name
Required
string
layer.delete
Description and usage
Deletes a layer.
Fields
name
Required
string
layer.get
Description and usage
Retrieves a layer.
Fields
name
Required
string
exclude-fields
Optional
(string ...)
fields
Optional
(string ...)
layer.list
Description and usage
Lists layers, optionally sorted by various criteria.
Fields
descending
Optional
boolean
end
Optional
{
name => string
Defines the last value to be returned. The value is the name of a layer.
key
Optional
string
max-results
Optional
integer
skip-first
Optional
boolean
If present, skip-first causes the object where the key matches start to be skipped.
start
Optional
{
name => string
Defines the first value to be returned. The value is the name of a layer.
layer.mget
Description and usage
Retrieves multiple layers.
Fields
descending
Optional
boolean
end
Optional
{
name => string
Defines the last value to be returned. The value is the name of a layer.
exclude-fields
Optional
(string ...)
fields
Optional
(string ...)
key
Optional
string
max-results
Optional
integer
skip-first
Optional
boolean
If present, skip-first causes the object where the key matches start to be skipped.
start
Optional
{
name => string
Defines the first value to be returned. The value is the name of a layer.
layer.reimage
Description and usage
Reimages a layer, erasing all configuration data from the layer and then reloading the
layer's configuration from the provisioning server.
Fields
name
Required
string
layer.replace
Description and usage
Replaces values for a layer.
Fields
name
Required
string
priority
Required
integer
The priority of a layer. Layers are ranked by the lowest value, with 0 being the most
important layer. Layers with a lower priority value take precedence over layers with a
higher priority value.
The operator layer is always priority 0 and has precedence over all other layers: the
operator layer cannot be deleted.
channel
Optional
string
A Command Channel service name, as defined in the local channel configuration file
(usually /etc/channel.conf).
This service should point to a provisioning server, and may not coexist with the server
field.
hidden
Optional
boolean
A value that indicates whether or not a layer affects the server's active configuration.
Changing this value forces an automatic server restart.
If hidden is set to true, the layer's contents do NOT affect the server's active configuration.
For provisioned layers, provisioning changes will be applied, but have no visible effect until
the layer is unhidden.
If hidden is set to false (the default), the layer's contents affect the server's active
configuration.
server
Optional
(addr-or-nameuint16, string)
The system's resolver configuration is used to resolve the server's DNS name.
layer.update
Description and usage
Updates values for a layer.
Fields
name
Required
string
channel
Optional
string
A Command Channel service name, as defined in the local channel configuration file
(usually /etc/channel.conf).
This service should point to a provisioning server, and may not coexist with the server
field.
hidden
Optional
boolean
A value that indicates whether or not a layer affects the server's active configuration.
Changing this value forces an automatic server restart.
If hidden is set to true, the layer's contents do NOT affect the server's active configuration.
For provisioned layers, provisioning changes will be applied, but have no visible effect until
the layer is unhidden.
If hidden is set to false (the default), the layer's contents affect the server's active
configuration.
priority
Optional
integer
The priority of a layer. Layers are ranked by the lowest value, with 0 being the most
important layer. Layers with a lower priority value take precedence over layers with a
higher priority value.
The operator layer is always priority 0 and has precedence over all other layers: the
operator layer cannot be deleted.
server
Optional
(addr-or-nameuint16, string)
The system's resolver configuration is used to resolve the server's DNS name.
unset
Optional
(string ...)
Note: When unset is invoked upon a field, the field is emptied, and CacheServe treats the
field as if no value were specified (for instance, populating the field with a default value if
necessary).
name-group.add
Description and usage
Creates a new name-group.
Fields
name
Required
string
comment
Optional
string
A comment describing this object. Contains user-specific data relating to or identifying the
containing object.
groups
Optional
(string ...)
lists
string
layer
Optional
string
post-edits
Optional
(std-layered-edit-operation ...)
pre-edits
Optional
(std-layered-edit-operation ...)
name-group.count
Description and usage
Counts name-groups.
Fields
layer
Optional
string
Returns
count
integer
name-group.delete
Description and usage
Deletes an name-group.
Fields
name
Required
string
layer
Optional
string
Examples
cacheserve> name-group.delete name=my-name-group
{
type => 'name-group.delete'
}
name-group.get
Description and usage
Retrieves a name-group, returning details of the name-group.
Fields
name
Required
string
exclude-fields
Optional
(string ...)
fields
Optional
(string ...)
layer
Optional
string
Examples
cacheserve> name-group.get name=my-name-group
{
type => 'name-group.get'
name => 'my-name-group'
count => '0'
}
name-group.list
Description and usage
Lists name-groups, optionally sorted by various criteria.
Fields
descending
Optional
boolean
end
Optional
{
name => string
}
Defines the last value to be returned. The value is the name of a name-group.
key
Optional
string
layer
Optional
string
max-results
Optional
integer
skip-first
Optional
boolean
If present, skip-first causes the object where the key matches start to be skipped.
start
Optional
{
name => string
}
Defines the first value to be returned. The value is the name of a list.
Examples
cacheserve> name-group.list
{
type => 'name-group.list'
name => 'my-name-group'
}
name-group.mget
Description and usage
Retrieves multiple name-groups.
Fields
descending
Optional
boolean
end
Optional
{
name => string
}
Defines the last value to be returned. The value is the name of an name-group.
exclude-fields
Optional
(string ...)
fields
Optional
(string ...)
key
Optional
string
layer
Optional
string
max-results
Optional
integer
skip-first
Optional
boolean
If present, skip-first causes the object where the key matches start to be skipped.
start
Optional
{
name => string
}
Defines the first value to be returned. The value is the name of a list.
Examples
cacheserve> name-group.mget
{
type => 'name-group.mget'
name => 'my-name-group'
count => '1'
}
{
name => 'your-name-group'
count => '0'
}
name-group.replace
Description and usage
Replaces all fields of a name-group.
Fields
name
Required
string
comment
Optional
string
A comment describing this object. Contains user-specific data relating to or identifying the
containing object.
groups
Optional
(string ...)
lists
string
layer
Optional
string
post-edits
Optional
(std-layered-edit-operation ...)
pre-edits
Optional
(std-layered-edit-operation ...)
name-group.update
Description and usage
Updates one or more fields of a name-group.
Fields
name
Required
string
comment
Optional
string
A comment describing this object. Contains user-specific data relating to or identifying the
containing object.
groups
Optional
(string ...)
layer
Optional
string
post-edits
Optional
(std-layered-edit-operation ...)
pre-edits
Optional
(std-layered-edit-operation ...)
unset
Optional
(string ...)
Note: When unset is invoked upon a field, the field is emptied, and CacheServe treats the
field as if no value were specified (for instance, populating the field with a default value if
necessary).
Examples
cacheserve> name-group.update name=my-name-group comment="A comment"
layer=operator
{
type => 'name-group.update'
}
name-list.add
Description and usage
Creates a new name-list.
Fields
name
Required
string
comment
Optional
string
A comment describing this object. Contains user-specific data relating to or identifying the
containing object.
layer
Optional
string
post-edits
Optional
(std-layered-edit-operation ...)
pre-edits
Optional
(std-layered-edit-operation ...)
name-list.delete
Description and usage
Deletes a name-list.
Fields
name
Required
string
layer
Optional
string
name-list.dump
Description and usage
Dumps the content of a list to the file name-list.dump in the server's current working
directory.
Fields
name
Required
string
name-list.get
Description and usage
Retrieves a name-list.
Fields
name
Required
string
exclude-fields
Optional
(string ...)
fields
Optional
(string ...)
layer
Optional
string
name-list.list
Description and usage
Lists name-list configurations, optionally sorted by various criteria.
Fields
descending
Optional
boolean
end
Optional
{
name => string
Defines the last value to be returned. The value is the name of a name-list.
key
Optional
string
layer
Optional
string
max-results
Optional
integer
skip-first
Optional
boolean
If present, skip-first causes the object where the key matches start to be skipped.
start
Optional
{
name => string
Defines the first value to be returned. The value is the name of a name-list.
name-list.load
Description and usage
Loads a set of names to a name-list from a file designated by the file parameter, optionally
replacing existing entries.
Each line of file must contain a single entry, consisting of a sequence of two whitespace-
delimited tokens:
1. A DNS name (names containing whitespace must be quoted or have their whitespace
escaped).
2. One or two optional parameters:
1. A '-', which indicates that the IP network should be deleted, or
2. X:t if the name has been encrypted.
For example:
example.net
example.org -
If there are any errors in file, the entire operation is cancelled and an error is returned.
To have name-list.load add the contents of file to the existing entries, and silently ignore
existing entries, set replace to false (the default).
To have name-list.load replace all existing entries with the contents of file, set replace to
true.
Fields
name
Required
string
file
Required
string
replace
Optional
boolean
Indicates whether the contents of file should merge with or replace existing entries.
Examples
cacheserve> name-list.load name=loadlist file=/tmp/name-list-load-
file
{
type => 'name-list.load'
}
name-list.mget
Description and usage
Retrieves multiple name-lists.
Fields
descending
Optional
boolean
end
Optional
{
name => string
Defines the last value to be returned. The value is the name of a name-list.
layer
Optional
string
max-results
Optional
integer
skip-first
Optional
boolean
If present, skip-first causes the object where the key matches start to be skipped.
start
Optional
{
name => string
Defines the first value to be returned. The value is the name of a name-list.
name-list.replace
Description and usage
Replaces all fields of an name-list.
Fields
name
Required
string
comment
Optional
string
A comment describing this object. Contains user-specific data relating to or identifying the
containing object.
layer
Optional
string
post-edits
Optional
(std-layered-edit-operation ...)
pre-edits
Optional
(std-layered-edit-operation ...)
name-list.update
Description and usage
Updates one or more fields of a name-list.
Fields
name
Required
string
comment
Optional
string
A comment describing this object. Contains user-specific data relating to or identifying the
containing object.
layer
Optional
string
post-edits
Optional
(std-layered-edit-operation ...)
pre-edits
Optional
(std-layered-edit-operation ...)
unset
Optional
(string ...)
Note: When unset is invoked upon a field, the field is emptied, and CacheServe treats the
field as if no value were specified (for instance, populating the field with a default value if
necessary).
name-node.add
Description and usage
Creates a new name-node.
Fields
list
Required
string
name
Required
string
comment
Optional
string
A comment describing this object. Contains user-specific data relating to or identifying the
containing object.
encrypt
Optional
boolean
If true, instructs CacheServe to encrypt the node's name before trying to find or define it.
encrypted
Optional
boolean
layer
Optional
string
post-edits
Optional
(std-layered-edit-operation ...)
pre-edits
Optional
(std-layered-edit-operation ...)
tag
Optional
string
name-node.delete
Description and usage
Deletes a name-node.
Fields
encrypt
Optional
boolean
If true, instructs CacheServe to encrypt the node's name before trying to find or define it.
layer
Optional
string
list
Optional
string
name
Required
string
name-node.get
Description and usage
Retrieves a name-node.
Fields
list
Required
string
name
Required
string
encrypt
Optional
boolean
If true, instructs CacheServe to encrypt the node's name before trying to find or define it.
exclude-fields
Optional
(string ...)
fields
Optional
(string ...)
layer
Optional
string
name-node.list
Description and usage
Lists name-nodes, optionally sorted by various criteria.
Fields
descending
Optional
boolean
end
Optional
{
list => string
name => name
Defines the last value to be returned. The value is the name-node's name, along with the
node's associated name-list.
key
Optional
string
layer
Optional
string
list
Optional
string
max-results
Optional
integer
skip-first
Optional
boolean
If present, skip-first causes the object where the key matches start to be skipped.
start
Optional
{
list => string
name => name
Defines the first value to be returned. The value is the name-node's name, along with the
node's associated name-list.
name-node.mget
Description and usage
Retrieves multiple name-nodes.
Fields
list
Optional
string
descending
Optional
boolean
end
Optional
{
list => string
name => name
Defines the last value to be returned. The value is the name-node's name, along with the
node's associated name-list.
exclude-fields
Optional
(string ...)
fields
Optional
(string ...)
key
Optional
string
layer
Optional
string
max-results
Optional
integer
skip-first
Optional
boolean
If present, skip-first causes the object where the key matches start to be skipped.
start
Optional
{
list => string
name => name
Defines the first value to be returned. The value is the name-node's name, along with the
node's associated name-list.
name-node.replace
Description and usage
Replaces all fields of a name-node.
Fields
list
Required
string
name
Required
string
comment
Optional
string
A comment describing this object. Contains user-specific data relating to or identifying the
containing object.
encrypt
Optional
boolean
If true, instructs CacheServe to encrypt the node's name before trying to find or define it.
encrypted
Optional
boolean
layer
Optional
string
post-edits
Optional
(std-layered-edit-operation ...)
pre-edits
Optional
(std-layered-edit-operation ...)
tag
Optional
string
name-node.update
Description and usage
Updates one or more fields of a name-node.
Fields
list
Required
string
name
Required
string
comment
Optional
string
A comment describing this object. Contains user-specific data relating to or identifying the
containing object.
encrypt
Optional
boolean
If true, instructs CacheServe to encrypt the node's name before trying to find or define it.
encrypted
Optional
boolean
layer
Optional
string
post-edits
Optional
(std-layered-edit-operation ...)
pre-edits
Optional
(std-layered-edit-operation ...)
tag
Optional
string
unset
Optional
(string ...)
Note: When unset is invoked upon a field, the field is emptied, and CacheServe treats the
field as if no value were specified (for instance, populating the field with a default value if
necessary).
policy.add
Description and usage
Creates a new policy.
Fields
name
Required
string
action
Optional
policy-action
The policy-action the policy should run when applied to a query. If this field is empty, no
action is taken.
comment
Optional
string
A comment describing this object. Contains user-specific data relating to or identifying the
containing object.
children
Optional
string
A list of strings identifying child policies attached to the current policy. All children are
executed immediately after the parent policy.
layer
Optional
string
post-edits
Optional
(std-layered-edit-operation ...)
pre-edits
Optional
(std-layered-edit-operation ...)
selector
Required
policy-selector
The associated policy is applied to a query if the selector criteria match, and the policy is
bound to either the server object or the view matching the query.
The boolean AND and OR selectors support lists of selectors, and the NOT selector inverts
the result of another selector.
policy.delete
Description and usage
Deletes a policy.
Fields
name
Required
string
layer
Optional
string
policy.get
Description and usage
Retrieves a policy.
Fields
name
Required
string
exclude-fields
Optional
(string ...)
fields
Optional
(string ...)
layer
Optional
string
policy.list
Description and usage
Lists policy configurations, optionally sorted by various criteria.
Fields
descending
Optional
boolean
end
Optional
{
name => string
Defines the last value to be returned. The value is the policy name.
key
Optional
string
layer
Optional
string
max-results
Optional
integer
skip-first
Optional
boolean
If present, skip-first causes the object where the key matches start to be skipped.
start
Optional
{
name => string
Defines the first value to be returned. The value is the policy name.
policy.mget
Description and usage
Retrieves multiple policies.
Fields
descending
Optional
boolean
end
Optional
{
name => string
Defines the last value to be returned. The value is the policy name.
exclude-fields
Optional
(string ...)
fields
Optional
(string ...)
key
Optional
string
layer
Optional
string
max-results
Optional
integer
skip-first
Optional
boolean
If present, skip-first causes the object where the key matches start to be skipped.
start
Optional
{
name => string
Defines the first value to be returned. The value is the policy name.
policy.replace
Description and usage
Replaces all fields of a policy.
Field
name
Required
string
action
Optional
policy-action
The policy-action the policy should run when applied to a query. If this field is empty, no
action is taken.
children
Optional
string
A list of strings identifying child policies attached to the current policy. All children are
executed immediately after the parent policy.
comment
Optional
string
A comment describing this object. Contains user-specific data relating to or identifying the
containing object.
layer
Optional
string
post-edits
Optional
(std-layered-edit-operation ...)
pre-edits
Optional
(std-layered-edit-operation ...)
selector
Required
policy-selector
The associated policy is applied to a query if the selector criteria match, and the policy is
bound to either the server object or the view matching the query.
The boolean AND and OR selectors support lists of selectors, and the NOT selector inverts
the result of another selector.
policy.simulate
Description and usage
Simulates the execution of a policy, reporting on the result of each policy.
Note: Policy simulation isn't quite the same thing as policy execution. The key differences:
simulation only performs a single lookup (it doesn't follow CNAMEs), and simulation
doesn't actually construct the DNS response, which means the response-size policy-
selector won't work.
Fields
client
Optional
addr
The client address of the simulated query. If no client is specified, the client-address policy-
selector will never match.
initial-qname
Optional
name
The initial query name of the simulated query. You only need this if you are attempting to
simulate the subsequent part of a query that has followed a CNAME.
qname
Optional
name
qtype
Optional
rdatatype
start-time
Optional
seconds-since-epoch
tcp
Optional
boolean
Indicates whether or not the simulated query should be processed as if it were received via
TCP.
view
Optional
string
Returns
policy.simulate returns, in order, a list of evaluated policies, identifying the policy name and
whether it matched or not.
Policies directly associated with bindings return the object to which it's bound (view or
server), as well as the time at which it executes (prequery, postquery, or presend) and the
priority.
Format:
({
match => boolean
parent => string
policy => string
priority => integer
server => string
view => string
when => 'postquery' | 'prequery' | 'presend'
} ...)
policy.update
Description and usage
Updates all fields of a policy.
Fields
name
Required
string
action
Optional
policy-action
The policy-action the policy should run when applied to a query. If this field is empty, no
action is taken.
children
Optional
string
A list of strings identifying child policies attached to the current policy. All children are
executed immediately after the parent policy.
comment
Optional
string
A comment describing this object. Contains user-specific data relating to or identifying the
containing object.
layer
Optional
string
post-edits
Optional
(std-layered-edit-operation ...)
pre-edits
Optional
(std-layered-edit-operation ...)
selector
Required
policy-selector
The associated policy is applied to a query if the selector criteria match, and the policy is
bound to either the server object or the view matching the query.
The boolean AND and OR selectors support lists of selectors, and the NOT selector inverts
the result of another selector.
unset
Optional
(string ...)
Note: When unset is invoked upon a field, the field is emptied, and CacheServe treats the
field as if no value were specified (for instance, populating the field with a default value if
necessary).
Examples
cacheserve> policy.update name=malicious-redirect-policy action=
(answer ((A 192.168.1.1)(AAAA 2001:db8:f61:a1ff:0:0:0:80))
{
type => 'policy.update'
}
process-information
Description and usage
Retrieves process information for the server.
Returns
arguments
string
current-time
float-seconds-since-epoch
The server's current time, in seconds and microseconds since the UNIX epoch (January 1,
1970, 0:00:00 UTC).
instance
integer
The instance identifier of this process, if any. The instance identifier can be set by passing
the --instance option to the server, if the server supports it.
license
unparsed
node-id
uuid
The node identifier of the system on which the server process is running.
pid
integer
start-time
float-seconds-since-epoch
The time the server was started, in seconds and microseconds since the UNIX epoch
(January 1, 1970, 0:00:00 UTC).
working-directory
string
ratelimiter.add
Description and usage
Adds a ratelimiter.
Fields
name
Required
string
fields
Required
((’client‐network’ (ipv4netlen, ipv6netlen)) | (’query‐name’
(name-label-count)) | ’query‐type’ ...)
string
Specifies the fields to use when grouping requests into entries. Each field specified
increases granularity.
For example, (client-network (32 128)) groups each client into its own entry.
If both client-network and query-type are used, a new entry is generated for that specific
combination, and the defined rate limits are applied to the combination.
bps
Optional
integer
comment
Optional
string
A comment describing this object. Contains user-specific data relating to or identifying the
containing object.
layer
Optional
string
maximum-entries
Optional
positive-integer
Specifies the maximum number of entries to track, which indicates how many field
combinations can be tracked.
post-edits
Optional
(std-layered-edit-operation ...)
pre-edits
Optional
(std-layered-edit-operation ...)
qps
Optional
integer
unenforced
Optional
boolean
Enables statistics, log messages and events related to rate limiting without actually
dropping or truncating answers. Defaults to false.
ratelimiter.delete
Description and usage
Deletes a rate limiter.
Fields
name
Required
string
layer
Optional
string
ratelimiter.get
Description and usage
Retrieves a ratelimiter.
Fields
name
Required
string
exclude-fields
Optional
(string ...)
fields
Optional
(string ...)
layer
Optional
string
ratelimiter.list
Description and usage
Lists ratelimiters, optionally sorted by various criteria.
Fields
descending
Optional
boolean
end
Optional
{
name => string
Defines the last value to be returned. The value is the ratelimiter name.
exclude-fields
Optional
(string ...)
fields
Optional
(string ...)
key
Optional
string
layer
Optional
string
max-results
Optional
integer
skip-first
Optional
boolean
If present, skip-first causes the object where the key matches start to be skipped.
start
Optional
{
name => string
Defines the first value to be returned. The value is the ratelimiter name.
ratelimiter.mget
Description and usage
Retrieves multiple rate limiters.
Fields
descending
Optional
boolean
end
Optional
{
name => string
Defines the last value to be returned. The value is the ratelimiter name.
exclude-fields
Optional
(string ...)
fields
Optional
(string ...)
key
Optional
string
layer
Optional
string
max-results
Optional
integer
skip-first
Optional
boolean
If present, skip-first causes the object where the key matches start to be skipped.
start
Optional
{
name => string
Defines the first value to be returned. The value is the ratelimiter name.
ratelimiter.limited
Description and usage
Returns a list of ratelimiter entries. The list is returned as a sequence.
Fields
bps
Optional
integer
client-network
Optional
addr
client-network-family
Optional
'ipv4' or 'ipv6'
client-network-mask-length
Optional
ipv6netlen
creation-time
float-seconds-since-epoch
entry-creation-time
float-seconds-since-epoch
fields
Optional
(’client‐network’ | ’query‐name’ | ’query‐type’ ...)
string
last-limited-time
float-seconds-since-epoch
last-use-time
float-seconds-since-epoch
name
Required
string
qps
Optional
integer
query-name+
name
query-name-labels
name-label-count
query-type
rdatatype
unenforced
Optional
boolean
Enables statistics, log messages and events related to rate limiting without actually
dropping or truncating answers. Defaults to false.
ratelimiter.replace
Description and usage
Replaces all values for a ratelimiter.
Fields
name
Required
string
fields
Required
((’client‐network’ (ipv4netlen, ipv6netlen)) | (’query‐name’
(name-label-count)) | ’query‐type’ ...)
string
Specifies the fields to use when grouping requests into entries. Each field specified
increases granularity.
For example, (client-network (32 128)) groups each client into its own entry.
If both client-network and query-type are used, a new entry is generated for that specific
combination, and the defined rate limits are applied to the combination.
bps
Optional
integer
comment
Optional
string
A comment describing this object. Contains user-specific data relating to or identifying the
containing object.
layer
Optional
string
maximum-entries
Optional
positive-integer
Specifies the maximum number of entries to track, which indicates how many field
combinations can be tracked.
post-edits
Optional
(std-layered-edit-operation ...)
pre-edits
Optional
(std-layered-edit-operation ...)
qps
Optional
integer
unenforced
Optional
boolean
Enables statistics, log messages and events related to rate limiting without actually
dropping or truncating answers. Defaults to false.
ratelimiter.statistics
Description and usage
Returns the current values for ratelimiter statistics along with general process statistics.
Fields
all
Optional
boolean
If set to true, instructs CacheServe to return the values of all tracked statistics, even those
with a value of 0.
reset
Optional
boolean
If set to true, instructs CacheServe to reset all counters to 0 after returning them.
Returns
creation-time
float-seconds-since-epoch
current-time
float-seconds-since-epoch
memory-in-use
uint64
This value represents the amount of memory requested from the memory allocator and
memory used by the cache; it does not include overhead for allocator bookkeeping,
rounding, fragmentation or free lists.
name
string
reset-time
float-seconds-since-epoch
server-start-time
float-seconds-since-epoch
statistics
{
all-indications => uint64
current-entry-count => uint64
current-limited-count => uint64
expiring-entry-age => uint64
indications-by-bps => uint64
indications-by-qps => uint64
uses => uint64
}
system-time
time-in-microseconds
user-time
time-in-microseconds
The amount of user CPU time used since the server started.
ratelimiter.update
Description and usage
Updates or resets values for a ratelimiter.
Fields
name
Required
string
bps
Optional
integer
comment
Optional
string
A comment describing this object. Contains user-specific data relating to or identifying the
containing object.
fields
Optional
((’client‐network’ (ipv4netlen, ipv6netlen)) | (’query‐name’
(name-label-count)) | ’query‐type’ ...)
string
Specifies the fields to use when grouping requests into entries. Each field specified
increases granularity.
For example, (client-network (32 128)) groups each client into its own entry.
If both client-network and query-type are used, a new entry is generated for that specific
combination, and the defined rate limits are applied to the combination.
layer
Optional
string
maximum-entries
Optional
positive-integer
Specifies the maximum number of entries to track, which indicates how many field
combinations can be tracked.
post-edits
Optional
(std-layered-edit-operation ...)
pre-edits
Optional
(std-layered-edit-operation ...)
qps
Optional
integer
unenforced
Optional
boolean
Enables statistics, log messages and events related to rate limiting without actually
dropping or truncating answers. Defaults to false.
unset
Optional
(string ...)
Note: When unset is invoked upon a field, the field is emptied, and CacheServe treats the
field as if no value were specified (for instance, populating the field with a default value if
necessary).
resolver.add
Description and usage
Creates a new resolver.
Fields
name
Required
string
auth-server-list
Optional
string
comment
Optional
string
A comment describing this object. Contains user-specific data relating to or identifying the
containing object.
client-subnet
Optional
{
blacklist => (name ...)
equivalence-classes => (string ...)
max-source-prefix-v4 (ipv4netlen ...)
max-source-prefix-v6 (ipv6netlen ...)
valid-addresses => (acl-element ...)
whitelist => (name ...)
}
Configures domains that should return responses specific to the source address of the
query.
The whitelist configures domains for which source-specific queries should be enabled, and
the blacklist disables domains.
The max-source-prefix fields for v4 and v6 control how client addresses are truncated for
sending edns-client-subnet options and caching. The specification recommends truncating
IPv4 address to no more than 24 bits; this is the default. No recommendation is provided
for IPv6; the default is 48 bits. Higher values may cause considerable growth in cache
memory. In both cases, the minimum value is 1, and the maximum value is the full length
of an address (32 or 128).
The valid addresses acl specifies which addresses present in edns-client-subnet options
provided by clients are valid. A network is considered valid if it either contains the actual
client address or matches this acl.
dnssec-aware
Optional
boolean
Indicates whether or not DNSSEC information should be requested and cached. The default
is false, and DNSSEC signatures are not verified unless dnssec-aware is configured.
Requesting and caching DNSSEC information will significantly increase the amount of
network traffic.
forward
Optional
(( name , 'first' | 'off' | 'only', (addrport ...)) ...)
Causes queries within a specific domain to be forwarded to one or more specific recursive
name servers.
name specifies the domain; first, off or only specify the forwarding mode; and the final
addrport is a list of recursive name servers.
l first: First attempt to use the forwarders. If they do not respond, attempt to resolve
the query.
l off: Disable forwarding for a subdomain. If you specify off, you must leave the server
addrport empty.
l only: Use only the forwarders. If they do not respond, do not attempt to resolve the
query, and let it fail.
hints
Optional
(name, ((name, (addr ...)) ...))
These servers are queried to discover the current set of root servers. If there is no hints
field, this resolver uses a compiled-in set of root hints.
The name must always be . (the root name), as providing hints for domains other than the
root is meaningless.
ignore-first-referral
Optional
boolean
Although it results in a small increase in network traffic, ignore-first-referral reduces the risk
of delegation-spoofing attacks.
layer
Optional
string
log-dnssec
Optional
boolean
When set to true, log-dnssec configures CacheServe to log detailed information about
DNSSEC validation failures. All messages related to DNSSEC validation are logged at priority
LOG_INFO, and log entries are prefixed with "dnssec:".
For log-dnssec to work, you must have DNSSEC trust anchors defined.
log-id-spoofing
Optional
boolean
Configures CacheServe to issue a log message when it suspects an ID spoofing attack. The
log message is only issued when there's a relatively strong suspicion that an actual attack is
taking place.
log-lame
Optional
(name ...)
A list of names. Causes CacheServe to log lame delegations and other configuration errors
detected in authoritative servers during resolution. log-lame domains should belong to
your own organization.
When log-lame is enabled, CacheServe will log other errors from authoritative servers in
addition to lame delegations, such as malformed responses, RCODES indicating a server
error, and NS records pointing at CNAMEs.
The most common type of authoritative server configuration error is a lame delegation.
Lame delegations occur when a server's had authority over a zone delegated to it, but
It's technically possible to log errors occurring in any domain by specifying the root
domain, but is extremely inadvisable. There are thousands upon thousands of lame
servers, and you'll get deluged by thousands of messages to no good purpose, unless
you're planning to contact the administrators of every one of these "free-range" servers to
ask them to correct the error.
managed-keys
Optional
((name, (rdata...)) ...)
A tuple of domain name and rdata that defines DNSSEC managed keys. Each managed-key
domain may include one or more keys, formatted as DNSKEYs (RFC4034).
Managed-keys are similar to trusted-keys, but are automatically maintained (as described
in RFC5011). The set of keys (as well as state) is persistently stored, and maintained over
time, including a periodic refetch of the DNSKEY set.
When managed-keys is initially configured, if there are any keys present for a domain,
CacheServe tries to verify signatures in the retrieved DNSKEY set. If it cannot verify any of
the signatures, CacheServe considers the domain insecure.
Managed-keys are normally used only for the root zone, so CacheServe has the current
root key compiled in. If the root domain is specified in the managed-keys field, but no keys
are specified, CacheServe will use that root key to verify the root DNSKEY set.
max-cache-size
Optional
sizeval
Specifies the maximum amount of memory which can be used by this resolver's cache. The
default is 1G (1 gigabyte).
Values larger than 16G are treated as 16G, and values smaller than 64M are treated as 64M.
max-cache-ttl
Optional
time-in-seconds
Sets the maximum amount of time for which the server will cache ordinary (positive)
answers. The default is 604800 (7 days).
max-client-ttl
Optional
time-in-seconds
max-client-ttl only affects responses to DNS clients, not actual caching; a DNS record can
remain in the cache for the full amount of time even if clients receive a smaller value.
max-edns-udp-size
Optional
integer
When this field is configured, CacheServe, when sending EDNS queries, advertises that
packets of up to this length (in bytes) can be reassembled. Values smaller than 512 and
larger than 4096 are treated as 512 and 4096, respectively.
max-ncache-ttl
Optional
time-in-seconds
Specifies the maximum amount of time that CacheServe will cache negative answers.
Defaults to 10800 (3 hours).
negative-trust-anchors
Optional
(name ...)
Turns off DNSSEC validation for a domain, even if that domain is under a security root.
post-edits
Optional
(std-layered-edit-operation ...)
pre-edits
Optional
(std-layered-edit-operation ...)
prefetch-ratio
Optional
integer
Adjusts CacheServe's criteria for whether or not it issues prefetch queries. The default is 16,
and values greater than 32 or less than 4 are clamped to 32 or 4 respectively. Setting the
value to 0 completely disables prefetching.
Note: Changing this value is not recommended, and you should only change it under the
direction of Nominum support.
Prefetching is normally performed when a query requests data that's already cached but
will expire soon from the cache. This prevents commonly-accessed data from ever
expiring, and results in a higher cache hit rate and better average latency.
The prefetch-ratio value defines the relationship between the time at which data expires
and the initial TTL (time-to-live) of the data. Specifically, a value of X means that CacheServe
issues a prefetch query if the currently cached data expires in less than 1/X of the initial
TTL.
The default value of 16 is the thoroughly tested balance point betweeen improved
performance and the impact of additional queries; it results in a higher cache rate and
better average latency.
preload
Optional
((name, rdatatype, rdata) ...)
Preloads the cache with a fixed resource record, specified by a combination name,
rdatatype and rdata.
preload-nxdomain
Optional
(name ...)
Note: preload-nxdomain affects only a single name; if you want to affect an entire
domain, use synthesize-nxdomain.
preload-nxrrset
Optional
((name, rdatatype) ...)
Note: preload-nxrrset is an option included for the sake of completeness. Don't use it
unless you are specifically told to by Nominum support!
Preloads CacheServe with an indication that no resource record of a given name and type
exists.
For example, to specify that no AAAA record exists for the local hostname:
preload-nxrrset host.domain AAAA
qname-case-randomization
Optional
'enforced' | 'off' | 'silent-enforced' | 'unenforced'
Indicates whether CacheServe should randomize letters in a query name when sending
queries to authoritative servers or forwarders. Defaults to off.
qname-case-randomization-exclusions
Optional
(name ...)
query-source-pool
Optional
(uint16, addrport4)
Sets the address CacheServe will use to send outgoing IPv4 UDP queries, configuring
CacheServe to send from a randomly selected port within a pool of multiple source ports.
The uint16 specifies the number of ports. The maximum number of ports is 2048.
l If the addrport4 is nonzero, ports are allocated sequentially, starting at that number.
If you don't specify query-source-pool, CacheServe creates a query source pool with a
number of ports that's appropriate for the OS.
Warning! When you are choosing the number of ports to use, make sure you don't
exceed the OS's file-descriptor limit. Each port uses a file descriptor, and additional file
descriptors are needed for listen-on-matching and things like outgoing and incoming TCP
connections.
query-source-pool-v6
Optional
(uint16, addrport6)
Sets the address CacheServe uses to send outgoing IPv6 UDP queries, configuring
CacheServe to send from a randomly selected port within a pool of multiple source ports.
The uint16 specifies the number of ports. The maximum number of ports is 2048.
l If the addrport6 is nonzero, ports are allocated sequentially, starting at that number.
If you don't specify query-source-pool-v6 and CacheServe has been configured to use IPv6
transport (by including type AAAA in server-address-lookup-order), CacheServe creates a
query source pool with an appropriate number of ports for the OS.
Warning! When you are choosing the number of ports to use, make sure you don't
exceed the OS's file-descriptor limit. Each port uses a file descriptor, and additional file
descriptors are needed for listen-on-matching and things like outgoing and incoming TCP
connections.
rrset-order
Optional
'cyclic' | 'fixed' | 'random'
Sets the order in which resource records (RRs) in a resource record set (RRset) are added to
a response. The default is cyclic.
l cyclic configures CacheServe to use a random starting point in the list of RRs and
wrap around to the beginning of the list when the end is reached.
l fixed configures CacheServe to always emit RRs in the order in which they are stored.
server-address-lookup-order
Optional
('A' | 'AAAA' ...)
Defines the order in which CacheServe should use IPv4 or IPv6 server addresses.
The argument is a list of address record types that may be either A or AAAA.
The default is A, which configures CacheServe to use only IPv4 addresses for nameserver
addresses, and thus IPv4 transport only for communications with the authoritative server.
The same value may not occur multiple times in the list, and only nameserver addresses of
the specified types are used, in the listed order.
For example, if your site has some IPv6 connectivity to the Internet, you can specify (A
AAAA), and CacheServe will attempt IPv4 first; if your site has mostly IPv6 connectivity, you
can specify (AAAA A) and CacheServe will attempt IPv6 first.
stub
Optional
((name, ((name, (addrport ...)) ...)) ...)
Queries within each domain are resolved as if the specified servers were delegated
authority for that domain.
Warning! A specific domain may only appear once per stub per resolver, and you cannot
have the same entry in both stub and synthesize-nxdomain.
The main use for stub resolution is in situations where you need to resolve a domain using
a particular set of servers that have not actually been delegated authority.
For example, if you are using RFC1918 private addresses (10.*), you might want to define a
stub for 10.in-addr.arpa, so that queries for that domain get directed to your own set of
internal authoritative servers.
synthesize-nxdomain
Optional
(name ...)
Configures CacheServe to return synthetic NXDOMAIN responses for all queries within the
specified domains.
Note: If you need to return PTR records for RFC1918 addresses, use a stub pointing at one
or more authoritative servers configured with the right reverse mapping data!
trusted-keys
Optional
((name, (rdata ...)) ...)
Defines DNSSEC trusted keys. Enabling this option automatically enables dnssec-aware,
and configures CacheServe to perform DNSSEC verification on all DNS data in a subdomain
of a security root.
The trusted−keys field can contain multiple key entries,each consisting of the key’s domain
name and rdata. If any trusted-keys are defined, DNSSEC information will be requested and
cached as if the dnssec-aware option were enabled.
resolver.delete
Description and usage
Deletes a resolver.
Fields
name
Required
string
layer
Optional
string
resolver.flush
Description and usage
Flushes entries from the resolver's cache.
Fields
name
Required
string
target
Optional
('domain' name | 'name' name )
resolver.get
Description and usage
Retrieves a resolver.
Fields
name
Required
string
exclude-fields
Optional
(string ...)
fields
Optional
(string ...)
layer
Optional
string
resolver.inspect
Description and usage
Retrieves information about a name in the resolver’s cache, returning the information in
various forms.
Fields
name
Required
string
domain
Required
name
Returns
client-subnet-specific
{
<subnet> => {
domain => name
exists => boolean
immortal => boolean
nonexistence‐proof => ((name, {
<type> => {
data => (string ...)
sigs => (string ...)
ttl => integer
validated => boolean
}
...
}) ...)
ttl => integer
types => {
<type> => {
data => (string ...)
exists => boolean
immortal => boolean
nonexistence‐proof =>
((name, {
<type> => {
data => (string ...)
sigs => (string ...)
ttl => integer
validated => boolean
}
...
}) ...)
domain
Required
name
exists
Optional
boolean
immortal
Optional
boolean
name
Optional
string
nonexistence-proof
Optional
((name, {
<name> => {
data => (string ...)
sigs => (string ...)
ttl => integer
validated => boolean
}
...
}) ...)
For negative entries, nonexistence-proof displays the information that the server uses to
prove that the entry doesn't exist.
prefetches
integer
If present, and this is a negative entry, the number of times this data has been prefetched
since it was initially cached.
ttl
Optional
integer
An integer representing the number of seconds until the data expires. If there's no ttl, the
data never expires.
types
Optional
{ <name> => {
data => (string ...)
exists => boolean
immortal => boolean
nonexistence-proof => ((name, {
<name> => {
data => (string ...)
sigs => (string...)
ttl => integer
validated => boolean
}
...
}) ...)
origin => addr
prefetches => integer
sigs => (string ...)
ttl => integer
validated => boolean
wildcard-proof => ((name, {
<name> => {
data => (string ...)
sigs => (string ...)
ttl => integer
validated => boolean
}
...
}) ...)
}
...
}
A table mapping DNS record types to subtables which contain information about those
types.
validated
Optional
boolean
If the data has been DNSSEC validated, this field will be present and true.
resolver.inspect-delegation
Description and usage
Retrieves information about a delegation point in the resolver’s cache, returning the
information in various forms.
Fields
name
Required
string
domain
Required
name
Returns
domain
Required
name
immortal
Optional
boolean
name
string
servers
Optional
inspect-delegation-servers
stub
Optional
boolean
synthetic
Optional
boolean
ttl
Optional
integer
Represents the number of seconds until the NS set data expires. If there's no ttl, the data
never expires.
resolver.inspect-forwarders
Description and usage
Retrieves information about a forwarder in the resolver’s cache, returning the information
in various forms.
Fields
name
Required
string
domain
Required
name
Returns
domain
Required
name
forward-mode
Optional
first | off | only
forwarders
Optional
({
address => addrport
edns => {
status => string
ttl => integer
}
outstanding-queries => integer
rtt => integer
} ...)
name
string
resolver.list
Description and usage
Lists resolvers, optionally sorted by various criteria.
Fields
descending
Optional
boolean
end
Optional
{
name => string
Defines the last value to be returned. The value is the resolver name.
skip-first
Optional
boolean
If present, skip-first causes the object where the key matches start to be skipped.
start
Optional
{
name => string
Defines the first value to be returned. The value is the resolver name.
resolver.mget
Description and usage
Retrieves multiple resolvers.
Fields
descending
Optional
boolean
end
Optional
{
name => string
Defines the last value to be returned. The value is the resolver name.
exclude-fields
Optional
(string ...)
fields
Optional
(string ...)
key
Optional
string
layer
Optional
string
max-results
Optional
integer
skip-first
Optional
boolean
If present, skip-first causes the object where the key matches start to be skipped.
start
Optional
{
name => string
Defines the first value to be returned. The value is the resolver name.
resolver.recursing
List the resolutions currently in progress.
Fields
name
Required
string
Returns
resolutions
Required
({
name => name
type => rdatatype
} ...)
resolver.replace
Replaces all values on a resolver with new values.
Fields
auth-server-list
Optional
string
client-subnet
Optional
{
blacklist => (name ...)
equivalence-classes => (string ...)
max-source-prefix-v4 (ipv4netlen ...)
max-source-prefix-v6 (ipv6netlen ...)
valid-addresses => (acl-element ...)
whitelist => (name ...)
}
Configures domains that should return responses specific to the source address of the
query.
The whitelist configures domains for which source-specific queries should be enabled, and
the blacklist disables domains.
The max-source-prefix fields for v4 and v6 control how client addresses are truncated for
sending edns-client-subnet options and caching. The specification recommends truncating
IPv4 address to no more than 24 bits; this is the default. No recommendation is provided
for IPv6; the default is 48 bits. Higher values may cause considerable growth in cache
memory. In both cases, the minimum value is 1, and the maximum value is the full length
of an address (32 or 128).
The valid addresses acl specifies which addresses present in edns-client-subnet options
provided by clients are valid. A network is considered valid if it either contains the actual
client address or matches this acl.
comment
Optional
string
A comment describing this object. Contains user-specific data relating to or identifying the
containing object.
dnssec-aware
Optional
boolean
Indicates whether or not DNSSEC information should be requested and cached. The default
is false, and DNSSEC signatures are not verified unless dnssec-aware is configured.
Requesting and caching DNSSEC information will significantly increase the amount of
network traffic.
forward
Optional
(( name , 'first' | 'off' | 'only', (addrport ...)) ...)
Causes queries within a specific domain to be forwarded to one or more specific recursive
name servers.
name specifies the domain; first, off or only specify the forwarding mode; and the final
addrport is a list of recursive name servers.
l first: First attempt to use the forwarders. If they do not respond, attempt to resolve
the query.
l off: Disable forwarding for a subdomain. If you specify off, you must leave the server
addrport empty.
l only: Use only the forwarders. If they do not respond, do not attempt to resolve the
query, and let it fail.
hints
Optional
(name, ((name, (addr ...)) ...))
These servers are queried to discover the current set of root servers. If there is no hints
field, this resolver uses a compiled-in set of root hints.
The name must always be . (the root name), as providing hints for domains other than the
root is meaningless.
ignore-first-referral
Optional
boolean
Although it results in a small increase in network traffic, ignore-first-referral reduces the risk
of delegation-spoofing attacks.
layer
Optional
string
log-dnssec
Optional
boolean
When set to true, log-dnssec configures CacheServe to log detailed information about
DNSSEC validation failures. All messages related to DNSSEC validation are logged at priority
LOG_INFO, and log entries are prefixed with "dnssec:".
For log-dnssec to work, you must have DNSSEC trust anchors defined.
log-id-spoofing
Optional
boolean
Configures CacheServe to issue a log message when it suspects an ID spoofing attack. The
log message is only issued when there's a relatively strong suspicion that an actual attack is
taking place.
log-lame
Optional
(name ...)
A list of names. Causes CacheServe to log lame delegations and other configuration errors
detected in authoritative servers during resolution. log-lame domains should belong to
your own organization.
When log-lame is enabled, CacheServe will log other errors from authoritative servers in
addition to lame delegations, such as malformed responses, RCODES indicating a server
error, and NS records pointing at CNAMEs.
managed-keys
Optional
((name, (rdata...)) ...)
A tuple of domain name and rdata that defines DNSSEC managed keys. Each managed-key
domain may include one or more keys, formatted as DNSKEYs (RFC4034).
Managed-keys are similar to trusted-keys, but are automatically maintained (as described
in RFC5011). The set of keys (as well as state) is persistently stored, and maintained over
time, including a periodic refetch of the DNSKEY set.
When managed-keys is initially configured, if there are any keys present for a domain,
CacheServe tries to verify signatures in the retrieved DNSKEY set. If it cannot verify any of
the signatures, CacheServe considers the domain insecure.
Managed-keys are normally used only for the root zone, so CacheServe has the current
root key compiled in. If the root domain is specified in the managed-keys field, but no keys
are specified, CacheServe will use that root key to verify the root DNSKEY set.
AzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF \
6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ \
25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk \
1ihz0=")))
max-cache-size
Optional
sizeval
Specifies the maximum amount of memory which can be used by this resolver's cache. The
default is 1G (1 gigabyte).
Values larger than 16G are treated as 16G, and values smaller than 64M are treated as 64M.
max-cache-ttl
Optional
time-in-seconds
Sets the maximum amount of time for which the server will cache ordinary (positive)
answers. The default is 604800 (7 days).
max-client-ttl
Optional
time-in-seconds
max-client-ttl only affects responses to DNS clients, not actual caching; a DNS record can
remain in the cache for the full amount of time even if clients receive a smaller value.
max-edns-udp-size
Optional
integer
When this field is configured, CacheServe, when sending EDNS queries, advertises that
packets of up to this length (in bytes) can be reassembled. Values smaller than 512 and
larger than 4096 are treated as 512 and 4096, respectively.
max-ncache-ttl
Optional
time-in-seconds
Specifies the maximum amount of time that CacheServe will cache negative answers.
Defaults to 10800 (3 hours).
negative-trust-anchors
Optional
(name ...)
Turns off DNSSEC validation for a domain, even if that domain is under a security root.
post-edits
Optional
(std-layered-edit-operation ...)
pre-edits
Optional
(std-layered-edit-operation ...)
prefetch-ratio
Optional
integer
Adjusts CacheServe's criteria for whether or not it issues prefetch queries. The default is 16,
and values greater than 32 or less than 4 are clamped to 32 or 4 respectively. Setting the
value to 0 completely disables prefetching.
Note: Changing this value is not recommended, and you should only change it under the
direction of Nominum support.
Prefetching is normally performed when a query requests data that's already cached but
will expire soon from the cache. This prevents commonly-accessed data from ever
expiring, and results in a higher cache hit rate and better average latency.
The prefetch-ratio value defines the relationship between the time at which data expires
and the initial TTL (time-to-live) of the data. Specifically, a value of X means that CacheServe
issues a prefetch query if the currently cached data expires in less than 1/X of the initial
TTL.
preload
Optional
((name, rdatatype, rdata) ...)
Preloads the cache with a fixed resource record, specified by a combination name,
rdatatype and rdata.
preload-nxdomain
Optional
(name ...)
Note: preload-nxdomain affects only a single name; if you want to affect an entire
domain, use synthesize-nxdomain.
preload-nxrrset
Optional
((name, rdatatype) ...)
Note: preload-nxrrset is an option included for the sake of completeness. Don't use it
unless you are specifically told to by Nominum support!
Preloads CacheServe with an indication that no resource record of a given name and type
exists.
For example, to specify that no AAAA record exists for the local hostname:
preload-nxrrset host.domain AAAA
qname-case-randomization
Optional
'enforced' | 'off' | 'silent-enforced' | 'unenforced'
Indicates whether CacheServe should randomize letters in a query name when sending
queries to authoritative servers or forwarders. Defaults to off.
qname-case-randomization-exclusions
Optional
(name ...)
query-source-pool
Optional
(uint16, addrport4)
Sets the address CacheServe will use to send outgoing IPv4 UDP queries, configuring
CacheServe to send from a randomly selected port within a pool of multiple source ports.
The uint16 specifies the number of ports. The maximum number of ports is 2048.
l If the addrport4 is nonzero, ports are allocated sequentially, starting at that number.
If you don't specify query-source-pool, CacheServe creates a query source pool with a
number of ports that's appropriate for the OS.
Warning! When you are choosing the number of ports to use, make sure you don't
exceed the OS's file-descriptor limit. Each port uses a file descriptor, and additional file
descriptors are needed for listen-on-matching and things like outgoing and incoming TCP
connections.
query-source-pool-v6
Optional
(uint16, addrport6)
Sets the address CacheServe uses to send outgoing IPv6 UDP queries, configuring
CacheServe to send from a randomly selected port within a pool of multiple source ports.
The uint16 specifies the number of ports. The maximum number of ports is 2048.
l If the addrport6 is nonzero, ports are allocated sequentially, starting at that number.
If you don't specify query-source-pool-v6 and CacheServe has been configured to use IPv6
transport (by including type AAAA in server-address-lookup-order), CacheServe creates a
query source pool with an appropriate number of ports for the OS.
Warning! When you are choosing the number of ports to use, make sure you don't
exceed the OS's file-descriptor limit. Each port uses a file descriptor, and additional file
descriptors are needed for listen-on-matching and things like outgoing and incoming TCP
connections.
rrset-order
Optional
'cyclic' | 'fixed' | 'random'
Sets the order in which resource records (RRs) in a resource record set (RRset) are added to
a response. The default is cyclic.
l cyclic configures CacheServe to use a random starting point in the list of RRs and
wrap around to the beginning of the list when the end is reached.
l fixed configures CacheServe to always emit RRs in the order in which they are stored.
server-address-lookup-order
Optional
('A' | 'AAAA' ...)
Defines the order in which CacheServe should use IPv4 or IPv6 server addresses.
The argument is a list of address record types that may be either A or AAAA.
The default is A, which configures CacheServe to use only IPv4 addresses for nameserver
addresses, and thus IPv4 transport only for communications with the authoritative server.
The same value may not occur multiple times in the list, and only nameserver addresses of
the specified types are used, in the listed order.
For example, if your site has some IPv6 connectivity to the Internet, you can specify (A
AAAA), and CacheServe will attempt IPv4 first; if your site has mostly IPv6 connectivity, you
can specify (AAAA A) and CacheServe will attempt IPv6 first.
stub
Optional
((name, ((name, (addrport ...)) ...)) ...)
Queries within each domain are resolved as if the specified servers were delegated
authority for that domain.
Warning! A specific domain may only appear once per stub per resolver, and you cannot
have the same entry in both stub and synthesize-nxdomain.
The main use for stub resolution is in situations where you need to resolve a domain using
a particular set of servers that have not actually been delegated authority.
For example, if you are using RFC1918 private addresses (10.*), you might want to define a
stub for 10.in-addr.arpa, so that queries for that domain get directed to your own set of
internal authoritative servers.
synthesize-nxdomain
Optional
(name ...)
Configures CacheServe to return synthetic NXDOMAIN responses for all queries within the
specified domains.
Note: If you need to return PTR records for RFC1918 addresses, use a stub pointing at one
or more authoritative servers configured with the right reverse mapping data!
trusted-keys
Optional
((name, (rdata ...)) ...)
Defines DNSSEC trusted keys. Enabling this option automatically enables dnssec-aware,
and configures CacheServe to perform DNSSEC verification on all DNS data in a subdomain
of a security root.
The trusted−keys field can contain multiple key entries,each consisting of the key’s domain
name and rdata. If any trusted-keys are defined, DNSSEC information will be requested and
cached as if the dnssec-aware option were enabled.
resolver.statistics
Description and usage
Returns the current values for resolver statistics along with general process statistics.
Fields
name
Required
string
all
Optional
boolean
If set to true, instructs CacheServe to return the values of all tracked statistics, even those
with a value of 0.
reset
Optional
boolean
If set to true, instructs CacheServe to reset all counters to 0 after returning them.
Returns
cache-memory-in-use
uint64
current-time
float-seconds-since-epoch
memory-in-use
uint64
This value represents the amount of memory requested from the memory allocator and
memory used by the cache; it does not include overhead for allocator bookkeeping,
rounding, fragmentation or free lists.
name
string
reset-time
float-seconds-since-epoch
server-start-time
float-seconds-since-epoch
statistics
{
active-recursions => uint64
cache-misses => uint64
dnssec-validations-failure => uint64
dnssec-validations-insecure => uint64
dnssec-validations-success => uint64
dropped-recursions => uint64
id-spoofing-defense-queries => uint64
ignored-referral-lookups => uint64
interrupted-before-recursion => uint64
interrupted-recursion-waits => uint64
interrupted-recursions => uint64
lookups => uint64
proactive-lookups => uint64
queries => uint64
queued-prefetches => uint64
rate-limited-requests => uint64
recursive-lookups => uint64
requests-sent => uint64
responses-by-rcode =>
{
<name> => uint64
...
}
tcp-requests-sent => uint64
}
system-time
time-in-microseconds
user-time
time-in-microseconds
The amount of user CPU time used since the server started.
resolver.update
Updates all values on a resolver with new values.
Fields
name
Required
string
auth-server-list
Optional
string
client-subnet
Optional
{
blacklist => (name ...)
equivalence-classes => (string ...)
max-source-prefix-v4 (ipv4netlen ...)
max-source-prefix-v6 (ipv6netlen ...)
valid-addresses => (acl-element ...)
whitelist => (name ...)
}
Configures domains that should return responses specific to the source address of the
query.
The whitelist configures domains for which source-specific queries should be enabled, and
the blacklist disables domains.
The max-source-prefix fields for v4 and v6 control how client addresses are truncated for
sending edns-client-subnet options and caching. The specification recommends truncating
IPv4 address to no more than 24 bits; this is the default. No recommendation is provided
for IPv6; the default is 48 bits. Higher values may cause considerable growth in cache
memory. In both cases, the minimum value is 1, and the maximum value is the full length
of an address (32 or 128).
The valid addresses acl specifies which addresses present in edns-client-subnet options
provided by clients are valid. A network is considered valid if it either contains the actual
client address or matches this acl.
comment
Optional
string
A comment describing this object. Contains user-specific data relating to or identifying the
containing object.
dnssec-aware
Optional
boolean
Indicates whether or not DNSSEC information should be requested and cached. The default
is false, and DNSSEC signatures are not verified unless dnssec-aware is configured.
Requesting and caching DNSSEC information will significantly increase the amount of
network traffic.
forward
Optional
Causes queries within a specific domain to be forwarded to one or more specific recursive
name servers.
name specifies the domain; first, off or only specify the forwarding mode; and the final
addrport is a list of recursive name servers.
l first: First attempt to use the forwarders. If they do not respond, attempt to resolve
the query.
l off: Disable forwarding for a subdomain. If you specify off, you must leave the server
addrport empty.
l only: Use only the forwarders. If they do not respond, do not attempt to resolve the
query, and let it fail.
hints
Optional
(name, ((name, (addr ...)) ...))
These servers are queried to discover the current set of root servers. If there is no hints
field, this resolver uses a compiled-in set of root hints.
The name must always be . (the root name), as providing hints for domains other than the
root is meaningless.
ignore-first-referral
Optional
boolean
Although it results in a small increase in network traffic, ignore-first-referral reduces the risk
of delegation-spoofing attacks.
layer
Optional
string
log-dnssec
Optional
boolean
When set to true, log-dnssec configures CacheServe to log detailed information about
DNSSEC validation failures. All messages related to DNSSEC validation are logged at priority
LOG_INFO, and log entries are prefixed with "dnssec:".
For log-dnssec to work, you must have DNSSEC trust anchors defined.
log-id-spoofing
Optional
boolean
Configures CacheServe to issue a log message when it suspects an ID spoofing attack. The
log message is only issued when there's a relatively strong suspicion that an actual attack is
taking place.
log-lame
Optional
(name ...)
A list of names. Causes CacheServe to log lame delegations and other configuration errors
detected in authoritative servers during resolution. log-lame domains should belong to
your own organization.
When log-lame is enabled, CacheServe will log other errors from authoritative servers in
addition to lame delegations, such as malformed responses, RCODES indicating a server
error, and NS records pointing at CNAMEs.
managed-keys
Optional
((name, (rdata...)) ...)
A tuple of domain name and rdata that defines DNSSEC managed keys. Each managed-key
domain may include one or more keys, formatted as DNSKEYs (RFC4034).
Managed-keys are similar to trusted-keys, but are automatically maintained (as described
in RFC5011). The set of keys (as well as state) is persistently stored, and maintained over
time, including a periodic refetch of the DNSKEY set.
When managed-keys is initially configured, if there are any keys present for a domain,
CacheServe tries to verify signatures in the retrieved DNSKEY set. If it cannot verify any of
the signatures, CacheServe considers the domain insecure.
Managed-keys are normally used only for the root zone, so CacheServe has the current
root key compiled in. If the root domain is specified in the managed-keys field, but no keys
are specified, CacheServe will use that root key to verify the root DNSKEY set.
max-cache-size
Optional
sizeval
Specifies the maximum amount of memory which can be used by this resolver's cache. The
default is 1G (1 gigabyte).
Values larger than 16G are treated as 16G, and values smaller than 64M are treated as 64M.
max-cache-ttl
Optional
time-in-seconds
Sets the maximum amount of time for which the server will cache ordinary (positive)
answers. The default is 604800 (7 days).
max-client-ttl
Optional
time-in-seconds
max-client-ttl only affects responses to DNS clients, not actual caching; a DNS record can
remain in the cache for the full amount of time even if clients receive a smaller value.
max-edns-udp-size
Optional
integer
When this field is configured, CacheServe, when sending EDNS queries, advertises that
packets of up to this length (in bytes) can be reassembled. Values smaller than 512 and
larger than 4096 are treated as 512 and 4096, respectively.
max-ncache-ttl
Optional
time-in-seconds
Specifies the maximum amount of time that CacheServe will cache negative answers.
Defaults to 10800 (3 hours).
negative-trust-anchors
Optional
(name ...)
Turns off DNSSEC validation for a domain, even if that domain is under a security root.
post-edits
Optional
(std-layered-edit-operation ...)
pre-edits
Optional
(std-layered-edit-operation ...)
prefetch-ratio
Optional
integer
Adjusts CacheServe's criteria for whether or not it issues prefetch queries. The default is 16,
and values greater than 32 or less than 4 are clamped to 32 or 4 respectively. Setting the
value to 0 completely disables prefetching.
Note: Changing this value is not recommended, and you should only change it under the
direction of Nominum support.
Prefetching is normally performed when a query requests data that's already cached but
will expire soon from the cache. This prevents commonly-accessed data from ever
expiring, and results in a higher cache hit rate and better average latency.
The prefetch-ratio value defines the relationship between the time at which data expires
and the initial TTL (time-to-live) of the data. Specifically, a value of X means that CacheServe
issues a prefetch query if the currently cached data expires in less than 1/X of the initial
TTL.
preload
Optional
((name, rdatatype, rdata) ...)
Preloads the cache with a fixed resource record, specified by a combination name,
rdatatype and rdata.
preload-nxdomain
Optional
(name ...)
Note: preload-nxdomain affects only a single name; if you want to affect an entire
domain, use synthesize-nxdomain.
preload-nxrrset
Optional
((name, rdatatype) ...)
Note: preload-nxrrset is an option included for the sake of completeness. Don't use it
unless you are specifically told to by Nominum support!
Preloads CacheServe with an indication that no resource record of a given name and type
exists.
For example, to specify that no AAAA record exists for the local hostname:
preload-nxrrset host.domain AAAA
qname-case-randomization
Optional
'enforced' | 'off' | 'silent-enforced' | 'unenforced'
Indicates whether CacheServe should randomize letters in a query name when sending
queries to authoritative servers or forwarders. Defaults to off.
qname-case-randomization-exclusions
Optional
(name ...)
query-source-pool
Optional
(uint16, addrport4)
Sets the address CacheServe will use to send outgoing IPv4 UDP queries, configuring
CacheServe to send from a randomly selected port within a pool of multiple source ports.
The uint16 specifies the number of ports. The maximum number of ports is 2048.
l If the addrport4 is nonzero, ports are allocated sequentially, starting at that number.
If you don't specify query-source-pool, CacheServe creates a query source pool with a
number of ports that's appropriate for the OS.
Warning! When you are choosing the number of ports to use, make sure you don't
exceed the OS's file-descriptor limit. Each port uses a file descriptor, and additional file
descriptors are needed for listen-on-matching and things like outgoing and incoming TCP
connections.
query-source-pool-v6
Optional
(uint16, addrport6)
Sets the address CacheServe uses to send outgoing IPv6 UDP queries, configuring
CacheServe to send from a randomly selected port within a pool of multiple source ports.
The uint16 specifies the number of ports. The maximum number of ports is 2048.
l If the addrport6 is nonzero, ports are allocated sequentially, starting at that number.
If you don't specify query-source-pool-v6 and CacheServe has been configured to use IPv6
transport (by including type AAAA in server-address-lookup-order), CacheServe creates a
query source pool with an appropriate number of ports for the OS.
Warning! When you are choosing the number of ports to use, make sure you don't
exceed the OS's file-descriptor limit. Each port uses a file descriptor, and additional file
descriptors are needed for listen-on-matching and things like outgoing and incoming TCP
connections.
rrset-order
Optional
'cyclic' | 'fixed' | 'random'
Sets the order in which resource records (RRs) in a resource record set (RRset) are added to
a response. The default is cyclic.
l cyclic configures CacheServe to use a random starting point in the list of RRs and
wrap around to the beginning of the list when the end is reached.
l fixed configures CacheServe to always emit RRs in the order in which they are stored.
server-address-lookup-order
Optional
('A' | 'AAAA' ...)
Defines the order in which CacheServe should use IPv4 or IPv6 server addresses.
The argument is a list of address record types that may be either A or AAAA.
The default is A, which configures CacheServe to use only IPv4 addresses for nameserver
addresses, and thus IPv4 transport only for communications with the authoritative server.
The same value may not occur multiple times in the list, and only nameserver addresses of
the specified types are used, in the listed order.
For example, if your site has some IPv6 connectivity to the Internet, you can specify (A
AAAA), and CacheServe will attempt IPv4 first; if your site has mostly IPv6 connectivity, you
can specify (AAAA A) and CacheServe will attempt IPv6 first.
stub
Optional
((name, ((name, (addrport ...)) ...)) ...)
Queries within each domain are resolved as if the specified servers were delegated
authority for that domain.
Warning! A specific domain may only appear once per stub per resolver, and you cannot
have the same entry in both stub and synthesize-nxdomain.
The main use for stub resolution is in situations where you need to resolve a domain using
a particular set of servers that have not actually been delegated authority.
For example, if you are using RFC1918 private addresses (10.*), you might want to define a
stub for 10.in-addr.arpa, so that queries for that domain get directed to your own set of
internal authoritative servers.
synthesize-nxdomain
Optional
(name ...)
Configures CacheServe to return synthetic NXDOMAIN responses for all queries within the
specified domains.
Note: If you need to return PTR records for RFC1918 addresses, use a stub pointing at one
or more authoritative servers configured with the right reverse mapping data!
trusted-keys
Optional
((name, (rdata ...)) ...)
Defines DNSSEC trusted keys. Enabling this option automatically enables dnssec-aware,
and configures CacheServe to perform DNSSEC verification on all DNS data in a subdomain
of a security root.
The trusted−keys field can contain multiple key entries,each consisting of the key’s domain
name and rdata. If any trusted-keys are defined, DNSSEC information will be requested and
cached as if the dnssec-aware option were enabled.
unset
Optional
(string ...)
Note: When unset is invoked upon a field, the field is emptied, and CacheServe treats the
field as if no value were specified (for instance, populating the field with a default value if
necessary).
restart
Restarts CacheServe.
selector.add
Description and usage
Creates a new view-selector.
Fields
name
Required
string
comment
Optional
string
A comment describing this object. Contains user-specific data relating to or identifying the
containing object.
errors
Optional
(string ...)
A read-only field that indicates any problems with a specific object's configuration. errors
will only be present if there's a problem.
layer
Optional
string
post-edits
Optional
(std-layered-edit-operation ...)
pre-edits
Optional
(std-layered-edit-operation ...)
selector
policy-selector
The boolean AND and OR selectors permit multiple selectors to be evaluated, and the NOT
selector inverts the result of another selector.
selector.delete
Description and usage
Deletes a selector.
Fields
name
Required
string
layer
Optional
string
selector.get
Description and usage
Retrieves a named selector.
Fields
name
Required
string
exclude-fields
Optional
(string ...)
fields
Optional
(string ...)
layer
Optional
string
selector.list
Description and usage
Lists named selectors, optionally sorted by various criteria.
Fields
descending
Optional
boolean
end
Optional
{
name => string
}
key
Optional
string
layer
Optional
string
max-results
Optional
integer
skip-first
Optional
boolean
If present, skip-first causes the object where the key matches start to be skipped.
start
Optional
{
name => string
}
Returns
name
Required
string
selector.mget
Description and usage
Retrieves multiple named selectors.
Fields
descending
Optional
boolean
end
Optional
{
name => string
}
exclude-fields
Optional
(string ...)
fields
Optional
(string ...)
key
Optional
string
layer
Optional
string
max-results
Optional
integer
skip-first
Optional
boolean
If present, skip-first causes the object where the key matches start to be skipped.
start
Optional
{
name => string
}
selector.replace
Description and usage
Replaces values on a named selector.
Fields
name
Required
string
comment
Optional
string
A comment describing this object. Contains user-specific data relating to or identifying the
containing object.
layer
Optional
string
post-edits
Optional
(std-layered-edit-operation ...)
pre-edits
Optional
(std-layered-edit-operation ...)
selector
policy-selector
The boolean AND and OR selectors permit multiple selectors to be evaluated, and the NOT
selector inverts the result of another selector.
selector.update
Description and usage
Updates values for a named selector.
Fields
name
Required
string
comment
Optional
string
A comment describing this object. Contains user-specific data relating to or identifying the
containing object.
layer
Optional
string
post-edits
Optional
(std-layered-edit-operation ...)
pre-edits
Optional
(std-layered-edit-operation ...)
selector
policy-selector
The boolean AND and OR selectors permit multiple selectors to be evaluated, and the NOT
selector inverts the result of another selector.
unset
Optional
(string ...)
Note: When unset is invoked upon a field, the field is emptied, and CacheServe treats the
field as if no value were specified (for instance, populating the field with a default value if
necessary).
server.add
Description and usage
Creates a new server.
Fields
layer
Optional
string
commands-not-logged
Optional
(string ...)
Specifies a list of Command Channel message types that should not be logged when log-
command-channel is enabled.
Defaults to ().
listen-on-matching
Optional
({
instances => integer
interface => string
patterns => (acl-element ...)
port => uint16
} ...)
Configures CacheServe to listen for incoming DNS queries on addresses which match
specified patterns and ports. If no listen-on-matching value is given, CacheServe listens on
all interfaces on the default port (53).
Note: instances takes advantage of certain relatively new Linux features, which permit
multiple sockets listening on a single address and port (SO_REUSEPORT). If you have this
capability, set instances to the number of desired UDP sockets.
listen-on-matching can contain multiple elements, which allows different listener ports to be
specified.
l patterns defaults to an ACL which matches any address. To listen on all interfaces, use
a pattern of 0.0.0.0/0 (IPv4) or ::/0 (IPv6).
l If port is 0 or not specified, CacheServe listens on the port specified by the --dns-port
command-line option, which defaults to the standard DNS port of 53.
Examples
For example, here's how you specify listen-on-matching to use 16 instances on the
IP address 192.168.1.1 and 1 instance on 127.0.0.1, port 5334:
cacheserve> server.update listen-on-matching=({patterns=(192.168.1.1)
instances=16}{patterns=(127.0.0.1) port=5354})
{
type => 'server.update'
}
cacheserve> server.get
{
type => 'server.get'
listen-on-matching => (
{
patterns => ('192.168.1.1/32')
instances => '16'
}
{
patterns => ('127.0.0.1/32')
port => '5354'
}
)
}
And here's how you specify listen-on-matching with the same values, this time limiting the
interface to eth0:
cacheserve> server.update listen-on-matching=({interface=eth0 pat-
terns=(192.168.1.1) instances=16}{interface=eth0 patterns=(127.0.0.1)
port=5354})
{
type => 'server.update'
}
cacheserve> server.get
{
type => 'server.get'
listen-on-matching => (
{
interface => 'eth0'
patterns => ('192.168.1.1/32')
instances => '16'
}
{
interface => 'eth0'
patterns => ('127.0.0.1/32')
port => '5354'
}
)
}
log-command-channel
Optional
boolean
Defaults to false.
When set to true, commands are logged at the LOG_INFO priority, and large commands
are truncated.
max-recursive-clients
Optional
integer
An integer that specifies the maximum number of recursive UDP lookups that can occur at
any one time. The default is 25,000, and values over 500,000 are capped at 500,000.
The limit applies equally to recursive lookups coming from UDP clients and lookups that
are generated internally.
max-tcp-clients
Optional
integer
Controls the maximum number of TCP client connections at any one time. The default is
100.
post-edits
Optional
(std-layered-edit-operation ...)
pre-edits
Optional
(std-layered-edit-operation ...)
server-description
Optional
string
A user-specified text description for this server instance. server-description is visible only in
telemetry, and only when present.
server-id
Optional
string-empty-ok
The server ID used to populate the server.id and bind.id values in responses to DNS CH TXT
queries for the server's ID, as well as NSID EDNS responses.
If server-id is empty or set to the literal string "none", CacheServe will refuse all queries for
the server ID, and ignore NSID requests.
server-version
Optional
string-empty-ok
The server version used to populate the version.server and version.bind values in
responses to DNS CH TXT queries for version.server and version.bind.
If server-version is set to the literal string "none", CacheServe will refuse all queries for the
server version. If server-version is empty, CacheServe will respond with the actual software
version.
time-zone
Optional
string
Identifies the timezone CacheServe will use. Values must match an entry in the 'TZ' column
of the IANA tzdb.
versioncheck-interval
Optional
versioncheck-days
Specifies how often CacheServe should check for a newer version. Defaults to 7, with a
minimum of 1 and a maximum of 30.
server.all-errors
Description and usage
Displays all misconfigured CacheServe elements. Individual elements also return
troubleshooting information in the errors field.
Fields
max-results
Optional
integer
server.block-checkpoints
Prevents database checkpoints for a specified amount of time, which permits the database
to be backed up.
Fields
timeout
Optional
time-in-seconds
The duration in seconds for which checkpoints should be suspended. The default is 3600 (1
hour).
server.checkpoint
Forces CacheServe to immediately perform a database checkpoint operation.
server.delete
Deletes a server object.
Fields
layer
Required
string
server.get
Description and usage
Retrieves the server object's configuration.
Fields
exclude-fields
Optional
(string ...)
fields
Optional
(string ...)
layer
Optional
string
server.query
Description and usage
Processes a DNS query as if the server had received it.
All of the query attributes can be configured, along with additional configuration beyond
the normal parameters of a DNS query. For example, you can specify a view or resolver.
The response contains all of the normal DNS query response data along with:
Simulated queries sent to the Nominum monitoring utilities are marked with the
SIMULATED flag.
Queries where the client-address and server-address are in different families will not be
posted.
Fields
client-address
Optional
addrport
client-subnet
Optional
addrpat
The value of the edns-client-subnet option. If present, this option enables EDNS processing
for the request.
destination-address
Optional
addrport
device-id
Optional
string
The value of the nom-device-id EDNS option. If present, this option enables EDNS
processing for the request.
edns-buffer-size
Optional
uint16
Indicates the advertised EDNS buffer size, limiting the size of the response.
If this field is present, it enables EDNS in the request as needed; if some other field enables
EDNS and edns-buffer-size is not present, CacheServe uses a buffer size of 4096.
edns-flags
Optional
edns-flag
flags
Optional
dns-flag
force-resolution
Optional
boolean
Indicates whether or not CacheServe should force resolution to occur. The default is false.
If force-resolution is true, CacheServe does not perform the initial cache lookup, and
existing resolutions are not joined.
Note: This does not exclude policy effects: if a terminal policy executes prior to the point
at which resolution would normally occur, it will prevent resolution.
qclass
Optional
rdataclass
qname
Optional
name
qtype
Optional
rdatatype
resolver
Optional
string
Instructs CacheServe to process a query in the context of the named resolver, versus a
context defined by a view-selector.
start-time
Optional
seconds-since-epoch
tcp
Optional
boolean
Indicates whether or not the simulated query should be processed as if it were received via
TCP.
tracing
Optional
boolean
Indicates whether or not tracing should be performed on this simulated query. Defaults to
false.
view
Optional
string
Instructs CacheServe to process a query in the context of the named view, versus a context
defined by a view-selector.
Returns
additional
((name, rdatatype, ttl, rdata) ...)
aliases
(name...)
answer
((name, rdatatype, ttl, rdata) ...)
Note: Only displayed if you have an NXR, N2 or ThreatAvert license in addition to the
CacheServe base license.
authority
((name, rdatatype, ttl, rdata) ...)
client-subnet
(addrpat, integer)
The value of the edns-client-subnet option in the response, if present. The address is
copied from the request, and the integer is the scope of network addresses for which the
tailored answer is intended.
dropped
boolean
flags
(dns-flag ...)
policies
({
match => boolean
parent => string
policy => string
priority => integer
server => string
The list of policies, in order, that were evaluated when processing this query. For each
policy, the policy name and whether or not it matched is included.
If a policy directly associated with a binding, the object it’s bound to (view or server) is
included, as well as the time at which it executes (prequery, postquery, or presend) and the
priority. If the policy is the child of another policy, the parent policy name is included.
Unlike with policy.simulate, this can include the results of multiple passes through the
policy engine, if a query is restarted (such as when following a CNAME).
qclass
rdataclass
qname
name
qtype
rdatatype
rcode
dns-rcode
resolution
boolean
If true, indicates that a resolution was performed as part of processing the query.
resolver
string
response-size
integer
The size of the response packet that would have been sent to the client, in bytes.
response-time
time-in-microseconds
result
string
trace-messages
(string...)
If tracing is enabled, this field contains tracing messages related to processing this query.
These messages contain varying levels of detail, and may or may not be useful or
understandable.
The specific messages are not guaranteed to be consistent between releases; this output is
purely designed for manual inspection.
view
string
Example
cacheserve> server.query qname=www.nominum.com
{
type => 'server.query'
qname => 'www.nominum.com'
qtype => 'A'
rcode => 'NOERROR'
result => 'success'
flags => ('qr' 'rd' 'ra')
answer => (('www.nominum.com' 'A' '3600' '96.126.124.232'))
response-size => '49'
response-time => '0.316730'
resolver => 'world'
view => 'world'
}
}
{
policy => 'strict-067e90f9-6c93-37ef-8859-e8cbba15b799-1'
parent => 'strict-067e90f9-6c93-37ef-8859-e8cbba15b799'
match => 'false'
}
{
policy => 'strict-067e90f9-6c93-37ef-8859-e8cbba15b799-2'
parent => 'strict-067e90f9-6c93-37ef-8859-e8cbba15b799'
match => 'false'
}
{
policy => 'strict-067e90f9-6c93-37ef-8859-e8cbba15b799-3'
parent => 'strict-067e90f9-6c93-37ef-8859-e8cbba15b799'
match => 'true'
}
)
}
cacheserve>
server.replace
Description and usage
Replaces values on a server.
Fields
layer
Optional
string
commands-not-logged
Optional
(string ...)
Specifies a list of Command Channel message types that should not be logged when log-
command-channel is enabled.
Defaults to ().
listen-on-matching
Optional
({
instances => integer
interface => string
patterns => (acl-element ...)
port => uint16
} ...)
Configures CacheServe to listen for incoming DNS queries on addresses which match
specified patterns and ports. If no listen-on-matching value is given, CacheServe listens on
all interfaces on the default port (53).
Note: instances takes advantage of certain relatively new Linux features, which permit
multiple sockets listening on a single address and port (SO_REUSEPORT). If you have this
capability, set instances to the number of desired UDP sockets.
listen-on-matching can contain multiple elements, which allows different listener ports to be
specified.
l patterns defaults to an ACL which matches any address. To listen on all interfaces, use
a pattern of 0.0.0.0/0 (IPv4) or ::/0 (IPv6).
l If port is 0 or not specified, CacheServe listens on the port specified by the --dns-port
command-line option, which defaults to the standard DNS port of 53.
Examples
For example, here's how you specify listen-on-matching to use 16 instances on the
IP address 192.168.1.1 and 1 instance on 127.0.0.1, port 5334:
cacheserve> server.update listen-on-matching=({patterns=(192.168.1.1)
instances=16}{patterns=(127.0.0.1) port=5354})
{
type => 'server.update'
}
cacheserve> server.get
{
type => 'server.get'
listen-on-matching => (
{
patterns => ('192.168.1.1/32')
instances => '16'
}
{
patterns => ('127.0.0.1/32')
port => '5354'
}
)
}
And here's how you specify listen-on-matching with the same values, this time limiting the
interface to eth0:
cacheserve> server.update listen-on-matching=({interface=eth0 pat-
terns=(192.168.1.1) instances=16}{interface=eth0 patterns=(127.0.0.1)
port=5354})
{
type => 'server.update'
}
cacheserve> server.get
{
type => 'server.get'
listen-on-matching => (
{
interface => 'eth0'
patterns => ('192.168.1.1/32')
instances => '16'
}
{
interface => 'eth0'
patterns => ('127.0.0.1/32')
port => '5354'
}
)
}
log-command-channel
Optional
boolean
Defaults to false.
When set to true, commands are logged at the LOG_INFO priority, and large commands
are truncated.
max-recursive-clients
Optional
integer
An integer that specifies the maximum number of recursive UDP lookups that can occur at
any one time. The default is 25,000, and values over 500,000 are capped at 500,000.
The limit applies equally to recursive lookups coming from UDP clients and lookups that
are generated internally.
max-tcp-clients
Optional
integer
Controls the maximum number of TCP client connections at any one time. The default is
100.
post-edits
Optional
(std-layered-edit-operation ...)
pre-edits
Optional
(std-layered-edit-operation ...)
server-description
Optional
string
A user-specified text description for this server instance. server-description is visible only in
telemetry, and only when present.
server-id
Optional
string-empty-ok
The server ID used to populate the server.id and bind.id values in responses to DNS CH TXT
queries for the server's ID, as well as NSID EDNS responses.
If server-id is empty or set to the literal string "none", CacheServe will refuse all queries for
the server ID, and ignore NSID requests.
server-version
Optional
string-empty-ok
The server version used to populate the version.server and version.bind values in
responses to DNS CH TXT queries for version.server and version.bind.
If server-version is set to the literal string "none", CacheServe will refuse all queries for the
server version. If server-version is empty, CacheServe will respond with the actual software
version.
time-zone
Optional
string
Identifies the timezone CacheServe will use. Values must match an entry in the 'TZ' column
of the IANA tzdb.
versioncheck-interval
Optional
versioncheck-days
Specifies how often CacheServe should check for a newer version. Defaults to 7, with a
minimum of 1 and a maximum of 30.
server.statistics
Description and usage
Returns the current values for server statistics along with general process statistics.
Fields
all
Optional
boolean
If set to true, instructs CacheServe to return the values of all tracked statistics, even those
with a value of 0.
reset
Optional
boolean
If set to true, instructs CacheServe to reset all counters to 0 after returning them.
Returns
current-time
float-seconds-since-epoch
memory-in-use
uint64
This value represents the amount of memory requested from the memory allocator and
memory used by the cache; it does not include overhead for allocator bookkeeping,
rounding, fragmentation or free lists.
name
string
reset-time
float-seconds-since-epoch
server-start-time
float-seconds-since-epoch
statistics
{
formerr-loop-dropped => uint64
lookups => uint64
malformed-requests-dropped => uint64
rate-limited-requests => uint64
recursion-contexts-in-use => uint64
recursive-lookups => uint64
requests-no-view => uint64
requests-received => uint64
requests-sent => uint64
responses-received => uint64
responses-sent => uint64
suppressed-duplicate-queries => uint64
tcp-clients => uint64
tcp-connections-accepted => uint64
tcp-connections-rejected => uint64
tcp-requests-sent => uint64
}
system-time
time-in-microseconds
user-time
time-in-microseconds
The amount of user CPU time used since the server started.
Example
cacheserve> server.statistics
{
type => 'server.statistics'
reset-time => '1404287789.143226'
current-time => '1404288409.721157'
server-start-time => '1404287788.816544'
user-time => '1.239811'
server.unblock-checkpoints
Unblocks any blocked database checkpoints.
server.usage
Description and usage
Returns the server's current utilization.
Returns
current-time
float-seconds-since-epoch
memory-in-use
uint64
This value represents the amount of memory requested from the memory allocator and
memory used by the cache; it does not include overhead for allocator bookkeeping,
rounding, fragmentation or free lists.
system-time
time-in-microseconds
thread ‐groups
Optional
{
<thread‐group> => {
system‐time => time-in-microseconds
threads => uint64
user‐time => time-in-microseconds
}
...
}
user-time
time-in-microseconds
The amount of user CPU time used since the server started.
server.update
Description and usage
Updates server fields.
Fields
layer
Optional
string
commands-not-logged
Optional
(string ...)
Specifies a list of Command Channel message types that should not be logged when log-
command-channel is enabled.
Defaults to ().
listen-on-matching
Optional
({
instances => integer
interface => string
patterns => (acl-element ...)
port => uint16
} ...)
Configures CacheServe to listen for incoming DNS queries on addresses which match
specified patterns and ports. If no listen-on-matching value is given, CacheServe listens on
all interfaces on the default port (53).
Note: instances takes advantage of certain relatively new Linux features, which permit
multiple sockets listening on a single address and port (SO_REUSEPORT). If you have this
capability, set instances to the number of desired UDP sockets.
listen-on-matching can contain multiple elements, which allows different listener ports to be
specified.
l patterns defaults to an ACL which matches any address. To listen on all interfaces, use
a pattern of 0.0.0.0/0 (IPv4) or ::/0 (IPv6).
l If port is 0 or not specified, CacheServe listens on the port specified by the --dns-port
command-line option, which defaults to the standard DNS port of 53.
Examples
For example, here's how you specify listen-on-matching to use 16 instances on the
IP address 192.168.1.1 and 1 instance on 127.0.0.1, port 5334:
cacheserve> server.update listen-on-matching=({patterns=(192.168.1.1)
instances=16}{patterns=(127.0.0.1) port=5354})
{
type => 'server.update'
}
cacheserve> server.get
{
type => 'server.get'
listen-on-matching => (
{
patterns => ('192.168.1.1/32')
instances => '16'
}
{
patterns => ('127.0.0.1/32')
port => '5354'
}
)
}
And here's how you specify listen-on-matching with the same values, this time limiting the
interface to eth0:
cacheserve> server.update listen-on-matching=({interface=eth0 pat-
terns=(192.168.1.1) instances=16}{interface=eth0 patterns=(127.0.0.1)
port=5354})
{
type => 'server.update'
}
cacheserve> server.get
{
type => 'server.get'
listen-on-matching => (
{
interface => 'eth0'
patterns => ('192.168.1.1/32')
instances => '16'
}
{
interface => 'eth0'
patterns => ('127.0.0.1/32')
port => '5354'
}
)
}
log-command-channel
Optional
boolean
Defaults to false.
When set to true, commands are logged at the LOG_INFO priority, and large commands
are truncated.
max-recursive-clients
Optional
integer
An integer that specifies the maximum number of recursive UDP lookups that can occur at
any one time. The default is 25,000, and values over 500,000 are capped at 500,000.
The limit applies equally to recursive lookups coming from UDP clients and lookups that
are generated internally.
max-tcp-clients
Optional
integer
Controls the maximum number of TCP client connections at any one time. The default is
100.
post-edits
Optional
(std-layered-edit-operation ...)
pre-edits
Optional
(std-layered-edit-operation ...)
server-description
Optional
string
A user-specified text description for this server instance. server-description is visible only in
telemetry, and only when present.
server-id
Optional
string-empty-ok
The server ID used to populate the server.id and bind.id values in responses to DNS CH TXT
queries for the server's ID, as well as NSID EDNS responses.
If server-id is empty or set to the literal string "none", CacheServe will refuse all queries for
the server ID, and ignore NSID requests.
server-version
Optional
string-empty-ok
The server version used to populate the version.server and version.bind values in
responses to DNS CH TXT queries for version.server and version.bind.
If server-version is set to the literal string "none", CacheServe will refuse all queries for the
server version. If server-version is empty, CacheServe will respond with the actual software
version.
time-zone
Optional
string
Identifies the timezone CacheServe will use. Values must match an entry in the 'TZ' column
of the IANA tzdb.
versioncheck-interval
Optional
versioncheck-days
Specifies how often CacheServe should check for a newer version. Defaults to 7, with a
minimum of 1 and a maximum of 30.
unset
Optional
(string ...)
Note: When unset is invoked upon a field, the field is emptied, and CacheServe treats the
field as if no value were specified (for instance, populating the field with a default value if
necessary).
stop
Stops CacheServe.
telemetry.get
Description and usage
Retrieves the telemetry object.
Fields
exclude-fields
Optional
(string ...)
fields
Optional
(string ...)
layer
Optional
string
telemetry.replace
Description and usage
Replaces all values for the telemetry object.
Fields
layer
Optional
string
comment
Optional
string
A comment describing this object. Contains user-specific data relating to or identifying the
containing object.
enable
boolean
interval
integer
kafka
Optional
kafka-configuration-field
post-edits
Optional
(std-layered-edit-operation ...)
pre-edits
Optional
(std-layered-edit-operation ...)
record-events
Optional
(event-name ...)
Specifies a list of events to be recorded by the telemetry stream in addition to the standard
periodic sampling. Defaults to no additional events (an empty value).
telemetry.statistics
Description and usage
Returns the current values for server statistics along with general process statistics.
Fields
all
Optional
boolean
If set to true, instructs CacheServe to return the values of all tracked statistics, even those
with a value of 0.
reset
Optional
boolean
If set to true, instructs CacheServe to reset all counters to 0 after returning them.
Returns
current-time
float-seconds-since-epoch
memory-in-use
uint64
This value represents the amount of memory requested from the memory allocator and
memory used by the cache; it does not include overhead for allocator bookkeeping,
rounding, fragmentation or free lists.
node-id
uuid
The node identifier for the system on which the server is running.
reset-time
float-seconds-since-epoch
server-start-time
float-seconds-since-epoch
statistics
{
messages-delivered => uint64
messages-dropped => uint64
messages-produced => uint64
queue-full => uint64
records-delivered => uint64
records-dropped => uint64
records-produced => uint64
system-time
time-in-microseconds
user-time
time-in-microseconds
The amount of user CPU time used since the server started.
Example
cacheserve> telemetry.statistics
{
type => 'telemetry.statistics'
current-time => '1449531574.235686'
server-start-time => '1449531495.749013'
node-id => 'ca875e7c-2d16-5e79-8f43-95ed3d388cee'
user-time => '0.164974'
system-time => '0.092985'
memory-in-use => '79723540'
reset-time => '1449531495.914294'
statistics => {
messages-produced => '42'
}
}
telemetry.update
Description and usage
Updates telemetry fields.
Fields
layer
Optional
string
comment
Optional
string
A comment describing this object. Contains user-specific data relating to or identifying the
containing object.
enable
boolean
interval
integer
kafka
Optional
kafka-configuration-field
post-edits
Optional
(std-layered-edit-operation ...)
pre-edits
Optional
(std-layered-edit-operation ...)
record-events
Optional
(event-name ...)
Specifies a list of events to be recorded by the telemetry stream in addition to the standard
periodic sampling. Defaults to no additional events (an empty value).
unset
Optional
(string ...)
Note: When unset is invoked upon a field, the field is emptied, and CacheServe treats the
field as if no value were specified (for instance, populating the field with a default value if
necessary).
uuid
Retrieves CacheServe's uuid.
version
Retrieves information about CacheServe, including the vendor, product, platform and
version of the running server, as well as a list of currently loaded plugins and their
expiration date, if any.
Returns
product
Required
string
expiration
Optional
string
platform
Optional
string
The platform for which CacheServe was built. This will, with rare exceptions, be the same
as the platform CacheServe is running on, and takes the form OS name-OS version-CPU class
plugins
Optional
string
vendor
Optional
string
view-selector.add
Description and usage
Creates a new view-selector.
Fields
view
Required
string
The name of the view that handles requests matching this view-selector (if no other, more
specific view-selector matches).
destination-address
Optional
addrport
layer
Optional
string
post-edits
Optional
(std-layered-edit-operation ...)
pre-edits
Optional
(std-layered-edit-operation ...)
source-address
Optional
addrpat
view-selector.delete
Description and usage
Deletes a view-selector.
Fields
destination-address
Optional
addrport
layer
Optional
string
source-address
Optional
addrpat
view-selector.get
Description and usage
Retrieves a view-selector.
Fields
destination-address
Optional
addrport
exclude-fields
Optional
(string ...)
fields
Optional
(string ...)
layer
Optional
string
source-address
Optional
addrpat
view-selector.list
Description and usage
Lists view-selectors, optionally sorted by various criteria.
Fields
end
Optional
{
destination-address => addrport
source-address => addrpat
}
Defines the last value to be returned. The value is the acceptable addresses for the source
and destination of the view-selector.
descending
Optional
boolean
layer
Optional
string
max-results
Optional
integer
start
Optional
{
destination-address => addrport
source-address => addrpat
}
Defines the first value to be returned. The value is the acceptable addresses for the source
and destination of the view-selector.
view
Optional
string
Returns
destination-address
Optional
addrport
source-address
Optional
addrpat
view-selector.mget
Description and usage
Retrieves multiple view-selectors.
Fields
end
Optional
{
destination-address => addrport
source-address => addrpat
}
Defines the last value to be returned. The value is the acceptable addresses for the source
and destination of the view-selector.
exclude-fields
Optional
(string ...)
fields
Optional
(string ...)
layer
Optional
string
max-results
Optional
integer
start
Optional
{
destination-address => addrport
source-address => addrpat
}
Defines the first value to be returned. The value is the acceptable addresses for the source
and destination of the view-selector.
view
Optional
string
view-selector.query
Description and usage
Simulates the execution of a query, and returns the view-selector that would match.
Fields
destination-address
Optional
addrport
source-address
Optional
addrpat
Returns
resolver
string
view
string
view-selector
string
view-selector.replace
Description and usage
Replaces values on a view-selector.
Fields
view
Required
string
The name of the view that handles requests matching this view-selector (if no other, more
specific view-selector matches).
destination-address
Optional
addrport
layer
Optional
string
post-edits
Optional
(std-layered-edit-operation ...)
pre-edits
Optional
(std-layered-edit-operation ...)
source-address
Optional
addrpat
view-selector.mget
Description and usage
Retrieves multiple view-selectors.
Fields
end
Optional
{
destination-address => addrport
source-address => addrpat
}
Defines the last value to be returned. The value is the acceptable addresses for the source
and destination of the view-selector.
exclude-fields
Optional
(string ...)
fields
Optional
(string ...)
layer
Optional
string
max-results
Optional
integer
start
Optional
{
destination-address => addrport
source-address => addrpat
}
Defines the first value to be returned. The value is the acceptable addresses for the source
and destination of the view-selector.
view
Optional
string
view-selector.update
Description and usage
Updates values for a view-selector.
Fields
destination-address
Optional
addrport
layer
Optional
string
post-edits
Optional
(std-layered-edit-operation ...)
pre-edits
Optional
(std-layered-edit-operation ...)
source-address
Optional
addrpat
unset
Optional
(string ...)
Note: When unset is invoked upon a field, the field is emptied, and CacheServe treats the
field as if no value were specified (for instance, populating the field with a default value if
necessary).
view
Optional
string
The name of the view that handles requests matching this view-selector (if no other, more
specific view-selector matches).
view.add
Description and usage
Creates a new view.
Fields
name
Required
string
resolver
Required
string
The name of the resolver associated with this view. All DNS operations are performed in
the context of the resolver.
layer
Optional
string
post-edits
Optional
(std-layered-edit-operation ...)
pre-edits
Optional
(std-layered-edit-operation ...)
time-zone
Optional
string
Identifies the timezone CacheServe will use. Values must match an entry in the 'TZ' column
of the IANA tzdb.
view.delete
Description and usage
Deletes a view.
Fields
name
Required
string
layer
Optional
string
view.get
Description and usage
Retrieves a view.
Fields
name
Required
string
exclude-fields
Optional
(string ...)
fields
Optional
(string ...)
layer
Optional
string
view.list
Description and usage
Lists views, optionally sorted by various criteria.
Fields
descending
Optional
boolean
end
Optional
{
name => string
Defines the last value to be returned. The value is the view name.
skip-first
Optional
boolean
If present, skip-first causes the object where the key matches start to be skipped.
start
Optional
{
name => string
Defines the first value to be returned. The value is the view name.
view.mget
Description and usage
Retrieves multiple views.
Fields
descending
Optional
boolean
end
Optional
{
name => string
Defines the last value to be returned. The value is the view name.
exclude-fields
Optional
(string ...)
fields
Optional
(string ...)
key
Optional
string
layer
Optional
string
max-results
Optional
integer
skip-first
Optional
boolean
If present, skip-first causes the object where the key matches start to be skipped.
start
Optional
{
name => string
}
Defines the first value to be returned. The value is the name of a list.
view.replace
Description and usage
Replace values on a view.
Fields
name
Required
string
resolver
Required
string
The name of the resolver associated with this view. All DNS operations are performed in
the context of the resolver.
layer
Optional
string
post-edits
Optional
(std-layered-edit-operation ...)
pre-edits
Optional
(std-layered-edit-operation ...)
time-zone
Optional
string
Identifies the timezone CacheServe will use. Values must match an entry in the 'TZ' column
of the IANA tzdb.
view.update
Description and usage
Updates values on a view.
Fields
name
Required
string
layer
Optional
string
post-edits
Optional
(std-layered-edit-operation ...)
pre-edits
Optional
(std-layered-edit-operation ...)
resolver
Optional
string
The resolver associated with this view. All DNS resolution and caching is performed within
the context of a resolver, which may be shared between multiple views.
time-zone
Optional
string
Identifies the timezone CacheServe will use. Values must match an entry in the 'TZ' column
of the IANA tzdb.
unset
Optional
(string ...)
Note: When unset is invoked upon a field, the field is emptied, and CacheServe treats the
field as if no value were specified (for instance, populating the field with a default value if
necessary).
Returns
name
string
address-list.changed
Indicates that an address-list has been modified.
Returns
name
string
address-node.changed
Indicates that an address-node has been modified.
Returns
address
addrpat
list
string
auth-monitoring.changed
Indicates that the auth-monitoring object has been modified.
auth-server-list.changed
Indicates that an auth-server-list has been modified.
Returns
name
string
auth-server-node.changed
Indicates that an auth-server-node has been modified.
Returns
name
string
binding.changed
Indicates that a ratelimiter has been modified.
Returns
policy
string
server
'1'
Indicates that the binding target is the server, and that the binding matches all queries.
view
string
Indicates that the binding target is a view, and that this binding matches all queries
handled by that view.
dns64.changed
Indicates that a dns64 layer has been modified.
Returns
name
string
layer.changed
Signals that a layer has changed.
Returns
name
Required
string
layer.provisioning-connected
Signals that a connection was (re)established to the provisioning server. layer.provisioning-
connected is only sent when a previous layer.provisioning-connection-failure event exists.
Returns
name
Required
string
layer.provisioning-connection-failure
Signals that a connection could not be established with the provisioning server, and that
CacheServe will continue to attempt to connect.
Returns
error
string
name
string
layer.provisioning-disconnected
Signals that the connection to the provisioning server was closed by the remote end of the
connection.
Returns
name
string
layer.provisioning-reimaging
Signals that provisioning is reimaging, either because this is the first synchronization with
the provisioning server, or because the database ID of the provisioning server has changed.
Returns
name
string
layer.provisioning-update-failure
Signals that an update failed.
Returns
error
string
name
string
layer.provisioning-update-success
Signals that an update was successful.
name
string
monitoring.changed
Indicates that the monitoring object has been modified.
Nominum monitoring manuals: Monitoring Query and Request Data on Nominum Engines and
Nominum statmon Utility and Query Store Command Reference.
name-group.changed
Indicates that a name-group has been modified.
Returns
name
string
name-list.changed
Indicates that a name-list has been modified.
Returns
name
string
name-node.changed
Indicates that a ratelimiter has been modified.
Returns
list
string
name
name
policy.changed
Indicates that a policy has been modified.
Returns
name
string
policy.hit
Indicates that a policy matched a query.
Returns
client
addrport
name
string
qname
name
qtype
rdatatype
view
string
ratelimiter.abate
Signals that a previously limited ratelimiter entry has not hit its limit(s) for 5 minutes.
Returns
bps
integer
client-network
addr
client-network-family
ipv4 | ipv6
client-network-mask-length
ipv6netlen
creation-time
float-seconds-since-epoch
entry-creation-time
float-seconds-since-epoch
fields
('client-network' | 'query-name' | 'query-type' ...)
last-limited-time
float-seconds-since-epoch
last-use-time
float-seconds-since-epoch
name
string
qps
integer
query-name
name
query-name-labels
name-label-count
query-type
rdatatype
unenforced
boolean
If this value is set, CacheServe will collect statistics, log messages and events related to
rate-limiting, but will not actually drop or truncate queries.
ratelimiter.changed
Indicates that a ratelimiter has been modified.
Returns
name
string
ratelimiter.onset
Signals that a previously limited ratelimiter entry has hit its limit(s).
Returns
bps
integer
client-network
addr
client-network-family
ipv4 | ipv6
client-network-mask-length
ipv6netlen
creation-time
float-seconds-since-epoch
entry-creation-time
float-seconds-since-epoch
fields
('client-network' | 'query-name' | 'query-type' ...)
last-limited-time
float-seconds-since-epoch
last-use-time
float-seconds-since-epoch
name
string
qps
integer
query-name
name
query-name-labels
name-label-count
query-type
rdatatype
unenforced
boolean
If this value is set, CacheServe will collect statistics, log messages and events related to
rate-limiting, but will not actually drop or truncate queries.
resolver.changed
Indicates that a resolver has been modified.
Returns
name
string
resolver.flush
Indicates that the resolver has flushed its cache.
Returns
name
string
target
('domain' name) | ('name' name)
resolver.id-spoofing-suspected
Indicates that CacheServe suspects an an ID spoofing attack; this event is issued under the
same conditions as the log message enabled by log-id-spoofing.
Returns
name
string
qname
name
qtype
rdatatype
selector.changed
Indicates that a named selector has been modified.
Returns
name
string
server.changed
Indicates that the server has been modified.
server.configuration-error
Indicates that an error occurred when applying a configuration change.
Returns
errors
string
object
string
server.formerr-loop
Indicates that CacheServe has detected a FORMERR loop with another server. FORMERR
loops consist of servers sending packets back and forth, and usually occur as the result of
a misconfiguration or malicious behavior.
Returns
address
addrport
The address and port of the other end of the FORMERR loop.
server.restart
Indicates that CacheServe is restarting.
server.stop
Indicates that CacheServe is shutting down.
server.tcp-client-limit
Indicates that the number of clients with open TCP connections exceeds the configured
value for max-tcp-clients.
server.udp-recursion-limit
Indicates that the number of UDP queries requiring recursion has exceeded the configured
value of max-recursive-clients.
telemetry.changed
Indicates that the telemetry object has been modified.
view-selector.changed
Indicates that a view-selector has been modified.
Returns
destination-address
addrport
The destination address required by the view-selector; all requests must match this value.
If the value includes a port number, the query's destination address must match both the
port number and the address.
source-address
addrport
The source address required by the view-selector; the client sending the request must have
an address originating within this network.
view.changed
Indicates that a view has been modified.
Returns
name
string
ACLs are evaluated by matching an IP address against each ACL element in turn.
An ACL matches if the IP address being evaluated matches the ACL element.
An ACL does not match if the IP address being evaluated either does not match the ACL
element, or the IP address being evaluated doesn't match any ACL element.
To match all IPv4 addresses, use 0.0.0.0/0. To match all IPv6 addresses, use ::/0.
acl-element
An Access Control List.
127.0.0.0/8
or
11:22::/16.
acl-element4
An Access Control List comprised of IPv4 addresses only, like
127.0.0.0/8
acl-element6
An Access Control List comprised of IPv6 addresses only, like
11:22::/16.
addr
An IP address.
addr-or-name
An IP address or domain name.
addr4
An IPv4 address.
addr6
An IPv6 address.
addrpat
An IP address with an optional netmask length, expressed as address or address/masklength.
Unless otherwise specified, mask length defaults to the full length of the address: 32 bits
for IPv4, and 128 bits for IPv6.
addrpat4
An IPv4 address with an optional netmask length, expressed as <ad dr> or
<addr>/<masklength>. When no mask length is specified, the mask length is assumed to
be the full length of the address (32 bits). The host portion of the address must be 0.
addrpat6
An IPv6 address with an optional netmask length, expressed as <ad dr> or
<addr>/<masklength>. When no mask length is specified, the mask length is assumed to
be the full length of the address (128 bits). The host portion of the address must be 0.
addrport
An IP address with an (optional) port, expressed as address or address/#port
addrport4
An IPv4 address with an (optional) port, expressed as address or address/#port
addrport6
An IPv6 address with an (optional) port, expressed as address or address/#port
addrport-or-name
Either an IP address with an optional port, expressed as addr or addr#port, or a domain
name with an optional port, expressed as name or name#port.
addrrange
A range of IP addresses expressed by a start and end address, separated by "-":
192.168.1.1-192.168.2.1
anonymization-key-file-path
The path to a key file used by CacheServe for client IP anonymization. Defaults to /etc/nom_
ipanon.key.
boolean
A true or false value.
Nominum software, when interpreting a boolean value, accepts the following values for
TRUE (all values are case-insensitive):
l "true"
l "t"
l "yes"
l positive integers
Accepts the following values for FALSE (all values are case-insensitive):
l "false"
l "f"
l "no"
l 0
dns-flag
A DNS header flag.
'aa': Authoritative answer.
dns-rcode
A DNS result code.
FORMERR: Format error.
NOERROR: No error.
NOTAUTH: Not authorized.
NOTIMP: Not implemented.
NOTZONE: Name not contained in zone.
edns-flag
A DNS extended header flag.
'do'
event-name
The name of a Nominum Command Channel event. May be any of the following:
'address-list.changed'
'address-node.changed'
'auth-monitoring.changed'
'binding.changed'
'dns64.changed'
'layer.changed'
'layer.provisioning-connected'
'layer.provisioning-connection-failure'
'layer.provisioning-disconnected'
'layer.provisioning-reimaging'
'layer.provisioning-update-failure'
'layer.provisioning-update-success'
'monitoring.changed'
'name-list.changed'
'name-node.changed'
'policy.changed'
'policy.hit'
'ratelimiter.abate'
'ratelimiter.changed'
'ratelimiter.onset'
'resolver.changed'
'resolver.flush'
'resolver.id-spoofing-suspected'
'server.changed'
'server.configuration-error'
'server.formerr-loop'
'server.restart'
'server.stop'
'server.tcp-client-limit'
'server.udp-recursion-limit'
'view-selector.changed'
'view.changed'
float-seconds-since-epoch
A floating-point number representing a time in seconds since the UNIX epoch (00:00 UTC,
January 1, 1970).
inspect-delegation-servers
Information about the name service at a delegation point in the cache.
Format:
({
addresses => ({
addresses => ({
address => addr
rtt => integer
} ...)
glue => boolean
immortal => boolean
origin => addr
status => string
ttl => integer
type => rdatatype
} ...)
server => name
status => {
status => string
ttl => integer
}
} ...)
integer
A 32-bit unsigned integer.
Integers may be signed or unsigned: signed integers may encompass negative numbers,
where unsigned integers may not.
ipv4netlen
A value between 1 and 32, representing the number of bits of for an IPv4 netmask.
ipv6netlen
A value between 1 and 128, representing the number of bits of for an IPv6 netmask.
kafka-configuration-field
Configures Kafka messaging for a partition of a topic. The brokers for the topic are
specified with the brokers option.
kafka-configuration-field
{
brokers => (addrport-or-name ...)
global-properties => {
<property> => string-empty-ok
...
}
partition => integer
topic => string
topic-properties => {
<property> => string-empty-ok
...
}
}
It is not necessary to list all brokers in the Kafka cluster, but for redundancy it is wise to list
more than one. The topic is specified with an appropriate value based on context.
The partition is specified with the partition option, and defaults to the unspecified partition
(-1) in producer contexts, and 0 in consumer contexts.
In keyed producer contexts where hashing is used to determine the partition, specifying
this option is meaningless.
brokers
Optional. Specifies the list of Kafka brokers.
global-properties
Optional. Specifies Kafka global properties.
Format:
{
<property> => string-empty-ok
...
}
partition
Optional. Specifies the Kafka partition. Defaults to -1.
Format: integer
If partition isn't specified, Kafka producers will use the unspecified partition (-1) and Kafka
consumers will use partition 0.
topic
Optional. Specifies the Kafka topic.
Format: string
If topic is not specified, a default appropriate to the given object is used: nom-dns-base for
the monitoring object, nom-dns-res for the auth-monitoring object, and nom-telemetry for
the telemetry object.
topic-properties
Format:
{
<property> => string-empty-ok
...
}
monitor-log-switch
A Command Channel flag denoting a type of command.
monitoring-statistics
{
messages-delivered => uint64
messages-dropped => uint64
messages-produced => uint64
queue-full => uint64
records-delivered => uint64
records-dropped => uint64
records-not-produced => uint64
records-produced => uint64
messages-delivered
The number of messages successfully delivered.
messages-dropped
The number of messages dropped.
messages-produced
The number of monitoring messages produced.
queue-full
The number of times the output queue was full. This statistic applies only to Kafka
connections.
records-delivered
The number of records successfully delivered. This statistic applies only to Kafka
connections.
records-dropped
The number of records dropped when producing. This statistic applies only to Kafka
connections.
records-not-produced
The number of request records that are intentionally not sent into the monitoring system.
This includes invalid records that the monitoring system could not usefully process.
This statistic is primarily useful for identifying differences between the Server object's
requests-recieved statistic and statistics produced by the statmon utility.
records-produced
The number of records produced.
name
A domain name. If the textual input is not a fully-qualified domain name, it will be
converted into an FQDN by using the root domain as the origin.
name-empty-ok
A domain name. If the textual input is not absolute, it will be converted into an absolute
name by using the root domain as the origin, with the exception of '@', which represents
the empty name and will not be made absolute.
name-label-count
A value between 0 and 128, representing the number of labels to retain in a DNS name,
starting from the least specific and moving to most specific.
The root label is included in this count. A value of 0 means to use the entire name,
unaltered.
policy-action
Specifies an action to be taken on a query. Some actions only have an effect at certain
points in the query process.
Format:
('answer-cname' string)
'answer-noerror'
'answer-nxdomain'
('answer-ttl' (((rdatatype, rdata) ...), ttl)) ('answer'
((rdatatype, rdata) ...)) ('assign' (string name))
('dns64' string)
('dns64-reverse' string)
'drop'
'fail'
'no-op'
'refuse'
'send-event'
('sort-addresses' ((string ...), boolean))
'stop'
'truncate'
Adds annotations, which will be recorded by statmon. The annotation is specified as a key
and a value, and is a non-terminal action.
Synthesizes an answer for a query. The answer is specified as a tuple of rdatatype and
rdata, where:
The returned answer will always have a TTL of 0; if you want a non-zero TTL, use answer-ttl
instead.
Synthesizes an answer for a query, optionally using a different query name or resolver. The
name may be specified as a variable or a literal domain name. If both are specified, and
the variable has been assigned to a valid domain name, the variable takes precedence. If a
resolver is specified, it is used instead of the resolver normally associated with the query.
('answer-byname' name)
Stage: Prequery, postquery
Synthesizes an answer for a query. name is a DNS name, and CacheServe uses name
instead of the query name when determining the answer. The answer can come from
cache, or it can come as the result of a DNS resolution (as if the name was queried
directly).
('answer-byresolver' string)
Stage: Prequery, postquery
Answers the query using the resolver specified by stringinstead of the resolver normally
associated with the query.
answer-byresolver uses the specified resolver to retrieve the answer to the query. The
appropriate response (e.g. an RRset if found, is returned from the alternate resolver to the
policy running the query as if it had been found by the original resolver. Resolver options
that affect packet generation (rrset-order, max-client-ttl) and statistics use the original
resolver.
('answer-cname' string)
Stage: Prequery, postquery
Synthesizes an answer containing a CNAME. The CNAME is specified as a DNS name, and
that DNS name is used as the target of the CNAME. The CNAME is added to the DNS
response and then followed.
'answer-noerror'
Stage: Prequery, postquery
'answer-nxdomain'
Stage: Prequery, postquery
Synthesizes an answer for a query. The answer is specified as a tuple of rdatatype and
rdata, with an optional ttl that affects all records in the answer:
('dns64' string)
Stage: Postquery
Applies DNS64 transformation, if the query is for the AAAA type, and the result is either:
l The name occurs and no AAAA records exist
('dns64-reverse' string)
Stage: Prequery, postquery
If the query is for type PTR and the qname matches the specified dns64 object, applies
DNS64 reverse transformation.
'drop'
Stage: All
'fail'
Stage: All
'no-op'
Stage: All
Do nothing. This is a non-terminal action, and has no effect; this action is useful when you
want to match a policy without taking any action.
'refuse'
Stage: All
'send-event'
Stage: All
Sorts answers according to a defined set of priorities. Priorities are defined as an ordered
list of address-lists, with the first address-list in the list having the highest priority.
The priority of each address in the answer is based on the position of the address-list that
contains it. CacheServe determines which address-list contains an address by either exactly
matching the address, or using the closest matching network.
The boolean denotes 'remove-unmatched', and controls CacheServe's behavior when some
addresses in the answer don't match any address-list:
Stops executing the current set of bindings (defined as all bindings in the current stage in
the query process).
'truncate'
Stage: All
If the query was received over UDP, returns a "truncated" response. If the query was
received over TCP, has no effect.
policy-calendar-selector
A local-time-zone-based policy selector configuration.
Format:
{
end-time => string
not-after => string
not-before => string
start-time => string
time-zone => string
week-days => (string ...)
}
l After not-before
l Prior to not-after
Both not-before and not-after are specified as yyyymmddThhmmss, where yyyy indicates the
year, mm indicates the numeric month, dd indicates the numeric day, T is a literal 'T' acting
as a delimiter, hh indicates the hour (on a 24-hour clock), mm indicates minutes, and ss
indicates seconds.
time-zone is specified as a string that matches an entry in the 'TZ' column of the IANA tzdb.
week-days takes the form of a list of strings denoting the day of the week. Valid week-days
are su, mo, tu, we, th, fr, and sa.
policy-result-type
The result of a policy.
Format:
'cname' | 'dname' | 'failure' | 'noerror' | 'nxdomain' | 'nxrrset'
Result Description
noerror The lookup succeeded: the queried name exists and records of the queried
type exist at the queried name.
nxdomain The lookup resulted in an NXDOMAIN response: the queried name does not
exist.
policy-selector
Criteria for selecting a policy to apply to a query. It's important to note that some selectors
have an effect only at certain points in the query process.
Format:
('device-id' string)
'initial-qname'
('named-selector' string)
('not' (policy-selector))
('or' (policy-selector ...))
('qflag' 'AD' | 'CD' | 'DO' | 'EDNS' | 'RD')
('qname' (string, 'exact' | 'exact-or-www' | 'subdomain'))
('qname-in-group' string)
('qname-is' (name, 'exact' | 'exact-or-www' | 'proper-
subdomain' | 'subdomain'))
('qname-prefix' string)
('qtype' (rdatatype ...))
('ratelimiter' string)
('response-size' uint16)
('result' (policy-result-type ...))
('server-address' string)
('synthesized')
('type-exists-at-qname' rdatatype)
Compound selector; matches only if all selectors in the set of selectors match.
('answer-address' string)
Stage: Postquery
Matches if the response contains A or AAAA records, and any address in the set of
responses matches an IP address or a network on the list.
('client-address' string)
Stage: All
Matches if the client address matches an IP address or network in the specified acl-
element.
('destination-address' string)
Stage: All
Matches if the destination address of the client's query matches an IP address or network
on the list.
Matches if the destination address of the client's query matches an IP address or network
in the specified acl-element.
('device' (string)
Stage: All
Matches if the query contains a nom-device-id EDNS option, and both the content of the
option and the current view match a device-node on the list.
Matches if the query contains a nom-device-id EDNS option, and the content of the option
matches one of the strings in this list.
('device-id' string)
Stage: All
Matches if the query contains a nom-device-id EDNS option, and the content of the option
matches this value.
'initial-qname'
Stage: All
Matches if the current query name matches the query name in the received packet (no
CNAME or DNAME has been followed).
('named-selector' string)
Stage: All
Executes the specified named selector and matches if the specified named selector
matches.
('not' (policy-selector))
Stage: All
Matches if the query class matches one of the query classes associated with the selector.
Matches if the query has the corresponding flag set. RD, AD and CD correspond to flags in
the DNS header. DO corresponds to the extended flag in the EDNS OPT record. EDNS
corresponds to the presence of an EDNS OPT record.
Matches if the query name matches an entry on the name-list. exact specifies an exact
match, exact-or-www specifies an exact match where the www prefix, if present, is ignored,
proper-subdomain specifies a proper subdomain match, and subdomain specifies a
subdomain match.
l prequery or postquery, the selector refers to the current query name, which may be
the result of a followed CNAME or DNAME.
l presend, the selector refers to the query name from the DNS packet.
('qname-in-group' string)
Stage: Varies: see below
Matches if the query name matches any of the lists associated with the specified name-
group, using the matching criteria associated with each name-list in the group.
l prequery or postquery, the selector refers to the current query name, which may be
the result of a followed CNAME or DNAME.
l presend, the selector refers to the query name from the DNS packet.
('qname-is' (name, 'exact' | 'exact-or-www' | 'proper-subdomain' | 'sub-
domain'))
Stage: Varies: see below
Matches if the query name matches name. exact specifies an exact match, exact-or-www
specifies an exact match where the www prefix, if present, is ignored, proper-subdomain
specifies a proper subdomain match, and subdomain specifies a subdomain match.
l prequery or postquery, the selector refers to the current query name, which may be
the result of a followed CNAME or DNAME.
l presend, the selector refers to the query name from the DNS packet.
('qname-prefix' string)
Stage: Varies: see below
Matches if a name consisting of the query name's prefix (first label) exactly matches a
query name on a name-list. Never match the root name.
l prequery or postquery, the selector refers to the current query name, which may be
the result of a followed CNAME or DNAME.
l presend, the selector refers to the query name from the DNS packet.
('ratelimiter' string)
Stage: All
Matches UDP queries when the TCP and UDP query rate from matched clients exceeds the
thresholds of the specified ratelimiter.
('response-size' uint16)
Stage: Presend
Matches if the size of the response packet is greater than or equal to the specified value.
('server-address' string)
Stage: Postquery
Matches if the address of the authoritative server that originally provided the response
matches an entry in the address-list.
('synthesized')
Stage: Postquery, presend
('type-exists-at-qname' rdatatype)
Stage: All
Matches if there are any records of the specified rdatatype at the current query name.
port-mask
A 16-bit unsigned integer representing a port mask. May be specified as hexadecimal,
octal, or decimal values. Hex values begin with 0x and octal values begin with 0.
positive-integer
A 32-bit unsigned integer greater than 0.
provisioning-status
Identifies the status of the current provisioning session. The status value indicates the
current status.
Format:
{
current-time => seconds-since-epoch
database-id => string
error => string
last-update => seconds-since-epoch
status => string
versions => {
<name> => string-empty-ok
...
}
}
Status values
Status Description
initial Initializing
When a recoverable error occurs (like a connection being dropped), the provisioning client
will close the current connection and start over with the initial state and a fresh session.
Non-recoverable errors create a faulted state, and you will have to manually intervene to
fix them, either by issuing a layer.clear-fault command or breaking the connection to the
provisioning server.
ratelimiter-statistics
{
all-indications => uint64
current-entry-count => uint64
current-limited-count => uint64
expiring-entry-age => uint64
indications-by-bps => uint64
indications-by-qps => uint64
uses => uint64
}
all-indications
The number of times a ratelimiter has limited a query for any reason.
current-entry-count
The number of ratelimit entry slots in use. This number will increase to the maximum
configured value, and will not typically decrease unless the rate limiter is configured.
If all slots are in use, older ones will be evicted. If the older slots are evicted too quickly,
especially if they are limited when they are evicted, this indicates rate limiting may not be
effective. See expiring-entry-age and current-limited-count for more information.
current-limited-count
The number of ratelimit entry slots which are currently limited.
expiring-entry-age
The time, in microseconds, that a rate limiting tracking entry was last used before it was
destroyed. If this is cycling quickly, it indicates there may not be sufficient rate limiting
entries confgured to effectively enforce rate limiting.
indications-by-bps
The number of times a ratelimiter has limited a query based on the BPS threshold.
indications-by-qps
The number of times a ratelimiter has limited a query based on the QPS threshold.
uses
The number of times the ratelimiter has been asked to make a decision to limit a query or
allow it to proceed.
rdata
DNS RDATA (RFC1035), represented as a text string.
rdataclass
A DNS rdata class. This is typically IN for the Internet class, but other classes such as CH
and HS are also supported.
rdatatype
A DNS rdata type.
report-max-memory-arg
The maximum amount of memory statmon will use to maintain all report intervals for a
single source, in bytes. By default, there is no limit. The minimum permissible value is 1M.
resolver-statistics
{
active-recursions => uint64
cache-misses => uint64
dnssec-validations-failure => uint64
dnssec-validations-insecure => uint64
dnssec-validations-success => uint64
dropped-recursions => uint64
id-spoofing-defense-queries => uint64
ignored-referral-lookups => uint64
interrupted-before-recursion => uint64
interrupted-recursion-waits => uint64
interrupted-recursions => uint64
lookups => uint64
proactive-lookups => uint64
queries => uint64
queued-prefetches => uint64
active-recursions
The number of recursions currently in progress.
cache-misses
The number of cache misses that have occurred as part of resolutions. The number of
cache misses is not strictly related to the number of queries received, as one query may
result in zero, one, or multiple cache misses.
The number of cache hits may be calculated as the difference between lookups and cache-
misses.
dnssec-validations-failure
The number of failed DNSSEC validations.
dnssec-validations-insecure
The number of DNSSEC validations which determined that the data being validated is
provably insecure.
dnssec-validations-success
The number of successful DNSSEC validations.
dropped-recursions
The number of recursions preemptively dropped due to excessive load. A dropped
recursion typically leads to a query not receiving a response.
id-spoofing-defense-queries
The number of times a query has been sent to an authoritative server using TCP instead of
UDP in order to defend against suspected ID spoofing attacks.
ignored-referral-lookups
The number of referrals ignored as part of subdelegation attack defenses. Ignoring some
referrals is a normal part of the server-s defense strategy and does not indicate that the
interrupted-before-recursion
The number of times that query processing was interrupted because of excessive load,
before either starting a recursion or joining an existing recursion. An interrupted recursion
typically leads to a SERVFAIL response.
interrupted-recursion-waits
The number of times that query processing was interrupted due to an interrupting while
CacheServe was waiting for an existing resolution to complete. An interrupted recursion
typically leads to a SERVFAIL response.
interrupted-recursions
The number of recursions interrupted due to excessive load. An interrupted recursion
typically leads to a SERVFAIL response.
lookups
The number of DNS lookups performed by this resolver. This is different from queries
because resolving a single client DNS query can involve multiple lookups due to following
CNAME or DNAME chains, looking up name server addresses and DNSSEC keys, root server
priming, etc.
proactive-lookups
The number of proactive DNS queries (queries performed as part of prefetching) issued.
queries
The number of queries processed by this resolver.
queued-prefetches
The number of prefetches queued due to excessive load. A prefetch is queued when there
are no available recursion slots and the name matches an entry on the resolver's
prioritized-domains list.
rate-limited-requests
The number of DNS requests not sent by this resolver to other DNS servers as a result of
server-based rate-limiting.
recursive-lookups
The number of DNS lookups (as reported in lookups) that could not be satisfied from the
cache.
requests-sent
The number of DNS requests sent to other DNS servers from this resolver.
responses-by-rcode
The number of responses sent with each DNS result code (dns-rcode). The most common
rcode values are NOERROR (the name queried for exists), NXDOMAIN (the name queried
for does not exist), and SERVFAIL (a failure occurred processing the request).
tcp-requests-sent
The number of DNS request messages sent to other DNS servers using TCP from this
resolver. This includes TCP requests made due to UDP message truncation as well as those
made due to suspected ID spoofing attacks.
seconds-since-epoch
A 64-bit unsigned integer representing a time in seconds since the epoch (00:00 UCT,
January 1, 1970).
server-statistics
{
formerr-loop-dropped => uint64
lookups => uint64
malformed-requests-dropped => uint64
rate-limited-requests => uint64
recursion-contexts-in-use => uint64
recursive-lookups => uint64
requests-no-view => uint64
requests-received => uint64
requests-sent => uint64
responses-received => uint64
responses-sent => uint64
suppressed-duplicate-queries => uint64
tcp-clients => uint64
tcp-connections-accepted => uint64
tcp-connections-rejected => uint64
tcp-requests-sent => uint64
}
formerr-loop-dropped
The number of DNS requests for which a FORMERR loop was detected (see the
server.formerr-loop event) and for which no response was sent.
lookups
The total number of DNS lookups performed. Note that this does not match the number of
incoming queries, because resolving a single client DNS query can result in multiple
lookups due to CNAME or DNAME chains, looking up nameserver addresses and DNSSEC
keys, root server priming, and so forth.
malformed-requests-dropped
The number of DNS requests received which were so malformed that CacheServe dropped
them immediately, without further processing. This includes packets which didn't include a
full DNS header, or packets for which the DNS header indicated a DNS response, not a
request.
rate-limited-requests
The number of DNS requests not sent to other DNS servers due to server-based rate-
limiting.
recursion-contexts-in-use
The number of clients currently executing recursive DNS lookups. This cannot exceed the
limit configured in the server's max-recursive-clients field.
recursive-lookups
The total number of DNS lookups (as reported in lookups) that CacheServe could not
satisfy from the cache.
requests-no-view
The number of DNS requests refused because they did not match any of the configured
view-selectors.
requests-received
The number of DNS requests received from clients.
requests-sent
The number of DNS requests sent to other DNS servers.
responses-received
The number of DNS responses received from other DNS servers.
responses-sent
The number of DNS responses sent to clients.
suppressed-duplicate-queries
The number of queries dropped because the source address, source port, and query ID
exactly matched a query already being processed. Typically, this kind of match indicates a
malicious or misbehaving client.
tcp-clients
The current number of open TCP connections from clients. This cannot exceed the limit
configured in the server's max-tcp-clients field.
tcp-connections-accepted
The number of TCP connections accepted from clients. This may not match the number of
TCP requests received, because there may be multiple connections sent over a connection,
or there may be none in some cases.
tcp-connections-rejected
The number of TCP connections rejected due to the limit configured in max-tcp-clients.
tcp-requests-sent
The number of DNS request messages sent to other DNS servers using TCP. This includes
TCP requests made due to UDP message truncation as well as those made due to
suspected query ID spoofing attacks.
sizeval
An integer optionally followed by a scaling factor: K or k for kilobytes, M or m for
megabytes, and G or g for gigabytes, which scale by 1024, 1024*1024, and 1024*1024*1024,
respectively.
std-layered-edit-operation
A layered configuration edit operation. Takes the form
('defaults' (string ...)) | ('hide' (string ...))
Parameter Description
('defaults' (string ...)) The "defaults" edit takes a list of of field names
and sets them back to their default values.
string
A simple text string.
string-empty-ok
A string which may be empty.
telemetry-statistics
{
messages-delivered => uint64
messages-dropped => uint64
messages-produced => uint64
queue-full => uint64
records-delivered => uint64
records-dropped => uint64
records-produced => uint64
messages-delivered
The number of messages successfully delivered to Kafka.
messages-dropped
The number of messages dropped when producing into Kafka. In general, this occurs when
the server is unable to send to the leader for a partition, and small drops may occur when
Kafka leadership changes.
messages-produced
The number of messages produced (queued) into Kafka.
queue-full
queue-full refers to Kafka's internal queue for sent messages, and indicates time spent by
CacheServe waiting for Kafka to accept produced messages. The value of the statistic is the
number of times that the Kafka cluster informed CacheServe that the queue was full when
CacheServe tried to produce messages.
records-delivered
The number of records successfully delivered to Kafka.
records-dropped
The number of records dropped when producing into Kafka. In general, this occurs when
CacheServe can't contact the current leader for a given partition. During leadership
changes, you may see small drops: this is normal.
records-produced
The number of records produced (queued) into Kafka.
threshold-abate
A 32 bit unsigned integer representing the QPS at which a threshold will become inactive.
threshold-duration
A 32 bit unsigned integer representing the time in seconds over which to track data for a
threshold.
threshold-onset
A 32 bit unsigned integer representing the QPS at which a threshold will become active.
time-in-microseconds
A floating-point number representing a number of seconds with microsecond precision.
time-in-seconds
A 64-bit unsigned integer representing an amount of time in seconds. The integer may be
followed by a scaling factor:
s or S Seconds
m or M Minutes
h or H Hours
d or D Days
w or W Weeks
ttl
A DNS TTL. This is similar to a scaled time value, except that it can contain mixed units
(1d1h, for example).
uint16
A 16-bit unsigned integer.
uint64
A 64-bit unsigned integer.
unparsed
Data with no defined structure.
uuid
A universially unique identifier (UUID).
versioncheck-days
An integer between 1 and 30.
Migration guidelines
1. Don't convert your database in the working directory. Convert your database
somewhere other than /var/nom/cacheserve, like /tmp. Only move the converted data-
base once you are sure the conversion is complete and the results are to your liking.
2. Not all parts of a Vantio CacheServe 5 configuration can be automatically con-
verted; more complicated Vantio configurations may require additional help.
Migration procedure
To migrate from Vantio CacheServe 5 to Vantio CacheServe 7:
3. Import the dumped Vantio CacheServe 5 data into the Vantio CacheServe 7 database:
shell# /usr/local/nom/sbin/cacheserve-convertconf -c
/var/nom/cacheserve/cacheserve <file>
where <file> represents the name of the file containing the dumped Vantio
CacheServe 5 data.
4. If you are satisfied with the results of the import, stop Vantio CacheServe 5, and start
Vantio CacheServe 7:
shell# /usr/local/nom/sbin/nom-tell vantio stop
5. If you encounter unresolvable problems, you can revert to your previous Vantio
CacheServe 5 installation by restoring any changes that you made to startup scripts in
step 1, and starting Vantio.
1. Create the directory in which you are going to run CacheServe. You can use
/var/nom/cacheserve if that's convenient.
2. Choose the user as which you are going to run CacheServe (create the user, if neces-
sary).
3. Make sure that the chroot directory and all the files in it are owned by that user:
%> chown -R username chroot-directory
4. Make sure that the directory has the right permissions for that user:
%> chmod 700 chroot-directory
CACHESERVE_ROOTDIR="chroot-directory"
CACHESERVE_USER="username"
6. Start CacheServe.
Note: If you stop the server and modify files in the chroot directory using something like
cacheserve-loadconf, you should repeat steps 3 and 4 to make sure ownership and
permissions are correct.
General changes
The following CacheServe 5 features are no longer supported:
l DNSAUTH.
l DNS classes other than IN (with the exception of magic CHAOS TXT queries).
l Lock files.
l The default DNS port can only be specified on the command line (see --dns-port).
Server object
The following server object features are no longer supported:
l server.layer-order. Layer ordering is now controlled by the layer object's priority field.
l check-responses.
l delegation-only.
l Most view-level statistics have their equivalent in resolver-statistics, with the following
exceptions:
l The cache cannot be dumped. Use resolver.inspect to view the cache contents.
l All managed-keys commands have been replaced with the managed-keys field, and
the managed-keys-state field returned by resolver.get or resolver.mget.
DNS64 objects
l DNS64 has been simplified and integrated into the policy engine.
l DNS64 processing is enabled using the dns64 and dns64-reverse policy actions.
Statistics
l For anything other than simple counters, use the Statmon utility instead.
Command channel
l Interactions with the actual Command Channel connection, like enabling events, are
managed by the connection object.
l list-bindings and composite lists no longer exist, including the LVP exact selector.
l The log action has been removed; use the Nominum statmon utility instead.
l Policy bindings now have a when field, which defines the point in the query process
Database
Checkpoints are now automatically carried out at 3 hours and 5 minutes past midnight at
local server time. To explicitly trigger a checkpoint, use server.checkpoint.
Monitoring
Monitoring functions are now provided entirely by the Nominum statmon utility,
supported by CacheServe 7 with the auth-monitoring and monitoring configuration
elements.
Ratelimiting
Ratelimiting is discussed in detail in Ratelimiting.
Many of the ratelimiting features from earlier CacheServe releases have changed:
post-edits 146
name 146
auth-server-list.update 246 B
C --address 134
--udp-acl 125
delete method 60
resolver.inspect 382
name-node.changed 485
exclude foreground
important files K
inspect-forwarders last-use-time
log managed-keys-state
log-dnssec mapped
NOMINUM-SMI-MIB 109
O observer-address 114
qname 514
qr header 499 R
log-id-spoofing 184
configuring 107
tcp-clients 524
unenforced versioncheck-interval
V errors 207
source-port-prefix 208 W
view-selector.changed 493 Y
view-selector.delete 461 YXDOMAIN 500
view-selector.get 461 YXRRSET 500
view-selector.list 462 Z
view-selector.mget 464, 467 Zookeeper 67
view-selector.query 465
view-selector.replace 466
view-selector.update 469
view.add 470
view.changed 494
view.delete 471
view.get 472
view.list 473
view.mget 473
view.replace 475
view.update 476