glfs/server/other/bind.xml

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
   "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd" [
  <!ENTITY % general-entities SYSTEM "../../general.ent">
  %general-entities;

<!ENTITY bind-download-http "http://gd.tuwien.ac.at/infosys/servers/isc/bind9/&bind-version;/bind-&bind-version;.tar.gz">
<!ENTITY bind-download-ftp "ftp://ftp.isc.org/isc/bind9/&bind-version;/bind-&bind-version;.tar.gz">
<!ENTITY bind-size "4.6 MB">
<!ENTITY bind-buildsize "138 MB">
<!ENTITY bind-time "0.67 SBU">

]>

<sect1 id="bind" xreflabel="BIND-&bind-version;">
<sect1info>
<othername>$LastChangedBy$</othername>
<date>$Date$</date>
</sect1info>
<?dbhtml filename="bind.html"?>
<title><acronym>BIND</acronym>-&bind-version;</title>

<sect2>
<title>Introduction to <application><acronym>BIND</acronym></application></title>

<para>The <application><acronym>BIND</acronym></application> package
provides a <acronym>DNS</acronym> server and client utilities. If you
are only interested in the utilities, refer to the <xref linkend="bind-utils"/>.</para>

<sect3><title>Package information</title>
<itemizedlist spacing='compact'>
<listitem><para>Download (HTTP): <ulink url="&bind-download-http;"/></para></listitem>
<listitem><para>Download (FTP): <ulink url="&bind-download-ftp;"/></para></listitem>
<listitem><para>Download size: &bind-size;</para></listitem>
<listitem><para>Estimated Disk space required: &bind-buildsize;</para></listitem>
<listitem><para>Estimated build time: &bind-time;</para></listitem></itemizedlist>
</sect3>

<sect3><title><application><acronym>BIND</acronym></application> dependencies</title>
<sect4><title>Optional</title>
<para>
<xref linkend="openssl"/>,
<xref linkend="db"/>,
<xref linkend="openjade"/> and
<xref linkend="jadetex"/>
</para></sect4>
</sect3>

</sect2>

<sect2>
<title>Installation of <application><acronym>BIND</acronym></application></title>

<para>Install <application><acronym>BIND</acronym></application> by
running the following commands:</para>

<screen><userinput><command>./configure --prefix=/usr --sysconfdir=/etc &amp;&amp;
make &amp;&amp;
make install</command></userinput></screen>

</sect2>

<sect2>
<title>Configuring
<application><acronym>BIND</acronym></application></title>

<sect3><title>Config files</title>
<para><filename>named.conf</filename>, <filename>root.hints</filename>,
<filename>127.0.0</filename>, <filename>rndc.conf</filename></para>
</sect3>

<sect3><title>Configuration Information</title>

<para><application><acronym>BIND</acronym></application> will configured
to run in a chroot jail as an unprivileged user (named). This configuration 
is more secure in that a <acronym>DNS</acronym> compromise can only affect 
a few files in the named user's <envar>HOME</envar> directory.</para> 

<para>Create the unprivileged user and group named:</para>

<screen><userinput><command>groupadd named &amp;&amp;
useradd -m -g named -s /bin/false named</command></userinput></screen>

<para>Set up some files, directories and devices needed by
<application><acronym>BIND</acronym></application>:</para>

<screen><userinput><command>cd /home/named &amp;&amp;
mkdir -p dev etc/namedb/slave var/run &amp;&amp;
mknod /home/named/dev/null c 1 3 &amp;&amp;
mknod /home/named/dev/random c 1 8 &amp;&amp;
chmod 666 /home/named/dev/{null,random} &amp;&amp;
mkdir /home/named/etc/namedb/pz &amp;&amp;
cp /etc/localtime /home/named/etc</command></userinput></screen>

<para>Then, generate a key for use in the <filename>named.conf</filename> 
and <filename>rdnc.conf</filename> files using the 
<command>rndc-confgen</command> command:</para>

<screen><userinput><command>rndc-confgen -b 512 | grep -m 1 "secret" | cut -d '"' -f 2</command></userinput></screen>

<para>Create the <filename>named.conf</filename> file from which named
will read the location of zone files, root name servers and secure
<acronym>DNS</acronym> keys:</para>

<screen><userinput><command>cat &gt; /home/named/etc/named.conf &lt;&lt; "EOF"</command>
 options {
     directory "/etc/namedb";
    pid-file "/var/run/named.pid";
    statistics-file "/var/run/named.stats";
       
 };
 controls {
     inet 127.0.0.1 allow { localhost; } keys { rndc_key; };
 };
 key "rndc_key" {
     algorithm hmac-md5;
     secret "<replaceable>[Insert secret from rndc-confgen's output here]</replaceable>";
 };
 zone "." {
     type hint;
     file "root.hints";
 };
 zone "0.0.127.in-addr.arpa" {
     type master;
     file "pz/127.0.0";
 };
<command>EOF</command></userinput></screen>

<para>Create the <filename>rndc.conf</filename> with the following commands:</para>
                                                                                                                     
<screen><userinput><command>cat &gt; /etc/rndc.conf &lt;&lt; "EOF"</command>
key rndc_key {
algorithm "hmac-md5";
    secret
    "<replaceable>[Insert secret from rndc-confgen's output here]</replaceable>";
    };
options {
    default-server localhost;
    default-key    rndc_key;
};
<command>EOF</command></userinput></screen>
                                                                                                                     
<para>The <filename>rndc.conf</filename> file contains information for
controlling named operations with the <command>rndc</command>
utility.</para>

<para>Create a zone file with the following contents:</para>

<screen><userinput><command>cat &gt; /home/named/etc/namedb/pz/127.0.0 &lt;&lt; "EOF"</command>
$TTL 3D
@      IN      SOA     ns.local.domain. hostmaster.local.domain. (
                        1       ; Serial
                        8H      ; Refresh
                        2H      ; Retry
                        4W      ; Expire
                        1D)     ; Minimum TTL
                NS      ns.local.domain.
1               PTR     localhost.
<command>EOF</command></userinput></screen>

<para>Create the <filename>root.hints</filename> file with the following
commands:</para>

<note><para>Caution must be used to ensure no leading spaces in this
file.</para></note>

<screen><userinput><command>cat &gt; /home/named/etc/namedb/root.hints &lt;&lt; "EOF"</command>
.                       6D  IN      NS      A.ROOT-SERVERS.NET.
.                       6D  IN      NS      B.ROOT-SERVERS.NET.
.                       6D  IN      NS      C.ROOT-SERVERS.NET.
.                       6D  IN      NS      D.ROOT-SERVERS.NET.
.                       6D  IN      NS      E.ROOT-SERVERS.NET.
.                       6D  IN      NS      F.ROOT-SERVERS.NET.
.                       6D  IN      NS      G.ROOT-SERVERS.NET.
.                       6D  IN      NS      H.ROOT-SERVERS.NET.
.                       6D  IN      NS      I.ROOT-SERVERS.NET.
.                       6D  IN      NS      J.ROOT-SERVERS.NET.
.                       6D  IN      NS      K.ROOT-SERVERS.NET.
.                       6D  IN      NS      L.ROOT-SERVERS.NET.
.                       6D  IN      NS      M.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.     6D  IN      A       198.41.0.4
B.ROOT-SERVERS.NET.     6D  IN      A       128.9.0.107
C.ROOT-SERVERS.NET.     6D  IN      A       192.33.4.12
D.ROOT-SERVERS.NET.     6D  IN      A       128.8.10.90
E.ROOT-SERVERS.NET.     6D  IN      A       192.203.230.10
F.ROOT-SERVERS.NET.     6D  IN      A       192.5.5.241
G.ROOT-SERVERS.NET.     6D  IN      A       192.112.36.4
H.ROOT-SERVERS.NET.     6D  IN      A       128.63.2.53
I.ROOT-SERVERS.NET.     6D  IN      A       192.36.148.17
J.ROOT-SERVERS.NET.     6D  IN      A       192.58.128.30
K.ROOT-SERVERS.NET.     6D  IN      A       193.0.14.129
L.ROOT-SERVERS.NET.     6D  IN      A       198.32.64.12
M.ROOT-SERVERS.NET.     6D  IN      A       202.12.27.33
<command>EOF</command></userinput></screen>

<para>The <filename>root.hints</filename> file is a list of root name
servers. This file must be updated periodically with the
<command>dig</command> utility.
Consult the <ulink url="http://www.bind9.net/Bv9ARM.html"><application><acronym>BIND</acronym></application> 9 Administrator Reference Manual</ulink> for
details.</para>

<para>Create or modify <filename>resolv.conf</filename> to use the new
name server with the following commands:</para>

<note><para>Replace yourdomain.com with your own valid domain
name.</para></note>

<screen><userinput><command>cp /etc/resolv.conf /etc/resolv.conf.bak &amp;&amp;
cat &gt; /etc/resolv.conf &lt;&lt; "EOF"</command>
search <replaceable>[yourdomain.com]</replaceable>
nameserver 127.0.0.1
<command>EOF</command></userinput></screen>

<para>Set permissions on the chroot jail with the following
command:</para>

<screen><userinput><command>chown -R named.named /home/named</command></userinput></screen>

<para>To start the DNS server at boot, install the <filename>/etc/rc.d/init.d/bind</filename>
init script included in the <xref linkend="intro-important-bootscripts"/> package.</para>
                                                                                                                
<screen><userinput><command>make install-bind</command></userinput></screen>

<para>Now start <application><acronym>BIND</acronym></application> with
the new boot script:</para>

<screen><userinput><command>/etc/rc.d/init.d/bind start</command></userinput></screen>

</sect3>

<sect3><title>Testing <application><acronym>BIND</acronym></application></title>

<para>Test out the new
<application><acronym>BIND</acronym></application> 9 installation. First
query the local host address with <command>dig</command>:</para>

<screen><userinput><command>dig -x 127.0.0.1</command></userinput></screen>

<para>Now try an external name lookup, taking note of the speed
difference in repeated lookups due to the caching. Run the dig command
twice on the same address:</para>

<para><screen><userinput><command>dig www.linuxfromscratch.org &amp;&amp;
dig www.linuxfromscratch.org</command></userinput></screen>
You can see almost instantaneous results with the named caching lookups.
Consult <filename>bind-&bind-version;/doc/arm/Bv9ARM.html</filename>,
the <application><acronym>BIND</acronym></application> Administrator
Reference Manual for further configuration options.</para>

</sect3>

</sect2>

<sect2>
<title>Contents</title>

<para>The <application><acronym>BIND</acronym></application> package contains
<command>dig</command>,
<command>host</command>,
<command>isc-config.sh</command>,
<command>nslookup</command>,
<command>rndc</command>,
<command>rndc-confgen</command>,
<command>named-checkconf</command>,
<command>named-checkzone</command>,
<command>lwresd</command>,
<command>named</command>,
<command>dnssec-signzone</command>,
<command>dnssec-signkey</command>,
<command>dnssec-keygen</command>,
<command>dnssec-makekeyset</command> and
<command>nsupdate</command>.</para>
</sect2>

<sect2><title>Description</title>

<sect3><title>dig</title>
<para><command>dig</command> interrogates <acronym>DNS</acronym>
servers.</para></sect3>

<sect3><title>host</title>
<para><command>host</command> is a utility for <acronym>DNS</acronym>
lookups.</para></sect3>

<sect3><title>nslookup</title>
<para><command>nslookup</command> is a program used to query Internet
domain nameservers.</para></sect3>

<sect3><title>rndc</title>
<para><command>rndc</command> controls the operation of
<application><acronym>BIND</acronym></application>.</para></sect3>

<sect3><title>rndc-confgen</title>
<para><command>rndc-confgen</command> generates
<filename>rndc.conf</filename> files.</para></sect3>

<sect3><title>named-checkconf</title>
<para><command>named-checkconf</command> checks the syntax of
<filename>named.conf</filename> files.</para></sect3>

<sect3><title>named-checkzone</title>
<para><command>named-checkzone</command> checks zone file
validity.</para></sect3>

<sect3><title>lwresd</title>
<para><command>lwresd</command> is a caching-only name server for local
process use.</para></sect3>

<sect3><title>named</title>
<para><command>named</command> is the name server daemon.</para></sect3>

<sect3><title>dnssec-signzone</title>
<para><command>dnssec-signzone</command> generates signed versions of
zone files.</para></sect3>

<sect3><title>dnssec-signkey</title>
<para><command>dnssec-signkey</command> signs zone file key
sets.</para></sect3>

<sect3><title>dnssec-keygen</title>
<para><command>dnssec-keygen</command> is a key generator for secure
<acronym>DNS</acronym>.</para></sect3>

<sect3><title>dnssec-makekeyset</title>
<para><command>dnssec-makekeyset</command> generates a key set from one
or more keys created by dnssec-keygen.</para></sect3>

<sect3><title>nsupdate</title>
<para><command>nsupdate</command> is used to submit
<acronym>DNS</acronym> update requests.</para></sect3>

</sect2>

</sect1>