glfs/server/major/bind.xml


<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd" [
<!ENTITY % general-entities SYSTEM "../../general.ent">
%general-entities;
<!-- Inserted as a reminder to do this. The mention of a test suite
is usually right before the root user installation commands. Please
delete these 12 (including one blank) lines after you are done.-->
<!-- Use one of the two mentions below about a test suite,
delete the line that is not applicable. Of course, if the
test suite uses syntax other than "make check", revise the
line to reflect the actual syntax to run the test suite -->
<!-- <para>This package does not come with a test suite.</para> -->
<!-- <para>To test the results, issue: <command>make check</command>.</para> -->
<!ENTITY bind-download-http "http://gd.tuwien.ac.at/infosys/servers/isc/bind9/&bind-version;/bind-&bind-version;.tar.gz">
<!ENTITY bind-download-ftp "ftp://ftp.isc.org/isc/bind9/&bind-version;/bind-&bind-version;.tar.gz">
<!ENTITY bind-md5sum "a7912bf7b4cb770cfc42fdad">
<!ENTITY bind-size "5.2 MB">
<!ENTITY bind-buildsize "77.1 MB">
<!ENTITY bind-time "1.7 SBU (additional 11 minutes, processor independent, to run the complete test suite)">
]>
<sect1 id="bind" xreflabel="BIND-&bind-version;">
<?dbhtml filename="bind.html"?>
<sect1info>
<othername>$LastChangedBy$</othername>
<date>$Date$</date>
</sect1info>
<title>BIND-&bind-version;</title>
<indexterm zone="bind">
<primary sortas="a-BIND">BIND</primary>
</indexterm>
<sect2 role="package">
<title>Introduction to BIND</title>
<para>The <application>BIND</application> package provides a DNS server
and client utilities. If you are only interested in the utilities, refer
to the <xref linkend="bind-utils"/>.</para>
<bridgehead renderas="sect3">Package Information</bridgehead>
<itemizedlist spacing="compact">
<listitem>
<para>Download (HTTP): <ulink url="&bind-download-http;"/></para>
</listitem>
<listitem>
<para>Download (FTP): <ulink url="&bind-download-ftp;"/></para>
</listitem>
<listitem>
<para>Download MD5 sum: &bind-md5sum;</para>
</listitem>
<listitem>
<para>Download size: &bind-size;</para>
</listitem>
<listitem>
<para>Estimated disk space required: &bind-buildsize;</para>
</listitem>
<listitem>
<para>Estimated build time: &bind-time;</para>
</listitem>
</itemizedlist>
<bridgehead renderas="sect3">BIND Dependencies</bridgehead>
<bridgehead renderas="sect4">Optional</bridgehead>
<para role="optional"><xref linkend="openssl"/></para>
<bridgehead renderas="sect4">Optional (to Run the Test Suite)</bridgehead>
<para role="optional"><xref linkend="net-tools"/> (for <command>ifconfig</command>)
and <xref linkend="perl-net-dns"/></para>
<bridgehead renderas="sect4">Optional (to [Re]Build
Documentation)</bridgehead>
<para role="optional">
<xref linkend="tetex"/> and
<xref linkend="libxslt"/></para>
<para condition="html" role="usernotes">User Notes:
<ulink url="&blfs-wiki;/bind"/></para>
</sect2>
<sect2 role="installation">
<title>Installation of BIND</title>
<para>Install <application>BIND</application> by running the
following commands:</para>
<screen><userinput>sed -i 's/#ifdef SO_BSDCOMPAT/#if 0/' lib/isc/unix/socket.c &amp;&amp;
./configure --prefix=/usr --sysconfdir=/etc \
--enable-threads --with-libtool &amp;&amp;
make</userinput></screen>
<para>Issue the following commands to run the complete suite of tests.
First, as <systemitem class="username">root</systemitem>, set up some test
interfaces:</para>
<screen role="root"><userinput>bin/tests/system/ifconfig.sh up</userinput></screen>
<para>Now run the test suite as an unprivileged user:</para>
<screen><userinput>make check 2&gt;&amp;1 | tee check.log</userinput></screen>
<para>Again as <systemitem class="username">root</systemitem>, clean up the
test interfaces:</para>
<screen role="root"><userinput>bin/tests/system/ifconfig.sh down</userinput></screen>
<para>Issue the following command to check that all 144 tests
ran successfully:</para>
<screen><userinput>grep "R:PASS" check.log | wc -l</userinput></screen>
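<para>The count above only tells you how many tests passed; the same log carries an <literal>R:FAIL</literal> line for every failing test, and those are the ones worth reading by name. The shell functions below are an added example, not part of the BLFS book or of BIND. They assume the log layout written by <filename>bin/tests/system/run.sh</filename> (<literal>S:</literal> opens a test, <literal>R:PASS</literal> or <literal>R:FAIL</literal> is its verdict, <literal>E:</literal> closes it); the sample log inside the script is constructed, not real output.</para>
<programlisting><![CDATA[
```sh
#!/bin/sh
# Added example, not from the BLFS page: summarise check.log instead of only
# counting R:PASS lines, so a failing test is seen by name. Assumed log layout,
# as printed by bin/tests/system/run.sh: "S:<test>:<date>" opens a test,
# "R:PASS" or "R:FAIL" is its verdict and "E:<test>:<date>" closes it.

# Print "<test> <verdict>" for every verdict line, tracking the current test
# from the preceding S: line.
test_results() {  # $1 = log file
    awk -F: '$1 == "S" { name = $2 }
             $1 == "R" { print name, $2 }' "$1"
}

# Number of verdict lines equal to $2 (PASS or FAIL); prints 0 when none.
count_verdict() {  # $1 = log file, $2 = verdict
    awk -F: -v v="$2" '$1 == "R" && $2 == v { n++ } END { print n + 0 }' "$1"
}

# Succeed only when nothing failed and the number of passes equals the
# expected total (144 for the BIND version on the page); failing test names
# go to stderr.
check_log_ok() {  # $1 = log file, $2 = expected number of passing tests
    if [ "$(count_verdict "$1" FAIL)" -ne 0 ]; then
        echo "failed system tests:" >&2
        test_results "$1" | awk '$2 == "FAIL" { print "  " $1 }' >&2
        return 1
    fi
    [ "$(count_verdict "$1" PASS)" -eq "$2" ]
}

# Constructed sample log (not real BIND output) to exercise the functions.
SAMPLE_LOG="${TMPDIR:-/tmp}/bind-check-sample.$$"
cat > "$SAMPLE_LOG" <<'EOF'
S:dnssec:Mon Jan  1 00:00:00 UTC 2007
T:dnssec:1:A
A:System test dnssec
R:PASS
E:dnssec:Mon Jan  1 00:00:12 UTC 2007
S:forward:Mon Jan  1 00:00:12 UTC 2007
T:forward:1:A
A:System test forward
I:could not reach forwarder
R:FAIL
E:forward:Mon Jan  1 00:00:20 UTC 2007
S:glue:Mon Jan  1 00:00:20 UTC 2007
T:glue:1:A
A:System test glue
R:PASS
E:glue:Mon Jan  1 00:00:25 UTC 2007
EOF

# On a real run:  check_log_ok check.log 144
```
]]></programlisting>
<para>Source the script and run <command>check_log_ok check.log 144</command>; a non-zero exit status with the failing test names on stderr is more useful than a pass count that silently comes up short. Remove the sample file under <filename class='directory'>/tmp</filename> when done.</para>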
<para>Finally, install the package as the <systemitem
class="username">root</systemitem> user:</para>
<screen role="root"><userinput>make install &amp;&amp;
chmod 755 /usr/lib/{lib{bind9,isc{,cc,cfg},lwres,dns}.so.*.?.?} &amp;&amp;
cd doc &amp;&amp;
install -v -d -m755 /usr/share/doc/bind-&bind-version;/{arm,draft,misc,rfc} &amp;&amp;
install -v -m644 arm/*.html \
/usr/share/doc/bind-&bind-version;/arm &amp;&amp;
install -v -m644 draft/*.txt \
/usr/share/doc/bind-&bind-version;/draft &amp;&amp;
install -v -m644 rfc/* \
/usr/share/doc/bind-&bind-version;/rfc &amp;&amp;
install -v -m644 \
misc/{dnssec,ipv6,migrat*,options,rfc-compliance,roadmap,sdb} \
/usr/share/doc/bind-&bind-version;/misc</userinput></screen>
</sect2>
<sect2 role="commands">
<title>Command Explanations</title>
<para><command>sed -i 's/#ifdef SO_BSDCOMPAT/#if 0/'
lib/isc/unix/socket.c</command>: This command disables the use of the
obsolete <literal>SO_BSDCOMPAT</literal> socket option so that the
<application>bind</application> daemon does not generate messages about it
in the log.</para>
<para><parameter>--sysconfdir=/etc</parameter>: This parameter forces
<application>BIND</application> to look for configuration
files in <filename class='directory'>/etc</filename> instead of
<filename class='directory'>/usr/etc</filename>.</para>
<para><parameter>--enable-threads</parameter>: This parameter enables
multi-threading capability.</para>
<para><parameter>--with-libtool</parameter>: This parameter forces the
building of dynamic libraries and links the installed binaries to these
libraries.</para>
<para><command>chmod 755
/usr/lib/{lib{bind9,isc{,cc,cfg},lwres,dns}.so.*.?.?}</command>:
Enable the execute bit to prevent a warning when using
<command>ldd</command> to check library dependencies.</para>
<para><command>cd doc; install ...</command>: These commands install the
additional package documentation. Optionally, omit any or all of these
commands.</para>
</sect2>
<sect2 role="configuration">
<title>Configuring BIND</title>
<sect3 id="bind-config">
<title>Config files</title>
<para><filename>named.conf</filename>,
<filename>root.hints</filename>,
<filename>127.0.0</filename>,
<filename>rndc.conf</filename> and
<filename>resolv.conf</filename></para>
<indexterm zone="bind bind-config">
<primary sortas="e-etc-named.conf">/etc/named.conf</primary>
</indexterm>
<indexterm zone="bind bind-config">
<primary sortas="e-etc-rndc.conf">/etc/rndc.conf</primary>
</indexterm>
<indexterm zone="bind bind-config">
<primary sortas="e-etc-resolv.conf">/etc/resolv.conf</primary>
</indexterm>
<indexterm zone="bind bind-config">
<primary sortas="e-etc-namedb-root.hints">/etc/namedb/root.hints</primary>
</indexterm>
<indexterm zone="bind bind-config">
<primary sortas="e-etc-namedb-pz-127.0.0">/etc/namedb/pz/127.0.0</primary>
</indexterm>
</sect3>
<sect3>
<title>Configuration Information</title>
<para><application>BIND</application> will be configured to run in a
<command>chroot</command> jail as an unprivileged user (<systemitem
class="username">named</systemitem>). This configuration is more secure
in that a DNS compromise can only affect a few files in the <systemitem
class="username">named</systemitem> user's <envar>HOME</envar>
directory.</para>
<para>Create the unprivileged user and group <systemitem
class="username">named</systemitem>:</para>
<screen role="root"><userinput>groupadd -g 20 named &amp;&amp;
useradd -c "BIND Owner" -g named -s /bin/false -u 20 named &amp;&amp;
install -d -m770 -o named -g named /srv/named</userinput></screen>
<para>Set up some files, directories and devices needed by
<application>BIND</application>:</para>
<screen role="root"><userinput>cd /srv/named &amp;&amp;
mkdir -p dev etc/namedb/slave var/run &amp;&amp;
mknod /srv/named/dev/null c 1 3 &amp;&amp;
mknod /srv/named/dev/random c 1 8 &amp;&amp;
chmod 666 /srv/named/dev/{null,random} &amp;&amp;
mkdir /srv/named/etc/namedb/pz &amp;&amp;
cp /etc/localtime /srv/named/etc</userinput></screen>
<para>Then, generate a key for use in the <filename>named.conf</filename>
and <filename>rndc.conf</filename> files using the
<command>rndc-confgen</command> command:</para>
<screen role="root"><userinput>rndc-confgen -b 512 | grep -m 1 "secret" | cut -d '"' -f 2</userinput></screen>
<para>Create the <filename>named.conf</filename> file from which
<command>named</command> will read the location of zone files, root
name servers and secure DNS keys:</para>
<screen role="root"><userinput>cat &gt; /srv/named/etc/named.conf &lt;&lt; "EOF"
<literal>options {
    directory "/etc/namedb";
    pid-file "/var/run/named.pid";
    statistics-file "/var/run/named.stats";
};

controls {
    inet 127.0.0.1 allow { localhost; } keys { rndc_key; };
};

key "rndc_key" {
    algorithm hmac-md5;
    secret "<replaceable>&lt;Insert secret from rndc-confgen's output here&gt;</replaceable>";
};

zone "." {
    type hint;
    file "root.hints";
};

zone "0.0.127.in-addr.arpa" {
    type master;
    file "pz/127.0.0";
};

// Bind 9 now logs by default through syslog (except debug).
// These are the default logging rules.

logging {
    category default { default_syslog; default_debug; };
    category unmatched { null; };

    channel default_syslog {
        syslog daemon;      // send to syslog's daemon facility
        severity info;      // only send priority info and higher
    };

    channel default_debug {
        file "named.run";   // write to named.run in the working directory
                            // Note: stderr is used instead of "named.run"
                            // if the server is started with the '-f' option.
        severity dynamic;   // log at the server's current debug level
    };

    channel default_stderr {
        stderr;             // writes to stderr
        severity info;      // only send priority info and higher
    };

    channel null {
        null;               // toss anything sent to this channel
    };
};</literal>
EOF</userinput></screen>
<para>Create the <filename>rndc.conf</filename> file with the following
commands:</para>
<screen role="root"><userinput>cat &gt; /etc/rndc.conf &lt;&lt; "EOF"
<literal>key rndc_key {
    algorithm "hmac-md5";
    secret "<replaceable>&lt;Insert secret from rndc-confgen's output here&gt;</replaceable>";
};

options {
    default-server localhost;
    default-key rndc_key;
};</literal>
EOF</userinput></screen>
<para>The <filename>rndc.conf</filename> file contains information for
controlling <command>named</command> operations with the
<command>rndc</command> utility.</para>
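<para>The three steps above (generate the secret, paste it into <filename>named.conf</filename>, paste it again into <filename>rndc.conf</filename>) can be scripted so the secret is written once and both files are checked for agreement. The shell script below is an added example, not part of the BLFS book or of BIND. It assumes the page's paths, exposed as <envar>JAIL</envar> and <envar>ETC</envar> variables so the functions can be tried in a scratch directory as an ordinary user; it leaves out the page's logging block, which the page notes only restates BIND's defaults; and it adds a <command>chmod 640</command>, because anyone who can read the secret can control <command>named</command> through <command>rndc</command>. The <command>named-checkconf -t</command> check is attempted only when running as <systemitem class="username">root</systemitem> with BIND installed, since its chroot needs root.</para>
<programlisting><![CDATA[
```sh
#!/bin/sh
# Added example, not part of the BLFS page: generate the rndc secret once and
# write it into both configuration files instead of pasting it by hand.
# JAIL and ETC are assumed parameters (defaults are the page's paths) so the
# functions can be exercised against a scratch directory as a normal user.
JAIL="${JAIL:-/srv/named}"
ETC="${ETC:-/etc}"

# 512-bit secret, base64 encoded (88 characters), as rndc-confgen -b 512
# produces; falls back to /dev/urandom when BIND is not installed yet.
gen_secret() {
    if command -v rndc-confgen >/dev/null 2>&1; then
        rndc-confgen -b 512 | grep -m 1 secret | cut -d '"' -f 2
    else
        head -c 64 /dev/urandom | base64 | tr -d '\n'
    fi
}

# named.conf as on the page, minus the logging block (the page notes it only
# restates BIND's defaults). The heredoc is unquoted so $1 (the secret) expands.
write_named_conf() {
    cat > "$JAIL/etc/named.conf" <<EOF
options {
    directory "/etc/namedb";
    pid-file "/var/run/named.pid";
    statistics-file "/var/run/named.stats";
};
controls {
    inet 127.0.0.1 allow { localhost; } keys { rndc_key; };
};
key "rndc_key" {
    algorithm hmac-md5;
    secret "$1";
};
zone "." {
    type hint;
    file "root.hints";
};
zone "0.0.127.in-addr.arpa" {
    type master;
    file "pz/127.0.0";
};
EOF
}

write_rndc_conf() {
    cat > "$ETC/rndc.conf" <<EOF
key rndc_key {
    algorithm "hmac-md5";
    secret "$1";
};
options {
    default-server localhost;
    default-key rndc_key;
};
EOF
}

# Whoever can read the secret can drive named through rndc, so neither file
# should stay world-readable (the page's later chown -R hands named.conf to
# the named user; /etc/rndc.conf is read by root when running rndc).
lock_down() {
    chmod 640 "$JAIL/etc/named.conf" "$ETC/rndc.conf"
}

# Extract the secret from a file the same way the page does.
secret_in() {
    grep -m 1 secret "$1" | cut -d '"' -f 2
}

# Both files must carry the same secret; as root with BIND installed, also
# let named-checkconf parse the jailed file (-t chroots, which needs root).
verify_config() {
    a=$(secret_in "$JAIL/etc/named.conf")
    b=$(secret_in "$ETC/rndc.conf")
    [ -n "$a" ] && [ "$a" = "$b" ] || return 1
    if [ "$(id -u)" -eq 0 ] && command -v named-checkconf >/dev/null 2>&1; then
        named-checkconf -t "$JAIL" /etc/named.conf || return 1
    fi
    return 0
}

setup_rndc() {
    secret=$(gen_secret)
    write_named_conf "$secret"
    write_rndc_conf "$secret"
    lock_down
    verify_config
}

# Run end to end only when invoked with an argument, e.g.  ./setup-rndc.sh go
if [ "$#" -gt 0 ]; then
    setup_rndc
fi
```
]]></programlisting>
<para>Run it as <systemitem class="username">root</systemitem> with any argument after the jail directories from the previous step exist; <command>verify_config</command> can be rerun later on its own to confirm the two files still agree after an edit.</para>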
<para>Create a zone file with the following contents:</para>
<screen role="root"><userinput>cat &gt; /srv/named/etc/namedb/pz/127.0.0 &lt;&lt; "EOF"
<literal>$TTL 3D
@       IN      SOA     ns.local.domain. hostmaster.local.domain. (
                        1       ; Serial
                        8H      ; Refresh
                        2H      ; Retry
                        4W      ; Expire
                        1D)     ; Minimum TTL
                NS      ns.local.domain.
1               PTR     localhost.</literal>
EOF</userinput></screen>
<para>Create the <filename>root.hints</filename> file with the following
commands:</para>
<note>
<para>Caution must be used to ensure there are no leading spaces in
this file.</para>
</note>
<screen role="root"><userinput>cat &gt; /srv/named/etc/namedb/root.hints &lt;&lt; "EOF"
<literal>. 6D IN NS A.ROOT-SERVERS.NET.
. 6D IN NS B.ROOT-SERVERS.NET.
. 6D IN NS C.ROOT-SERVERS.NET.
. 6D IN NS D.ROOT-SERVERS.NET.
. 6D IN NS E.ROOT-SERVERS.NET.
. 6D IN NS F.ROOT-SERVERS.NET.
. 6D IN NS G.ROOT-SERVERS.NET.
. 6D IN NS H.ROOT-SERVERS.NET.
. 6D IN NS I.ROOT-SERVERS.NET.
. 6D IN NS J.ROOT-SERVERS.NET.
. 6D IN NS K.ROOT-SERVERS.NET.
. 6D IN NS L.ROOT-SERVERS.NET.
. 6D IN NS M.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET. 6D IN A 198.41.0.4
B.ROOT-SERVERS.NET. 6D IN A 192.228.79.201
C.ROOT-SERVERS.NET. 6D IN A 192.33.4.12
D.ROOT-SERVERS.NET. 6D IN A 128.8.10.90
E.ROOT-SERVERS.NET. 6D IN A 192.203.230.10
F.ROOT-SERVERS.NET. 6D IN A 192.5.5.241
G.ROOT-SERVERS.NET. 6D IN A 192.112.36.4
H.ROOT-SERVERS.NET. 6D IN A 128.63.2.53
I.ROOT-SERVERS.NET. 6D IN A 192.36.148.17
J.ROOT-SERVERS.NET. 6D IN A 192.58.128.30
K.ROOT-SERVERS.NET. 6D IN A 193.0.14.129
L.ROOT-SERVERS.NET. 6D IN A 198.32.64.12
M.ROOT-SERVERS.NET. 6D IN A 202.12.27.33</literal>
EOF</userinput></screen>
<para>The <filename>root.hints</filename> file is a list of root
name servers. This file must be updated periodically with the
<command>dig</command> utility. A current copy of root.hints can be
obtained from <ulink url="ftp://rs.internic.net/domain/named.root" />.
Consult the <ulink url="http://www.bind9.net/Bv9ARM.html">BIND 9
Administrator Reference Manual</ulink> for details.</para>
<para>Create or modify <filename>resolv.conf</filename> to use the new
name server with the following commands:</para>
<note>
<para>Replace <replaceable>&lt;yourdomain.com&gt;</replaceable> with
your own valid domain name.</para>
</note>
<screen role="root"><userinput>cp /etc/resolv.conf /etc/resolv.conf.bak &amp;&amp;
cat &gt; /etc/resolv.conf &lt;&lt; "EOF"
<literal>search <replaceable>&lt;yourdomain.com&gt;</replaceable>
nameserver 127.0.0.1</literal>
EOF</userinput></screen>
<para>Set permissions on the <command>chroot</command> jail with the
following command:</para>
<screen role="root"><userinput>chown -R named.named /srv/named</userinput></screen>
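<para>The recursive <command>chown</command> above gives the <systemitem class="username">named</systemitem> user ownership of the whole jail, including <filename>named.conf</filename>, the zone files and <filename>root.hints</filename>, so the earlier statement that a compromise can only touch a few files is easier to verify than to assume. The shell functions below are an added example, not part of the BLFS book or of BIND: they list every entry in the jail that a given uid/gid can write to and then subtract the places the page's <filename>named.conf</filename> legitimately writes to (an assumed allowlist: <filename class='directory'>var/run</filename>, the <filename class='directory'>etc/namedb/slave</filename> directory, the working directory and its <filename>named.run</filename> debug log, and <filename class='directory'>dev</filename>). The jail path and ids default to the page's values (uid and gid 20) but are parameters, so the functions can be tried on a scratch tree as an ordinary user.</para>
<programlisting><![CDATA[
```sh
#!/bin/sh
# Added example, not from the BLFS page: list what the named process could
# modify inside the jail, i.e. entries owned by its uid with u+w, owned by its
# gid with g+w, or world-writable. After the page's "chown -R named.named
# /srv/named" that is most of the tree, so unexpected_writable subtracts the
# places the page's named.conf legitimately writes to (assumed allowlist:
# pid/stats files under var/run, slave zones, the working directory with its
# named.run debug log, and the device nodes). What remains is worth handing
# back to root. Defaults are the page's values (uid/gid 20, /srv/named); all
# three are parameters so the functions can be tried on a scratch tree.

writable_by() {  # $1 = jail root (no trailing slash), $2 = uid, $3 = gid
    # -user/-group accept numeric ids; -perm -200/-020/-002 are u+w, g+w, o+w
    find "$1" \( \( -user "$2" -perm -200 \) -o \( -group "$3" -perm -020 \) \
                 -o -perm -002 \) -print
}

unexpected_writable() {  # same arguments
    writable_by "$1" "$2" "$3" | awk -v j="$1" '
        index($0, j "/var/run") == 1              { next }
        index($0, j "/etc/namedb/slave") == 1     { next }
        $0 == j "/etc/namedb"                     { next }
        index($0, j "/etc/namedb/named.run") == 1 { next }
        index($0, j "/dev") == 1                  { next }
        { print }'
}

audit_jail() {  # optional: jail root, uid, gid
    unexpected_writable "${1:-/srv/named}" "${2:-20}" "${3:-20}"
}
```
]]></programlisting>
<para>Anything <command>audit_jail</command> prints can be given back to <systemitem class="username">root</systemitem> with group <systemitem class="username">named</systemitem> and mode 640 (files) or 750 (directories); the daemon can then still read its configuration and zones but no longer rewrite them.</para>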
</sect3>
<sect3 id="bind-init">
<title>Boot Script</title>
<para>To start the DNS server at boot, install the
<filename>/etc/rc.d/init.d/bind</filename> init script included
in the <xref linkend="bootscripts"/> package.</para>
<indexterm zone="bind bind-init">
<primary sortas="f-bind">bind</primary>
</indexterm>
<screen role="root"><userinput>make install-bind</userinput></screen>
<para>Now start <application>BIND</application> with
the new boot script:</para>
<screen role="root"><userinput>/etc/rc.d/init.d/bind start</userinput></screen>
</sect3>
<sect3>
<title>Testing BIND</title>
<para>Test out the new <application>BIND</application> 9 installation.
First query the local host address with <command>dig</command>:</para>
<screen><userinput>dig -x 127.0.0.1</userinput></screen>
<para>Now try an external name lookup, taking note of the speed
difference in repeated lookups due to the caching. Run the
<command>dig</command> command twice on the same address:</para>
<screen><userinput>dig www.linuxfromscratch.org &amp;&amp;
dig www.linuxfromscratch.org</userinput></screen>
<para>You can see almost instantaneous results with the named caching
lookups. Consult the <application>BIND</application> Administrator
Reference Manual located at <filename>doc/arm/Bv9ARM.html</filename>
in the package source tree, for further configuration options.</para>
</sect3>
</sect2>
<sect2 role="content">
<title>Contents</title>
<segmentedlist>
<segtitle>Installed Programs</segtitle>
<segtitle>Installed Libraries</segtitle>
<segtitle>Installed Directories</segtitle>
<seglistitem>
<seg>dig, dnssec-keygen, dnssec-signzone, host, isc-config.sh, lwresd,
named, named-checkconf, named-checkzone, nslookup, nsupdate, rndc, and
rndc-confgen</seg>
<seg>libbind9.{so,a}, libdns.{so,a}, libisc.{so,a}, libisccc.{so,a},
libisccfg.{so,a}, and liblwres.{so,a}</seg>
<seg>/srv/named, /usr/include/bind9, /usr/include/dns, /usr/include/dst,
/usr/include/isc, /usr/include/isccc, /usr/include/isccfg,
/usr/include/lwres, and /usr/share/doc/bind-&bind-version;</seg>
</seglistitem>
</segmentedlist>
<variablelist>
<bridgehead renderas="sect3">Short Descriptions</bridgehead>
<?dbfo list-presentation="list"?>
<?dbhtml list-presentation="table"?>
<varlistentry id="dig">
<term><command>dig</command></term>
<listitem>
<para>interrogates DNS servers.</para>
<indexterm zone="bind dig">
<primary sortas="b-dig">dig</primary>
</indexterm>
</listitem>
</varlistentry>
<varlistentry id="dnssec-keygen">
<term><command>dnssec-keygen</command></term>
<listitem>
<para>is a key generator for secure DNS.</para>
<indexterm zone="bind dnssec-keygen">
<primary sortas="b-dnssec-keygen">dnssec-keygen</primary>
</indexterm>
</listitem>
</varlistentry>
<varlistentry id="dnssec-signzone">
<term><command>dnssec-signzone</command></term>
<listitem>
<para>generates signed versions of zone files.</para>
<indexterm zone="bind dnssec-signzone">
<primary sortas="b-dnssec-signzone">dnssec-signzone</primary>
</indexterm>
</listitem>
</varlistentry>
<varlistentry id="host">
<term><command>host</command></term>
<listitem>
<para>is a utility for DNS lookups.</para>
<indexterm zone="bind host">
<primary sortas="b-host">host</primary>
</indexterm>
</listitem>
</varlistentry>
<varlistentry id="lwresd">
<term><command>lwresd</command></term>
<listitem>
<para>is a caching-only name server for local process use.</para>
<indexterm zone="bind lwresd">
<primary sortas="b-lwresd">lwresd</primary>
</indexterm>
</listitem>
</varlistentry>
<varlistentry id="named">
<term><command>named</command></term>
<listitem>
<para>is the name server daemon.</para>
<indexterm zone="bind named">
<primary sortas="b-named">named</primary>
</indexterm>
</listitem>
</varlistentry>
<varlistentry id="named-checkconf">
<term><command>named-checkconf</command></term>
<listitem>
<para>checks the syntax of <filename>named.conf</filename>
files.</para>
<indexterm zone="bind named-checkconf">
<primary sortas="b-named-checkconf">named-checkconf</primary>
</indexterm>
</listitem>
</varlistentry>
<varlistentry id="named-checkzone">
<term><command>named-checkzone</command></term>
<listitem>
<para>checks zone file validity.</para>
<indexterm zone="bind named-checkzone">
<primary sortas="b-named-checkzone">named-checkzone</primary>
</indexterm>
</listitem>
</varlistentry>
<varlistentry id="nslookup">
<term><command>nslookup</command></term>
<listitem>
<para>is a program used to query Internet domain nameservers.</para>
<indexterm zone="bind nslookup">
<primary sortas="b-nslookup">nslookup</primary>
</indexterm>
</listitem>
</varlistentry>
<varlistentry id="nsupdate">
<term><command>nsupdate</command></term>
<listitem>
<para>is used to submit DNS update requests.</para>
<indexterm zone="bind nsupdate">
<primary sortas="b-nsupdate">nsupdate</primary>
</indexterm>
</listitem>
</varlistentry>
<varlistentry id="rndc">
<term><command>rndc</command></term>
<listitem>
<para>controls the operation of <application>BIND</application>.</para>
<indexterm zone="bind rndc">
<primary sortas="b-rndc">rndc</primary>
</indexterm>
</listitem>
</varlistentry>
<varlistentry id="rndc-confgen">
<term><command>rndc-confgen</command></term>
<listitem>
<para>generates <filename>rndc.conf</filename> files.</para>
<indexterm zone="bind rndc-confgen">
<primary sortas="b-rndc-confgen">rndc-confgen</primary>
</indexterm>
</listitem>
</varlistentry>
</variablelist>
</sect2>
</sect1>