glfs/server/major/bind.xml

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
<!ENTITY % general-entities SYSTEM "../../general.ent">
%general-entities;
<!ENTITY bind-download-http " ">
<!ENTITY bind-download-ftp "ftp://ftp.isc.org/isc/bind9/&bind-version;/bind-&bind-version;.tar.gz">
<!ENTITY bind-md5sum "2ca3474c5cefebbbeea32710b048cd1c">
<!ENTITY bind-size "8.0 MB">
<!ENTITY bind-buildsize "102 MB (additional 43 MB to run the test suite)">
<!ENTITY bind-time "1.1 SBU (additional 16 minutes, processor independent, to run the complete test suite)">
]>
<sect1 id="bind" xreflabel="BIND-&bind-version;">
<?dbhtml filename="bind.html"?>
<sect1info>
<othername>$LastChangedBy$</othername>
<date>$Date$</date>
</sect1info>
<title>BIND-&bind-version;</title>
<indexterm zone="bind">
<primary sortas="a-BIND">BIND</primary>
</indexterm>
<sect2 role="package">
<title>Introduction to BIND</title>
<para>The <application>BIND</application> package provides a DNS server
and client utilities. If you are only interested in the utilities, refer
to the <xref linkend="bind-utils"/>.</para>
&lfs76_checked;
<bridgehead renderas="sect3">Package Information</bridgehead>
<itemizedlist spacing="compact">
<listitem>
<para>Download (HTTP): <ulink url="&bind-download-http;"/></para>
</listitem>
<listitem>
<para>Download (FTP): <ulink url="&bind-download-ftp;"/></para>
</listitem>
<listitem>
<para>Download MD5 sum: &bind-md5sum;</para>
</listitem>
<listitem>
<para>Download size: &bind-size;</para>
</listitem>
<listitem>
<para>Estimated disk space required: &bind-buildsize;</para>
</listitem>
<listitem>
<para>Estimated build time: &bind-time;</para>
</listitem>
</itemizedlist>
<bridgehead renderas="sect3">Additional Downloads</bridgehead>
<itemizedlist spacing='compact'>
<listitem>
<para>Optional patch (if net-tools is not installed):
<ulink
url="&patch-root;/bind-&bind-version;-use_iproute2-1.patch"/></para>
</listitem>
</itemizedlist>
<bridgehead renderas="sect3">BIND Dependencies</bridgehead>
<bridgehead renderas="sect4">Optional</bridgehead>
<para role="optional">
<xref linkend="libcap-pam"/>,
<xref linkend="libxml2"/>,
<xref linkend="mitkrb"/>, and
<xref linkend="openssl"/>
</para>
<bridgehead renderas="sect4">Optional database backends</bridgehead>
<para role="optional">
<xref linkend="postgresql"/>,
<xref linkend="mariadb"/> or <ulink url="http://www.mysql.com/">MySQL</ulink>,
<xref linkend="db"/>,
<xref linkend="openldap"/>, and
<xref linkend="unixodbc"/>
</para>
<bridgehead renderas="sect4">Optional (to run the test suite)</bridgehead>
<para role="optional">
<xref linkend="perl-net-dns"/> and
<xref linkend="net-tools"/> (you may omit net-tools by using the optional
patch to utilize iproute2, but the IPv6 tests will fail)
</para>
<bridgehead renderas="sect4">Optional (to rebuild the documentation)</bridgehead>
<para role="optional">
<xref linkend="doxygen"/>,
<xref linkend="texlive"/> (or <xref linkend="tl-installer"/>), and
<xref linkend="libxslt"/>
</para>
<para condition="html" role="usernotes">User Notes:
<ulink url="&blfs-wiki;/bind"/></para>
</sect2>
<sect2 role="installation">
<title>Installation of BIND</title>
<para>If you have chosen not to install net-tools, apply the iproute2
patch with the following command:</para>
<screen><userinput>patch -Np1 -i ../bind-&bind-version;-use_iproute2-1.patch</userinput></screen>
<para>Install <application>BIND</application> by running the
following commands:</para>
<screen><userinput>./configure --prefix=/usr \
--sysconfdir=/etc \
--localstatedir=/var \
--mandir=/usr/share/man \
--enable-threads \
--with-libtool \
--disable-static \
--with-randomdev=/dev/urandom &amp;&amp;
make</userinput></screen>
<para>Issue the following commands to run the complete suite of tests.
First, as the <systemitem class="username">root</systemitem> user, set up
some test interfaces:</para>
<note><para>If IPv6 is not enabled in the kernel, there will be several
error messages: "RTNETLINK answers: Operation not permitted". These
messages do not affect the tests.</para></note>
<screen role="root"><userinput>bin/tests/system/ifconfig.sh up</userinput></screen>
<para>As an unprivileged user, remove some tests that fail:</para>
<screen><userinput>sed -e 's/ecdsa //' \
-e 's/tsiggss //' \
-i bin/tests/system/conf.sh</userinput></screen>
<para>Now run the test suite as an unprivileged user:</para>
<screen><userinput>make check</userinput></screen>
<para>Again as <systemitem class="username">root</systemitem>, clean up the
test interfaces:</para>
<screen role="root"><userinput>bin/tests/system/ifconfig.sh down</userinput></screen>
<para>Finally, install the package as the <systemitem
class="username">root</systemitem> user:</para>
<screen role="root"><userinput>make install &amp;&amp;
chmod -v 0755 /usr/lib/lib{bind9,dns,isc{,cc,cfg},lwres}.so &amp;&amp;
install -v -m755 -d /usr/share/doc/bind-&bind-version;/{arm,misc} &amp;&amp;
install -v -m644 doc/arm/*.html \
/usr/share/doc/bind-&bind-version;/arm &amp;&amp;
install -v -m644 \
doc/misc/{dnssec,ipv6,migrat*,options,rfc-compliance,roadmap,sdb} \
/usr/share/doc/bind-&bind-version;/misc</userinput></screen>
</sect2>
<sect2 role="commands">
<title>Command Explanations</title>
<para><command>sed ... bin/tests/system/conf.sh</command>: This command
removes tests that fail (some for unknown reasons).</para>
<para><parameter>--sysconfdir=/etc</parameter>: This parameter forces
<application>BIND</application> to look for configuration
files in <filename class='directory'>/etc</filename> instead of
<filename class='directory'>/usr/etc</filename>.</para>
<para><parameter>--enable-threads</parameter>: This parameter enables
multi-threading capability.</para>
<para><parameter>--with-libtool</parameter>: This parameter forces the
building of dynamic libraries and links the installed binaries to these
libraries.</para>
<para><parameter>--with-randomdev=/dev/urandom</parameter>: This parameter
specifies a non-blocking random device for use with digital signatures.</para>
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
href="../../xincludes/static-libraries.xml"/>
<para><command>chmod 0755
/usr/lib/lib{bind9,dns,isc{,cc,cfg},lwres}.so</command>:
Enable the execute bit to prevent a warning when using
<command>ldd</command> to check library dependencies.</para>
<para><command>install -v -m644 doc/...</command>: These commands install
additional package documentation. Omit any or all of these commands if
desired.</para>
</sect2>
<sect2 role="configuration">
<title>Configuring BIND</title>
<sect3 id="bind-config">
<title>Config files</title>
<para><filename>named.conf</filename>,
<filename>root.hints</filename>,
<filename>127.0.0</filename>,
<filename>rndc.conf</filename> and
<filename>resolv.conf</filename></para>
<indexterm zone="bind bind-config">
<primary sortas="e-etc-named.conf">/etc/named.conf</primary>
</indexterm>
<indexterm zone="bind bind-config">
<primary sortas="e-etc-rndc.conf">/etc/rndc.conf</primary>
</indexterm>
<indexterm zone="bind bind-config">
<primary sortas="e-etc-resolv.conf">/etc/resolv.conf</primary>
</indexterm>
<indexterm zone="bind bind-config">
<primary
sortas="e-etc-namedb-root.hints">/etc/namedb/root.hints</primary>
</indexterm>
<indexterm zone="bind bind-config">
<primary
sortas="e-etc-namedb-pz-127.0.0.0">/etc/namedb/pz/127.0.0.0</primary>
</indexterm>
</sect3>
<sect3>
<title>Configuration Information</title>
<para><application>BIND</application> will be configured to run in a
<command>chroot</command> jail as an unprivileged user (<systemitem
class="username">named</systemitem>). This configuration is more secure
in that a DNS compromise can only affect a few files in the <systemitem
class="username">named</systemitem> user's <envar>HOME</envar>
directory.</para>
<para>Create the unprivileged user and group <systemitem
class="username">named</systemitem>:</para>
<screen role="root"><userinput>groupadd -g 20 named &amp;&amp;
useradd -c "BIND Owner" -g named -s /bin/false -u 20 named &amp;&amp;
install -d -m770 -o named -g named /srv/named</userinput></screen>
<para>Set up some files, directories and devices needed by
<application>BIND</application>:</para>
<screen role="root"><userinput>cd /srv/named &amp;&amp;
mkdir -p dev etc/namedb/{slave,pz} usr/lib/engines var/run/named &amp;&amp;
mknod /srv/named/dev/null c 1 3 &amp;&amp;
mknod /srv/named/dev/urandom c 1 9 &amp;&amp;
chmod 666 /srv/named/dev/{null,urandom} &amp;&amp;
cp /etc/localtime etc &amp;&amp;
touch /srv/named/managed-keys.bind &amp;&amp;
cp /usr/lib/engines/libgost.so usr/lib/engines &amp;&amp;
[ $(uname -m) = x86_64 ] &amp;&amp; ln -sv lib usr/lib64</userinput></screen>
<para>The <filename>rndc.conf</filename> file contains information for
controlling <command>named</command> operations with the
<command>rndc</command> utility. Generate a key for use in
<filename>named.conf</filename> and <filename>rndc.conf</filename> with the
<command>rndc-confgen</command> command:</para>
<screen role="root"><userinput>rndc-confgen -r /dev/urandom -b 512 &gt; /etc/rndc.conf &amp;&amp;
sed '/conf/d;/^#/!d;s:^# ::' /etc/rndc.conf > /srv/named/etc/named.conf</userinput></screen>
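<para>The <command>sed</command> above copies the generated key and the
<literal>controls</literal> statement into the jail's
<filename>named.conf</filename>, so the same secret now lives in two files.
The shell functions below are an added example, not part of the BLFS book
or of BIND: they pull the key name and secret out of both files and check
that the two still agree (after a later <command>rndc-confgen</command> run,
for instance) and that <filename>/etc/rndc.conf</filename> grants no
permission to other local users. File paths are passed as arguments; the
<command>stat -c</command> call assumes GNU coreutils as on an LFS
host.</para>

```shell
#!/bin/sh
# Added example (not BLFS or ISC code): verify that the rndc key in
# /etc/rndc.conf still matches the copy sed placed in the jail's named.conf,
# and that the secret is not readable by "other".

# Print the base64 secret from the first  secret "...";  statement in a file.
rndc_secret() {
    sed -n 's/^[[:space:]]*secret[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Print the key name from the first  key "name" {  statement in a file.
rndc_keyname() {
    sed -n 's/^[[:space:]]*key[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Return 0 when both files carry the same key name and the same non-empty
# secret, 1 otherwise. $1 is rndc.conf, $2 is the named.conf to compare.
rndc_keys_match() {
    rndc_conf=$1
    named_conf=$2
    [ "$(rndc_keyname "$rndc_conf")" = "$(rndc_keyname "$named_conf")" ] || return 1
    s1=$(rndc_secret "$rndc_conf")
    s2=$(rndc_secret "$named_conf")
    [ -n "$s1" ] || return 1
    [ "$s1" = "$s2" ]
}

# Return 0 when the file's mode grants nothing to "other" (0640, 0600, ...),
# 1 when it does (0644 and the like). Uses GNU stat's -c option.
not_world_readable() {
    mode=$(stat -c '%a' "$1")
    other=$(printf '%s' "$mode" | tail -c 1)
    [ "$other" = 0 ]
}
```

<para>Run it as <command>rndc_keys_match /etc/rndc.conf
/srv/named/etc/named.conf</command>; a non-zero exit means
<command>rndc</command> cannot authenticate to <command>named</command>
until the two files are brought back in sync, and <command>not_world_readable
/etc/rndc.conf</command> failing means the control secret is exposed to every
local account.</para>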
<para>Complete the <filename>named.conf</filename> file from which
<command>named</command> will read the location of zone files, root
name servers and secure DNS keys:</para>
<screen role="root"><?dbfo keep-together="auto"?><userinput>cat &gt;&gt; /srv/named/etc/named.conf &lt;&lt; "EOF"
<literal>options {
directory "/etc/namedb";
pid-file "/var/run/named.pid";
statistics-file "/var/run/named.stats";
};
zone "." {
type hint;
file "root.hints";
};
zone "0.0.127.in-addr.arpa" {
type master;
file "pz/127.0.0";
};
// Bind 9 now logs by default through syslog (except debug).
// These are the default logging rules.
logging {
category default { default_syslog; default_debug; };
category unmatched { null; };
channel default_syslog {
syslog daemon; // send to syslog's daemon
// facility
severity info; // only send priority info
// and higher
};
channel default_debug {
file "named.run"; // write to named.run in
// the working directory
// Note: stderr is used instead
// of "named.run"
// if the server is started
// with the '-f' option.
severity dynamic; // log at the server's
// current debug level
};
channel default_stderr {
stderr; // writes to stderr
severity info; // only send priority info
// and higher
};
channel null {
null; // toss anything sent to
// this channel
};
};</literal>
EOF</userinput></screen>
<para>Create a zone file with the following contents:</para>
<screen role="root"><userinput>cat &gt; /srv/named/etc/namedb/pz/127.0.0 &lt;&lt; "EOF"
<literal>$TTL 3D
@ IN SOA ns.local.domain. hostmaster.local.domain. (
1 ; Serial
8H ; Refresh
2H ; Retry
4W ; Expire
1D) ; Minimum TTL
NS ns.local.domain.
1 PTR localhost.</literal>
EOF</userinput></screen>
<para>Create the <filename>root.hints</filename> file with the following
commands:</para>
<note>
<para>Caution must be used to ensure there are no leading spaces in
this file.</para>
</note>
<screen role="root"><userinput>cat &gt; /srv/named/etc/namedb/root.hints &lt;&lt; "EOF"
<literal>. 6D IN NS A.ROOT-SERVERS.NET.
. 6D IN NS B.ROOT-SERVERS.NET.
. 6D IN NS C.ROOT-SERVERS.NET.
. 6D IN NS D.ROOT-SERVERS.NET.
. 6D IN NS E.ROOT-SERVERS.NET.
. 6D IN NS F.ROOT-SERVERS.NET.
. 6D IN NS G.ROOT-SERVERS.NET.
. 6D IN NS H.ROOT-SERVERS.NET.
. 6D IN NS I.ROOT-SERVERS.NET.
. 6D IN NS J.ROOT-SERVERS.NET.
. 6D IN NS K.ROOT-SERVERS.NET.
. 6D IN NS L.ROOT-SERVERS.NET.
. 6D IN NS M.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET. 6D IN A 198.41.0.4
B.ROOT-SERVERS.NET. 6D IN A 192.228.79.201
C.ROOT-SERVERS.NET. 6D IN A 192.33.4.12
D.ROOT-SERVERS.NET. 6D IN A 199.7.91.13
E.ROOT-SERVERS.NET. 6D IN A 192.203.230.10
F.ROOT-SERVERS.NET. 6D IN A 192.5.5.241
G.ROOT-SERVERS.NET. 6D IN A 192.112.36.4
H.ROOT-SERVERS.NET. 6D IN A 128.63.2.53
I.ROOT-SERVERS.NET. 6D IN A 192.36.148.17
J.ROOT-SERVERS.NET. 6D IN A 192.58.128.30
K.ROOT-SERVERS.NET. 6D IN A 193.0.14.129
L.ROOT-SERVERS.NET. 6D IN A 199.7.83.42
M.ROOT-SERVERS.NET. 6D IN A 202.12.27.33</literal>
EOF</userinput></screen>
<para>The <filename>root.hints</filename> file is a list of root
name servers. This file must be updated periodically with the
<command>dig</command> utility. A current copy of root.hints can be
obtained from <ulink url="ftp://rs.internic.net/domain/named.root" />.
Consult the <ulink url="http://www.bind9.net/Bv9ARM.html">BIND 9
Administrator Reference Manual</ulink> for details.</para>
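<para>Because the hints file only has to get <command>named</command> as far
as one working root server, a stale copy fails quietly. The following shell
functions are an added example, not part of the BLFS book or of BIND: they
normalise two hints files to comparable records and report which entries
have gone stale, so the periodic update the text asks for can be checked
rather than assumed. <command>fetch_root_hints</command> needs network access
and this package's <command>dig</command>; the comparison itself runs offline
on any two files.</para>

```shell
#!/bin/sh
# Added example (not BLFS or ISC code): compare the jail's root.hints with a
# fresh copy and list records that differ.

# Fetch current root hints from one root server: the NS answer plus the
# glue addresses, without dig's headers. Writes a hints-style fragment.
fetch_root_hints() {
    dig +norec +noall +answer +additional NS . @a.root-servers.net
}

# Normalise a hints file to sorted "NAME TYPE RDATA" lines: comments and
# TTLs are dropped (the page uses 6D, dig prints seconds), names are
# upper-cased, and only NS, A and AAAA records are kept.
hints_records() {
    sed 's/;.*//' "$1" |
    awk 'NF > 4 { if ($3 == "IN") if ($4 == "NS" || $4 == "A" || $4 == "AAAA") print toupper($1), $4, toupper($5) }' |
    sort -u
}

# Print records found only in the old file ($1) as "stale:" and records found
# only in the new file ($2) as "missing:". Returns 0 when the two agree.
hints_drift() {
    old=$(mktemp)
    new=$(mktemp)
    hints_records "$1" > "$old"
    hints_records "$2" > "$new"
    comm -23 "$old" "$new" | sed 's/^/stale: /'
    comm -13 "$old" "$new" | sed 's/^/missing: /'
    changed=$(comm -3 "$old" "$new" | wc -l | tr -d ' ')
    rm -f "$old" "$new"
    [ "$changed" -eq 0 ]
}
```

<para>A typical check is <command>fetch_root_hints &gt; /tmp/root.hints.new;
hints_drift /srv/named/etc/namedb/root.hints /tmp/root.hints.new</command>;
a non-zero exit lists exactly which addresses in the jail's copy no longer
match what the root servers publish.</para>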
<para>Create or modify <filename>resolv.conf</filename> to use the new
name server with the following commands:</para>
<note>
<para>Replace <replaceable>&lt;yourdomain.com&gt;</replaceable> with
your own valid domain name.</para>
</note>
<screen role="root"><userinput>cp /etc/resolv.conf /etc/resolv.conf.bak &amp;&amp;
cat &gt; /etc/resolv.conf &lt;&lt; "EOF"
<literal>search <replaceable>&lt;yourdomain.com&gt;</replaceable>
nameserver 127.0.0.1</literal>
EOF</userinput></screen>
<para>Set permissions on the <command>chroot</command> jail with the
following command:</para>
<screen role="root"><userinput>chown -R named:named /srv/named</userinput></screen>
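<para>The jail is only as strong as its layout: a missing
<filename>dev/urandom</filename> node, a file left owned by
<systemitem class="username">root</systemitem>, or a setuid binary copied in
by mistake undoes part of the isolation. The function below is an added
example, not part of the BLFS book or of BIND: it audits a jail built as
described above (directories, device nodes with the major and minor numbers
from the <command>mknod</command> commands, ownership after the
<command>chown -R</command>, and setuid/setgid files) and prints one finding
per line. The jail root and owning user are arguments; the
<command>stat -c</command> call assumes GNU coreutils.</para>

```shell
#!/bin/sh
# Added example (not BLFS or ISC code): audit a named chroot jail laid out as
# the page describes. $1 is the jail root (the page uses /srv/named), $2 the
# owning user (the page uses "named"). Returns 1 if any finding is printed.

# Device nodes the page creates with mknod, as path:major:minor.
jail_required_devices="dev/null:1:3 dev/urandom:1:9"
jail_required_dirs="dev etc/namedb/slave etc/namedb/pz usr/lib/engines var/run/named"
jail_required_files="etc/named.conf etc/namedb/root.hints etc/namedb/pz/127.0.0 etc/localtime managed-keys.bind"

audit_named_jail() {
    jail=$1
    owner=${2:-named}
    rc=0
    if [ ! -d "$jail" ]; then
        echo "jail root $jail does not exist"
        return 1
    fi
    for d in $jail_required_dirs; do
        [ -d "$jail/$d" ] || { echo "missing directory: $d"; rc=1; }
    done
    for f in $jail_required_files; do
        [ -f "$jail/$f" ] || { echo "missing file: $f"; rc=1; }
    done
    for spec in $jail_required_devices; do
        node=${spec%%:*}
        rest=${spec#*:}
        major=${rest%%:*}
        minor=${rest#*:}
        if [ ! -c "$jail/$node" ]; then
            echo "missing character device: $node"; rc=1
        else
            # GNU stat prints the major/minor numbers in hex with %t/%T
            actual=$(stat -c '%t:%T' "$jail/$node")
            expected=$(printf '%x:%x' "$major" "$minor")
            [ "$actual" = "$expected" ] || { echo "wrong device numbers: $node ($actual)"; rc=1; }
        fi
    done
    # Everything inside should belong to the unprivileged owner (chown -R named:named).
    foreign=$(find "$jail" ! -user "$owner" | head -n 5)
    [ -z "$foreign" ] || { echo "not owned by $owner:"; echo "$foreign"; rc=1; }
    # Nothing setuid or setgid belongs in a DNS jail.
    suid=$(find "$jail" -type f \( -perm -4000 -o -perm -2000 \) | head -n 5)
    [ -z "$suid" ] || { echo "setuid/setgid files:"; echo "$suid"; rc=1; }
    return $rc
}
```

<para>Run <command>audit_named_jail /srv/named named</command> as
<systemitem class="username">root</systemitem> after the
<command>chown</command> above and again after any later change to the jail;
silence and a zero exit mean the layout still matches the one built in this
section.</para>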
</sect3>
<sect3 id="bind-init">
<title>Boot Script</title>
<para>To start the DNS server at boot, install the
<filename>/etc/rc.d/init.d/bind</filename> init script included
in the <xref linkend="bootscripts"/> package.</para>
<indexterm zone="bind bind-init">
<primary sortas="f-bind">bind</primary>
</indexterm>
<screen role="root"><userinput>make install-bind</userinput></screen>
<para>Now start <application>BIND</application> with
the new boot script:</para>
<screen role="root"><userinput>/etc/rc.d/init.d/bind start</userinput></screen>
</sect3>
<sect3>
<title>Testing BIND</title>
<para>Test out the new <application>BIND</application> 9 installation.
First query the local host address with <command>dig</command>:</para>
<screen><userinput>dig -x 127.0.0.1</userinput></screen>
<para>Now try an external name lookup, taking note of the speed
difference in repeated lookups due to the caching. Run the
<command>dig</command> command twice on the same address:</para>
<screen><userinput>dig www.&lfs-domainname; &amp;&amp;
dig www.&lfs-domainname;</userinput></screen>
<para>You can see almost instantaneous results with the named caching
lookups. Consult the <application>BIND</application> Administrator
Reference Manual located at <filename>doc/arm/Bv9ARM.html</filename>
in the package source tree, for further configuration options.</para>
</sect3>
</sect2>
<sect2 role="content">
<title>Contents</title>
<segmentedlist>
<segtitle>Installed Programs</segtitle>
<segtitle>Installed Libraries</segtitle>
<segtitle>Installed Directories</segtitle>
<seglistitem>
<seg>arpaname, bind9-config hardlinked to isc-config.sh, ddns-confgen,
delv, dig, dnssec-checkds, dnssec-coverage, dnssec-dsfromkey,
dnssec-importkey, dnssec-keyfromlabel, dnssec-keygen, dnssec-revoke,
dnssec-settime, dnssec-signzone, dnssec-verify, genrandom, host,
isc-hmac-fixup, lwresd hardlinked to named, named-checkconf,
named-checkzone, named-compilezone (symlink), named-journalprint,
named-rrchecker, nsec3hash, nslookup, nsupdate, rndc, rndc-confgen,
and tsig-keygen (symlink)</seg>
<seg>libbind9.so, libdns.so, libirs.so, libisc.so, libisccc.so,
libisccfg.so, and liblwres.so</seg>
<seg>/usr/include/{bind9,dns,dst,irs,isc,isccc,isccfg,lwres,pk11,pkcs11},
/usr/share/doc/bind-&bind-version; and /srv/named</seg>
</seglistitem>
</segmentedlist>
<variablelist>
<bridgehead renderas="sect3">Short Descriptions</bridgehead>
<?dbfo list-presentation="list"?>
<?dbhtml list-presentation="table"?>
<varlistentry id="dig">
<term><command>dig</command></term>
<listitem>
<para>interrogates DNS servers.</para>
<indexterm zone="bind dig">
<primary sortas="b-dig">dig</primary>
</indexterm>
</listitem>
</varlistentry>
<varlistentry id="dnssec-keygen">
<term><command>dnssec-keygen</command></term>
<listitem>
<para>is a key generator for secure DNS.</para>
<indexterm zone="bind dnssec-keygen">
<primary sortas="b-dnssec-keygen">dnssec-keygen</primary>
</indexterm>
</listitem>
</varlistentry>
<varlistentry id="dnssec-signzone">
<term><command>dnssec-signzone</command></term>
<listitem>
<para>generates signed versions of zone files.</para>
<indexterm zone="bind dnssec-signzone">
<primary sortas="b-dnssec-signzone">dnssec-signzone</primary>
</indexterm>
</listitem>
</varlistentry>
<varlistentry id="host">
<term><command>host</command></term>
<listitem>
<para>is a utility for DNS lookups.</para>
<indexterm zone="bind host">
<primary sortas="b-host">host</primary>
</indexterm>
</listitem>
</varlistentry>
<varlistentry id="lwresd">
<term><command>lwresd</command></term>
<listitem>
<para>is a caching-only name server for local process use.</para>
<indexterm zone="bind lwresd">
<primary sortas="b-lwresd">lwresd</primary>
</indexterm>
</listitem>
</varlistentry>
<varlistentry id="named">
<term><command>named</command></term>
<listitem>
<para>is the name server daemon.</para>
<indexterm zone="bind named">
<primary sortas="b-named">named</primary>
</indexterm>
</listitem>
</varlistentry>
<varlistentry id="named-checkconf">
<term><command>named-checkconf</command></term>
<listitem>
<para>checks the syntax of <filename>named.conf</filename>
files.</para>
<indexterm zone="bind named-checkconf">
<primary sortas="b-named-checkconf">named-checkconf</primary>
</indexterm>
</listitem>
</varlistentry>
<varlistentry id="named-checkzone">
<term><command>named-checkzone</command></term>
<listitem>
<para>checks zone file validity.</para>
<indexterm zone="bind named-checkzone">
<primary sortas="b-named-checkzone">named-checkzone</primary>
</indexterm>
</listitem>
</varlistentry>
<varlistentry id="nslookup">
<term><command>nslookup</command></term>
<listitem>
<para>is a program used to query Internet domain nameservers.</para>
<indexterm zone="bind nslookup">
<primary sortas="b-nslookup">nslookup</primary>
</indexterm>
</listitem>
</varlistentry>
<varlistentry id="nsupdate">
<term><command>nsupdate</command></term>
<listitem>
<para>is used to submit DNS update requests.</para>
<indexterm zone="bind nsupdate">
<primary sortas="b-nsupdate">nsupdate</primary>
</indexterm>
</listitem>
</varlistentry>
<varlistentry id="rndc">
<term><command>rndc</command></term>
<listitem>
<para>controls the operation of <application>BIND</application>.</para>
<indexterm zone="bind rndc">
<primary sortas="b-rndc">rndc</primary>
</indexterm>
</listitem>
</varlistentry>
<varlistentry id="rndc-confgen">
<term><command>rndc-confgen</command></term>
<listitem>
<para>generates <filename>rndc.conf</filename> files.</para>
<indexterm zone="bind rndc-confgen">
<primary sortas="b-rndc-confgen">rndc-confgen</primary>
</indexterm>
</listitem>
</varlistentry>
</variablelist>
</sect2>
</sect1>