From 16473a92c824f9ba7978eba82647a253b4568d46 Mon Sep 17 00:00:00 2001 From: Randy McMurchy Date: Fri, 10 Dec 2004 03:33:21 +0000 Subject: [PATCH] Updated BIND server instructions git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@3095 af4574ff-66df-0310-9fd7-8a98e5e911e0 --- introduction/welcome/changelog.xml | 6 +- server/other/bind.xml | 278 ++++++++++++++++++----------- 2 files changed, 178 insertions(+), 106 deletions(-) diff --git a/introduction/welcome/changelog.xml b/introduction/welcome/changelog.xml index 7fd43a63f2..a60b44ced5 100644 --- a/introduction/welcome/changelog.xml +++ b/introduction/welcome/changelog.xml @@ -24,8 +24,10 @@ who wrote what. December 9th, 2004 [randy]: Added a chown command to the GStreamer instructions to fix incorrect permissions on installed -documentation; added Net::DNS Perl Module (and dependency -modules). +documentation; added Net::DNS Perl Module (and dependency modules); modified +BIND server instructions to build shared libraries and multi-threaded +binaries, install additional documentation, removed BDB dependency and +instructions to run the full test suite. December 8th, 2004 [igor]: Changed ProFTPD login shell to /usr/lib/proftpd/proftpdshell as suggested by Nathan diff --git a/server/other/bind.xml b/server/other/bind.xml index 0a3ec90f4d..18e8146edc 100644 --- a/server/other/bind.xml +++ b/server/other/bind.xml @@ -7,9 +7,8 @@ - - - + + ]> 
@@ -21,42 +20,112 @@ <acronym>BIND</acronym>-&bind-version; -Introduction to <application><acronym>BIND</acronym></application> +Introduction to +<application><acronym>BIND</acronym></application> The BIND package provides a DNS server and client utilities. If you -are only interested in the utilities, refer to the . +are only interested in the utilities, refer to the +. Package information -Download (HTTP): -Download (FTP): -Download size: &bind-size; -Estimated Disk space required: &bind-buildsize; -Estimated build time: &bind-time; +Download (HTTP): + +Download (FTP): + +Download size: +&bind-size; +Estimated disk space required: +&bind-buildsize; +Estimated build time: +&bind-time; -<application><acronym>BIND</acronym></application> dependencies +<application><acronym>BIND</acronym></application> +dependencies Optional - -, -, - and - - + + + +Optional (to run the full test suite) + (for ifconfig) and +: Net-DNS + + +Optional (to [re]build documentation) +, +, + + -Installation of <application><acronym>BIND</acronym></application> +Installation of +<application><acronym>BIND</acronym></application> Install BIND by running the following commands: -./configure --prefix=/usr --sysconfdir=/etc && +sed -i -e "s/dsssl-stylesheets/&-1.78/g" configure && +./configure --prefix=/usr --sysconfdir=/etc \ + --enable-threads --with-libtool && make && -make install +make install && +chmod 755 \ + /usr/lib/{lib{bind9,isc{,cc,cfg},lwres}.so.?.?.?,libdns.so.20.0.0} && +mv /usr/share/man/man8/named.conf.5 /usr/share/man/man5 && +cd doc && +install -d -m755 /usr/share/doc/bind-9.3.0/{arm,draft,misc,rfc} && +install -m644 arm/*.html \ + /usr/share/doc/bind-9.3.0/arm && +install -m644 draft/*.txt \ + /usr/share/doc/bind-9.3.0/draft && +install -m644 rfc/* \ + /usr/share/doc/bind-9.3.0/rfc && +install -m644 misc/{dnssec,ipv6,migrat*,options,rfc-compliance,roadmap,sdb} \ + /usr/share/doc/bind-9.3.0/misc + +In order to run the complete test suite before installing the +package, you 
need to set up some dummy interfaces (requires +ifconfig). Issue the following commands to run the +complete suite of tests: + +bin/tests/system/ifconfig.sh up && +make check >check.log 2>&1 && +bin/tests/system/ifconfig.sh down + +If desired, issue the following command to ensure all 145 tests ran +successfully: + +grep "R:PASS" check.log | wc -l + + + + +Command explanations + +sed -i -e ... configure: This command forces +configure to look for the DSSSL +stylesheets in the standard BLFS location. + +--sysconfdir=/etc: This parameter forces +BIND to look for configuration +files in /etc instead of +/usr/etc. + +--enable-threads: This parameter enables +multi-threading capability. + +--with-libtool: This parameter forces the +building of dynamic libraries and links the installed binaries to these +libraries. + +cd doc; install ...: These commands install the +additional package documentation. Optionally, omit any or all of these +commands. @@ -65,23 +134,24 @@ make install BIND Config files -named.conf, root.hints, +named.conf, root.hints, 127.0.0, rndc.conf Configuration Information -BIND will configured -to run in a chroot jail as an unprivileged user (named). This configuration -is more secure in that a DNS compromise can only affect -a few files in the named user's HOME directory. +BIND will be configured +to run in a chroot jail as an unprivileged user (named). +This configuration is more secure in that a DNS compromise +can only affect a few files in the named user's HOME +directory. Create the unprivileged user and group named: groupadd named && -useradd -m -g named -s /bin/false named +useradd -m -c "BIND Owner" -g named -s /bin/false named -Set up some files, directories and devices needed by +Set up some files, directories and devices needed by BIND: cd /home/named && 
@@ -98,8 +168,8 @@ and rdnc.conf files using the rndc-confgen -b 512 | grep -m 1 "secret" | cut -d '"' -f 2 -Create the named.conf file from which named -will read the location of zone files, root name servers and secure +Create the named.conf file from which named +will read the location of zone files, root name servers and secure DNS keys: cat > /home/named/etc/named.conf << "EOF" @@ -166,8 +236,9 @@ logging { EOF -Create the rndc.conf with the following commands: - +Create the rndc.conf file with the following +commands: + cat > /etc/rndc.conf << "EOF" key rndc_key { algorithm "hmac-md5"; @@ -179,9 +250,9 @@ options { default-key rndc_key; }; EOF - -The rndc.conf file contains information for -controlling named operations with the rndc + +The rndc.conf file contains information for +controlling named operations with the rndc utility. Create a zone file with the following contents: @@ -201,7 +272,7 @@ $TTL 3D Create the root.hints file with the following commands: -Caution must be used to ensure no leading spaces in this +Caution must be used to ensure there are no leading spaces in this file. cat > /home/named/etc/namedb/root.hints << "EOF" 
@@ -233,18 +304,19 @@ L.ROOT-SERVERS.NET. 6D IN A 198.32.64.12 M.ROOT-SERVERS.NET. 6D IN A 202.12.27.33 EOF -The root.hints file is a list of root name -servers. This file must be updated periodically with the -dig utility. A current copy of root.hints can be -obtained from . -Consult the BIND 9 Administrator Reference Manual for -details. +The root.hints file is a list of root name servers. +This file must be updated periodically with the dig +utility. A current copy of root.hints can be obtained from +. Consult the + +BIND 9 Administrator Reference Manual +for details. -Create or modify resolv.conf to use the new +Create or modify resolv.conf to use the new name server with the following commands: -Replace yourdomain.com with your own valid domain -name. +Replace [yourdomain.com] with your own +valid domain name. cp /etc/resolv.conf /etc/resolv.conf.bak && cat > /etc/resolv.conf << "EOF" @@ -252,14 +324,15 @@ search [yourdomain.com] nameserver 127.0.0.1 EOF -Set permissions on the chroot jail with the following -command: +Set permissions on the chroot jail with the +following command: chown -R named.named /home/named -To start the DNS server at boot, install the /etc/rc.d/init.d/bind -init script included in the package. - +To start the DNS server at boot, install the +/etc/rc.d/init.d/bind init script included in the + package. + make install-bind Now start BIND with 
@@ -278,16 +351,17 @@ query the local host address with dig: dig -x 127.0.0.1 Now try an external name lookup, taking note of the speed -difference in repeated lookups due to the caching. Run the dig command -twice on the same address: +difference in repeated lookups due to the caching. Run the +dig command twice on the same address: -dig www.linuxfromscratch.org && +dig www.linuxfromscratch.org && dig www.linuxfromscratch.org -You can see almost instantaneous results with the named caching lookups. -Consult bind-&bind-version;/doc/arm/Bv9ARM.html, -the BIND Administrator -Reference Manual for further configuration options. +You can see almost instantaneous results with the named caching lookups. +Consult the BIND Administrator +Reference Manual located at +doc/arm/Bv9ARM.html in the package source tree, for +further configuration options. @@ -295,22 +369,26 @@ Reference Manual for further configuration options. Contents -The BIND package contains -dig, -host, -isc-config.sh, -nslookup, -rndc, -rndc-confgen, -named-checkconf, -named-checkzone, -lwresd, -named, -dnssec-signzone, -dnssec-signkey, -dnssec-keygen, -dnssec-makekeyset and -nsupdate. +The BIND package contains +dig, +dnssec-keygen, +dnssec-signzone, +host, +isc-config.sh, +lwresd, +named, +named-checkconf, +named-checkzone, +nslookup, +nsupdate, +rndc, +rndc-confgen, +libbind9, +libdns, +libisc, +libisccc, +libisccfg and +liblwres. Description 
@@ -319,21 +397,24 @@ Reference Manual for further configuration options. dig interrogates DNS servers. +dnssec-keygen +dnssec-keygen is a key generator for secure +DNS. + +dnssec-signzone +dnssec-signzone generates signed versions of +zone files. + host host is a utility for DNS lookups. -nslookup -nslookup is a program used to query Internet -domain nameservers. +lwresd +lwresd is a caching-only name server for local +process use. -rndc -rndc controls the operation of -BIND. - -rndc-confgen -rndc-confgen generates -rndc.conf files. +named +named is the name server daemon. named-checkconf named-checkconf checks the syntax of @@ -343,33 +424,22 @@ domain nameservers. named-checkzone checks zone file validity. -lwresd -lwresd is a caching-only name server for local -process use. - -named -named is the name server daemon. - -dnssec-signzone -dnssec-signzone generates signed versions of -zone files. - -dnssec-signkey -dnssec-signkey signs zone file key -sets. - -dnssec-keygen -dnssec-keygen is a key generator for secure -DNS. - -dnssec-makekeyset -dnssec-makekeyset generates a key set from one -or more keys created by dnssec-keygen. +nslookup +nslookup is a program used to query Internet +domain nameservers. nsupdate nsupdate is used to submit DNS update requests. +rndc +rndc controls the operation of +BIND. + +rndc-confgen +rndc-confgen generates +rndc.conf files. +
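Review bot: the new changelog sentence in the first hunk is ambiguous about the test suite: "removed BDB dependency and instructions to run the full test suite" reads as if the test-suite instructions were removed, while the bind.xml hunks actually add them. Suggest splitting the two clauses, e.g. "removed the BDB dependency; added instructions to run the full test suite."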
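Review bot: the installation hunk hard-codes the package version in the documentation paths (`/usr/share/doc/bind-9.3.0/{arm,draft,misc,rfc}` and the four `install -m644 ... /usr/share/doc/bind-9.3.0/...` lines) and in `libdns.so.20.0.0`, while the rest of the page uses the `&bind-version;` entity. Suggest `/usr/share/doc/bind-&bind-version;` so the next version bump does not silently install docs under a stale directory, and a glob such as `lib{bind9,dns,isc,isccc,isccfg,lwres}.so.*` in the `chmod 755` line so the two-digit libdns soversion does not need its own literal. The `sed -i -e "s/dsssl-stylesheets/&-1.78/g" configure` line likewise pins the stylesheet version; if an entity exists for it, use that, otherwise the "Command explanations" entry should say the 1.78 suffix has to match the installed DSSSL stylesheets.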
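Review bot: the test-suite hunk has two problems. First, in `bin/tests/system/ifconfig.sh up && make check >check.log 2>&1 && bin/tests/system/ifconfig.sh down` a failing `make check` stops the `&&` chain, so the dummy interfaces are never torn down; run the `down` step unconditionally (separate it with `;` or a newline rather than `&&`). Second, the paragraph says to run the suite "before installing the package", but the block is placed after the `make install` command sequence; state explicitly that it goes between `make` and `make install`, and note that `ifconfig.sh up` needs root privileges to create the interfaces.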
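Review bot: the "Set permissions on the chroot jail" hunk keeps `chown -R named.named /home/named`, which makes every file in the jail, including `named.conf`, `rndc.conf` and the zone files, writable by the `named` user; this undercuts the earlier claim that a compromise "can only affect a few files", since the compromised process could rewrite its own configuration and zone data. Suggest leaving configuration and zone files owned by root and readable by `named`, and chowning only the directories `named` must write to (its pid/run directory and any secondary-zone directory), so the rewritten text matches what the command actually enforces.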
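Review bot: the Contents hunk adds `libbind9`, `libdns`, `libisc`, `libisccc`, `libisccfg` and `liblwres`, but the Description hunks that follow add entries only for the programs; every other BLFS page gives each listed library a one-line description, so these six need matching `<varlistentry>`-style entries (or should be dropped from Contents if they are not meant to be documented). The `mv /usr/share/man/man8/named.conf.5 /usr/share/man/man5` line in the install hunk also deserves a sentence in "Command explanations", since it is not obvious why a man page is being moved between sections.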