Ticket #143: bind.patch

File bind.patch, 14.0 KB (added by billy@…, 19 years ago)

Adds BIND 9

  • bind/bind-config-exp.xml

    diff --exclude=CVS -Naur ./bind/bind-config-exp.xml /home/billy/NEWBLFS/BOOK/server/other/bind/bind-config-exp.xml
    old new  
     1<sect2>
     2<title>Configuration command explanations</title>
     3<para><userinput>
     4groupadd -g 200 named &amp;&amp;
     5useradd -m -g named -u 200 -s /bin/false named &amp;&amp;
     6cd /home/named &amp;&amp;
     7mkdir -p dev etc/namedb/slave var/run &amp;&amp;
     8mknod /home/named/dev/null c 1 3 &amp;&amp;
     9mknod /home/named/dev/random c 1 8 &amp;&amp;
     10chmod 666 /home/named/dev/{null,random} &amp;&amp;
     11mkdir /home/named/etc/namedb/pz &amp;&amp;
     12cp /etc/localtime /home/named/etc : </userinput>
     13
     14Create the unprivileged user and group named, along with device files
     15that named will need access to inside the chroot jail.</para>
     16
     17<para><userinput>
     18cat &gt; /home/named/etc/named.conf &lt;&lt; "EOF" : </userinput>
     19Create the BIND configuration file, from which named will read the
     20location of zone files, root nameservers and secure DNS keys.</para>
     21<para><userinput>
     22cat &gt; /home/named/etc/namedb/pz/127.0.0 &lt;&lt; "EOF" : </userinput>
     23Create a single zone file.</para>
     24<para><userinput>
     25cat > /home/named/etc/namedb/root.hints << "EOF" : </userinput>
     26The root.hints file is a list of root nameservers.  This file must be
     27updated periodically with the dig utility.  Consult the BIND 9
     28Administrator Reference Manual for details.</para>
     29<para><userinput>
     30cat > /etc/rndc.conf << "EOF" : </userinput>
     31The rncd.conf file contains information for controlling named
     32operations with the rndc utility.</para>
     33
     34<para><userinput>
     35cat > /etc/resolv.conf << "EOF" : </userinput>
     36The resolv.conf file will specify the local host(127.0.0.1) as the
     37nameserver.</para>
     38
     39<para><userinput>
     40cat > /etc/rc.d/init.d/bind << "EOF" : </userinput>
     41Create the boot script for BIND 9, used to start and stop the name
     42server daemon, named.</para>
     43
     44
     45
     46</sect2>
     47
  • bind/bind-config.xml

    diff --exclude=CVS -Naur ./bind/bind-config.xml /home/billy/NEWBLFS/BOOK/server/other/bind/bind-config.xml
    old new  
     1<sect2>
     2<title>Configuring BIND</title>
     3<para>We will configure BIND to run in a chroot jail as an unprivileged
     4user(named).  This configuration is more secure in that a DNS
     5compromise can only affect a few files in the named user's $HOME
     6directory </para>
     7
     8<para>First we set up some files and directories needed by
     9BIND:</para>
     10<para><screen><userinput>
     11groupadd -g 200 named &amp;&amp;
     12useradd -m -g named -u 200 -s /bin/false named &amp;&amp;
     13cd /home/named &amp;&amp;
     14mkdir -p dev etc/namedb/slave var/run &amp;&amp;
     15mknod /home/named/dev/null c 1 3 &amp;&amp;
     16mknod /home/named/dev/random c 1 8 &amp;&amp;
     17chmod 666 /home/named/dev/{null,random} &amp;&amp;
     18mkdir /home/named/etc/namedb/pz &amp;&amp;
     19cp /etc/localtime /home/named/etc
     20</userinput></screen></para>
     21
     22<sect3><title>Config files</title>
     23<para><userinput>named.conf, root.hints, 127.0.0, rndc.conf
     24</userinput></para>
     25
     26<para>Create the named.conf file with the following commands:</para>
     27<para><screen><userinput>
     28cat > /home/named/etc/named.conf << "EOF"
     29 options {
     30     directory "/etc/namedb";
     31    pid-file "/var/run/named.pid";
     32    statistics-file "/var/run/named.stats";
     33       
     34 };
     35 controls {
     36     inet 127.0.0.1 allow { localhost; } keys { rndc_key; };
     37 };
     38 key "rndc_key" {
     39     algorithm hmac-md5;
     40     secret "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K";
     41 };
     42 zone "." {
     43     type hint;
     44     file "root.hints";
     45 };
     46 zone "0.0.127.in-addr.arpa" {
     47     type master;
     48     file "pz/127.0.0";
     49 };
     50EOF
     51</userinput></screen></para>
     52<para>Create a zone file with the following contents: </para>
     53<para><screen><userinput>
     54cat &gt; /home/named/etc/namedb/pz/127.0.0 &lt;&lt "EOF"
     55$TTL 3D
     56@      IN      SOA     ns.local.domain. hostmaster.local.domain. (
     57                        1       ; Serial
     58                        8H      ; Refresh
     59                        2H      ; Retry
     60                        4W      ; Expire
     61                        1D)     ; Minimum TTL
     62                NS      ns.local.domain.
     631               PTR     localhost.
     64EOF
     65</userinput></screen></para>
     66
     67<para>Create the root.hints file with the following commands: </para>
     68<note><para>Caution must be used to insure no leading spaces in this
     69file.</para></note>
     70<para><screen><userinput>
     71cat > /home/named/etc/namedb/root.hints << "EOF"
     72.                       6D  IN      NS      A.ROOT-SERVERS.NET.
     73.                       6D  IN      NS      B.ROOT-SERVERS.NET.
     74.                       6D  IN      NS      C.ROOT-SERVERS.NET.
     75.                       6D  IN      NS      D.ROOT-SERVERS.NET.
     76.                       6D  IN      NS      E.ROOT-SERVERS.NET.
     77.                       6D  IN      NS      F.ROOT-SERVERS.NET.
     78.                       6D  IN      NS      G.ROOT-SERVERS.NET.
     79.                       6D  IN      NS      H.ROOT-SERVERS.NET.
     80.                       6D  IN      NS      I.ROOT-SERVERS.NET.
     81.                       6D  IN      NS      J.ROOT-SERVERS.NET.
     82.                       6D  IN      NS      K.ROOT-SERVERS.NET.
     83.                       6D  IN      NS      L.ROOT-SERVERS.NET.
     84.                       6D  IN      NS      M.ROOT-SERVERS.NET.
     85A.ROOT-SERVERS.NET.     6D  IN      A       198.41.0.4
     86B.ROOT-SERVERS.NET.     6D  IN      A       128.9.0.107
     87C.ROOT-SERVERS.NET.     6D  IN      A       192.33.4.12
     88D.ROOT-SERVERS.NET.     6D  IN      A       128.8.10.90
     89E.ROOT-SERVERS.NET.     6D  IN      A       192.203.230.10
     90F.ROOT-SERVERS.NET.     6D  IN      A       192.5.5.241
     91G.ROOT-SERVERS.NET.     6D  IN      A       192.112.36.4
     92H.ROOT-SERVERS.NET.     6D  IN      A       128.63.2.53
     93I.ROOT-SERVERS.NET.     6D  IN      A       192.36.148.17
     94J.ROOT-SERVERS.NET.     6D  IN      A       198.41.0.10
     95K.ROOT-SERVERS.NET.     6D  IN      A       193.0.14.129
     96L.ROOT-SERVERS.NET.     6D  IN      A       198.32.64.12
     97M.ROOT-SERVERS.NET.     6D  IN      A       202.12.27.33
     98EOF
     99</userinput></screen></para>
     100
     101<para>Create the rndc.conf with the following commands:</para>
     102<para><screen><userinput>
     103cat > /etc/rndc.conf << "EOF"
     104key rndc_key {
     105algorithm "hmac-md5";
     106    secret
     107    "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K";
     108    };
     109options {
     110    default-server localhost;
     111    default-key    rndc_key;
     112};
     113EOF
     114</userinput></screen></para>
     115
     116<para>Create or modify resolv.conf to use the new nameserver with the
     117following commands: </para>
     118<note><para>Replace yourdomain.com with your own valid domain
     119name.</para></note>
     120
     121<para><screen><userinput>
     122cp /etc/resolv.conf /etc/resolv.conf.bak
     123cat > /etc/resolv.conf << "EOF"
     124search yourdomain.com
     125nameserver 127.0.0.1
     126EOF
     127</userinput></screen></para>
     128
     129<para>Set permissions on the chroot jail with the following
     130command:</para>
     131<para><screen><userinput>
     132chown -R named.named /home/named
     133</userinput></screen></para>
     134
     135<para>Create the BIND boot script:</para>
     136<para><screen><userinput>
     137cat &gt; /etc/rc.d/init.d/bind &lt;&lt; "EOF"
     138#!/bin/bash
     139# Begin $rc_base/init.d/bind
     140# Based on sysklogd script from LFS-3.1 and earlier.
     141# Rewritten by Gerard Beekmans  - gerard@linuxfromscratch.org
     142source /etc/sysconfig/rc
     143source $rc_functions
     144case "$1" in
     145        start)
     146                echo "Starting named..."
     147                loadproc /usr/sbin/named -u named -t /home/named -c \
     148                        /etc/named.conf
     149                ;;
     150        stop)
     151                echo "Stopping named..."
     152                killproc /usr/sbin/named
     153                ;;
     154        restart)
     155                $0 stop
     156                sleep 1
     157                $0 start
     158                ;;
     159   reload)
     160                echo "Reloading named..."
     161                /usr/sbin/rndc -c /etc/rndc.conf reload
     162                ;;
     163                                       
     164        status)
     165                statusproc /usr/sbin/named
     166                ;;
     167        *)
     168                echo "Usage: $0 {start|stop|restart|status}"
     169                exit 1
     170                ;;
     171esac
     172# End $rc_base/init.d/bind
     173EOF
     174</userinput></screen></para>
     175
     176<para>Add the run level symlinks:</para>
     177<para><screen><userinput>
     178chmod 754 /etc/rc.d/init.d/bind &&
     179ln -s  /etc/rc.d/init.d/bind /etc/rc.d/rc0.d/K90bind &&
     180ln -s  /etc/rc.d/init.d/bind /etc/rc.d/rc1.d/K90bind &&
     181ln -s  /etc/rc.d/init.d/bind /etc/rc.d/rc2.d/K90bind &&
     182ln -s  /etc/rc.d/init.d/bind /etc/rc.d/rc3.d/S600bind &&
     183ln -s  /etc/rc.d/init.d/bind /etc/rc.d/rc4.d/S600bind &&
     184ln -s  /etc/rc.d/init.d/bind /etc/rc.d/rc5.d/S600bind &&
     185ln -s  /etc/rc.d/init.d/bind /etc/rc.d/rc6.d/K90bind
     186</userinput></screen></para>
     187
     188<para>Now start BIND with the new boot script: </para>
     189<para><screen><userinput>
     190/etc/rc.d/init.d/bind start
     191</userinput></screen></para></sect3>
     192
     193<sect3><title>Testing BIND</title>
     194<para>Test out the new BIND 9 installation.  First query the local
     195host address with dig:</para>
     196<para><screen><userinput>
     197dig -x 127.0.0.1
     198</userinput></screen></para>
     199<para>Now try an external name lookup, taking note of the speed
     200difference in repeated lookups due to the caching.  Run the dig
     201command twice on the same address:</para>
     202<para><screen><userinput>
     203dig beyond.linuxfromscratch.org &amp;&amp;
     204dig beyond.linuxfromscratch.org
     205</userinput></screen>
     206You can see almost instantaneous results with the named caching
     207lookups.  Consult bind-&bind-version;/doc/arm/Bv9ARM.html, the BIND
     208Administrator Reference Manual for further configuration options.
     209</para></sect3>
     210</sect2>
     211
  • bind/bind-desc.xml

    diff --exclude=CVS -Naur ./bind/bind-desc.xml /home/billy/NEWBLFS/BOOK/server/other/bind/bind-desc.xml
    old new  
     1<sect2>
     2<title>Contents</title>
     3
     4<para>The BIND package contains
     5<userinput>dig</userinput>,
     6<userinput>host</userinput>,
     7<userinput>rndc</userinput>,
     8<userinput>rndc-confgen</userinput>,
     9<userinput>named-checkconf</userinput>,
     10<userinput>named-checkzone</userinput>,
     11<userinput>lwresd</userinput>,
     12<userinput>named</userinput>,
     13<userinput>dnssec-signzone</userinput>,
     14<userinput>dnssec-signkey</userinput>,
     15<userinput>dnssec-keygen</userinput>,
     16<userinput>dnssec-makekeyset</userinput> and
     17<userinput>nsupdate</userinput>.</para>
     18</sect2>
     19
     20<sect2><title>Description</title>
     21
     22<sect3><title>dig</title>
     23<para>dig interrogates DNS servers.</para></sect3>
     24<sect3><title>host</title>
     25<para>host is a utility for DNS lookups.</para></sect3>
     26<sect3><title>rndc</title>
     27<para>rndc controls the operation of BIND.</para></sect3>
     28<sect3><title>rndc-confgen</title>
     29<para>rndc-confgen generates rndc.conf files.</para></sect3>
     30<sect3><title>named-checkconf</title>
     31<para>named-checkconf checks the syntax of named.conf
     32files.</para></sect3>
     33<sect3><title>named-checkzone</title>
     34<para>named-checkzone checks zone file validity.</para></sect3>
     35<sect3><title>lwresd</title>
     36<para>lwresd is a caching-only name server for local process
     37use.</para></sect3>
     38<sect3><title>named</title>
     39<para>named is the name server daemon.</para></sect3>
     40<sect3><title>dnssec-signzone</title>
     41<para>dnssec-signzone generates signed versions of zone
     42files.</para></sect3>
     43<sect3><title>dnssec-signkey</title>
     44<para>dnssec-signkey signs zone file key sets.</para></sect3>
     45<sect3><title>dnssec-keygen</title>
     46<para>dnssec-keygen is a key generator for secure DNS.</para></sect3>
     47<sect3><title>dnssec-makekeyset</title>
     48<para>dnssec-makekeyset generates a key set from one or more keys
     49created by dnssec-keygen.</para></sect3>
     50<sect3><title>nsupdate</title>
     51<para>nsupdate is used to submit DNS update requests.</para></sect3>
     52</sect2>
     53
  • bind/bind-inst.xml

    diff --exclude=CVS -Naur ./bind/bind-inst.xml /home/billy/NEWBLFS/BOOK/server/other/bind/bind-inst.xml
    old new  
     1<sect2>
     2<title>Installation of BIND</title>
     3
     4<para>Install BIND by running the following commands:</para>
     5
     6<para><screen><userinput>
     7./configure --prefix=/usr &amp;&amp;
     8make &amp;&amp;
     9make install
     10</userinput></screen></para>
     11</sect2>
     12
  • bind/bind-intro.xml

    diff --exclude=CVS -Naur ./bind/bind-intro.xml /home/billy/NEWBLFS/BOOK/server/other/bind/bind-intro.xml
    old new  
     1<sect2>
     2<title>Introduction to BIND &bind-version;</title>
     3
     4<screen>Download location (HTTP):       <ulink url="&bind-download-ftp;"/>
     5Version used:                   &bind-version;
     6Package size:                   &bind-size;
     7Estimated Disk space required:  &bind-buildsize;</screen>
     8
     9<para>The Bind package provides a DNS server and client
     10utilities.</para></sect2>
     11
  • bind/bind.ent

    diff --exclude=CVS -Naur ./bind/bind.ent /home/billy/NEWBLFS/BOOK/server/other/bind/bind.ent
    old new  
    11<!ENTITY bind SYSTEM "../bind.xml">
     2<!ENTITY bind-intro SYSTEM "bind-intro.xml">
     3<!ENTITY bind-inst SYSTEM "bind-inst.xml">
     4<!ENTITY bind-exp SYSTEM "bind-exp.xml">
     5<!ENTITY bind-config-exp SYSTEM "bind-config-exp.xml">
     6<!ENTITY bind-desc SYSTEM "bind-desc.xml">
     7<!ENTITY bind-config SYSTEM "bind-config.xml">
     8<!ENTITY bind-buildsize "37 MB">
     9<!ENTITY bind-version "9.2.2rc1">
     10<!ENTITY bind-download-ftp
     11"ftp://ftp.isc.org/isc/bind9/9.2.2rc1/bind-9.2.2rc1.tar.gz">
     12<!ENTITY bind-download-ftp "">
     13<!ENTITY bind-size "5.3 MB">
  • bind.xml

    diff --exclude=CVS -Naur ./bind.xml /home/billy/NEWBLFS/BOOK/server/other/bind.xml
    old new  
    1 <sect1 id="bind" xreflabel="bind">
     1<sect1 id="bind" xreflabel="bind-&bind-version;">
    22<?dbhtml filename="bind.html" dir="server"?>
    3 <title>bind</title>
     3<title>BIND &bind-version;</title>
    44
    5 <para>TO BE DONE</para>
     5&bind-intro;
     6&bind-inst;
     7&bind-config;
     8&bind-config-exp;
     9&bind-desc;
    610
    711</sect1>
    812