Ticket #143: bind.patch
File bind.patch, 14.0 KB (added by , 22 years ago)
bind/bind-config-exp.xml
diff --exclude=CVS -Naur ./bind/bind-config-exp.xml /home/billy/NEWBLFS/BOOK/server/other/bind/bind-config-exp.xml
old new 1 <sect2> 2 <title>Configuration command explanations</title> 3 <para><userinput> 4 groupadd -g 200 named && 5 useradd -m -g named -u 200 -s /bin/false named && 6 cd /home/named && 7 mkdir -p dev etc/namedb/slave var/run && 8 mknod /home/named/dev/null c 1 3 && 9 mknod /home/named/dev/random c 1 8 && 10 chmod 666 /home/named/dev/{null,random} && 11 mkdir /home/named/etc/namedb/pz && 12 cp /etc/localtime /home/named/etc : </userinput> 13 14 Create the unprivileged user and group named, along with device files 15 that named will need access to inside the chroot jail.</para> 16 17 <para><userinput> 18 cat > /home/named/etc/named.conf << "EOF" : </userinput> 19 Create the BIND configuration file, from which named will read the 20 location of zone files, root nameservers and secure DNS keys.</para> 21 <para><userinput> 22 cat > /home/named/etc/namedb/pz/127.0.0 << "EOF" : </userinput> 23 Create a single zone file.</para> 24 <para><userinput> 25 cat > /home/named/etc/namedb/root.hints << "EOF" : </userinput> 26 The root.hints file is a list of root nameservers. This file must be 27 updated periodically with the dig utility. Consult the BIND 9 28 Administrator Reference Manual for details.</para> 29 <para><userinput> 30 cat > /etc/rndc.conf << "EOF" : </userinput> 31 The rncd.conf file contains information for controlling named 32 operations with the rndc utility.</para> 33 34 <para><userinput> 35 cat > /etc/resolv.conf << "EOF" : </userinput> 36 The resolv.conf file will specify the local host(127.0.0.1) as the 37 nameserver.</para> 38 39 <para><userinput> 40 cat > /etc/rc.d/init.d/bind << "EOF" : </userinput> 41 Create the boot script for BIND 9, used to start and stop the name 42 server daemon, named.</para> 43 44 45 46 </sect2> 47 -
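Review bot: the explanation for the rndc.conf command misspells the file as "rncd.conf" ("The rncd.conf file contains information for controlling named operations with the rndc utility"); it should read rndc.conf to match the path in the command it describes. The paragraph on the device nodes could also say why they exist: named inside the chroot cannot see the real /dev, so dev/null and dev/random must be created in the jail, and the chmod 666 is what lets the unprivileged named user open them.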
bind/bind-config.xml
diff --exclude=CVS -Naur ./bind/bind-config.xml /home/billy/NEWBLFS/BOOK/server/other/bind/bind-config.xml
old new 1 <sect2> 2 <title>Configuring BIND</title> 3 <para>We will configure BIND to run in a chroot jail as an unprivileged 4 user(named). This configuration is more secure in that a DNS 5 compromise can only affect a few files in the named user's $HOME 6 directory </para> 7 8 <para>First we set up some files and directories needed by 9 BIND:</para> 10 <para><screen><userinput> 11 groupadd -g 200 named && 12 useradd -m -g named -u 200 -s /bin/false named && 13 cd /home/named && 14 mkdir -p dev etc/namedb/slave var/run && 15 mknod /home/named/dev/null c 1 3 && 16 mknod /home/named/dev/random c 1 8 && 17 chmod 666 /home/named/dev/{null,random} && 18 mkdir /home/named/etc/namedb/pz && 19 cp /etc/localtime /home/named/etc 20 </userinput></screen></para> 21 22 <sect3><title>Config files</title> 23 <para><userinput>named.conf, root.hints, 127.0.0, rndc.conf 24 </userinput></para> 25 26 <para>Create the named.conf file with the following commands:</para> 27 <para><screen><userinput> 28 cat > /home/named/etc/named.conf << "EOF" 29 options { 30 directory "/etc/namedb"; 31 pid-file "/var/run/named.pid"; 32 statistics-file "/var/run/named.stats"; 33 34 }; 35 controls { 36 inet 127.0.0.1 allow { localhost; } keys { rndc_key; }; 37 }; 38 key "rndc_key" { 39 algorithm hmac-md5; 40 secret "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K"; 41 }; 42 zone "." { 43 type hint; 44 file "root.hints"; 45 }; 46 zone "0.0.127.in-addr.arpa" { 47 type master; 48 file "pz/127.0.0"; 49 }; 50 EOF 51 </userinput></screen></para> 52 <para>Create a zone file with the following contents: </para> 53 <para><screen><userinput> 54 cat > /home/named/etc/namedb/pz/127.0.0 << "EOF" 55 $TTL 3D 56 @ IN SOA ns.local.domain. hostmaster.local.domain. ( 57 1 ; Serial 58 8H ; Refresh 59 2H ; Retry 60 4W ; Expire 61 1D) ; Minimum TTL 62 NS ns.local.domain. 63 1 PTR localhost. 
64 EOF 65 </userinput></screen></para> 66 67 <para>Create the root.hints file with the following commands: </para> 68 <note><para>Caution must be used to insure no leading spaces in this 69 file.</para></note> 70 <para><screen><userinput> 71 cat > /home/named/etc/namedb/root.hints << "EOF" 72 . 6D IN NS A.ROOT-SERVERS.NET. 73 . 6D IN NS B.ROOT-SERVERS.NET. 74 . 6D IN NS C.ROOT-SERVERS.NET. 75 . 6D IN NS D.ROOT-SERVERS.NET. 76 . 6D IN NS E.ROOT-SERVERS.NET. 77 . 6D IN NS F.ROOT-SERVERS.NET. 78 . 6D IN NS G.ROOT-SERVERS.NET. 79 . 6D IN NS H.ROOT-SERVERS.NET. 80 . 6D IN NS I.ROOT-SERVERS.NET. 81 . 6D IN NS J.ROOT-SERVERS.NET. 82 . 6D IN NS K.ROOT-SERVERS.NET. 83 . 6D IN NS L.ROOT-SERVERS.NET. 84 . 6D IN NS M.ROOT-SERVERS.NET. 85 A.ROOT-SERVERS.NET. 6D IN A 198.41.0.4 86 B.ROOT-SERVERS.NET. 6D IN A 128.9.0.107 87 C.ROOT-SERVERS.NET. 6D IN A 192.33.4.12 88 D.ROOT-SERVERS.NET. 6D IN A 128.8.10.90 89 E.ROOT-SERVERS.NET. 6D IN A 192.203.230.10 90 F.ROOT-SERVERS.NET. 6D IN A 192.5.5.241 91 G.ROOT-SERVERS.NET. 6D IN A 192.112.36.4 92 H.ROOT-SERVERS.NET. 6D IN A 128.63.2.53 93 I.ROOT-SERVERS.NET. 6D IN A 192.36.148.17 94 J.ROOT-SERVERS.NET. 6D IN A 198.41.0.10 95 K.ROOT-SERVERS.NET. 6D IN A 193.0.14.129 96 L.ROOT-SERVERS.NET. 6D IN A 198.32.64.12 97 M.ROOT-SERVERS.NET. 
6D IN A 202.12.27.33 98 EOF 99 </userinput></screen></para> 100 101 <para>Create the rndc.conf with the following commands:</para> 102 <para><screen><userinput> 103 cat > /etc/rndc.conf << "EOF" 104 key rndc_key { 105 algorithm "hmac-md5"; 106 secret 107 "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K"; 108 }; 109 options { 110 default-server localhost; 111 default-key rndc_key; 112 }; 113 EOF 114 </userinput></screen></para> 115 116 <para>Create or modify resolv.conf to use the new nameserver with the 117 following commands: </para> 118 <note><para>Replace yourdomain.com with your own valid domain 119 name.</para></note> 120 121 <para><screen><userinput> 122 cp /etc/resolv.conf /etc/resolv.conf.bak 123 cat > /etc/resolv.conf << "EOF" 124 search yourdomain.com 125 nameserver 127.0.0.1 126 EOF 127 </userinput></screen></para> 128 129 <para>Set permissions on the chroot jail with the following 130 command:</para> 131 <para><screen><userinput> 132 chown -R named.named /home/named 133 </userinput></screen></para> 134 135 <para>Create the BIND boot script:</para> 136 <para><screen><userinput> 137 cat > /etc/rc.d/init.d/bind << "EOF" 138 #!/bin/bash 139 # Begin $rc_base/init.d/bind 140 # Based on sysklogd script from LFS-3.1 and earlier. 141 # Rewritten by Gerard Beekmans - gerard@linuxfromscratch.org 142 source /etc/sysconfig/rc 143 source $rc_functions 144 case "$1" in 145 start) 146 echo "Starting named..." 147 loadproc /usr/sbin/named -u named -t /home/named -c \ 148 /etc/named.conf 149 ;; 150 stop) 151 echo "Stopping named..." 152 killproc /usr/sbin/named 153 ;; 154 restart) 155 $0 stop 156 sleep 1 157 $0 start 158 ;; 159 reload) 160 echo "Reloading named..." 
161 /usr/sbin/rndc -c /etc/rndc.conf reload 162 ;; 163 164 status) 165 statusproc /usr/sbin/named 166 ;; 167 *) 168 echo "Usage: $0 {start|stop|restart|status}" 169 exit 1 170 ;; 171 esac 172 # End $rc_base/init.d/bind 173 EOF 174 </userinput></screen></para> 175 176 <para>Add the run level symlinks:</para> 177 <para><screen><userinput> 178 chmod 754 /etc/rc.d/init.d/bind && 179 ln -s /etc/rc.d/init.d/bind /etc/rc.d/rc0.d/K90bind && 180 ln -s /etc/rc.d/init.d/bind /etc/rc.d/rc1.d/K90bind && 181 ln -s /etc/rc.d/init.d/bind /etc/rc.d/rc2.d/K90bind && 182 ln -s /etc/rc.d/init.d/bind /etc/rc.d/rc3.d/S600bind && 183 ln -s /etc/rc.d/init.d/bind /etc/rc.d/rc4.d/S600bind && 184 ln -s /etc/rc.d/init.d/bind /etc/rc.d/rc5.d/S600bind && 185 ln -s /etc/rc.d/init.d/bind /etc/rc.d/rc6.d/K90bind 186 </userinput></screen></para> 187 188 <para>Now start BIND with the new boot script: </para> 189 <para><screen><userinput> 190 /etc/rc.d/init.d/bind start 191 </userinput></screen></para></sect3> 192 193 <sect3><title>Testing BIND</title> 194 <para>Test out the new BIND 9 installation. First query the local 195 host address with dig:</para> 196 <para><screen><userinput> 197 dig -x 127.0.0.1 198 </userinput></screen></para> 199 <para>Now try an external name lookup, taking note of the speed 200 difference in repeated lookups due to the caching. Run the dig 201 command twice on the same address:</para> 202 <para><screen><userinput> 203 dig beyond.linuxfromscratch.org && 204 dig beyond.linuxfromscratch.org 205 </userinput></screen> 206 You can see almost instantaneous results with the named caching 207 lookups. Consult bind-&bind-version;/doc/arm/Bv9ARM.html, the BIND 208 Administrator Reference Manual for further configuration options. 209 </para></sect3> 210 </sect2> 211 -
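Review bot: the rndc control key is a fixed secret shipped in the book (secret "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K" appears in both named.conf and rndc.conf), so every reader who follows these commands ends up with the same key; the package's own rndc-confgen (listed in bind-desc.xml) generates a per-host key and the instructions should use it, or at minimum tell the reader to replace the secret. The exposure is limited because controls are bound to 127.0.0.1 with allow { localhost; }, but a shared key is still a shared key. Second, "chown -R named.named /home/named" makes named.conf, the zone file and root.hints writable by the named user, which undercuts the chroot rationale in the opening paragraph (a compromised named could rewrite its own configuration); suggest leaving etc/ and the zone files root-owned and mode 644 and giving named ownership only of etc/namedb/slave and var/run, which are the paths it actually writes (pid-file and statistics-file live under var/run). Minor: the usage line "Usage: $0 {start|stop|restart|status}" omits reload although the script handles it, and since named-checkconf and named-checkzone ship with the package, a check step before the first start would catch typos in the heredocs.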
bind/bind-desc.xml
diff --exclude=CVS -Naur ./bind/bind-desc.xml /home/billy/NEWBLFS/BOOK/server/other/bind/bind-desc.xml
old new 1 <sect2> 2 <title>Contents</title> 3 4 <para>The BIND package contains 5 <userinput>dig</userinput>, 6 <userinput>host</userinput>, 7 <userinput>rndc</userinput>, 8 <userinput>rndc-confgen</userinput>, 9 <userinput>named-checkconf</userinput>, 10 <userinput>named-checkzone</userinput>, 11 <userinput>lwresd</userinput>, 12 <userinput>named</userinput>, 13 <userinput>dnssec-signzone</userinput>, 14 <userinput>dnssec-signkey</userinput>, 15 <userinput>dnssec-keygen</userinput>, 16 <userinput>dnssec-makekeyset</userinput> and 17 <userinput>nsupdate</userinput>.</para> 18 </sect2> 19 20 <sect2><title>Description</title> 21 22 <sect3><title>dig</title> 23 <para>dig interrogates DNS servers.</para></sect3> 24 <sect3><title>host</title> 25 <para>host is a utility for DNS lookups.</para></sect3> 26 <sect3><title>rndc</title> 27 <para>rndc controls the operation of BIND.</para></sect3> 28 <sect3><title>rndc-confgen</title> 29 <para>rndc-confgen generates rndc.conf files.</para></sect3> 30 <sect3><title>named-checkconf</title> 31 <para>named-checkconf checks the syntax of named.conf 32 files.</para></sect3> 33 <sect3><title>named-checkzone</title> 34 <para>named-checkzone checks zone file validity.</para></sect3> 35 <sect3><title>lwresd</title> 36 <para>lwresd is a caching-only name server for local process 37 use.</para></sect3> 38 <sect3><title>named</title> 39 <para>named is the name server daemon.</para></sect3> 40 <sect3><title>dnssec-signzone</title> 41 <para>dnssec-signzone generates signed versions of zone 42 files.</para></sect3> 43 <sect3><title>dnssec-signkey</title> 44 <para>dnssec-signkey signs zone file key sets.</para></sect3> 45 <sect3><title>dnssec-keygen</title> 46 <para>dnssec-keygen is a key generator for secure DNS.</para></sect3> 47 <sect3><title>dnssec-makekeyset</title> 48 <para>dnssec-makekeyset generates a key set from one or more keys 49 created by dnssec-keygen.</para></sect3> 50 <sect3><title>nsupdate</title> 51 <para>nsupdate is used to 
submit DNS update requests.</para></sect3> 52 </sect2> 53 -
bind/bind-inst.xml
diff --exclude=CVS -Naur ./bind/bind-inst.xml /home/billy/NEWBLFS/BOOK/server/other/bind/bind-inst.xml
old new 1 <sect2> 2 <title>Installation of BIND</title> 3 4 <para>Install BIND by running the following commands:</para> 5 6 <para><screen><userinput> 7 ./configure --prefix=/usr && 8 make && 9 make install 10 </userinput></screen></para> 11 </sect2> 12 -
bind/bind-intro.xml
diff --exclude=CVS -Naur ./bind/bind-intro.xml /home/billy/NEWBLFS/BOOK/server/other/bind/bind-intro.xml
old new 1 <sect2> 2 <title>Introduction to BIND &bind-version;</title> 3 4 <screen>Download location (HTTP): <ulink url="&bind-download-ftp;"/> 5 Version used: &bind-version; 6 Package size: &bind-size; 7 Estimated Disk space required: &bind-buildsize;</screen> 8 9 <para>The Bind package provides a DNS server and client 10 utilities.</para></sect2> 11 -
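Review bot: the download line is labelled HTTP but uses the &bind-download-ftp; entity, whose value in bind.ent is an ftp:// URL; either label it FTP or point it at an HTTP entity. Also "The Bind package" should be "The BIND package" to match the title and the other files in this patch.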
bind/bind.ent
diff --exclude=CVS -Naur ./bind/bind.ent /home/billy/NEWBLFS/BOOK/server/other/bind/bind.ent
old new 1 1 <!ENTITY bind SYSTEM "../bind.xml"> 2 <!ENTITY bind-intro SYSTEM "bind-intro.xml"> 3 <!ENTITY bind-inst SYSTEM "bind-inst.xml"> 4 <!ENTITY bind-exp SYSTEM "bind-exp.xml"> 5 <!ENTITY bind-config-exp SYSTEM "bind-config-exp.xml"> 6 <!ENTITY bind-desc SYSTEM "bind-desc.xml"> 7 <!ENTITY bind-config SYSTEM "bind-config.xml"> 8 <!ENTITY bind-buildsize "37 MB"> 9 <!ENTITY bind-version "9.2.2rc1"> 10 <!ENTITY bind-download-ftp 11 "ftp://ftp.isc.org/isc/bind9/9.2.2rc1/bind-9.2.2rc1.tar.gz"> 12 <!ENTITY bind-download-ftp ""> 13 <!ENTITY bind-size "5.3 MB"> -
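Review bot: bind-download-ftp is declared twice, the second time as an empty string ("<!ENTITY bind-download-ftp "">"); XML binds the first declaration and ignores later ones, so the empty one is dead text that will mislead anyone editing the file; drop it or rename it to the HTTP entity the intro's "Download location (HTTP)" line expects. Also bind-exp is declared as bind-exp.xml, but that file is not part of this patch and bind.xml never includes &bind-exp;, so either add the file or remove the entity.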
bind.xml
diff --exclude=CVS -Naur ./bind.xml /home/billy/NEWBLFS/BOOK/server/other/bind.xml
old new 1 <sect1 id="bind" xreflabel="bind ">1 <sect1 id="bind" xreflabel="bind-&bind-version;"> 2 2 <?dbhtml filename="bind.html" dir="server"?> 3 <title> bind</title>3 <title>BIND &bind-version;</title> 4 4 5 <para>TO BE DONE</para> 5 &bind-intro; 6 &bind-inst; 7 &bind-config; 8 &bind-config-exp; 9 &bind-desc; 6 10 7 11 </sect1> 8 12
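Review bot: xreflabel is "bind-&bind-version;" while the title is "BIND &bind-version;", so cross-references to this section will render with lowercase "bind-"; match the title's casing. The placeholder "TO BE DONE" is correctly replaced by the five entity includes, which line up with the files added in this patch apart from the unused bind-exp entity noted in bind.ent.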