bind.patch on Ticket #143 – Attachment – BLFS Trac

bind/bind-config-exp.xml

diff --exclude=CVS -Naur ./bind/bind-config-exp.xml /home/billy/NEWBLFS/BOOK/server/other/bind/bind-config-exp.xml

-              old
+              new
+<sect2>
+<title>Configuration command explanations</title>
+<para><userinput>
+groupadd -g 200 named &amp;&amp;
+useradd -m -g named -u 200 -s /bin/false named &amp;&amp;
+cd /home/named &amp;&amp;
+mkdir -p dev etc/namedb/slave var/run &amp;&amp;
+mknod /home/named/dev/null c 1 3 &amp;&amp;
+mknod /home/named/dev/random c 1 8 &amp;&amp;
+chmod 666 /home/named/dev/{null,random} &amp;&amp;
+mkdir /home/named/etc/namedb/pz &amp;&amp;
+cp /etc/localtime /home/named/etc : </userinput>
+Create the unprivileged user and group named, along with device files
+that named will need access to inside the chroot jail.</para>
+<para><userinput>
+cat &gt; /home/named/etc/named.conf &lt;&lt; "EOF" : </userinput>
+Create the BIND configuration file, from which named will read the
+location of zone files, root nameservers and secure DNS keys.</para>
+<para><userinput>
+cat &gt; /home/named/etc/namedb/pz/127.0.0 &lt;&lt; "EOF" : </userinput>
+Create a single zone file.</para>
+<para><userinput>
+cat > /home/named/etc/namedb/root.hints << "EOF" : </userinput>
+The root.hints file is a list of root nameservers.  This file must be
+updated periodically with the dig utility.  Consult the BIND 9
+Administrator Reference Manual for details.</para>
+<para><userinput>
+cat > /etc/rndc.conf << "EOF" : </userinput>
+The rncd.conf file contains information for controlling named
+operations with the rndc utility.</para>
+<para><userinput>
+cat > /etc/resolv.conf << "EOF" : </userinput>
+The resolv.conf file will specify the local host(127.0.0.1) as the
+nameserver.</para>
+<para><userinput>
+cat > /etc/rc.d/init.d/bind << "EOF" : </userinput>
+Create the boot script for BIND 9, used to start and stop the name
+server daemon, named.</para>
+</sect2>

bind/bind-config.xml

diff --exclude=CVS -Naur ./bind/bind-config.xml /home/billy/NEWBLFS/BOOK/server/other/bind/bind-config.xml

-              old
+              new
+<sect2>
+<title>Configuring BIND</title>
+<para>We will configure BIND to run in a chroot jail as an unprivileged
+user(named).  This configuration is more secure in that a DNS
+compromise can only affect a few files in the named user's $HOME
+directory </para>
+<para>First we set up some files and directories needed by
+BIND:</para>
+<para><screen><userinput>
+groupadd -g 200 named &amp;&amp;
+useradd -m -g named -u 200 -s /bin/false named &amp;&amp;
+cd /home/named &amp;&amp;
+mkdir -p dev etc/namedb/slave var/run &amp;&amp;
+mknod /home/named/dev/null c 1 3 &amp;&amp;
+mknod /home/named/dev/random c 1 8 &amp;&amp;
+chmod 666 /home/named/dev/{null,random} &amp;&amp;
+mkdir /home/named/etc/namedb/pz &amp;&amp;
+cp /etc/localtime /home/named/etc
+</userinput></screen></para>
+<sect3><title>Config files</title>
+<para><userinput>named.conf, root.hints, 127.0.0, rndc.conf
+</userinput></para>
+<para>Create the named.conf file with the following commands:</para>
+<para><screen><userinput>
+cat > /home/named/etc/named.conf << "EOF"
+ options {
+     directory "/etc/namedb";
+    pid-file "/var/run/named.pid";
+    statistics-file "/var/run/named.stats";
+ };
+ controls {
+     inet 127.0.0.1 allow { localhost; } keys { rndc_key; };
+ };
+ key "rndc_key" {
+     algorithm hmac-md5;
+     secret "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K";
+ };
+ zone "." {
+     type hint;
+     file "root.hints";
+ };
+ zone "0.0.127.in-addr.arpa" {
+     type master;
+     file "pz/127.0.0";
+ };
+EOF
+</userinput></screen></para>
+<para>Create a zone file with the following contents: </para>
+<para><screen><userinput>
+cat &gt; /home/named/etc/namedb/pz/127.0.0 &lt;&lt "EOF"
+$TTL 3D
+@      IN      SOA     ns.local.domain. hostmaster.local.domain. (
+       ; Serial
+H      ; Refresh
+H      ; Retry
+W      ; Expire
+D)     ; Minimum TTL
+                NS      ns.local.domain.
+               PTR     localhost.
+EOF
+</userinput></screen></para>
+<para>Create the root.hints file with the following commands: </para>
+<note><para>Caution must be used to insure no leading spaces in this
+file.</para></note>
+<para><screen><userinput>
+cat > /home/named/etc/namedb/root.hints << "EOF"
+.                       6D  IN      NS      A.ROOT-SERVERS.NET.
+.                       6D  IN      NS      B.ROOT-SERVERS.NET.
+.                       6D  IN      NS      C.ROOT-SERVERS.NET.
+.                       6D  IN      NS      D.ROOT-SERVERS.NET.
+.                       6D  IN      NS      E.ROOT-SERVERS.NET.
+.                       6D  IN      NS      F.ROOT-SERVERS.NET.
+.                       6D  IN      NS      G.ROOT-SERVERS.NET.
+.                       6D  IN      NS      H.ROOT-SERVERS.NET.
+.                       6D  IN      NS      I.ROOT-SERVERS.NET.
+.                       6D  IN      NS      J.ROOT-SERVERS.NET.
+.                       6D  IN      NS      K.ROOT-SERVERS.NET.
+.                       6D  IN      NS      L.ROOT-SERVERS.NET.
+.                       6D  IN      NS      M.ROOT-SERVERS.NET.
+A.ROOT-SERVERS.NET.     6D  IN      A       198.41.0.4
+B.ROOT-SERVERS.NET.     6D  IN      A       128.9.0.107
+C.ROOT-SERVERS.NET.     6D  IN      A       192.33.4.12
+D.ROOT-SERVERS.NET.     6D  IN      A       128.8.10.90
+E.ROOT-SERVERS.NET.     6D  IN      A       192.203.230.10
+F.ROOT-SERVERS.NET.     6D  IN      A       192.5.5.241
+G.ROOT-SERVERS.NET.     6D  IN      A       192.112.36.4
+H.ROOT-SERVERS.NET.     6D  IN      A       128.63.2.53
+I.ROOT-SERVERS.NET.     6D  IN      A       192.36.148.17
+J.ROOT-SERVERS.NET.     6D  IN      A       198.41.0.10
+K.ROOT-SERVERS.NET.     6D  IN      A       193.0.14.129
+L.ROOT-SERVERS.NET.     6D  IN      A       198.32.64.12
+M.ROOT-SERVERS.NET.     6D  IN      A       202.12.27.33
+EOF
+</userinput></screen></para>
+<para>Create the rndc.conf with the following commands:</para>
+<para><screen><userinput>
+cat > /etc/rndc.conf << "EOF"
+key rndc_key {
+algorithm "hmac-md5";
+    secret
+    "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K";
+    };
+options {
+    default-server localhost;
+    default-key    rndc_key;
+};
+EOF
+</userinput></screen></para>
+<para>Create or modify resolv.conf to use the new nameserver with the
+following commands: </para>
+<note><para>Replace yourdomain.com with your own valid domain
+name.</para></note>
+<para><screen><userinput>
+cp /etc/resolv.conf /etc/resolv.conf.bak
+cat > /etc/resolv.conf << "EOF"
+search yourdomain.com
+nameserver 127.0.0.1
+EOF
+</userinput></screen></para>
+<para>Set permissions on the chroot jail with the following
+command:</para>
+<para><screen><userinput>
+chown -R named.named /home/named
+</userinput></screen></para>
+<para>Create the BIND boot script:</para>
+<para><screen><userinput>
+cat &gt; /etc/rc.d/init.d/bind &lt;&lt; "EOF"
+#!/bin/bash
+# Begin $rc_base/init.d/bind
+# Based on sysklogd script from LFS-3.1 and earlier.
+# Rewritten by Gerard Beekmans  - gerard@linuxfromscratch.org
+source /etc/sysconfig/rc
+source $rc_functions
+case "$1" in
+        start)
+                echo "Starting named..."
+                loadproc /usr/sbin/named -u named -t /home/named -c \
+                        /etc/named.conf
+                ;;
+        stop)
+                echo "Stopping named..."
+                killproc /usr/sbin/named
+                ;;
+        restart)
+                $0 stop
+                sleep 1
+                $0 start
+                ;;
+   reload)
+                echo "Reloading named..."
+                /usr/sbin/rndc -c /etc/rndc.conf reload
+                ;;
+        status)
+                statusproc /usr/sbin/named
+                ;;
+        *)
+                echo "Usage: $0 {start|stop|restart|status}"
+                exit 1
+                ;;
+esac
+# End $rc_base/init.d/bind
+EOF
+</userinput></screen></para>
+<para>Add the run level symlinks:</para>
+<para><screen><userinput>
+chmod 754 /etc/rc.d/init.d/bind &&
+ln -s  /etc/rc.d/init.d/bind /etc/rc.d/rc0.d/K90bind &&
+ln -s  /etc/rc.d/init.d/bind /etc/rc.d/rc1.d/K90bind &&
+ln -s  /etc/rc.d/init.d/bind /etc/rc.d/rc2.d/K90bind &&
+ln -s  /etc/rc.d/init.d/bind /etc/rc.d/rc3.d/S600bind &&
+ln -s  /etc/rc.d/init.d/bind /etc/rc.d/rc4.d/S600bind &&
+ln -s  /etc/rc.d/init.d/bind /etc/rc.d/rc5.d/S600bind &&
+ln -s  /etc/rc.d/init.d/bind /etc/rc.d/rc6.d/K90bind
+</userinput></screen></para>
+<para>Now start BIND with the new boot script: </para>
+<para><screen><userinput>
+/etc/rc.d/init.d/bind start
+</userinput></screen></para></sect3>
+<sect3><title>Testing BIND</title>
+<para>Test out the new BIND 9 installation.  First query the local
+host address with dig:</para>
+<para><screen><userinput>
+dig -x 127.0.0.1
+</userinput></screen></para>
+<para>Now try an external name lookup, taking note of the speed
+difference in repeated lookups due to the caching.  Run the dig
+command twice on the same address:</para>
+<para><screen><userinput>
+dig beyond.linuxfromscratch.org &amp;&amp;
+dig beyond.linuxfromscratch.org
+</userinput></screen>
+You can see almost instantaneous results with the named caching
+lookups.  Consult bind-&bind-version;/doc/arm/Bv9ARM.html, the BIND
+Administrator Reference Manual for further configuration options.
+</para></sect3>
+</sect2>

bind/bind-desc.xml

diff --exclude=CVS -Naur ./bind/bind-desc.xml /home/billy/NEWBLFS/BOOK/server/other/bind/bind-desc.xml

-              old
+              new
+<sect2>
+<title>Contents</title>
+<para>The BIND package contains
+<userinput>dig</userinput>,
+<userinput>host</userinput>,
+<userinput>rndc</userinput>,
+<userinput>rndc-confgen</userinput>,
+<userinput>named-checkconf</userinput>,
+<userinput>named-checkzone</userinput>,
+<userinput>lwresd</userinput>,
+<userinput>named</userinput>,
+<userinput>dnssec-signzone</userinput>,
+<userinput>dnssec-signkey</userinput>,
+<userinput>dnssec-keygen</userinput>,
+<userinput>dnssec-makekeyset</userinput> and
+<userinput>nsupdate</userinput>.</para>
+</sect2>
+<sect2><title>Description</title>
+<sect3><title>dig</title>
+<para>dig interrogates DNS servers.</para></sect3>
+<sect3><title>host</title>
+<para>host is a utility for DNS lookups.</para></sect3>
+<sect3><title>rndc</title>
+<para>rndc controls the operation of BIND.</para></sect3>
+<sect3><title>rndc-confgen</title>
+<para>rndc-confgen generates rndc.conf files.</para></sect3>
+<sect3><title>named-checkconf</title>
+<para>named-checkconf checks the syntax of named.conf
+files.</para></sect3>
+<sect3><title>named-checkzone</title>
+<para>named-checkzone checks zone file validity.</para></sect3>
+<sect3><title>lwresd</title>
+<para>lwresd is a caching-only name server for local process
+use.</para></sect3>
+<sect3><title>named</title>
+<para>named is the name server daemon.</para></sect3>
+<sect3><title>dnssec-signzone</title>
+<para>dnssec-signzone generates signed versions of zone
+files.</para></sect3>
+<sect3><title>dnssec-signkey</title>
+<para>dnssec-signkey signs zone file key sets.</para></sect3>
+<sect3><title>dnssec-keygen</title>
+<para>dnssec-keygen is a key generator for secure DNS.</para></sect3>
+<sect3><title>dnssec-makekeyset</title>
+<para>dnssec-makekeyset generates a key set from one or more keys
+created by dnssec-keygen.</para></sect3>
+<sect3><title>nsupdate</title>
+<para>nsupdate is used to submit DNS update requests.</para></sect3>
+</sect2>

bind/bind-inst.xml

diff --exclude=CVS -Naur ./bind/bind-inst.xml /home/billy/NEWBLFS/BOOK/server/other/bind/bind-inst.xml

-              old
+              new
+<sect2>
+<title>Installation of BIND</title>
+<para>Install BIND by running the following commands:</para>
+<para><screen><userinput>
+./configure --prefix=/usr &amp;&amp;
+make &amp;&amp;
+make install
+</userinput></screen></para>
+</sect2>

bind/bind-intro.xml

diff --exclude=CVS -Naur ./bind/bind-intro.xml /home/billy/NEWBLFS/BOOK/server/other/bind/bind-intro.xml

-              old
+              new
+<sect2>
+<title>Introduction to BIND &bind-version;</title>
+<screen>Download location (HTTP):       <ulink url="&bind-download-ftp;"/>
+Version used:                   &bind-version;
+Package size:                   &bind-size;
+Estimated Disk space required:  &bind-buildsize;</screen>
+<para>The Bind package provides a DNS server and client
+utilities.</para></sect2>

bind/bind.ent

diff --exclude=CVS -Naur ./bind/bind.ent /home/billy/NEWBLFS/BOOK/server/other/bind/bind.ent

-              old
+              new
 <!ENTITY bind SYSTEM "../bind.xml">
+<!ENTITY bind-intro SYSTEM "bind-intro.xml">
+<!ENTITY bind-inst SYSTEM "bind-inst.xml">
+<!ENTITY bind-exp SYSTEM "bind-exp.xml">
+<!ENTITY bind-config-exp SYSTEM "bind-config-exp.xml">
+<!ENTITY bind-desc SYSTEM "bind-desc.xml">
+<!ENTITY bind-config SYSTEM "bind-config.xml">
+<!ENTITY bind-buildsize "37 MB">
+<!ENTITY bind-version "9.2.2rc1">
+<!ENTITY bind-download-ftp
+"ftp://ftp.isc.org/isc/bind9/9.2.2rc1/bind-9.2.2rc1.tar.gz">
+<!ENTITY bind-download-ftp "">
+<!ENTITY bind-size "5.3 MB">

bind.xml

diff --exclude=CVS -Naur ./bind.xml /home/billy/NEWBLFS/BOOK/server/other/bind.xml

-              old
+              new
 <sect1 id="bind" xreflabel="bind">
+<sect1 id="bind" xreflabel="bind-&bind-version;">
 <?dbhtml filename="bind.html" dir="server"?>
 <title>bind</title>
+<title>BIND &bind-version;</title>
+<para>TO BE DONE</para>
+&bind-intro;
+&bind-inst;
+&bind-config;
+&bind-config-exp;
+&bind-desc;
 </sect1>

Context Navigation

Ticket #143: bind.patch

bind/bind-config-exp.xml

bind/bind-config.xml

bind/bind-desc.xml

bind/bind-inst.xml

bind/bind-intro.xml

bind/bind.ent

bind.xml

Download in other formats: