source: server/major/bind-systemd.xml@ 6e8b058

Last change on this file since 6e8b058 was 1be4837c, checked in by Krejzi <krejzi@…>, 10 years ago

Convert entire Servers section.

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/branches/krejzi@14757 af4574ff-66df-0310-9fd7-8a98e5e911e0

1<?xml version="1.0" encoding="ISO-8859-1"?>
2<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3 "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4 <!ENTITY % general-entities SYSTEM "../../general.ent">
5 %general-entities;
6
7 <!ENTITY bind-download-http " ">
8 <!ENTITY bind-download-ftp
9 "ftp://ftp.isc.org/isc/bind9/&bind-version;/bind-&bind-version;.tar.gz">
10 <!ENTITY bind-md5sum "82a69faf01b569568d9233f2666e744d">
11 <!ENTITY bind-size "8.0 MB">
12 <!ENTITY bind-buildsize "107 MB (additional 50 MB to run the test suite)">
13 <!ENTITY bind-time "1.0 SBU (additional 21 minutes, processor independent, to run the complete test suite)">
14]>
15
16<sect1 id="bind" xreflabel="BIND-&bind-version;">
17 <?dbhtml filename="bind.html"?>
18
19 <sect1info>
20 <othername>$LastChangedBy$</othername>
21 <date>$Date$</date>
22 </sect1info>
23
24 <title>BIND-&bind-version;</title>
25
26 <indexterm zone="bind">
27 <primary sortas="a-BIND">BIND</primary>
28 </indexterm>
29
30 <sect2 role="package">
31 <title>Introduction to BIND</title>
32
33 <para>The <application>BIND</application> package provides a DNS server
34 and client utilities. If you are only interested in the utilities, refer
35 to <xref linkend="bind-utils"/>.</para>
36
37 &lfs76_checked;
38
39 <bridgehead renderas="sect3">Package Information</bridgehead>
40 <itemizedlist spacing="compact">
41 <listitem>
42 <para>Download (HTTP): <ulink url="&bind-download-http;"/></para>
43 </listitem>
44 <listitem>
45 <para>Download (FTP): <ulink url="&bind-download-ftp;"/></para>
46 </listitem>
47 <listitem>
48 <para>Download MD5 sum: &bind-md5sum;</para>
49 </listitem>
50 <listitem>
51 <para>Download size: &bind-size;</para>
52 </listitem>
53 <listitem>
54 <para>Estimated disk space required: &bind-buildsize;</para>
55 </listitem>
56 <listitem>
57 <para>Estimated build time: &bind-time;</para>
58 </listitem>
59 </itemizedlist>
60
61 <bridgehead renderas="sect3">Additional Downloads</bridgehead>
62 <itemizedlist spacing='compact'>
63 <listitem>
64 <para>Optional patch (if net-tools is not installed):
65 <ulink
66 url="&patch-root;/bind-&bind-version;-use_iproute2-1.patch"/></para>
67 </listitem>
68 </itemizedlist>
69
70 <bridgehead renderas="sect3">BIND Dependencies</bridgehead>
71
72 <bridgehead renderas="sect4">Optional</bridgehead>
73 <para role="optional">
74 <xref linkend="libxml2"/>,
75 <xref linkend="mitkrb"/>, and
76 <xref linkend="openssl"/>
77 </para>
78
79 <bridgehead renderas="sect4">Optional database backends</bridgehead>
80 <para role="optional">
81 <xref linkend="postgresql"/>,
82 <xref linkend="mariadb"/> or <ulink url="http://www.mysql.com/">MySQL</ulink>,
83 <xref linkend="db"/>,
84 <xref linkend="openldap"/>, and
85 <xref linkend="unixodbc"/>
86 </para>
87
88 <bridgehead renderas="sect4">Optional (to run the test suite)</bridgehead>
89 <para role="optional">
90 <xref linkend="perl-net-dns"/> and
91 <xref linkend="net-tools"/> (you may omit net-tools by using the optional
92 patch to utilize iproute2, but the IPv6 tests will fail)
93 </para>
94
95 <bridgehead renderas="sect4">Optional (to rebuild the documentation)</bridgehead>
96 <para role="optional">
97 <xref linkend="doxygen"/>,
98 <xref linkend="texlive"/>, and
99 <xref linkend="libxslt"/>
100 </para>
101
102 <para condition="html" role="usernotes">User Notes:
103 <ulink url="&blfs-wiki;/bind"/></para>
104
105 </sect2>
106
107 <sect2 role="installation">
108 <title>Installation of BIND</title>
109
110 <para>If you have chosen not to install net-tools, apply the iproute2
111 patch with the following command:</para>
112
113<screen><userinput>patch -Np1 -i ../bind-&bind-version;-use_iproute2-1.patch</userinput></screen>
114
115 <para>Install <application>BIND</application> by running the
116 following commands:</para>
117
118<screen><userinput>sed -e 's/resolver //' \
119 -e 's/rpz //' \
120 -e 's/statistics //' \
121 -e 's/xfer //' \
122 -i bin/tests/system/conf.sh.in &amp;&amp;
123
124./configure --prefix=/usr \
125 --sysconfdir=/etc \
126 --localstatedir=/var \
127 --mandir=/usr/share/man \
128 --enable-threads \
129 --with-libtool \
130 --disable-static \
131 --with-randomdev=/dev/urandom &amp;&amp;
132make</userinput></screen>
133
134 <para>Issue the following commands to run the complete suite of tests.
135 First, as the <systemitem class="username">root</systemitem> user, set up
136 some test interfaces:</para>
137
138 <note><para>If IPv6 is not enabled in the kernel, there will be several
139 error messages: "RTNETLINK answers: Operation not permitted". These
140 messages do not affect the tests.</para></note>
141
142<screen role="root"><userinput>bin/tests/system/ifconfig.sh up</userinput></screen>
143
144 <para>Now run the test suite as an unprivileged user:</para>
145
146<screen><userinput>make check</userinput></screen>
147
148 <para>Again as <systemitem class="username">root</systemitem>, clean up the
149 test interfaces:</para>
150
151<screen role="root"><userinput>bin/tests/system/ifconfig.sh down</userinput></screen>
152
153 <para>Finally, install the package as the <systemitem
154 class="username">root</systemitem> user:</para>
155
156<screen role="root"><userinput>make install &amp;&amp;
157chmod -v 755 /usr/lib/lib{bind9,dns,isc{,cc,cfg},lwres}.so &amp;&amp;
158
159install -v -dm755 /usr/share/doc/bind-&bind-version;/{arm,misc} &amp;&amp;
160install -v -m644 doc/arm/*.html \
161 /usr/share/doc/bind-&bind-version;/arm &amp;&amp;
162install -v -m644 \
163 doc/misc/{dnssec,ipv6,migrat*,options,rfc-compliance,roadmap,sdb} \
164 /usr/share/doc/bind-&bind-version;/misc</userinput></screen>
165 </sect2>
166
167 <sect2 role="commands">
168 <title>Command Explanations</title>
169
170 <para><command>sed ... bin/tests/system/conf.sh.in</command>:
171 This command removes tests that fail (some for unknown reasons).</para>
172
173 <para><parameter>--sysconfdir=/etc</parameter>: This parameter forces
174 <application>BIND</application> to look for configuration
175 files in <filename class='directory'>/etc</filename> instead of
176 <filename class='directory'>/usr/etc</filename>.</para>
177
178 <para><parameter>--enable-threads</parameter>: This parameter enables
179 multi-threading capability.</para>
180
181 <para><parameter>--with-libtool</parameter>: This parameter forces the
182 building of dynamic libraries and links the installed binaries to these
183 libraries.</para>
184
185 <para><parameter>--with-randomdev=/dev/urandom</parameter>: This parameter
186 specifies a non-blocking random device for use with digital signatures.</para>
187
188 <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
189 href="../../xincludes/static-libraries.xml"/>
190
191 <para><command>chmod -v 755
192 /usr/lib/lib{bind9,dns,isc{,cc,cfg},lwres}.so</command>:
193 Enable the execute bit to prevent a warning when using
194 <command>ldd</command> to check library dependencies.</para>
195
196 <para><command>install -v ... /usr/share/doc/bind-&bind-version;/...</command>:
197 These commands install additional package documentation. Omit any or all
198 of these commands if desired.</para>
199 </sect2>
200
201 <sect2 role="configuration">
202 <title>Configuring BIND</title>
203
204 <sect3 id="bind-config">
205 <title>Config files</title>
206
207 <para><filename>named.conf</filename>,
208 <filename>root.hints</filename>,
209 <filename>127.0.0</filename>,
210 <filename>rndc.conf</filename> and
211 <filename>resolv.conf</filename></para>
212
213 <indexterm zone="bind bind-config">
214 <primary sortas="e-etc-named.conf">/etc/named.conf</primary>
215 </indexterm>
216
217 <indexterm zone="bind bind-config">
218 <primary sortas="e-etc-rndc.conf">/etc/rndc.conf</primary>
219 </indexterm>
220
221 <indexterm zone="bind bind-config">
222 <primary sortas="e-etc-resolv.conf">/etc/resolv.conf</primary>
223 </indexterm>
224
225 <indexterm zone="bind bind-config">
226 <primary
227 sortas="e-etc-namedb-root.hints">/etc/namedb/root.hints</primary>
228 </indexterm>
229
230 <indexterm zone="bind bind-config">
231 <primary
232 sortas="e-etc-namedb-pz-127.0.0">/etc/namedb/pz/127.0.0</primary>
233 </indexterm>
234 </sect3>
235
236 <sect3>
237 <title>Configuration Information</title>
238
239 <para><application>BIND</application> will be configured to run in a
240 <command>chroot</command> jail as an unprivileged user (<systemitem
241 class="username">named</systemitem>). This configuration is more secure
242 in that a DNS compromise can only affect the few files inside the
243 <command>chroot</command> jail, <filename class="directory">/srv/named</filename>,
244 which are owned by the <systemitem class="username">named</systemitem> user.</para>
245
246 <para>Create the unprivileged user and group <systemitem
247 class="username">named</systemitem>:</para>
248
249<screen role="root"><userinput>groupadd -g 20 named &amp;&amp;
250useradd -c "BIND Owner" -g named -s /bin/false -u 20 named &amp;&amp;
251install -d -m770 -o named -g named /srv/named</userinput></screen>
252
253 <para>Set up some files, directories and devices needed by
254 <application>BIND</application>:</para>
255
256<screen role="root"><userinput>cd /srv/named &amp;&amp;
257mkdir -pv dev etc/namedb/{slave,pz} usr/lib/engines var/run/named &amp;&amp;
258mknod /srv/named/dev/null c 1 3 &amp;&amp;
259mknod /srv/named/dev/urandom c 1 9 &amp;&amp;
260chmod -v 666 /srv/named/dev/{null,urandom} &amp;&amp;
261cp -Lv /etc/localtime etc &amp;&amp;
262touch /srv/named/managed-keys.bind &amp;&amp;
263cp -v /usr/lib/engines/libgost.so usr/lib/engines &amp;&amp;
264[ $(uname -m) = x86_64 ] &amp;&amp; ln -sfv lib usr/lib64</userinput></screen>
265
266 <para>The <filename>rndc.conf</filename> file contains information for
267 controlling <command>named</command> operations with the
268 <command>rndc</command> utility. Generate a key for use in both <filename>named.conf</filename> and <filename>rndc.conf</filename> with the
269 <command>rndc-confgen</command> command:</para>
270
271<screen role="root"><userinput>rndc-confgen -r /dev/urandom -b 512 > /etc/rndc.conf &amp;&amp;
272sed '/conf/d;/^#/!d;s:^# ::' /etc/rndc.conf > /srv/named/etc/named.conf</userinput></screen>
273
274 <para>Complete the <filename>named.conf</filename> file from which
275 <command>named</command> will read the location of zone files, root
276 name servers and secure DNS keys:</para>
277
278<screen role="root"><?dbfo keep-together="auto"?><userinput>cat &gt;&gt; /srv/named/etc/named.conf &lt;&lt; "EOF"
279<literal>options {
280 directory "/etc/namedb";
281 pid-file "/var/run/named.pid";
282 statistics-file "/var/run/named.stats";
283
284};
285zone "." {
286 type hint;
287 file "root.hints";
288};
289zone "0.0.127.in-addr.arpa" {
290 type master;
291 file "pz/127.0.0";
292};
293
294// Bind 9 now logs by default through syslog (except debug).
295// These are the default logging rules.
296
297logging {
298 category default { default_syslog; default_debug; };
299 category unmatched { null; };
300
301 channel default_syslog {
302 syslog daemon; // send to syslog's daemon
303 // facility
304 severity info; // only send priority info
305 // and higher
306 };
307
308 channel default_debug {
309 file "named.run"; // write to named.run in
310 // the working directory
311 // Note: stderr is used instead
312 // of "named.run"
313 // if the server is started
314 // with the '-f' option.
315 severity dynamic; // log at the server's
316 // current debug level
317 };
318
319 channel default_stderr {
320 stderr; // writes to stderr
321 severity info; // only send priority info
322 // and higher
323 };
324
325 channel null {
326 null; // toss anything sent to
327 // this channel
328 };
329};</literal>
330EOF</userinput></screen>
331
332 <para>Create a zone file with the following contents:</para>
333
334<screen role="root"><userinput>cat &gt; /srv/named/etc/namedb/pz/127.0.0 &lt;&lt; "EOF"
335<literal>$TTL 3D
336@ IN SOA ns.local.domain. hostmaster.local.domain. (
337 1 ; Serial
338 8H ; Refresh
339 2H ; Retry
340 4W ; Expire
341 1D) ; Minimum TTL
342 NS ns.local.domain.
3431 PTR localhost.</literal>
344EOF</userinput></screen>
345
346 <para>Create the <filename>root.hints</filename> file with the following
347 commands:</para>
348
349 <note>
350 <para>Make sure there are no leading spaces in
351 this file.</para>
352 </note>
353
354<screen role="root"><userinput>cat &gt; /srv/named/etc/namedb/root.hints &lt;&lt; "EOF"
355<literal>. 6D IN NS A.ROOT-SERVERS.NET.
356. 6D IN NS B.ROOT-SERVERS.NET.
357. 6D IN NS C.ROOT-SERVERS.NET.
358. 6D IN NS D.ROOT-SERVERS.NET.
359. 6D IN NS E.ROOT-SERVERS.NET.
360. 6D IN NS F.ROOT-SERVERS.NET.
361. 6D IN NS G.ROOT-SERVERS.NET.
362. 6D IN NS H.ROOT-SERVERS.NET.
363. 6D IN NS I.ROOT-SERVERS.NET.
364. 6D IN NS J.ROOT-SERVERS.NET.
365. 6D IN NS K.ROOT-SERVERS.NET.
366. 6D IN NS L.ROOT-SERVERS.NET.
367. 6D IN NS M.ROOT-SERVERS.NET.
368A.ROOT-SERVERS.NET. 6D IN A 198.41.0.4
369B.ROOT-SERVERS.NET. 6D IN A 192.228.79.201
370C.ROOT-SERVERS.NET. 6D IN A 192.33.4.12
371D.ROOT-SERVERS.NET. 6D IN A 199.7.91.13
372E.ROOT-SERVERS.NET. 6D IN A 192.203.230.10
373F.ROOT-SERVERS.NET. 6D IN A 192.5.5.241
374G.ROOT-SERVERS.NET. 6D IN A 192.112.36.4
375H.ROOT-SERVERS.NET. 6D IN A 128.63.2.53
376I.ROOT-SERVERS.NET. 6D IN A 192.36.148.17
377J.ROOT-SERVERS.NET. 6D IN A 192.58.128.30
378K.ROOT-SERVERS.NET. 6D IN A 193.0.14.129
379L.ROOT-SERVERS.NET. 6D IN A 199.7.83.42
380M.ROOT-SERVERS.NET. 6D IN A 202.12.27.33</literal>
381EOF</userinput></screen>
382
383 <para>The <filename>root.hints</filename> file is a list of root
384 name servers. This file must be updated periodically with the
385 <command>dig</command> utility. A current copy of root.hints can be
386 obtained from <ulink url="ftp://rs.internic.net/domain/named.root" />.
387 Consult the <ulink url="http://www.bind9.net/Bv9ARM.html">BIND 9
388 Administrator Reference Manual</ulink> for details.</para>
389
390 <para>Create or modify <filename>resolv.conf</filename> to use the new
391 name server with the following commands:</para>
392
393 <note>
394 <para>Replace <replaceable>&lt;yourdomain.com&gt;</replaceable> with
395 your own valid domain name.</para>
396 </note>
397
398<screen role="root"><userinput>cp /etc/resolv.conf /etc/resolv.conf.bak &amp;&amp;
399cat &gt; /etc/resolv.conf &lt;&lt; "EOF"
400<literal>search <replaceable>&lt;yourdomain.com&gt;</replaceable>
401nameserver 127.0.0.1</literal>
402EOF</userinput></screen>
403
404 <para>Set permissions on the <command>chroot</command> jail with the
405 following command:</para>
406
407<screen role="root"><userinput>chown -R named:named /srv/named</userinput></screen>
408
409 </sect3>
410
411 <sect3 id="bind-init">
412 <title>Systemd Units</title>
413
414 <para>
415 To start the <command>named</command> daemon at boot,
416 install the systemd unit from the <xref linkend="bootscripts"/>
417 package by running the following command as the
418 <systemitem class="username">root</systemitem> user:
419 </para>
420
421 <indexterm zone="bind bind-init">
422 <primary sortas="f-bind">bind</primary>
423 </indexterm>
424
425<screen role="root"><userinput>make install-named</userinput></screen>
426
427 <para>Now start <application>BIND</application> using
428 the <command>systemctl</command> utility:</para>
429
430<screen role="root"><userinput>systemctl start named</userinput></screen>
431
432 </sect3>
433
434 <sect3>
435 <title>Testing BIND</title>
436
437 <para>Test out the new <application>BIND</application> 9 installation.
438 First query the local host address with <command>dig</command>:</para>
439
440<screen><userinput>dig -x 127.0.0.1</userinput></screen>
441
442 <para>Now try an external name lookup, taking note of the speed
443 difference in repeated lookups due to the caching. Run the
444 <command>dig</command> command twice on the same address:</para>
445
446<screen><userinput>dig www.&lfs-domainname; &amp;&amp;
447dig www.&lfs-domainname;</userinput></screen>
448
449 <para>The second lookup returns almost instantaneously because
450 <command>named</command> has cached the answer. Consult the <application>BIND</application> Administrator
451 Reference Manual located at <filename>doc/arm/Bv9ARM.html</filename>
452 in the package source tree, for further configuration options.</para>
453
454 </sect3>
455
456 </sect2>
457
458 <sect2 role="content">
459 <title>Contents</title>
460
461 <segmentedlist>
462 <segtitle>Installed Programs</segtitle>
463 <segtitle>Installed Libraries</segtitle>
464 <segtitle>Installed Directories</segtitle>
465
466 <seglistitem>
467
468 <seg>arpaname, bind9-config hardlinked to isc-config.sh, ddns-confgen,
469 delv, dig, dnssec-checkds, dnssec-coverage, dnssec-dsfromkey,
470 dnssec-importkey, dnssec-keyfromlabel, dnssec-keygen, dnssec-revoke,
471 dnssec-settime, dnssec-signzone, dnssec-verify, genrandom, host,
472 isc-hmac-fixup, lwresd hardlinked to named, named-checkconf,
473 named-checkzone, named-compilezone (symlink), named-journalprint,
474 named-rrchecker, nsec3hash, nslookup, nsupdate, rndc, rndc-confgen,
475 and tsig-keygen (symlink)</seg>
476
477 <seg>libbind9.so, libdns.so, libirs.so, libisc.so, libisccc.so,
478 libisccfg.so, and liblwres.so</seg>
479
480 <seg>/srv/named, /usr/include/bind9, /usr/include/dns,
481 /usr/include/dst, /usr/include/irs, /usr/include/isc,
482 /usr/include/isccc, /usr/include/isccfg, /usr/include/lwres,
483 /usr/include/pk11, /usr/include/pkcs11, and
484 /usr/share/doc/bind-&bind-version;</seg>
485 </seglistitem>
486 </segmentedlist>
487
488 <variablelist>
489 <bridgehead renderas="sect3">Short Descriptions</bridgehead>
490 <?dbfo list-presentation="list"?>
491 <?dbhtml list-presentation="table"?>
492
493 <varlistentry id="dig">
494 <term><command>dig</command></term>
495 <listitem>
496 <para>interrogates DNS servers.</para>
497 <indexterm zone="bind dig">
498 <primary sortas="b-dig">dig</primary>
499 </indexterm>
500 </listitem>
501 </varlistentry>
502
503 <varlistentry id="dnssec-keygen">
504 <term><command>dnssec-keygen</command></term>
505 <listitem>
506 <para>is a key generator for secure DNS.</para>
507 <indexterm zone="bind dnssec-keygen">
508 <primary sortas="b-dnssec-keygen">dnssec-keygen</primary>
509 </indexterm>
510 </listitem>
511 </varlistentry>
512
513 <varlistentry id="dnssec-signzone">
514 <term><command>dnssec-signzone</command></term>
515 <listitem>
516 <para>generates signed versions of zone files.</para>
517 <indexterm zone="bind dnssec-signzone">
518 <primary sortas="b-dnssec-signzone">dnssec-signzone</primary>
519 </indexterm>
520 </listitem>
521 </varlistentry>
522
523 <varlistentry id="host">
524 <term><command>host</command></term>
525 <listitem>
526 <para>is a utility for DNS lookups.</para>
527 <indexterm zone="bind host">
528 <primary sortas="b-host">host</primary>
529 </indexterm>
530 </listitem>
531 </varlistentry>
532
533 <varlistentry id="lwresd">
534 <term><command>lwresd</command></term>
535 <listitem>
536 <para>is a caching-only name server for local process use.</para>
537 <indexterm zone="bind lwresd">
538 <primary sortas="b-lwresd">lwresd</primary>
539 </indexterm>
540 </listitem>
541 </varlistentry>
542
543 <varlistentry id="named">
544 <term><command>named</command></term>
545 <listitem>
546 <para>is the name server daemon.</para>
547 <indexterm zone="bind named">
548 <primary sortas="b-named">named</primary>
549 </indexterm>
550 </listitem>
551 </varlistentry>
552
553 <varlistentry id="named-checkconf">
554 <term><command>named-checkconf</command></term>
555 <listitem>
556 <para>checks the syntax of <filename>named.conf</filename>
557 files.</para>
558 <indexterm zone="bind named-checkconf">
559 <primary sortas="b-named-checkconf">named-checkconf</primary>
560 </indexterm>
561 </listitem>
562 </varlistentry>
563
564 <varlistentry id="named-checkzone">
565 <term><command>named-checkzone</command></term>
566 <listitem>
567 <para>checks zone file validity.</para>
568 <indexterm zone="bind named-checkzone">
569 <primary sortas="b-named-checkzone">named-checkzone</primary>
570 </indexterm>
571 </listitem>
572 </varlistentry>
573
574 <varlistentry id="nslookup">
575 <term><command>nslookup</command></term>
576 <listitem>
577 <para>is a program used to query Internet domain nameservers.</para>
578 <indexterm zone="bind nslookup">
579 <primary sortas="b-nslookup">nslookup</primary>
580 </indexterm>
581 </listitem>
582 </varlistentry>
583
584 <varlistentry id="nsupdate">
585 <term><command>nsupdate</command></term>
586 <listitem>
587 <para>is used to submit DNS update requests.</para>
588 <indexterm zone="bind nsupdate">
589 <primary sortas="b-nsupdate">nsupdate</primary>
590 </indexterm>
591 </listitem>
592 </varlistentry>
593
594 <varlistentry id="rndc">
595 <term><command>rndc</command></term>
596 <listitem>
597 <para>controls the operation of <application>BIND</application>.</para>
598 <indexterm zone="bind rndc">
599 <primary sortas="b-rndc">rndc</primary>
600 </indexterm>
601 </listitem>
602 </varlistentry>
603
604 <varlistentry id="rndc-confgen">
605 <term><command>rndc-confgen</command></term>
606 <listitem>
607 <para>generates <filename>rndc.conf</filename> files.</para>
608 <indexterm zone="bind rndc-confgen">
609 <primary sortas="b-rndc-confgen">rndc-confgen</primary>
610 </indexterm>
611 </listitem>
612 </varlistentry>
613
614 </variablelist>
615
616 </sect2>
617
618</sect1>