BIND

Introduction to BIND

The BIND package provides a DNS server and client utilities. If you are only interested in the utilities, refer to the .

&lfs75_checked;

Package Information

Download (HTTP):
Download (FTP):
Download MD5 sum: &bind-md5sum;
Download size: &bind-size;
Estimated disk space required: &bind-buildsize;
Estimated build time: &bind-time;

Additional Downloads

Optional patch (if net-tools is not installed):

BIND Dependencies

Optional
, , , and

Optional database backends
, or MySQL, , , and

Optional (to run the test suite)
and (you may omit net-tools by using the optional patch to utilize iproute2, but the IPv6 tests will fail)

Optional (to rebuild the documentation)
, , and

User Notes:

Installation of BIND

If you have chosen not to install net-tools, apply the iproute2 patch with the following command:

patch -Np1 -i ../bind-&bind-version;-use_iproute2-1.patch

Install BIND by running the following commands:

sed -e 's/resolver //' \
    -e 's/rpz //' \
    -e 's/statistics //' \
    -e 's/xfer //' \
    -i bin/tests/system/conf.sh.in &&
./configure --prefix=/usr \
            --sysconfdir=/etc \
            --localstatedir=/var \
            --mandir=/usr/share/man \
            --enable-threads \
            --with-libtool \
            --disable-static \
            --with-randomdev=/dev/urandom &&
make

Issue the following commands to run the complete suite of tests.
First, as the root user, set up some test interfaces:

bin/tests/system/ifconfig.sh up

Now run the test suite as an unprivileged user:

make check 2>&1 | tee check.log

Again as root, clean up the test interfaces:

bin/tests/system/ifconfig.sh down

Issue the following command to count the tests that ran successfully:

grep "R:PASS" check.log | wc -l

and the following command to list the tests that failed:

grep -A1 "R:FAIL" check.log

Finally, install the package as the root user:

make install &&
chmod -v 0755 /usr/lib/lib{bind9,dns,isc{,cc,cfg},lwres}.so &&
install -v -m755 -d /usr/share/doc/bind-&bind-version;/{arm,misc} &&
install -v -m644 doc/arm/*.html \
    /usr/share/doc/bind-&bind-version;/arm &&
install -v -m644 \
    doc/misc/{dnssec,ipv6,migrat*,options,rfc-compliance,roadmap,sdb} \
    /usr/share/doc/bind-&bind-version;/misc

Command Explanations

sed ... bin/tests/system/conf.sh.in: This command removes tests that fail (some for unknown reasons).

--sysconfdir=/etc: This parameter forces BIND to look for configuration files in /etc instead of /usr/etc.

--enable-threads: This parameter enables multi-threading capability.

--with-libtool: This parameter forces the building of dynamic libraries and links the installed binaries to these libraries.

--with-randomdev=/dev/urandom: This parameter specifies a non-blocking random device for use with digital signatures.

chmod 0755 /usr/lib/lib{bind9,dns,isc{,cc,cfg},lwres}.so: Enable the execute bit to prevent a warning when using ldd to check library dependencies.

install ... doc/arm/*.html ... and install ... doc/misc/... : These commands install additional package documentation. Omit any or all of these commands if desired.

Configuring BIND

Config Files

named.conf, root.hints, 127.0.0, rndc.conf and resolv.conf

Configuration Information

BIND will be configured to run in a chroot jail as an unprivileged user (named).
This configuration is more secure in that a DNS compromise can only affect a few files in the named user's HOME directory.

Create the unprivileged user and group named:

groupadd -g 20 named &&
useradd -c "BIND Owner" -g named -s /bin/false -u 20 named &&
install -d -m770 -o named -g named /srv/named

Set up some files, directories and devices needed by BIND:

cd /srv/named &&
mkdir -p dev etc/namedb/{slave,pz} usr/lib/engines var/run/named &&
mknod /srv/named/dev/null c 1 3 &&
mknod /srv/named/dev/urandom c 1 9 &&
chmod 666 /srv/named/dev/{null,urandom} &&
cp /etc/localtime etc &&
touch /srv/named/managed-keys.bind &&
cp /usr/lib/engines/libgost.so usr/lib/engines &&
[ $(uname -m) = x86_64 ] && ln -sv lib usr/lib64

The rndc.conf file contains information for controlling named operations with the rndc utility. Generate a key for use in the named.conf and rndc.conf with the rndc-confgen command:

rndc-confgen -r /dev/urandom -b 512 > /etc/rndc.conf &&
sed '/conf/d;/^#/!d;s:^# ::' /etc/rndc.conf > /srv/named/etc/named.conf

Complete the named.conf file from which named will read the location of zone files, root name servers and secure DNS keys:

cat >> /srv/named/etc/named.conf << "EOF"
options {
    directory "/etc/namedb";
    pid-file "/var/run/named.pid";
    statistics-file "/var/run/named.stats";
};
zone "." {
    type hint;
    file "root.hints";
};
zone "0.0.127.in-addr.arpa" {
    type master;
    file "pz/127.0.0";
};
// Bind 9 now logs by default through syslog (except debug).
// These are the default logging rules.
logging {
    category default { default_syslog; default_debug; };
    category unmatched { null; };

    channel default_syslog {
        syslog daemon;                      // send to syslog's daemon
                                            // facility
        severity info;                      // only send priority info
                                            // and higher
    };

    channel default_debug {
        file "named.run";                   // write to named.run in
                                            // the working directory
                                            // Note: stderr is used instead
                                            // of "named.run"
                                            // if the server is started
                                            // with the '-f' option.
        severity dynamic;                   // log at the server's
                                            // current debug level
    };

    channel default_stderr {
        stderr;                             // writes to stderr
        severity info;                      // only send priority info
                                            // and higher
    };

    channel null {
        null;                               // toss anything sent to
                                            // this channel
    };
};
EOF

Create a zone file with the following contents:

cat > /srv/named/etc/namedb/pz/127.0.0 << "EOF"
$TTL 3D
@      IN      SOA     ns.local.domain. hostmaster.local.domain. (
                        1       ; Serial
                        8H      ; Refresh
                        2H      ; Retry
                        4W      ; Expire
                        1D)     ; Minimum TTL
       NS      ns.local.domain.
1      PTR     localhost.
EOF

Create the root.hints file with the following commands:

Caution must be used to ensure there are no leading spaces in this file.

cat > /srv/named/etc/namedb/root.hints << "EOF"
.                       6D  IN      NS      A.ROOT-SERVERS.NET.
.                       6D  IN      NS      B.ROOT-SERVERS.NET.
.                       6D  IN      NS      C.ROOT-SERVERS.NET.
.                       6D  IN      NS      D.ROOT-SERVERS.NET.
.                       6D  IN      NS      E.ROOT-SERVERS.NET.
.                       6D  IN      NS      F.ROOT-SERVERS.NET.
.                       6D  IN      NS      G.ROOT-SERVERS.NET.
.                       6D  IN      NS      H.ROOT-SERVERS.NET.
.                       6D  IN      NS      I.ROOT-SERVERS.NET.
.                       6D  IN      NS      J.ROOT-SERVERS.NET.
.                       6D  IN      NS      K.ROOT-SERVERS.NET.
.                       6D  IN      NS      L.ROOT-SERVERS.NET.
.                       6D  IN      NS      M.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.     6D  IN      A       198.41.0.4
B.ROOT-SERVERS.NET.     6D  IN      A       192.228.79.201
C.ROOT-SERVERS.NET.     6D  IN      A       192.33.4.12
D.ROOT-SERVERS.NET.     6D  IN      A       199.7.91.13
E.ROOT-SERVERS.NET.     6D  IN      A       192.203.230.10
F.ROOT-SERVERS.NET.     6D  IN      A       192.5.5.241
G.ROOT-SERVERS.NET.     6D  IN      A       192.112.36.4
H.ROOT-SERVERS.NET.     6D  IN      A       128.63.2.53
I.ROOT-SERVERS.NET.     6D  IN      A       192.36.148.17
J.ROOT-SERVERS.NET.     6D  IN      A       192.58.128.30
K.ROOT-SERVERS.NET.     6D  IN      A       193.0.14.129
L.ROOT-SERVERS.NET.     6D  IN      A       199.7.83.42
M.ROOT-SERVERS.NET.     6D  IN      A       202.12.27.33
EOF

The root.hints file is a list of root name servers. This file must be updated periodically with the dig utility. A current copy of root.hints can be obtained from . Consult the BIND 9 Administrator Reference Manual for details.
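A stray leading space, or a name server listed without its glue A record, leaves the hint zone quietly unusable, so it is worth checking the file before it goes into the jail. The check below is an example added here (not part of the BLFS book or the BIND package); it assumes only POSIX sh, awk and grep, and its two sample inputs are constructed: a valid two-server excerpt and a deliberately broken copy.

```shell
#!/bin/sh
# Added example, not from the BLFS page or from BIND: sanity-check a root.hints
# file before copying it into the chroot jail. Two conditions are tested:
#   1. no record line starts with whitespace (the caution in the text above);
#   2. every NS target has a glue A record and every A record belongs to a
#      listed name server, so no hint points at an unresolvable name.

check_root_hints() {
    file=$1
    status=0

    # In zone-file syntax a line that starts with whitespace inherits the
    # previous owner name, which is never what a hints file intends.
    if grep -nE '^[[:space:]]+[^[:space:]]' "$file"; then
        echo "ERROR: the lines above start with whitespace" >&2
        status=1
    fi

    # Fields are: owner TTL class type rdata (e.g. ". 6D IN NS A.ROOT-SERVERS.NET.")
    ns_targets=$(awk 'toupper($4) == "NS" { print toupper($5) }' "$file" | sort -u)
    a_owners=$(awk 'toupper($4) == "A"  { print toupper($1) }' "$file" | sort -u)

    for ns in $ns_targets; do
        echo "$a_owners" | grep -qxF "$ns" ||
            { echo "ERROR: NS $ns has no A record" >&2; status=1; }
    done
    for owner in $a_owners; do
        echo "$ns_targets" | grep -qxF "$owner" ||
            { echo "ERROR: A record for $owner, but no NS record names it" >&2; status=1; }
    done
    return $status
}

# Constructed sample inputs: a valid two-server excerpt and a broken copy
# (leading spaces on one line, glue record for B missing).
GOOD_HINTS=$(mktemp) && cat > "$GOOD_HINTS" << "EOF"
.                    6D IN NS A.ROOT-SERVERS.NET.
.                    6D IN NS B.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.  6D IN A  198.41.0.4
B.ROOT-SERVERS.NET.  6D IN A  192.228.79.201
EOF
BAD_HINTS=$(mktemp) && cat > "$BAD_HINTS" << "EOF"
.                    6D IN NS A.ROOT-SERVERS.NET.
  .                  6D IN NS B.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.  6D IN A  198.41.0.4
EOF
trap 'rm -f "$GOOD_HINTS" "$BAD_HINTS"' EXIT

check_root_hints "$GOOD_HINTS" && echo "root.hints OK"
```

Run it against the real file with `check_root_hints /srv/named/etc/namedb/root.hints` after each update; a non-zero exit status means the file should not be loaded.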
Create or modify resolv.conf to use the new name server with the following commands:

Replace <yourdomain.com> with your own valid domain name.

cp /etc/resolv.conf /etc/resolv.conf.bak &&
cat > /etc/resolv.conf << "EOF"
search <yourdomain.com>
nameserver 127.0.0.1
EOF

Set permissions on the chroot jail with the following command:

chown -R named:named /srv/named

Boot Script

To start the DNS server at boot, install the /etc/rc.d/init.d/bind init script included in the package.

make install-bind

Now start BIND with the new boot script:

/etc/rc.d/init.d/bind start

Testing BIND

Test out the new BIND 9 installation. First query the local host address with dig:

dig -x 127.0.0.1

Now try an external name lookup, taking note of the speed difference in repeated lookups due to the caching. Run the dig command twice on the same address:

dig www.&lfs-domainname; && dig www.&lfs-domainname;

You can see almost instantaneous results with the named caching lookups. Consult the BIND Administrator Reference Manual located at doc/arm/Bv9ARM.html in the package source tree for further configuration options.
Contents

Installed Programs: arpaname, bind9-config (hardlinked to isc-config.sh), ddns-confgen, delv, dig, dnssec-checkds, dnssec-coverage, dnssec-dsfromkey, dnssec-importkey, dnssec-keyfromlabel, dnssec-keygen, dnssec-revoke, dnssec-settime, dnssec-signzone, dnssec-verify, genrandom, host, isc-hmac-fixup, lwresd (hardlinked to named), named-checkconf, named-checkzone, named-compilezone (symlink), named-journalprint, named-rrchecker, nsec3hash, nslookup, nsupdate, rndc, rndc-confgen, and tsig-keygen (symlink)

Installed Libraries: libbind9.so, libdns.so, libirs.so, libisc.so, libisccc.so, libisccfg.so, and liblwres.so

Installed Directories: /srv/named, /usr/include/bind9, /usr/include/dns, /usr/include/dst, /usr/include/irs, /usr/include/isc, /usr/include/isccc, /usr/include/isccfg, /usr/include/lwres, /usr/include/pk11, /usr/include/pkcs11, and /usr/share/doc/bind-&bind-version;

Short Descriptions

dig interrogates DNS servers.

dnssec-keygen is a key generator for secure DNS.

dnssec-signzone generates signed versions of zone files.

host is a utility for DNS lookups.

lwresd is a caching-only name server for local process use.

named is the name server daemon.

named-checkconf checks the syntax of named.conf files.

named-checkzone checks zone file validity.

nslookup is a program used to query Internet domain nameservers.

nsupdate is used to submit DNS update requests.

rndc controls the operation of BIND.

rndc-confgen generates rndc.conf files.