source: server/other/bind.xml@ 0b5a693

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
   "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd" [
  <!ENTITY % general-entities SYSTEM "../../general.ent">
  %general-entities;

<!ENTITY bind-download-http "http://gd.tuwien.ac.at/infosys/servers/isc/bind9/&bind-version;/bind-&bind-version;.tar.gz">
<!ENTITY bind-download-ftp "ftp://ftp.isc.org/isc/bind9/&bind-version;/bind-&bind-version;.tar.gz">
<!ENTITY bind-size "4.6 MB">
<!ENTITY bind-buildsize "87 MB">
<!ENTITY bind-time "1.87 SBU (additional 4.14 SBU to run the complete test suite)">
]>

<sect1 id="bind" xreflabel="BIND-&bind-version;">
<sect1info>
<othername>$LastChangedBy$</othername>
<date>$Date$</date>
</sect1info>
<?dbhtml filename="bind.html"?>
<title><acronym>BIND</acronym>-&bind-version;</title>

<sect2>
<title>Introduction to 
<application><acronym>BIND</acronym></application></title>

<para>The <application><acronym>BIND</acronym></application> package
provides a <acronym>DNS</acronym> server and client utilities. If you
are only interested in the utilities, refer to the 
<xref linkend="bind-utils"/>.</para>

<sect3><title>Package information</title>
<itemizedlist spacing='compact'>
<listitem><para>Download (HTTP): 
<ulink url="&bind-download-http;"/></para></listitem>
<listitem><para>Download (FTP): 
<ulink url="&bind-download-ftp;"/></para></listitem>
<listitem><para>Download size: 
&bind-size;</para></listitem>
<listitem><para>Estimated disk space required: 
&bind-buildsize;</para></listitem>
<listitem><para>Estimated build time: 
&bind-time;</para></listitem></itemizedlist>
</sect3>

<sect3><title><application><acronym>BIND</acronym></application> 
dependencies</title>
<sect4><title>Optional</title>
<para><xref linkend="openssl"/></para>
</sect4>

<sect4><title>Optional (to run the full test suite)</title>
<para><xref linkend="net-tools"/> (for <command>ifconfig</command>) and 
<xref linkend="perl-modules"/>: Net-DNS</para>
</sect4>

<sect4><title>Optional (to [re]build documentation)</title>
<para><xref linkend="openjade"/>, 
<xref linkend="jadetex"/>, 
<xref linkend="docbook-dsssl"/></para>
</sect4>
</sect3>

</sect2>

<sect2>
<title>Installation of 
<application><acronym>BIND</acronym></application></title>

<para>Install <application><acronym>BIND</acronym></application> by
running the following commands:</para>

<screen><userinput><command>sed -i -e "s/dsssl-stylesheets/&amp;-1.78/g" configure &amp;&amp;
./configure --prefix=/usr --sysconfdir=/etc \
    --enable-threads --with-libtool &amp;&amp;
make &amp;&amp;
make install &amp;&amp;
chmod 755 \
    /usr/lib/{lib{bind9,isc{,cc,cfg},lwres}.so.?.?.?,libdns.so.20.0.0} &amp;&amp;
mv /usr/share/man/man8/named.conf.5 /usr/share/man/man5 &amp;&amp;
cd doc &amp;&amp;
install -d -m755 /usr/share/doc/bind-9.3.0/{arm,draft,misc,rfc} &amp;&amp;
install -m644 arm/*.html \
    /usr/share/doc/bind-9.3.0/arm &amp;&amp;
install -m644 draft/*.txt \
    /usr/share/doc/bind-9.3.0/draft &amp;&amp;
install -m644 rfc/* \
    /usr/share/doc/bind-9.3.0/rfc &amp;&amp;
install -m644 \
    misc/{dnssec,ipv6,migrat*,options,rfc-compliance,roadmap,sdb} \
    /usr/share/doc/bind-9.3.0/misc</command></userinput></screen>

<para>In order to run the complete test suite before installing the 
package, you need to set up some dummy interfaces (requires 
<command>ifconfig</command>). Issue the following commands to run the 
complete suite of tests:</para>

<screen><userinput><command>bin/tests/system/ifconfig.sh up &amp;&amp;
make check &gt;check.log 2&gt;&amp;1 &amp;&amp;
bin/tests/system/ifconfig.sh down</command></userinput></screen>

<para>If desired, issue the following command to ensure all 145 tests ran 
successfully:</para>

<screen><userinput><command>grep "R:PASS" check.log | wc -l</command></userinput></screen>

</sect2>

<sect2>
<title>Command explanations</title>

<para><command>sed -i -e ... configure</command>: This command forces 
<command>configure</command> to look for the <acronym>DSSSL</acronym> 
stylesheets in the standard <acronym>BLFS</acronym> location.</para>

<para><parameter>--sysconfdir=/etc</parameter>: This parameter forces 
<application><acronym>BIND</acronym></application> to look for configuration 
files in <filename class='directory'>/etc</filename> instead of 
<filename class='directory'>/usr/etc</filename>.</para>

<para><parameter>--enable-threads</parameter>: This parameter enables 
multi-threading capability.</para>

<para><parameter>--with-libtool</parameter>: This parameter forces the 
building of dynamic libraries and links the installed binaries to these 
libraries.</para>

<para><command>cd doc; install ...</command>: These commands install the 
additional package documentation. Optionally, omit any or all of these 
commands.</para>

</sect2>

<sect2>
<title>Configuring
<application><acronym>BIND</acronym></application></title>

<sect3><title>Config files</title>
<para><filename>named.conf</filename>, <filename>root.hints</filename>, 
<filename>127.0.0</filename>, <filename>rndc.conf</filename></para>
</sect3>

<sect3><title>Configuration Information</title>

<para><application><acronym>BIND</acronym></application> will be configured 
to run in a <command>chroot</command> jail as an unprivileged user (named). 
This configuration is more secure in that a <acronym>DNS</acronym> compromise 
can only affect a few files in the named user's <envar>HOME</envar> 
directory.</para> 

<para>Create the unprivileged user and group named:</para>

<screen><userinput><command>groupadd named &amp;&amp;
useradd -m -c "BIND Owner" -g named -s /bin/false named</command></userinput></screen>

<para>Set up some files, directories and devices needed by 
<application><acronym>BIND</acronym></application>:</para>

<screen><userinput><command>cd /home/named &amp;&amp;
mkdir -p dev etc/namedb/slave var/run &amp;&amp;
mknod /home/named/dev/null c 1 3 &amp;&amp;
mknod /home/named/dev/random c 1 8 &amp;&amp;
chmod 666 /home/named/dev/{null,random} &amp;&amp;
mkdir /home/named/etc/namedb/pz &amp;&amp;
cp /etc/localtime /home/named/etc</command></userinput></screen>

<para>Then, generate a key for use in the <filename>named.conf</filename> 
and <filename>rdnc.conf</filename> files using the 
<command>rndc-confgen</command> command:</para>

<screen><userinput><command>rndc-confgen -b 512 | grep -m 1 "secret" | cut -d '"' -f 2</command></userinput></screen>

<para>Create the <filename>named.conf</filename> file from which named 
will read the location of zone files, root name servers and secure 
<acronym>DNS</acronym> keys:</para>

<screen><userinput><command>cat &gt; /home/named/etc/named.conf &lt;&lt; "EOF"</command>
 options {
     directory "/etc/namedb";
    pid-file "/var/run/named.pid";
    statistics-file "/var/run/named.stats";
       
 };
 controls {
     inet 127.0.0.1 allow { localhost; } keys { rndc_key; };
 };
 key "rndc_key" {
     algorithm hmac-md5;
     secret "<replaceable>[Insert secret from rndc-confgen's output here]</replaceable>";
 };
 zone "." {
     type hint;
     file "root.hints";
 };
 zone "0.0.127.in-addr.arpa" {
     type master;
     file "pz/127.0.0";
 };

// Bind 9 now logs by default through syslog (except debug).
// These are the default logging rules.

logging {
     category default { default_syslog; default_debug; };
     category unmatched { null; };

  channel default_syslog {
      syslog daemon;                      // send to syslog's daemon
                                          // facility
      severity info;                      // only send priority info
                                          // and higher
  };

  channel default_debug {
      file "named.run";                   // write to named.run in
                                          // the working directory
                                          // Note: stderr is used instead
                                          // of "named.run"
                                          // if the server is started
                                          // with the '-f' option.
      severity dynamic;                   // log at the server's
                                          // current debug level
  };

  channel default_stderr {
      stderr;                             // writes to stderr
      severity info;                      // only send priority info
                                          // and higher
  };

  channel null {
     null;                                // toss anything sent to
                                          // this channel
  };
};



<command>EOF</command></userinput></screen>

<para>Create the <filename>rndc.conf</filename> file with the following 
commands:</para>

<screen><userinput><command>cat &gt; /etc/rndc.conf &lt;&lt; "EOF"</command>
key rndc_key {
algorithm "hmac-md5";
    secret
    "<replaceable>[Insert secret from rndc-confgen's output here]</replaceable>";
    };
options {
    default-server localhost;
    default-key    rndc_key;
};
<command>EOF</command></userinput></screen>

<para>The <filename>rndc.conf</filename> file contains information for 
controlling named operations with the <command>rndc</command> 
utility.</para>

<para>Create a zone file with the following contents:</para>

<screen><userinput><command>cat &gt; /home/named/etc/namedb/pz/127.0.0 &lt;&lt; "EOF"</command>
$TTL 3D
@      IN      SOA     ns.local.domain. hostmaster.local.domain. (
                        1       ; Serial
                        8H      ; Refresh
                        2H      ; Retry
                        4W      ; Expire
                        1D)     ; Minimum TTL
                NS      ns.local.domain.
1               PTR     localhost.
<command>EOF</command></userinput></screen>

<para>Create the <filename>root.hints</filename> file with the following
commands:</para>

<note><para>Caution must be used to ensure there are no leading spaces in this 
file.</para></note>

<screen><userinput><command>cat &gt; /home/named/etc/namedb/root.hints &lt;&lt; "EOF"</command>
.                       6D  IN      NS      A.ROOT-SERVERS.NET.
.                       6D  IN      NS      B.ROOT-SERVERS.NET.
.                       6D  IN      NS      C.ROOT-SERVERS.NET.
.                       6D  IN      NS      D.ROOT-SERVERS.NET.
.                       6D  IN      NS      E.ROOT-SERVERS.NET.
.                       6D  IN      NS      F.ROOT-SERVERS.NET.
.                       6D  IN      NS      G.ROOT-SERVERS.NET.
.                       6D  IN      NS      H.ROOT-SERVERS.NET.
.                       6D  IN      NS      I.ROOT-SERVERS.NET.
.                       6D  IN      NS      J.ROOT-SERVERS.NET.
.                       6D  IN      NS      K.ROOT-SERVERS.NET.
.                       6D  IN      NS      L.ROOT-SERVERS.NET.
.                       6D  IN      NS      M.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.     6D  IN      A       198.41.0.4
B.ROOT-SERVERS.NET.     6D  IN      A       192.228.79.201
C.ROOT-SERVERS.NET.     6D  IN      A       192.33.4.12
D.ROOT-SERVERS.NET.     6D  IN      A       128.8.10.90
E.ROOT-SERVERS.NET.     6D  IN      A       192.203.230.10
F.ROOT-SERVERS.NET.     6D  IN      A       192.5.5.241
G.ROOT-SERVERS.NET.     6D  IN      A       192.112.36.4
H.ROOT-SERVERS.NET.     6D  IN      A       128.63.2.53
I.ROOT-SERVERS.NET.     6D  IN      A       192.36.148.17
J.ROOT-SERVERS.NET.     6D  IN      A       192.58.128.30
K.ROOT-SERVERS.NET.     6D  IN      A       193.0.14.129
L.ROOT-SERVERS.NET.     6D  IN      A       198.32.64.12
M.ROOT-SERVERS.NET.     6D  IN      A       202.12.27.33
<command>EOF</command></userinput></screen>

<para>The <filename>root.hints</filename> file is a list of root name servers. 
This file must be updated periodically with the <command>dig</command> 
utility.  A current copy of root.hints can be obtained from 
<ulink url="ftp://rs.internic.net/domain/named.root" />. Consult the 
<ulink url="http://www.bind9.net/Bv9ARM.html"><application>
<acronym>BIND</acronym></application> 9 Administrator Reference Manual</ulink> 
for details.</para>

<para>Create or modify <filename>resolv.conf</filename> to use the new 
name server with the following commands:</para>

<note><para>Replace <replaceable>[yourdomain.com]</replaceable> with your own 
valid domain name.</para></note>

<screen><userinput><command>cp /etc/resolv.conf /etc/resolv.conf.bak &amp;&amp;
cat &gt; /etc/resolv.conf &lt;&lt; "EOF"</command>
search <replaceable>[yourdomain.com]</replaceable>
nameserver 127.0.0.1
<command>EOF</command></userinput></screen>

<para>Set permissions on the <command>chroot</command> jail with the 
following command:</para>

<screen><userinput><command>chown -R named.named /home/named</command></userinput></screen>

<para>To start the <acronym>DNS</acronym> server at boot, install the 
<filename>/etc/rc.d/init.d/bind</filename> init script included in the 
<xref linkend="intro-important-bootscripts"/> package.</para>

<screen><userinput><command>make install-bind</command></userinput></screen>

<para>Now start <application><acronym>BIND</acronym></application> with
the new boot script:</para>

<screen><userinput><command>/etc/rc.d/init.d/bind start</command></userinput></screen>

</sect3>

<sect3><title>Testing <application><acronym>BIND</acronym></application></title>

<para>Test out the new
<application><acronym>BIND</acronym></application> 9 installation. First
query the local host address with <command>dig</command>:</para>

<screen><userinput><command>dig -x 127.0.0.1</command></userinput></screen>

<para>Now try an external name lookup, taking note of the speed
difference in repeated lookups due to the caching. Run the 
<command>dig</command> command twice on the same address:</para>

<screen><userinput><command>dig www.linuxfromscratch.org &amp;&amp;
dig www.linuxfromscratch.org</command></userinput></screen>

<para>You can see almost instantaneous results with the named caching lookups. 
Consult the <application><acronym>BIND</acronym></application> Administrator 
Reference Manual located at 
<filename>doc/arm/Bv9ARM.html</filename> in the package source tree, for 
further configuration options.</para>
</sect3>

</sect2>

<sect2>
<title>Contents</title>

<para>The <application><acronym>BIND</acronym></application> package contains 
<command>dig</command>, 
<command>dnssec-keygen</command>, 
<command>dnssec-signzone</command>, 
<command>host</command>, 
<command>isc-config.sh</command>, 
<command>lwresd</command>, 
<command>named</command>, 
<command>named-checkconf</command>, 
<command>named-checkzone</command>, 
<command>nslookup</command>, 
<command>nsupdate</command>, 
<command>rndc</command>, 
<command>rndc-confgen</command>, 
<filename class='libraryfile'>libbind9</filename>, 
<filename class='libraryfile'>libdns</filename>, 
<filename class='libraryfile'>libisc</filename>, 
<filename class='libraryfile'>libisccc</filename>, 
<filename class='libraryfile'>libisccfg</filename> and 
<filename class='libraryfile'>liblwres</filename>.</para>
</sect2>

<sect2><title>Description</title>

<sect3><title>dig</title>
<para><command>dig</command> interrogates <acronym>DNS</acronym>
servers.</para></sect3>

<sect3><title>dnssec-keygen</title>
<para><command>dnssec-keygen</command> is a key generator for secure
<acronym>DNS</acronym>.</para></sect3>

<sect3><title>dnssec-signzone</title>
<para><command>dnssec-signzone</command> generates signed versions of
zone files.</para></sect3>

<sect3><title>host</title>
<para><command>host</command> is a utility for <acronym>DNS</acronym>
lookups.</para></sect3>

<sect3><title>lwresd</title>
<para><command>lwresd</command> is a caching-only name server for local
process use.</para></sect3>

<sect3><title>named</title>
<para><command>named</command> is the name server daemon.</para></sect3>

<sect3><title>named-checkconf</title>
<para><command>named-checkconf</command> checks the syntax of
<filename>named.conf</filename> files.</para></sect3>

<sect3><title>named-checkzone</title>
<para><command>named-checkzone</command> checks zone file
validity.</para></sect3>

<sect3><title>nslookup</title>
<para><command>nslookup</command> is a program used to query Internet
domain nameservers.</para></sect3>

<sect3><title>nsupdate</title>
<para><command>nsupdate</command> is used to submit
<acronym>DNS</acronym> update requests.</para></sect3>

<sect3><title>rndc</title>
<para><command>rndc</command> controls the operation of
<application><acronym>BIND</acronym></application>.</para></sect3>

<sect3><title>rndc-confgen</title>
<para><command>rndc-confgen</command> generates
<filename>rndc.conf</filename> files.</para></sect3>

</sect2>

</sect1>