source: server/other/bind.xml@ ff769b8c

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
   "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd" [
  <!ENTITY % general-entities SYSTEM "../../general.ent">
  %general-entities;

<!ENTITY bind-download-http "http://gd.tuwien.ac.at/infosys/servers/isc/bind9/&bind-version;/bind-&bind-version;.tar.gz">
<!ENTITY bind-download-ftp "ftp://ftp.isc.org/isc/bind9/&bind-version;/bind-&bind-version;.tar.gz">
<!ENTITY bind-md5sum "fdb42fff7e345372ac52a4493b77b694">
<!ENTITY bind-size "4.6 MB">
<!ENTITY bind-buildsize "87 MB">
<!ENTITY bind-time "1.87 SBU (additional 4.14 SBU to run the complete test suite)">
]>

<sect1 id="bind" xreflabel="BIND-&bind-version;p1">
<sect1info>
<othername>$LastChangedBy$</othername>
<date>$Date$</date>
</sect1info>
<?dbhtml filename="bind.html"?>
<title><acronym>BIND</acronym>-&bind-version;p1</title>
<indexterm zone="bind">
<primary sortas="a-BIND">BIND</primary>
</indexterm>

<sect2>
<title>Introduction to 
<application><acronym>BIND</acronym></application></title>

<para>The <application><acronym>BIND</acronym></application> package
provides a <acronym>DNS</acronym> server and client utilities. If you
are only interested in the utilities, refer to the 
<xref linkend="bind-utils"/>.</para>

<sect3><title>Package information</title>
<itemizedlist spacing='compact'>
<listitem><para>Download (HTTP): 
<ulink url="&bind-download-http;"/></para></listitem>
<listitem><para>Download (FTP): 
<ulink url="&bind-download-ftp;"/></para></listitem>
<listitem><para>Download MD5 sum: 
&bind-md5sum;</para></listitem>
<listitem><para>Download size: 
&bind-size;</para></listitem>
<listitem><para>Estimated disk space required: 
&bind-buildsize;</para></listitem>
<listitem><para>Estimated build time: 
&bind-time;</para></listitem></itemizedlist>
</sect3>

<sect3><title>Additional downloads</title>
<itemizedlist spacing='compact'>
<listitem><para><ulink 
url="ftp://ftp.isc.org/isc/bind9/9.3.0/&bind-version;-patch1"/></para>
</listitem>
</itemizedlist>
</sect3>

<sect3><title><application><acronym>BIND</acronym></application> 
dependencies</title>
<sect4><title>Optional</title>
<para><xref linkend="openssl"/></para>
</sect4>

<sect4><title>Optional (to run the full test suite)</title>
<para><xref linkend="net-tools"/> (for <command>ifconfig</command>) and 
<xref linkend="perl-modules"/>: Net-DNS</para>
</sect4>

<sect4><title>Optional (to [re]build documentation)</title>
<para><xref linkend="openjade"/>, 
<xref linkend="jadetex"/>, 
<xref linkend="docbook-dsssl"/></para>
</sect4>
</sect3>

</sect2>

<sect2>
<title>Installation of 
<application><acronym>BIND</acronym></application></title>

<para>Install <application><acronym>BIND</acronym></application> by
running the following commands:</para>

<screen><userinput><command>patch -Np1 -i ../&bind-version;-patch1 &amp;&amp;
sed -i -e "s/dsssl-stylesheets/&amp;-1.78/g" configure &amp;&amp;
./configure --prefix=/usr --sysconfdir=/etc \
    --enable-threads --with-libtool &amp;&amp;
make</command></userinput></screen>

<para>Now, as the root user:</para>

<screen><userinput role='root'><command>make install &amp;&amp;
chmod 755 \
    /usr/lib/{lib{bind9,isc{,cc,cfg},lwres}.so.?.?.?,libdns.so.20.0.0} &amp;&amp;
mv /usr/share/man/man8/named.conf.5 /usr/share/man/man5 &amp;&amp;
cd doc &amp;&amp;
install -d -m755 /usr/share/doc/bind-9.3.0/{arm,draft,misc,rfc} &amp;&amp;
install -m644 arm/*.html \
    /usr/share/doc/bind-9.3.0/arm &amp;&amp;
install -m644 draft/*.txt \
    /usr/share/doc/bind-9.3.0/draft &amp;&amp;
install -m644 rfc/* \
    /usr/share/doc/bind-9.3.0/rfc &amp;&amp;
install -m644 \
    misc/{dnssec,ipv6,migrat*,options,rfc-compliance,roadmap,sdb} \
    /usr/share/doc/bind-9.3.0/misc</command></userinput></screen>

<para>In order to run the complete test suite before installing the 
package, you need to set up some dummy interfaces (requires 
<command>ifconfig</command>). Issue the following commands to run the 
complete suite of tests (you will have to be the root user to issue the
<command>ifconfig</command> commands):</para>

<screen><userinput role='root'><command>bin/tests/system/ifconfig.sh up &amp;&amp;
make check &gt;check.log 2&gt;&amp;1 &amp;&amp;
bin/tests/system/ifconfig.sh down</command></userinput></screen>

<para>If desired, issue the following command to ensure all 145 tests ran 
successfully:</para>

<screen><userinput><command>grep "R:PASS" check.log | wc -l</command></userinput></screen>

</sect2>

<sect2>
<title>Command explanations</title>

<para><command>patch -Np1 -i ../&bind-version;-patch1</command>: There's a 
vulnerability in the <acronym>DNS</acronym><acronym>SEC</acronym> code. See 
<ulink url="http://www.kb.cert.org/vuls/id/938617"/>. The patch fixes the
bug.</para>

<para><command>sed -i -e ... configure</command>: This command forces 
<command>configure</command> to look for the <acronym>DSSSL</acronym> 
stylesheets in the standard <acronym>BLFS</acronym> location.</para>

<para><parameter>--sysconfdir=/etc</parameter>: This parameter forces 
<application><acronym>BIND</acronym></application> to look for configuration 
files in <filename class='directory'>/etc</filename> instead of 
<filename class='directory'>/usr/etc</filename>.</para>

<para><parameter>--enable-threads</parameter>: This parameter enables 
multi-threading capability.</para>

<para><parameter>--with-libtool</parameter>: This parameter forces the 
building of dynamic libraries and links the installed binaries to these 
libraries.</para>

<para><command>cd doc; install ...</command>: These commands install the 
additional package documentation. Optionally, omit any or all of these 
commands.</para>

</sect2>

<sect2>
<title>Configuring
<application><acronym>BIND</acronym></application></title>

<sect3 id="bind-config"><title>Config files</title>
<para><filename>named.conf</filename>, 
<filename>root.hints</filename>, 
<filename>127.0.0</filename>, 
<filename>rndc.conf</filename> and 
<filename>resolv.conf</filename></para>
<indexterm zone="bind bind-config">
<primary sortas="e-etc-named.conf">/etc/named.conf</primary></indexterm>
<indexterm zone="bind bind-config">
<primary sortas="e-etc-rndc.conf">/etc/rndc.conf</primary></indexterm>
<indexterm zone="bind bind-config">
<primary sortas="e-etc-resolv.conf">/etc/resolv.conf</primary></indexterm>
<indexterm zone="bind bind-config">
<primary sortas="e-etc-namedb-root.hints">/etc/namedb/root.hints</primary>
</indexterm>
<indexterm zone="bind bind-config">
<primary sortas="e-etc-namedb-pz-127.0.0.0">/etc/namedb/pz/127.0.0.0</primary>
</indexterm>
</sect3>

<sect3><title>Configuration Information</title>

<para><application><acronym>BIND</acronym></application> will be configured 
to run in a <command>chroot</command> jail as an unprivileged user (named). 
This configuration is more secure in that a <acronym>DNS</acronym> compromise 
can only affect a few files in the named user's <envar>HOME</envar> 
directory.</para> 

<para>Create the unprivileged user and group named:</para>

<screen><userinput role='root'><command>groupadd named &amp;&amp;
useradd -m -c "BIND Owner" -g named -s /bin/false named</command></userinput></screen>

<para>Set up some files, directories and devices needed by 
<application><acronym>BIND</acronym></application>:</para>

<screen><userinput role='root'><command>cd /home/named &amp;&amp;
mkdir -p dev etc/namedb/slave var/run &amp;&amp;
mknod /home/named/dev/null c 1 3 &amp;&amp;
mknod /home/named/dev/random c 1 8 &amp;&amp;
chmod 666 /home/named/dev/{null,random} &amp;&amp;
mkdir /home/named/etc/namedb/pz &amp;&amp;
cp /etc/localtime /home/named/etc</command></userinput></screen>

<para>Then, generate a key for use in the <filename>named.conf</filename> 
and <filename>rdnc.conf</filename> files using the 
<command>rndc-confgen</command> command:</para>

<screen><userinput role='root'><command>rndc-confgen -b 512 | grep -m 1 "secret" | cut -d '"' -f 2</command></userinput></screen>

<para>Create the <filename>named.conf</filename> file from which named 
will read the location of zone files, root name servers and secure 
<acronym>DNS</acronym> keys:</para>

<screen><userinput role='root'><command>cat &gt; /home/named/etc/named.conf &lt;&lt; "EOF"</command>
 options {
     directory "/etc/namedb";
    pid-file "/var/run/named.pid";
    statistics-file "/var/run/named.stats";
       
 };
 controls {
     inet 127.0.0.1 allow { localhost; } keys { rndc_key; };
 };
 key "rndc_key" {
     algorithm hmac-md5;
     secret "<replaceable>[Insert secret from rndc-confgen's output here]</replaceable>";
 };
 zone "." {
     type hint;
     file "root.hints";
 };
 zone "0.0.127.in-addr.arpa" {
     type master;
     file "pz/127.0.0";
 };

// Bind 9 now logs by default through syslog (except debug).
// These are the default logging rules.

logging {
     category default { default_syslog; default_debug; };
     category unmatched { null; };

  channel default_syslog {
      syslog daemon;                      // send to syslog's daemon
                                          // facility
      severity info;                      // only send priority info
                                          // and higher
  };

  channel default_debug {
      file "named.run";                   // write to named.run in
                                          // the working directory
                                          // Note: stderr is used instead
                                          // of "named.run"
                                          // if the server is started
                                          // with the '-f' option.
      severity dynamic;                   // log at the server's
                                          // current debug level
  };

  channel default_stderr {
      stderr;                             // writes to stderr
      severity info;                      // only send priority info
                                          // and higher
  };

  channel null {
     null;                                // toss anything sent to
                                          // this channel
  };
};



<command>EOF</command></userinput></screen>

<para>Create the <filename>rndc.conf</filename> file with the following 
commands:</para>

<screen><userinput role='root'><command>cat &gt; /etc/rndc.conf &lt;&lt; "EOF"</command>
key rndc_key {
algorithm "hmac-md5";
    secret
    "<replaceable>[Insert secret from rndc-confgen's output here]</replaceable>";
    };
options {
    default-server localhost;
    default-key    rndc_key;
};
<command>EOF</command></userinput></screen>

<para>The <filename>rndc.conf</filename> file contains information for 
controlling named operations with the <command>rndc</command> 
utility.</para>

<para>Create a zone file with the following contents:</para>

<screen><userinput role='root'><command>cat &gt; /home/named/etc/namedb/pz/127.0.0 &lt;&lt; "EOF"</command>
$TTL 3D
@      IN      SOA     ns.local.domain. hostmaster.local.domain. (
                        1       ; Serial
                        8H      ; Refresh
                        2H      ; Retry
                        4W      ; Expire
                        1D)     ; Minimum TTL
                NS      ns.local.domain.
1               PTR     localhost.
<command>EOF</command></userinput></screen>

<para>Create the <filename>root.hints</filename> file with the following
commands:</para>

<note><para>Caution must be used to ensure there are no leading spaces in this 
file.</para></note>

<screen><userinput><command>cat &gt; /home/named/etc/namedb/root.hints &lt;&lt; "EOF"</command>
.                       6D  IN      NS      A.ROOT-SERVERS.NET.
.                       6D  IN      NS      B.ROOT-SERVERS.NET.
.                       6D  IN      NS      C.ROOT-SERVERS.NET.
.                       6D  IN      NS      D.ROOT-SERVERS.NET.
.                       6D  IN      NS      E.ROOT-SERVERS.NET.
.                       6D  IN      NS      F.ROOT-SERVERS.NET.
.                       6D  IN      NS      G.ROOT-SERVERS.NET.
.                       6D  IN      NS      H.ROOT-SERVERS.NET.
.                       6D  IN      NS      I.ROOT-SERVERS.NET.
.                       6D  IN      NS      J.ROOT-SERVERS.NET.
.                       6D  IN      NS      K.ROOT-SERVERS.NET.
.                       6D  IN      NS      L.ROOT-SERVERS.NET.
.                       6D  IN      NS      M.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.     6D  IN      A       198.41.0.4
B.ROOT-SERVERS.NET.     6D  IN      A       192.228.79.201
C.ROOT-SERVERS.NET.     6D  IN      A       192.33.4.12
D.ROOT-SERVERS.NET.     6D  IN      A       128.8.10.90
E.ROOT-SERVERS.NET.     6D  IN      A       192.203.230.10
F.ROOT-SERVERS.NET.     6D  IN      A       192.5.5.241
G.ROOT-SERVERS.NET.     6D  IN      A       192.112.36.4
H.ROOT-SERVERS.NET.     6D  IN      A       128.63.2.53
I.ROOT-SERVERS.NET.     6D  IN      A       192.36.148.17
J.ROOT-SERVERS.NET.     6D  IN      A       192.58.128.30
K.ROOT-SERVERS.NET.     6D  IN      A       193.0.14.129
L.ROOT-SERVERS.NET.     6D  IN      A       198.32.64.12
M.ROOT-SERVERS.NET.     6D  IN      A       202.12.27.33
<command>EOF</command></userinput></screen>

<para>The <filename>root.hints</filename> file is a list of root name servers. 
This file must be updated periodically with the <command>dig</command> 
utility.  A current copy of root.hints can be obtained from 
<ulink url="ftp://rs.internic.net/domain/named.root" />. Consult the 
<ulink url="http://www.bind9.net/Bv9ARM.html"><application>
<acronym>BIND</acronym></application> 9 Administrator Reference Manual</ulink> 
for details.</para>

<para>Create or modify <filename>resolv.conf</filename> to use the new 
name server with the following commands:</para>

<note><para>Replace <replaceable>[yourdomain.com]</replaceable> with your own 
valid domain name.</para></note>

<screen><userinput role='root'><command>cp /etc/resolv.conf /etc/resolv.conf.bak &amp;&amp;
cat &gt; /etc/resolv.conf &lt;&lt; "EOF"</command>
search <replaceable>[yourdomain.com]</replaceable>
nameserver 127.0.0.1
<command>EOF</command></userinput></screen>

<para>Set permissions on the <command>chroot</command> jail with the 
following command:</para>

<screen><userinput role='root'><command>chown -R named.named /home/named</command></userinput></screen>

<para id="bind-init">To start the <acronym>DNS</acronym> server at boot, install the 
<filename>/etc/rc.d/init.d/bind</filename> init script included in the 
<xref linkend="intro-important-bootscripts"/> package.</para>
<indexterm zone="bind bind-init">
<primary sortas="f-bind">bind</primary></indexterm>

<screen><userinput role='root'><command>make install-bind</command></userinput></screen>

<para>Now start <application><acronym>BIND</acronym></application> with
the new boot script:</para>

<screen><userinput role='root'><command>/etc/rc.d/init.d/bind start</command></userinput></screen>

</sect3>

<sect3><title>Testing <application><acronym>BIND</acronym></application></title>

<para>Test out the new
<application><acronym>BIND</acronym></application> 9 installation. First
query the local host address with <command>dig</command>:</para>

<screen><userinput><command>dig -x 127.0.0.1</command></userinput></screen>

<para>Now try an external name lookup, taking note of the speed
difference in repeated lookups due to the caching. Run the 
<command>dig</command> command twice on the same address:</para>

<screen><userinput><command>dig www.linuxfromscratch.org &amp;&amp;
dig www.linuxfromscratch.org</command></userinput></screen>

<para>You can see almost instantaneous results with the named caching lookups. 
Consult the <application><acronym>BIND</acronym></application> Administrator 
Reference Manual located at 
<filename>doc/arm/Bv9ARM.html</filename> in the package source tree, for 
further configuration options.</para>
</sect3>

</sect2>

<sect2>
<title>Contents</title>

<segmentedlist>
<segtitle>Installed Programs</segtitle>
<segtitle>Installed Libraries</segtitle>
<segtitle>Installed Directories</segtitle>

<seglistitem>
<seg>dig, dnssec-keygen, dnssec-signzone, host, isc-config.sh, lwresd, 
named, named-checkconf, named-checkzone, nslookup, nsupdate, rndc and 
rndc-confgen</seg>
<seg>libbind9.[so,a], libdns.[so,a], libisc.[so,a], libisccc.[so,a], 
libisccfg.[so,a] and liblwres.[so,a]</seg>
<seg>/home/named, /usr/include/bind9, /usr/include/dns, /usr/include/dst, 
/usr/include/isc, /usr/include/isccc, /usr/include/isccfg, /usr/include/lwres 
and /usr/share/doc/bind-&bind-version;</seg>
</seglistitem>
</segmentedlist>

<variablelist>
<bridgehead renderas="sect3">Short Descriptions</bridgehead>
<?dbfo list-presentation="list"?>

<varlistentry id="dig">
<term><command>dig</command></term>
<listitem><para>interrogates <acronym>DNS</acronym> servers.</para>
<indexterm zone="bind dig">
<primary sortas="b-dig">dig</primary>
</indexterm></listitem>
</varlistentry>

<varlistentry id="dnssec-keygen">
<term><command>dnssec-keygen</command></term>
<listitem><para>is a key generator for secure <acronym>DNS</acronym>.</para>
<indexterm zone="bind dnssec-keygen">
<primary sortas="b-dnssec-keygen">dnssec-keygen</primary>
</indexterm></listitem>
</varlistentry>

<varlistentry id="dnssec-signzone">
<term><command>dnssec-signzone</command></term>
<listitem><para>generates signed versions of zone files.</para>
<indexterm zone="bind dnssec-signzone">
<primary sortas="b-dnssec-signzone">dnssec-signzone</primary>
</indexterm></listitem>
</varlistentry>

<varlistentry id="host">
<term><command>host</command></term>
<listitem><para>is a utility for <acronym>DNS</acronym> lookups.</para>
<indexterm zone="bind host">
<primary sortas="b-host">host</primary>
</indexterm></listitem>
</varlistentry>

<varlistentry id="lwresd">
<term><command>lwresd</command></term>
<listitem><para>is a caching-only name server for local process use.</para>
<indexterm zone="bind lwresd">
<primary sortas="b-lwresd">lwresd</primary>
</indexterm></listitem>
</varlistentry>

<varlistentry id="named">
<term><command>named</command></term>
<listitem><para>is the name server daemon.</para>
<indexterm zone="bind named">
<primary sortas="b-named">named</primary>
</indexterm></listitem>
</varlistentry>

<varlistentry id="named-checkconf">
<term><command>named-checkconf</command></term>
<listitem><para>checks the syntax of <filename>named.conf</filename> 
files.</para>
<indexterm zone="bind named-checkconf">
<primary sortas="b-named-checkconf">named-checkconf</primary>
</indexterm></listitem>
</varlistentry>

<varlistentry id="named-checkzone">
<term><command>named-checkzone</command></term>
<listitem><para>checks zone file validity.</para>
<indexterm zone="bind named-checkzone">
<primary sortas="b-named-checkzone">named-checkzone</primary>
</indexterm></listitem>
</varlistentry>

<varlistentry id="nslookup">
<term><command>nslookup</command></term>
<listitem><para>is a program used to query Internet domain nameservers.</para>
<indexterm zone="bind nslookup">
<primary sortas="b-nslookup">nslookup</primary>
</indexterm></listitem>
</varlistentry>

<varlistentry id="nsupdate">
<term><command>nsupdate</command></term>
<listitem><para>is used to submit <acronym>DNS</acronym> update 
requests.</para>
<indexterm zone="bind nsupdate">
<primary sortas="b-nsupdate">nsupdate</primary>
</indexterm></listitem>
</varlistentry>

<varlistentry id="rndc">
<term><command>rndc</command></term>
<listitem><para>controls the operation of 
<application><acronym>BIND</acronym></application>.</para>
<indexterm zone="bind rndc">
<primary sortas="b-rndc">rndc</primary>
</indexterm></listitem>
</varlistentry>

<varlistentry id="rndc-confgen">
<term><command>rndc-confgen</command></term>
<listitem><para>generates <filename>rndc.conf</filename> files.</para>
<indexterm zone="bind rndc-confgen">
<primary sortas="b-rndc-confgen">rndc-confgen</primary>
</indexterm></listitem>
</varlistentry>
</variablelist>

</sect2>

</sect1>