Changeset 0931098 for server/other/bind.xml
- Timestamp:
- 06/13/2004 05:38:30 AM (20 years ago)
- Branches:
- 10.0, 10.1, 11.0, 11.1, 11.2, 11.3, 12.0, 12.1, 6.0, 6.1, 6.2, 6.2.0, 6.2.0-rc1, 6.2.0-rc2, 6.3, 6.3-rc1, 6.3-rc2, 6.3-rc3, 7.10, 7.4, 7.5, 7.6, 7.6-blfs, 7.6-systemd, 7.7, 7.8, 7.9, 8.0, 8.1, 8.2, 8.3, 8.4, 9.0, 9.1, basic, bdubbs/svn, elogind, gnome, kde5-13430, kde5-14269, kde5-14686, kea, ken/TL2024, ken/inkscape-core-mods, ken/tuningfonts, krejzi/svn, lazarus, lxqt, nosym, perl-modules, plabs/newcss, plabs/python-mods, python3.11, qt5new, rahul/power-profiles-daemon, renodr/vulkan-addition, systemd-11177, systemd-13485, trunk, upgradedb, xry111/intltool, xry111/llvm18, xry111/soup3, xry111/test-20220226, xry111/xf86-video-removal
- Children:
- 60384c68
- Parents:
- 08254fc
- File:
- 1 edited
server/other/bind.xml
r08254fc r0931098 1 <?xml version="1.0" encoding="ISO-8859-1"?> 2 <!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" 3 "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd" [ 4 <!ENTITY % general-entities SYSTEM "../../general.ent"> 5 %general-entities; 6 7 <!ENTITY bind-download-http "http://gd.tuwien.ac.at/infosys/servers/isc/bind9/&bind-version;/bind-&bind-version;.tar.gz"> 8 <!ENTITY bind-download-ftp "ftp://ftp.isc.org/isc/bind9/&bind-version;/bind-&bind-version;.tar.gz"> 9 <!ENTITY bind-size "4.4 MB"> 10 <!ENTITY bind-buildsize "88 MB"> 11 <!ENTITY bind-time "0.89 SBU"> 12 13 ]> 14 1 15 <sect1 id="bind" xreflabel="BIND-&bind-version;"> 2 16 <?dbhtml filename="bind.html"?> 3 17 <title><acronym>BIND</acronym>-&bind-version;</title> 4 18 5 &bind-intro; 6 &bind-inst; 7 &bind-config; 8 &bind-desc; 19 <sect2> 20 <title>Introduction to <application><acronym>BIND</acronym></application></title> 21 22 <para>The <application><acronym>BIND</acronym></application> package 23 provides a <acronym>DNS</acronym> server and client utilities. 
If you 24 are only interested in the utilities, refer to the <xref linkend="bind-utils"/>.</para> 25 26 <sect3><title>Package information</title> 27 <itemizedlist spacing='compact'> 28 <listitem><para>Download (HTTP): <ulink url="&bind-download-http;"/></para></listitem> 29 <listitem><para>Download (FTP): <ulink url="&bind-download-ftp;"/></para></listitem> 30 <listitem><para>Download size: &bind-size;</para></listitem> 31 <listitem><para>Estimated Disk space required: &bind-buildsize;</para></listitem> 32 <listitem><para>Estimated build time: &bind-time;</para></listitem></itemizedlist> 33 </sect3> 34 35 <sect3><title><application><acronym>BIND</acronym></application> dependencies</title> 36 <sect4><title>Optional</title> 37 <para><xref linkend="openssl"/> and <xref linkend="openjade"/> 38 </para></sect4> 39 </sect3> 40 41 </sect2> 42 43 <sect2> 44 <title>Installation of <application><acronym>BIND</acronym></application></title> 45 46 <para>Install <application><acronym>BIND</acronym></application> by 47 running the following commands:</para> 48 49 <screen><userinput><command>./configure --prefix=/usr --sysconfdir=/etc && 50 make && 51 make install</command></userinput></screen> 52 53 </sect2> 54 55 <sect2> 56 <title>Configuring 57 <application><acronym>BIND</acronym></application></title> 58 59 <sect3><title>Config files</title> 60 <para><filename>named.conf</filename>, <filename>root.hints</filename>, 61 <filename>127.0.0</filename>, <filename>rndc.conf</filename></para> 62 </sect3> 63 64 <sect3><title>Configuration Information</title> 65 66 <para>We will configure 67 <application><acronym>BIND</acronym></application> to run in a chroot 68 jail as an unprivileged user (named). 
This configuration is more secure 69 in that a <acronym>DNS</acronym> compromise can only affect a few files 70 in the named user's <envar>HOME</envar> directory.</para> 71 72 <para>First we create the unprivileged user and group named:</para> 73 74 <screen><userinput><command>groupadd named && 75 useradd -m -g named -s /bin/false named</command></userinput></screen> 76 77 <para>Then we set up some files, directories and devices needed by 78 <application><acronym>BIND</acronym></application>:</para> 79 80 <screen><userinput><command>cd /home/named && 81 mkdir -p dev etc/namedb/slave var/run && 82 mknod /home/named/dev/null c 1 3 && 83 mknod /home/named/dev/random c 1 8 && 84 chmod 666 /home/named/dev/{null,random} && 85 mkdir /home/named/etc/namedb/pz && 86 cp /etc/localtime /home/named/etc</command></userinput></screen> 87 88 <para>Create the <filename>named.conf</filename> file from which named 89 will read the location of zone files, root name servers and secure 90 <acronym>DNS</acronym> keys:</para> 91 92 <screen><userinput><command>cat > /home/named/etc/named.conf << "EOF"</command> 93 options { 94 directory "/etc/namedb"; 95 pid-file "/var/run/named.pid"; 96 statistics-file "/var/run/named.stats"; 97 98 }; 99 controls { 100 inet 127.0.0.1 allow { localhost; } keys { rndc_key; }; 101 }; 102 key "rndc_key" { 103 algorithm hmac-md5; 104 secret "<replaceable>[c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K]</replaceable>"; 105 }; 106 zone "." { 107 type hint; 108 file "root.hints"; 109 }; 110 zone "0.0.127.in-addr.arpa" { 111 type master; 112 file "pz/127.0.0"; 113 }; 114 <command>EOF</command></userinput></screen> 115 116 <para>Create a zone file with the following contents:</para> 117 118 <screen><userinput><command>cat > /home/named/etc/namedb/pz/127.0.0 << "EOF"</command> 119 $TTL 3D 120 @ IN SOA ns.local.domain. hostmaster.local.domain. ( 121 1 ; Serial 122 8H ; Refresh 123 2H ; Retry 124 4W ; Expire 125 1D) ; Minimum TTL 126 NS ns.local.domain. 
127 1 PTR localhost. 128 <command>EOF</command></userinput></screen> 129 130 <para>Create the <filename>root.hints</filename> file with the following 131 commands:</para> 132 133 <note><para>Caution must be used to ensure no leading spaces in this 134 file.</para></note> 135 136 <screen><userinput><command>cat > /home/named/etc/namedb/root.hints << "EOF"</command> 137 . 6D IN NS A.ROOT-SERVERS.NET. 138 . 6D IN NS B.ROOT-SERVERS.NET. 139 . 6D IN NS C.ROOT-SERVERS.NET. 140 . 6D IN NS D.ROOT-SERVERS.NET. 141 . 6D IN NS E.ROOT-SERVERS.NET. 142 . 6D IN NS F.ROOT-SERVERS.NET. 143 . 6D IN NS G.ROOT-SERVERS.NET. 144 . 6D IN NS H.ROOT-SERVERS.NET. 145 . 6D IN NS I.ROOT-SERVERS.NET. 146 . 6D IN NS J.ROOT-SERVERS.NET. 147 . 6D IN NS K.ROOT-SERVERS.NET. 148 . 6D IN NS L.ROOT-SERVERS.NET. 149 . 6D IN NS M.ROOT-SERVERS.NET. 150 A.ROOT-SERVERS.NET. 6D IN A 198.41.0.4 151 B.ROOT-SERVERS.NET. 6D IN A 128.9.0.107 152 C.ROOT-SERVERS.NET. 6D IN A 192.33.4.12 153 D.ROOT-SERVERS.NET. 6D IN A 128.8.10.90 154 E.ROOT-SERVERS.NET. 6D IN A 192.203.230.10 155 F.ROOT-SERVERS.NET. 6D IN A 192.5.5.241 156 G.ROOT-SERVERS.NET. 6D IN A 192.112.36.4 157 H.ROOT-SERVERS.NET. 6D IN A 128.63.2.53 158 I.ROOT-SERVERS.NET. 6D IN A 192.36.148.17 159 J.ROOT-SERVERS.NET. 6D IN A 192.58.128.30 160 K.ROOT-SERVERS.NET. 6D IN A 193.0.14.129 161 L.ROOT-SERVERS.NET. 6D IN A 198.32.64.12 162 M.ROOT-SERVERS.NET. 6D IN A 202.12.27.33 163 <command>EOF</command></userinput></screen> 164 165 <para>The <filename>root.hints</filename> file is a list of root name 166 servers. This file must be updated periodically with the 167 <command>dig</command> utility. 
168 Consult the <ulink url="http://www.bind9.net/Bv9ARM.html"><application><acronym>BIND</acronym></application> 9 Administrator Reference Manual</ulink> for 169 details.</para> 170 171 <para>Create the <filename>rndc.conf</filename> with the following commands:</para> 172 173 <screen><userinput><command>cat > /etc/rndc.conf << "EOF"</command> 174 key rndc_key { 175 algorithm "hmac-md5"; 176 secret 177 "<replaceable>[c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K]</replaceable>"; 178 }; 179 options { 180 default-server localhost; 181 default-key rndc_key; 182 }; 183 <command>EOF</command></userinput></screen> 184 185 <para>The <filename>rndc.conf</filename> file contains information for 186 controlling named operations with the <command>rndc</command> 187 utility.</para> 188 189 <para>Create or modify <filename>resolv.conf</filename> to use the new 190 name server with the following commands:</para> 191 192 <note><para>Replace yourdomain.com with your own valid domain 193 name.</para></note> 194 195 <screen><userinput><command>cp /etc/resolv.conf /etc/resolv.conf.bak && 196 cat > /etc/resolv.conf << "EOF"</command> 197 search <replaceable>[yourdomain.com]</replaceable> 198 nameserver 127.0.0.1 199 <command>EOF</command></userinput></screen> 200 201 <para>Set permissions on the chroot jail with the following 202 command:</para> 203 204 <screen><userinput><command>chown -R named.named /home/named</command></userinput></screen> 205 206 <para>To start the DNS server at boot, install the <filename>/etc/rc.d/init.d/bind</filename> 207 init script included in the <xref linkend="intro-important-bootscripts"/> package.</para> 208 209 <screen><userinput><command>make install-bind</command></userinput></screen> 210 211 <para>Now start <application><acronym>BIND</acronym></application> with 212 the new boot script:</para> 213 214 <screen><userinput><command>/etc/rc.d/init.d/bind start</command></userinput></screen> 215 216 </sect3> 217 218 <sect3><title>Testing 
<application><acronym>BIND</acronym></application></title> 219 220 <para>Test out the new 221 <application><acronym>BIND</acronym></application> 9 installation. First 222 query the local host address with <command>dig</command>:</para> 223 224 <screen><userinput><command>dig -x 127.0.0.1</command></userinput></screen> 225 226 <para>Now try an external name lookup, taking note of the speed 227 difference in repeated lookups due to the caching. Run the dig command 228 twice on the same address:</para> 229 230 <para><screen><userinput><command>dig beyond.linuxfromscratch.org && 231 dig beyond.linuxfromscratch.org</command></userinput></screen> 232 You can see almost instantaneous results with the named caching lookups. 233 Consult <filename>bind-&bind-version;/doc/arm/Bv9ARM.html</filename>, 234 the <application><acronym>BIND</acronym></application> Administrator 235 Reference Manual for further configuration options.</para> 236 237 </sect3> 238 239 </sect2> 240 241 <sect2> 242 <title>Contents</title> 243 244 <para>The <application><acronym>BIND</acronym></application> package contains 245 <command>dig</command>, 246 <command>host</command>, 247 <command>isc-config.sh</command>, 248 <command>nslookup</command>, 249 <command>rndc</command>, 250 <command>rndc-confgen</command>, 251 <command>named-checkconf</command>, 252 <command>named-checkzone</command>, 253 <command>lwresd</command>, 254 <command>named</command>, 255 <command>dnssec-signzone</command>, 256 <command>dnssec-signkey</command>, 257 <command>dnssec-keygen</command>, 258 <command>dnssec-makekeyset</command> and 259 <command>nsupdate</command>.</para> 260 </sect2> 261 262 <sect2><title>Description</title> 263 264 <sect3><title>dig</title> 265 <para><command>dig</command> interrogates <acronym>DNS</acronym> 266 servers.</para></sect3> 267 268 <sect3><title>host</title> 269 <para><command>host</command> is a utility for <acronym>DNS</acronym> 270 lookups.</para></sect3> 271 272 <sect3><title>nslookup</title> 
273 <para><command>nslookup</command> is a program used to query Internet 274 domain nameservers.</para></sect3> 275 276 <sect3><title>rndc</title> 277 <para><command>rndc</command> controls the operation of 278 <application><acronym>BIND</acronym></application>.</para></sect3> 279 280 <sect3><title>rndc-confgen</title> 281 <para><command>rndc-confgen</command> generates 282 <filename>rndc.conf</filename> files.</para></sect3> 283 284 <sect3><title>named-checkconf</title> 285 <para><command>named-checkconf</command> checks the syntax of 286 <filename>named.conf</filename> files.</para></sect3> 287 288 <sect3><title>named-checkzone</title> 289 <para><command>named-checkzone</command> checks zone file 290 validity.</para></sect3> 291 292 <sect3><title>lwresd</title> 293 <para><command>lwresd</command> is a caching-only name server for local 294 process use.</para></sect3> 295 296 <sect3><title>named</title> 297 <para><command>named</command> is the name server daemon.</para></sect3> 298 299 <sect3><title>dnssec-signzone</title> 300 <para><command>dnssec-signzone</command> generates signed versions of 301 zone files.</para></sect3> 302 303 <sect3><title>dnssec-signkey</title> 304 <para><command>dnssec-signkey</command> signs zone file key 305 sets.</para></sect3> 306 307 <sect3><title>dnssec-keygen</title> 308 <para><command>dnssec-keygen</command> is a key generator for secure 309 <acronym>DNS</acronym>.</para></sect3> 310 311 <sect3><title>dnssec-makekeyset</title> 312 <para><command>dnssec-makekeyset</command> generates a key set from one 313 or more keys created by dnssec-keygen.</para></sect3> 314 315 <sect3><title>nsupdate</title> 316 <para><command>nsupdate</command> is used to submit 317 <acronym>DNS</acronym> update requests.</para></sect3> 318 319 </sect2> 9 320 10 321 </sect1>
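Review bot: the `secret` written into named.conf (rendered line 104) and into rndc.conf (line 177) is the same fixed sample string, and nothing in the Configuration Information text says that the two values must match or that the sample must be replaced with a freshly generated one; since `rndc-confgen` is listed under Contents (line 250), the paragraph introducing rndc.conf (lines 185-187) should say to generate the key with `rndc-confgen` and paste that same secret into both files. A related nit: named.conf uses `algorithm hmac-md5;` while rndc.conf uses `algorithm "hmac-md5";`, both parse, but pick one form.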
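Review bot: the chroot assumption is left implicit. `directory "/etc/namedb"` and `pid-file "/var/run/named.pid"` (lines 94-95) only make sense if named is started chrooted into /home/named as user `named`, yet the only start instruction is `/etc/rc.d/init.d/bind start` with the script taken from the bootscripts package (lines 206-214); the text should state that the script is expected to run named with that jail and that user, so a reader who starts named by hand does not end up with a daemon that never sees the jailed configuration. The claim at lines 68-70 that a compromise "can only affect a few files in the named user's HOME directory" should also be narrowed: the jail bounds what a compromised process can write, but it still answers queries, so this is containment rather than prevention.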
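Review bot: the Testing subsection (lines 218-235) never uses `named-checkconf` or `named-checkzone`, although both are listed under Contents (lines 251-252); a syntax check of the generated named.conf and of the `pz/127.0.0` zone before `/etc/rc.d/init.d/bind start` would catch exactly the kind of whitespace slip the root.hints note (lines 133-134) warns about. Two style points: line 230 nests `<screen>` inside `<para>` with prose following it, unlike every other `<screen>` in the file, which sits as a sibling of its `<para>`; and the `mkdir -p dev etc/namedb/slave var/run` at line 81 followed by `mkdir /home/named/etc/namedb/pz` at line 85 could be a single `mkdir -p dev etc/namedb/{slave,pz} var/run`.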