For those whose system is not connected to the Internet yet:[[BR]]
To ensure BIND will build dnssec-keymgr, install the ply python module as the root user.[[BR]]

Without Internet access this command will time out:

{{{
pip3 install ply
}}}

Download the file on another machine that does have access:

{{{
wget http://www.dabeaz.com/ply/ply-3.11.tar.gz
}}}
Then, once the file has been transferred into your build directory, install it from the local tarball:

{{{
pip3 install ply-3.11.tar.gz
}}}

'''Processing ./ply-3.11.tar.gz
Installing collected packages: ply
Running setup.py install for ply ... done
Successfully installed ply-3.11'''

Note:
https://github.com/dabeaz/ply - Alternate source

http://www.dabeaz.com/ply/
PLY is currently in maintenance mode only.[[BR]]
Critical bugs (if any) will be addressed, but no new features are being added.[[BR]]
If you are looking for a parser generator with a more modern flavor, look at the SLY Project.[[BR]]
02/15/2018 PLY-3.11 is the last release.

----
== More information on DLZ ==
----
Error in creating the rndc.conf file:

{{{
rndc-confgen -r /dev/urandom -b 512 > /etc/rndc.conf &&
sed '/conf/d;/^#/!d;s:^# ::' /etc/rndc.conf > /srv/named/etc/named.conf
}}}
'''The -r option has been deprecated.'''

See Ticket #12649 (new defect):
BIND-9.14.5 rndc-confgen: The -r option has been deprecated.

Use this instead:

{{{
rndc-confgen -a -b 512 -t /srv/named
}}}

'''wrote key file "/etc/rndc.key"[[BR]]
wrote key file "/srv/named/etc/rndc.key"'''

If you ran the command with -r previously, clean up the unnecessary files it created:

{{{
rm /etc/rndc.conf /srv/named/etc/rndc.conf
}}}

Notes from the man page:
-a option:
Do automatic rndc configuration. This creates a file rndc.key in /etc (or whatever sysconfdir was specified as when BIND was built) that is read by both rndc and named on startup. The rndc.key file defines a default command channel and authentication key allowing rndc to communicate with named on the local host with no further configuration.
Running rndc-confgen -a allows BIND 9 and rndc to be used as drop-in replacements for BIND 8 and ndc, with no changes to the existing BIND 8 named.conf file.
If a more elaborate configuration than that generated by rndc-confgen -a is required, for example if rndc is to be used remotely, you should run rndc-confgen without the -a option and set up a rndc.conf and named.conf as directed.

-t option:
Used with the -a option to specify a directory where named will run chrooted. An additional copy of the rndc.key will be written relative to this directory so that it will be found by the chrooted named.

----
If you want the latest root.hints file, run this:

{{{
wget ftp://rs.internic.net/domain/named.{root,root.md5}
cp /srv/named/etc/namedb/root.hints /srv/named/etc/namedb/root.hints.old
md5sum named.root |grep -f named.root.md5 && mv named.root /srv/named/etc/namedb/root.hints
}}}
If the checksum check fails, the file is not moved into place and root.hints is left unchanged.
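The check above only works if grep -f happens to find a pattern in named.root.md5 that matches the md5sum output line. As an added example (not from these notes), here is a small POSIX sh version that pulls the 32-hex-character digest out of the .md5 file whatever its layout, compares it with what md5sum computes, and only then swaps the file in; the function names are my own, and the default hints path is the chrooted one used above.

```shell
#!/bin/sh
# Added example, not part of the BLFS notes: verify a downloaded named.root
# against its .md5 file before replacing root.hints.

# Print the first 32-hex-char digest found in an .md5 file, whatever the
# layout ("MD5 (named.root) = <hex>", "<hex>  named.root" or a bare hash).
digest_from_md5file() {
    tr 'A-F' 'a-f' < "$1" | grep -o '[0-9a-f]\{32\}' | head -n 1
}

# Return 0 if the md5 of FILE matches the digest in MD5FILE, 1 otherwise.
# An .md5 file with no digest in it is treated as a failure, not a pass.
verify_md5() {
    file=$1; md5file=$2
    expected=$(digest_from_md5file "$md5file")
    actual=$(md5sum "$file" | cut -d' ' -f1)
    [ -n "$expected" ] && [ "$actual" = "$expected" ]
}

# Back up the current hints file and install NEW only when the digest
# checks out. HINTS defaults to the chrooted path used in these notes.
update_root_hints() {
    new=$1; md5file=$2; hints=${3:-/srv/named/etc/namedb/root.hints}
    if verify_md5 "$new" "$md5file"; then
        [ -f "$hints" ] && cp "$hints" "$hints.old"
        mv "$new" "$hints"
        echo "root.hints updated"
    else
        echo "checksum mismatch: $hints not updated" >&2
        return 1
    fi
}
```

Usage: `update_root_hints named.root named.root.md5` after the wget above; a bad or missing digest leaves the current root.hints untouched and returns 1.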

The only difference as of Oct. 14th, 2019 was the B root server record:
B.ROOT-SERVERS.NET. 3600000 A 199.9.14.201

And notice the address class "IN" is missing from the records?
Not sure why it is missing, since the instructions in the book say:
"A current copy of root.hints can be obtained from ftp://rs.internic.net/domain/named.root."

You can use dig to fetch the file instead:

== Updating the root.hints file with dig ==
Instead of downloading https://www.internic.net/domain/named.root, you can run:

Also,

{{{
touch /srv/named/managed-keys.bind
}}}

The above command creates a file that will just sit there, empty and unused:[[BR]]
-rw-r--r-- 1 named named 0 Oct 14 21:12 managed-keys.bind

named automatically creates the real file here: /srv/named/etc/named/[[BR]]
-rw-r--r-- 1 named named 785 Oct 16 22:24 managed-keys.bind

You can safely remove the empty one:

{{{
rm /srv/named/managed-keys.bind
}}}

----

BIND 9.14.5 - 9.14.7 will report the following errors to syslog, but still runs:[[BR]]

named[459]: listening on IPv4 interface enp0s3, 192.168.56.2#53[[BR]]
named[459]: unable to set effective uid to 0: Operation not permitted[[BR]]
named[459]: generating session key for dynamic DNS[[BR]]
named[459]: unable to set effective uid to 0: Operation not permitted[[BR]]
named[459]: sizing zone task pool based on 2 zones[[BR]]

[http://bind-users-forum.2342410.n4.nabble.com/BIND-9-14-0-unable-to-set-effective-uid-to-0-Operation-not-permitted-td6844.html Found this link] describing named wanting to revert to UID 0 (root) for some reason, even though it is running chrooted at this point.[[BR]]
This page also discusses the issue: https://gitlab.isc.org/isc-projects/bind9/issues/1042[[BR]]

You can build with --disable-linux-caps to get rid of the messages, but at some cost to security, and nobody seems to say what that cost is.[[BR]]

Confirmed that building with --disable-linux-caps removes the error condition.

----

Want to verify the validity of the files downloaded from ISC instead of trusting the MD5 from the book?[[BR]]
Run these commands if you have gpg installed:

{{{
wget ftp://ftp.isc.org/isc/pgpkeys/codesign2019.txt
wget ftp://ftp.isc.org/isc/bind9/cur/9.14/bind-9.14.7.tar.{gz,gz.asc}

gpg --import codesign2019.txt
gpg --verify bind-9.14.7.tar.gz.asc bind-9.14.7.tar.gz
}}}

This downloads the ISC code-signing public key, imports it into your keyring, and then checks the detached signature against the tarball. gpg --verify prints "Good signature" or "BAD signature" and exits 0 only for a good one, so check its exit status rather than grepping the output, and compare the key's fingerprint with the one ISC publishes before trusting the result.