Changes between Version 7 and Version 8 of bind


Timestamp:
12/22/2023 10:12:54 AM (4 months ago)
Author:
pierre
Comment: --

  • bind

    v7 v8  
    11= BIND =
    22
    3 [wiki:MajorServers Up][[br]]
    4 [wiki:BlfsNotes Top]
    5 
    6 For those whose system is not connected to the Internet yet,[[BR]]
    7 To ensure BIND will build dnssec-keymgr, install a python module as the root user: [[BR]]
    8 
    9 This command will timeout:
    10 
    11 {{{
    12 pip3 install ply
    13 }}}
    14 
    15 Download file from another server:
    16 
    17 {{{
    18 wget http://www.dabeaz.com/ply/ply-3.11.tar.gz
    19 }}}
    20 Then run the command with the file once transferred into your build:
    21 
    22 {{{
    23 pip3 install ply-3.11.tar.gz
    24 }}}
    25  
    26 '''Processing ./ply-3.11.tar.gz
    27 Installing collected packages: ply
    28   Running setup.py install for ply ... done
    29 Successfully installed ply-3.11n'''
    30 
    31 Note:
    32 https://github.com/dabeaz/ply - Alternate source
    33 
    34 http://www.dabeaz.com/ply/
    35 PLY is currently in maintenance mode only. [[BR]]
    36 Critical bugs (if any) will be addressed, but no new features are being added.[[BR]]
    37 If you are looking for a parser generator with a more modern flavor, look at the SLY Project.[[BR]]
    38 02/15/2018 PLY-3.11 is last release.
    39 
    40 
    41 ----
    42 More information on DLZ
     3== More information on DLZ ==
    434To use DLZ (Dynamically Loadable Zones) in Bind[[BR]]
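Review bot: the deletion of v7 lines 3-42 also drops the page navigation links `[wiki:MajorServers Up]` and `[wiki:BlfsNotes Top]`, which the new `== More information on DLZ ==` heading at v8 line 3 does not replace; restore those two link lines above the heading. Losing the PLY text itself is fine, but if the dnssec-keymgr dependency note ever comes back, the removed `wget http://www.dabeaz.com/ply/ply-3.11.tar.gz` followed by `pip3 install ply-3.11.tar.gz` (run as root) installs an unverified tarball fetched over plain HTTP; fetch it over https and pin a checksum (pip's `--require-hashes`) before telling a reader to install it into the system Python.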
    44 
    455https://nlnet.nl/project/bind-dlz/200205-sane/paper.html
    466
    47 ----
    48 Error in creating rndc.conf file:
    49 
    50 {{{
    51 rndc-confgen -r /dev/urandom -b 512 > /etc/rndc.conf &&
    52 sed '/conf/d;/^#/!d;s:^# ::' /etc/rndc.conf > /srv/named/etc/named.conf
    53 }}}
    54      '''The -r option has been deprecated.'''
    55 
    56 See Ticket #12649 new defect
    57 BIND-9.14.5 rndc-confgen: The -r option has been deprecated.
    58 
    59 Use this instead:
    60 
    61 {{{
    62 rndc-confgen -a -b 512 -t /srv/named
    63 }}}
    64 
    65      '''wrote key file "/etc/rndc.key"[[BR]]
    66      wrote key file "/srv/named/etc/rndc.key"'''
    67 
    68 If you ran the command with -r previously, clean up unnecessary files it created.
    69 
    70 {{{
    71 rm /etc/rndc.conf /srv/named/etc/rndc.conf
    72 }}}
    73 
    74 Notes from man page:
    75 -a option:
    76 Do automatic rndc configuration. This creates a file rndc.key in /etc (or whatever sysconfdir was specified as when BIND was built) that is read by both rndc and named on startup. The rndc.key file defines a default command channel and authentication key allowing rndc to communicate with named on the local host with no further configuration.
    77 Running rndc-confgen -a allows BIND 9 and rndc to be used as drop-in replacements for BIND 8 and ndc, with no changes to the existing BIND 8 named.conf file.
    78 If a more elaborate configuration than that generated by rndc-confgen -a is required, for example if rndc is to be used remotely, you should run rndc-confgen without the -a option and set up a rndc.conf and named.conf as directed.
    79 
    80 -t option:
    81 Used with the -a option to specify a directory where named will run chrooted. An additional copy of the rndc.key will be written relative to this directory so that it will be found by the chrooted named.
    82 
    83 ----
    84 If you want the latest root.hints file, run this:
    85 
    86 {{{
    87 wget ftp://rs.internic.net/domain/named.{root,root.md5}
    88 cp /srv/named/etc/namedb/root.hints /srv/named/etc/namedb/root.hints.old
    89 md5sum named.root |grep -f named.root.md5 && mv named.root /srv/named/etc/namedb/root.hints
    90 }}}
    91 If md5sum fails then the file is not updated.
    92 
    93 Only difference as of Oct. 14th, 2019 was the Root Level B
    94 B.ROOT-SERVERS.NET.      3600000      A     199.9.14.201
    95 
    96 And notice the addr-class "IN" is missing from the records?
    97 Not sure why that is missing there since the instructions in the book say:
    98 "A current copy of root.hints can be obtained from ftp://rs.internic.net/domain/named.root."
    99 
    100 You can use this command to dig the file instead:
    101 
     7== Updating the root.hints file with dig ==
     8Instead of downloading https://www.internic.net/domain/named.root, you can run:
    1029{{{
    10310dig @a.root-servers.net  .  ns > db.cache
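Review bot: removing v7 lines 47-101 wholesale takes the rndc-confgen fix out of the page with nothing in v8 replacing it: the note that `rndc-confgen -r /dev/urandom -b 512 > /etc/rndc.conf` is deprecated in BIND-9.14.5 (ticket #12649), the working `rndc-confgen -a -b 512 -t /srv/named`, and the `rm` cleanup of the files the old command created. If the book's instructions still use `-r`, that one command and the ticket reference deserve a short section of their own. The removed root.hints download is no loss: `md5sum named.root |grep -f named.root.md5` uses the MD5 file as an unanchored grep pattern (the dots match any character) and an MD5 fetched over the same plain FTP channel as the data is no integrity check against anyone on the path, so the https `named.root` URL at v8 line 8 is the better reference point.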
    104 cat db.cache |grep '^\.\|^[a-z]' >/srv/named/etc/namedb/root.hints
     11grep '^\.\|^[a-z]' db.cache | sort >/srv/named/etc/namedb/root.hints
    10512}}}
    10613
    10714That will give you a file very close to the BLFS example.
    10815Sanitized so no leading spaces are introduced.
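Review bot: the rewritten `grep '^\.\|^[a-z]' db.cache | sort >/srv/named/etc/namedb/root.hints` at v8 line 11 still clobbers the live hints file when `dig` fails or times out: an empty db.cache produces an empty root.hints, and the pipeline exits 0 because `sort` is the last stage. Write to a temporary file and only install it when it has content, along the lines of `dig @a.root-servers.net . ns > db.cache.new`, `grep -E '^(\.|[a-z])' db.cache.new | LC_ALL=C sort > root.hints.new` and `[ -s root.hints.new ] && mv root.hints.new /srv/named/etc/namedb/root.hints`; `LC_ALL=C` makes the `sort` order independent of the user's locale and `grep -E` avoids the GNU-only `\|` alternation. The text at v8 line 8 should also say that an answer from a single root server over plain DNS is unauthenticated (there is no `+dnssec` here), so "Instead of downloading https://www.internic.net/domain/named.root" should not read as if dig were the more trustworthy source; diffing the dig result against the https copy costs nothing.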
    109 But seems a bit confusing the names change from [[BR]]
    110 named.root to db.cache to root.hints.[[BR]]
    11116
    112 Maybe someone can explain why the name is all over the place?
    113 
    114 
    115 ----
    116 You may have noticed /srv/named/etc/namedb the namedb can be changed to "named"
    117 Run these commands after you finish all of the chapter:
    118 
     17== Verifying the tarball using gpg ==
     18You may want to verify the validity of the downloaded files from
     19isc instead of trusting the MD5 from the book.[[BR]]
     20Run these commands if you have gpg installed:
    11921{{{
    120 sed -i 's/namedb/named/' named.conf
    121 mv /srv/named/etc/namedb /srv/named/etc/named
     22wget https://www.isc.org/docs/isc-keyblock.asc
     23gpg --import isc-keyblock.asc
     24wget https://downloads.isc.org/isc/bind9/<version>/bind-<version>.tar.xz{,.asc}
     25gpg --verify bind-<version>.tar.xz.asc
    12226}}}
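Review bot: `gpg --verify bind-<version>.tar.xz.asc` at v8 line 25 is the right call and an improvement over the old `gpg -d ... |grep 'Good\|BAD'`, whose pipeline exits 0 on a BAD signature as well as a good one, but importing `isc-keyblock.asc` only makes the signature verifiable, not trusted: gpg prints "Good signature" and then warns that the key is not certified, and whoever can serve a different keyblock at https://www.isc.org/docs/isc-keyblock.asc can make their own signature "Good". The section should tell the reader to compare the key fingerprint (`gpg --fingerprint` after the import) with the one ISC publishes out of band, and to act on the exit status (`gpg --verify bind-<version>.tar.xz.asc || exit 1`) rather than eyeballing the output. Minor: the `{,.asc}` brace expansion in the wget line needs bash, and dropping the two removed lines `sed -i 's/namedb/named/' named.conf` and `mv /srv/named/etc/namedb /srv/named/etc/named` keeps the page consistent with the `/srv/named/etc/namedb/root.hints` path used at v8 line 11.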
    123 
    124 Also,
    125 
    126 
    127 {{{
    128 
    129 touch /srv/named/managed-keys.bind
    130 }}}
    131 
    132 
    133 The above command created a file that will just sit there empty, not used.[[BR]]
    134 -rw-r--r-- 1 named named 0 Oct 14 21:12 managed-keys.bind
    135 
    136 The file is automagically created here: /srv/named/etc/named/[[BR]]
    137 -rw-r--r-- 1 named named 785 Oct 16 22:24 managed-keys.bind
    138 
    139 You can safely remove the file.
    140 
    141 
    142 {{{
    143 rm /srv/named/managed-keys.bind
    144 }}}
    145 
    146 
    147 ----
    148 
    149 Bind 9.14.5 - 9.14.7 will report the following errors into sys.log, but still runs: [[BR]]
    150 
    151 named[459]: listening on IPv4 interface enp0s3, 192.168.56.2#53 [[BR]]
    152 named[459]: unable to set effective uid to 0: Operation not permitted[[BR]]
    153 named[459]: generating session key for dynamic DNS [[BR]]
    154 named[459]: unable to set effective uid to 0: Operation not permitted [[BR]]
    155 named[459]: sizing zone task pool based on 2 zones[[BR]]
    156 
    157 [Found this link](http://bind-users-forum.2342410.n4.nabble.com/BIND-9-14-0-unable-to-set-effective-uid-to-0-Operation-not-permitted-td6844.html) describing named wanting to revert back to UID 0, root for some reason even though it is in chroot at this time.[[BR]]
    158 This page also discusses the issue: https://gitlab.isc.org/isc-projects/bind9/issues/1042 [[BR]]
    159 
    160 You can disable caps --disable-linux-caps but at the cost of security, and no one knows what that cost is?!? [[BR]]
    161 
    162 
    163 Confirmed that building with the --disable-linux-caps removes the error condition.
    164 
    165 
    166 ----
    167 
    168 Want to verify the validity of the downloaded files from isc instead of trusting the MD5 from the book?[[BR]]
    169 Run these commands if you have gpg installed:
    170 
    171 
    172 {{{
    173 wget ftp://ftp.isc.org/isc/pgpkeys/codesign2019.txt
    174 wget ftp://ftp.isc.org/isc/bind9/cur/9.14/bind-9.14.7.tar.{gz,gz.asc}
    175 
    176 gpg --import codesign2019.txt
    177 gpg -d bind-9.14.7.tar.gz.asc 2>&1 |grep 'Good\|BAD'
    178 }}}
    179 
    180 Downloads and imports isc public key, imports to keyring, check the file.
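Review bot: dropping v7 lines 160-163 is correct: `--disable-linux-caps` switches off the capability support named uses to run as its unprivileged user while keeping only what it needs, and the removed text itself says nobody knew what that cost, so it should never have been offered as a fix for the "unable to set effective uid to 0: Operation not permitted" log lines. What goes with it, though, is the only pointer to https://gitlab.isc.org/isc-projects/bind9/issues/1042 and the observation that 9.14.5-9.14.7 log the messages but keep running; a one-line note saying so, with the issue link, would stop the next reader from rediscovering the workaround. The old gpg block at v7 lines 173-177 is rightly superseded by the new `gpg --verify` section, since it fetched both key and tarball over `ftp://` and grep'd for `Good\|BAD`, which succeeds either way. The `managed-keys.bind` note at v7 lines 124-144 is also lost; the `touch /srv/named/managed-keys.bind` from the chapter leaves a stray empty file, and the `rm /srv/named/managed-keys.bind` that cleans it up was the useful part of that note.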