= BIND =
[wiki:MajorServers Up][[BR]]
[wiki:BlfsNotes Top]

For those whose system is not connected to the Internet yet:[[BR]]
To ensure BIND will build dnssec-keymgr, install a Python module as the root user.

Without network access this command will time out:
{{{
pip3 install ply
}}}
Download the file from another server:
{{{
wget http://www.dabeaz.com/ply/ply-3.11.tar.gz
}}}
Then run the command against the file once it has been transferred into your build directory:
{{{
pip3 install ply-3.11.tar.gz
}}}
'''Processing ./ply-3.11.tar.gz[[BR]]
Installing collected packages: ply[[BR]]
Running setup.py install for ply ... done[[BR]]
Successfully installed ply-3.11'''

Note: https://github.com/dabeaz/ply - Alternate source http://www.dabeaz.com/ply/[[BR]]
PLY is currently in maintenance mode only.[[BR]]
Critical bugs (if any) will be addressed, but no new features are being added.[[BR]]
If you are looking for a parser generator with a more modern flavor, look at the SLY Project.[[BR]]
02/15/2018: PLY-3.11 is the last release.
----
More information on DLZ[[BR]]
To use DLZ (Dynamically Loadable Zones) in BIND:[[BR]]
https://nlnet.nl/project/bind-dlz/200205-sane/paper.html
----
Error in creating the rndc.conf file:
{{{
rndc-confgen -r /dev/urandom -b 512 > /etc/rndc.conf &&
sed '/conf/d;/^#/!d;s:^# ::' /etc/rndc.conf > /srv/named/etc/named.conf
}}}
'''The -r option has been deprecated.'''[[BR]]
See Ticket #12649 (new defect): BIND-9.14.5 rndc-confgen: The -r option has been deprecated.

Use this instead:
{{{
rndc-confgen -a -b 512 -t /srv/named
}}}
'''wrote key file "/etc/rndc.key"[[BR]]
wrote key file "/srv/named/etc/rndc.key"'''

If you ran the command with -r previously, clean up the unnecessary files it created:
{{{
rm /etc/rndc.conf /srv/named/etc/rndc.conf
}}}
Notes from the man page:[[BR]]
-a option: Do automatic rndc configuration. This creates a file rndc.key in /etc (or whatever sysconfdir was specified when BIND was built) that is read by both rndc and named on startup.
The rndc.key file defines a default command channel and authentication key allowing rndc to communicate with named on the local host with no further configuration. Running rndc-confgen -a allows BIND 9 and rndc to be used as drop-in replacements for BIND 8 and ndc, with no changes to the existing BIND 8 named.conf file. If a more elaborate configuration than that generated by rndc-confgen -a is required, for example if rndc is to be used remotely, you should run rndc-confgen without the -a option and set up an rndc.conf and named.conf as directed.[[BR]]
-t option: Used with the -a option to specify a directory where named will run chrooted. An additional copy of rndc.key will be written relative to this directory so that it will be found by the chrooted named.
----
If you want the latest root.hints file, run this:
{{{
wget ftp://rs.internic.net/domain/named.{root,root.md5}
cp /srv/named/etc/namedb/root.hints /srv/named/etc/namedb/root.hints.old
md5sum named.root | grep -f named.root.md5 && mv named.root /srv/named/etc/namedb/root.hints
}}}
If the md5sum check fails, the file is not updated (the mv only runs when grep finds a match).

The only difference as of Oct. 14th, 2019 was the B root server entry:
{{{
B.ROOT-SERVERS.NET.      3600000      A     199.9.14.201
}}}
And notice that the address class "IN" is missing from the records? Not sure why that is missing there, since the instructions in the book say: "A current copy of root.hints can be obtained from ftp://rs.internic.net/domain/named.root."

You can use this command to dig the file instead:
{{{
dig @a.root-servers.net . ns > db.cache
grep '^\.\|^[a-z]' db.cache > /srv/named/etc/namedb/root.hints
}}}
That will give you a file very close to the BLFS example, sanitized so no leading spaces are introduced. But it seems a bit confusing that the name changes from[[BR]]
named.root to db.cache to root.hints.[[BR]]
Maybe someone can explain why the name is all over the place?
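The checksum-gated replacement of root.hints above depends on grep matching whatever layout the downloaded .md5 file happens to use. The function below is an added example (not from the BLFS book or this page's author): it pulls the 32-hex-digit digest out of the checksum file whether it is written as "<digest>  named.root" or "MD5 (named.root) = <digest>", replaces the target only when the digest of the downloaded file matches, and keeps the previous root.hints as root.hints.old so a bad download can be rolled back. The download step is left to the caller; the paths in the usage comment are assumptions matching the chroot layout used on this page.

```shell
#!/bin/sh
# Added example: checksum-gated replacement of root.hints.
#
# update_root_hints NEW_FILE MD5_FILE TARGET
#   Replaces TARGET with NEW_FILE only if the MD5 digest recorded in
#   MD5_FILE matches NEW_FILE. The previous TARGET is kept as TARGET.old.
#   Returns 0 on success, 1 on a digest mismatch or missing input.

# Pull a 32-hex-digit digest out of the checksum file, whatever its layout.
expected_md5() {
    tr 'A-F' 'a-f' < "$1" | sed -n 's/.*\([0-9a-f]\{32\}\).*/\1/p' | head -n 1
}

# Digest actually computed over the downloaded file.
actual_md5() {
    md5sum "$1" | cut -d ' ' -f 1
}

update_root_hints() {
    new=$1; sum=$2; target=$3
    [ -f "$new" ] && [ -f "$sum" ] || { echo "missing input file" >&2; return 1; }
    want=$(expected_md5 "$sum")
    have=$(actual_md5 "$new")
    if [ -z "$want" ] || [ "$want" != "$have" ]; then
        echo "md5 mismatch: expected '$want' got '$have'; $target left untouched" >&2
        return 1
    fi
    # Keep the previous copy so a bad hints file can be rolled back.
    [ -f "$target" ] && cp -p "$target" "$target.old"
    mv "$new" "$target"
    echo "updated $target"
}

# Usage against the layout used on this page (paths are assumptions):
#   wget ftp://rs.internic.net/domain/named.{root,root.md5}
#   update_root_hints named.root named.root.md5 /srv/named/etc/namedb/root.hints
```

Because the digest is extracted and compared as a string, a checksum file that is empty, truncated, or in an unexpected format fails closed: nothing is moved and the existing root.hints stays in place.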
----
You may have noticed /srv/named/etc/namedb; the "namedb" directory can be renamed to "named". Run these commands after you finish the whole chapter:
{{{
sed -i 's/namedb/named/' named.conf
mv /srv/named/etc/namedb /srv/named/etc/named
}}}
Also,
{{{
touch /srv/named/managed-keys.bind
}}}
The above command creates a file that will just sit there empty, unused:
{{{
-rw-r--r-- 1 named named 0 Oct 14 21:12 managed-keys.bind
}}}
The file is automagically created here instead: /srv/named/etc/named/
{{{
-rw-r--r-- 1 named named 785 Oct 16 22:24 managed-keys.bind
}}}
You can safely remove the empty file:
{{{
rm /srv/named/managed-keys.bind
}}}
----
BIND 9.14.5 is dropping this into sys.log, but still runs fine:
{{{
named[459]: listening on IPv4 interface enp0s3, 192.168.56.2#53
named[459]: unable to set effective uid to 0: Operation not permitted
named[459]: generating session key for dynamic DNS
named[459]: unable to set effective uid to 0: Operation not permitted
named[459]: sizing zone task pool based on 2 zones
}}}
[http://bind-users-forum.2342410.n4.nabble.com/BIND-9-14-0-unable-to-set-effective-uid-to-0-Operation-not-permitted-td6844.html Found this link] describing named wanting to revert back to UID 0 (root) for some reason even though it is in the chroot at this time.[[BR]]
You can disable caps with --disable-linux-caps, but at the cost of security, and no one knows what that cost is?!?[[BR]]
This page also discusses the issue: https://gitlab.isc.org/isc-projects/bind9/issues/1042