wiki:bind

Version 7 (modified by Kevin, 5 years ago) ( diff )

--

BIND

Up
Top

For those whose system is not connected to the Internet yet,
To ensure BIND will build dnssec-keymgr, install a python module as the root user:

This command will timeout:

pip3 install ply

Download file from another server:

wget http://www.dabeaz.com/ply/ply-3.11.tar.gz

Then run the command with the file once transferred into your build:

pip3 install ply-3.11.tar.gz

Processing ./ply-3.11.tar.gz Installing collected packages: ply

Running setup.py install for ply ... done

Successfully installed ply-3.11n

Note: https://github.com/dabeaz/ply - Alternate source

http://www.dabeaz.com/ply/ PLY is currently in maintenance mode only.
Critical bugs (if any) will be addressed, but no new features are being added.
If you are looking for a parser generator with a more modern flavor, look at the SLY Project.
02/15/2018 PLY-3.11 is last release.


More information on DLZ To use DLZ (Dynamically Loadable Zones) in Bind

https://nlnet.nl/project/bind-dlz/200205-sane/paper.html


Error in creating rndc.conf file:

rndc-confgen -r /dev/urandom -b 512 > /etc/rndc.conf &&
sed '/conf/d;/^#/!d;s:^# ::' /etc/rndc.conf > /srv/named/etc/named.conf

The -r option has been deprecated.

See Ticket #12649 new defect BIND-9.14.5 rndc-confgen: The -r option has been deprecated.

Use this instead:

rndc-confgen -a -b 512 -t /srv/named

wrote key file "/etc/rndc.key"
wrote key file "/srv/named/etc/rndc.key"

If you ran the command with -r previously, clean up unnecessary files it created.

rm /etc/rndc.conf /srv/named/etc/rndc.conf

Notes from man page: -a option: Do automatic rndc configuration. This creates a file rndc.key in /etc (or whatever sysconfdir was specified as when BIND was built) that is read by both rndc and named on startup. The rndc.key file defines a default command channel and authentication key allowing rndc to communicate with named on the local host with no further configuration. Running rndc-confgen -a allows BIND 9 and rndc to be used as drop-in replacements for BIND 8 and ndc, with no changes to the existing BIND 8 named.conf file. If a more elaborate configuration than that generated by rndc-confgen -a is required, for example if rndc is to be used remotely, you should run rndc-confgen without the -a option and set up a rndc.conf and named.conf as directed.

-t option: Used with the -a option to specify a directory where named will run chrooted. An additional copy of the rndc.key will be written relative to this directory so that it will be found by the chrooted named.


If you want the latest root.hints file, run this:

wget ftp://rs.internic.net/domain/named.{root,root.md5}
cp /srv/named/etc/namedb/root.hints /srv/named/etc/namedb/root.hints.old
md5sum named.root |grep -f named.root.md5 && mv named.root /srv/named/etc/namedb/root.hints

If md5sum fails then the file is not updated.

Only difference as of Oct. 14th, 2019 was the Root Level B B.ROOT-SERVERS.NET. 3600000 A 199.9.14.201

And notice the addr-class "IN" is missing from the records? Not sure why that is missing there since the instructions in the book say: "A current copy of root.hints can be obtained from ftp://rs.internic.net/domain/named.root."

You can use this command to dig the file instead:

dig @a.root-servers.net  .  ns > db.cache
cat db.cache |grep '^\.\|^[a-z]' >/srv/named/etc/namedb/root.hints

That will give you a file very close to the BLFS example. Sanitized so no leading spaces are introduced. But seems a bit confusing the names change from
named.root to db.cache to root.hints.

Maybe someone can explain why the name is all over the place?


You may have noticed /srv/named/etc/namedb the namedb can be changed to "named" Run these commands after you finish all of the chapter:

sed -i 's/namedb/named/' named.conf
mv /srv/named/etc/namedb /srv/named/etc/named

Also,

touch /srv/named/managed-keys.bind

The above command created a file that will just sit there empty, not used.
-rw-r--r-- 1 named named 0 Oct 14 21:12 managed-keys.bind

The file is automagically created here: /srv/named/etc/named/
-rw-r--r-- 1 named named 785 Oct 16 22:24 managed-keys.bind

You can safely remove the file.

rm /srv/named/managed-keys.bind

Bind 9.14.5 - 9.14.7 will report the following errors into sys.log, but still runs:

named[459]: listening on IPv4 interface enp0s3, 192.168.56.2#53
named[459]: unable to set effective uid to 0: Operation not permitted
named[459]: generating session key for dynamic DNS
named[459]: unable to set effective uid to 0: Operation not permitted
named[459]: sizing zone task pool based on 2 zones

[Found this link](http://bind-users-forum.2342410.n4.nabble.com/BIND-9-14-0-unable-to-set-effective-uid-to-0-Operation-not-permitted-td6844.html) describing named wanting to revert back to UID 0, root for some reason even though it is in chroot at this time.
This page also discusses the issue: https://gitlab.isc.org/isc-projects/bind9/issues/1042

You can disable caps --disable-linux-caps but at the cost of security, and no one knows what that cost is?!?

Confirmed that building with the --disable-linux-caps removes the error condition.


Want to verify the validity of the downloaded files from isc instead of trusting the MD5 from the book?
Run these commands if you have gpg installed:

wget ftp://ftp.isc.org/isc/pgpkeys/codesign2019.txt
wget ftp://ftp.isc.org/isc/bind9/cur/9.14/bind-9.14.7.tar.{gz,gz.asc}

gpg --import codesign2019.txt 
gpg -d bind-9.14.7.tar.gz.asc 2>&1 |grep 'Good\|BAD'

Downloads and imports isc public key, imports to keyring, check the file.

Note: See TracWiki for help on using the wiki.