DNSSEC: Configuring auto-signed dynamic zone HOWTO
Please comment!

Eugene

===

HOW TO CONFIGURE AUTO-SIGNED DYNAMIC ZONES WITH BIND9

This document describes how to configure bind9 to automatically sign zones as they are being modified by the dynamic update mechanism. It is assumed that you already know how to configure manually signed zones [1] and know how to configure zones for dynamic updates [2].

For the purpose of this discussion, we presume that you control the parent zone 'example.com', which does not allow dynamic updates and is manually signed. The child zone 'dyn.example.com' is set up for dynamic updates. Your 'named' is not run in a chroot environment, and executes under effective uid 'bind' and gid 'bind'. Bind configuration files and manually signed zones are kept in the directory /etc/bind, which is readable but not writable by the 'bind' uid, and dynamically updatable zones are kept in the directory /var/cache/bind, which is readable and writable by the 'bind' uid.

The following are the steps to make the 'dyn.example.com' zone automatically signed:

0. Make sure that you are using bind version 9.6 or later.

1. Create a directory to contain zone keys that are "visible" to named and therefore available to the auto-signing mechanism:

   # mkdir /etc/bind/keys
   # chgrp bind /etc/bind/keys
   # chmod 0750 /etc/bind/keys

2. Create zone-signing keys for the zone 'dyn.example.com' and make the private key readable to the 'bind' uid:

   # cd /etc/bind/keys
   # dnssec-keygen -a RSASHA1 -b 1024 \
   >     -n ZONE dyn.example.com
   # chgrp bind *.private
   # chmod 0640 *.private

3. Include the DNSKEY into the 'dyn.example.com' zone and manually sign it. The file must be made writable to the 'bind' uid:

   # cd /var/cache/bind
   # rndc freeze dyn.example.com

   Edit the file 'dyn.example.com' and add this line:

   $include /etc/bind/keys/Kdyn.example.com.[...].key

   (substitute the actual name of the key file)

   # dnssec-signzone -g -d /etc/bind/keys \
   >     dyn.example.com \
   >     /etc/bind/keys/Kdyn.example.com.[...].private

   (substitute the actual name of the key file)

   This step will create the file dyn.example.com.signed and, in addition to that, the file '/etc/bind/keys/dsset-dyn.example.com.'.

   # chown bind:bind dyn.example.com.signed

4. Include the DS records into the parent zone:

   # cd /etc/bind

   Edit the file example.com and add this line:

   $include keys/dsset-dyn.example.com.

   (don't forget to also update the zone's serial.)

   Manually sign the 'example.com' zone as you usually do.

5. Update bind's configuration:

   In the definition of the 'dyn.example.com' zone, change the line

   file "/var/cache/bind/dyn.example.com";

   to

   file "/var/cache/bind/dyn.example.com.signed";

   In the 'options' section, add these lines:

   sig-validity-interval 2400;
   key-directory "/etc/bind/keys";

   (substitute '2400' with whatever period you deem appropriate. 2400 is 40 minutes.)

6. Make named re-read the configuration and thaw the dynamic zone:

   # rndc reload
   # rndc thaw dyn.example.com

7. Check that things work as expected.

References:

[1] http://www.nlnetlabs.nl/publications/dnssec_howto/index.html
    DNSSEC HOWTO, a tutorial in disguise, by Olaf Kolkman

[2] http://answers.oreilly.com/topic/192-how-to-allow-dynamic-updates-with-bind/
    How to allow dynamic updates with BIND, O'Reilly Answers

===

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
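One way to carry out step 7 ("check that things work as expected") before thawing the zone, as an added example that is not part of Eugene's post: a small POSIX shell script that verifies the permissions steps 1 to 3 set on the key directory and the private keys (directory 0750, private keys 0640 with their public .key file alongside, nothing world-readable), and that the .signed zone file produced by dnssec-signzone actually carries DNSKEY and RRSIG records, so named has a signed zone to maintain. It assumes Linux with GNU coreutils (stat -c) and the HOWTO's directory layout; the script name check-dnssec-layout.sh is a placeholder.

```shell
#!/bin/sh
# Added example, not part of the original post: a pre-thaw sanity check for
# the layout the HOWTO builds in steps 1-5, meant to run before 'rndc thaw'.
# Assumptions: Linux with GNU coreutils (stat -c), and the HOWTO's layout
# (/etc/bind/keys for keys, /var/cache/bind for the dynamic zone).

# check_key_dir DIR
# Succeeds when DIR is mode 0750, every K*.private file in it is mode 0640
# (readable by the 'bind' gid but not by the world), and each private key
# has its matching public .key file next to it.
check_key_dir() {
    dir=$1
    rc=0
    if [ ! -d "$dir" ]; then
        echo "missing key directory: $dir" >&2
        return 1
    fi
    mode=$(stat -c '%a' "$dir")
    if [ "$mode" != "750" ]; then
        echo "$dir has mode $mode, expected 750" >&2
        rc=1
    fi
    found=0
    for priv in "$dir"/K*.private; do
        [ -e "$priv" ] || continue        # the glob matched nothing
        found=1
        pmode=$(stat -c '%a' "$priv")
        if [ "$pmode" != "640" ]; then
            echo "$priv has mode $pmode, expected 640" >&2
            rc=1
        fi
        if [ ! -f "${priv%.private}.key" ]; then
            echo "no public key file for $priv" >&2
            rc=1
        fi
    done
    if [ "$found" -eq 0 ]; then
        echo "no K*.private files in $dir" >&2
        rc=1
    fi
    return "$rc"
}

# check_signed_zone FILE
# Succeeds when FILE exists and carries both a DNSKEY and at least one RRSIG,
# i.e. the dnssec-signzone run in step 3 really produced a signed zone.
# An unsigned file would still load, but named would have no signatures
# to maintain.
check_signed_zone() {
    zone=$1
    if [ ! -f "$zone" ]; then
        echo "missing signed zone file: $zone" >&2
        return 1
    fi
    grep -q 'DNSKEY' "$zone" || { echo "$zone has no DNSKEY record" >&2; return 1; }
    grep -q 'RRSIG' "$zone" || { echo "$zone has no RRSIG records" >&2; return 1; }
    return 0
}

# Usage (script name is a placeholder):
#   sh check-dnssec-layout.sh /etc/bind/keys /var/cache/bind/dyn.example.com.signed
if [ "$#" -eq 2 ]; then
    check_key_dir "$1" && check_signed_zone "$2" && echo "layout looks sane; ok to rndc thaw"
fi
```

Both checks are deliberately strict about the exact modes the HOWTO chooses: a 0644 private key is the mistake that quietly exposes the zone-signing key to every local user, and a 0755 key directory is the mistake that hides nothing but usually means the chgrp was forgotten as well.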
Re: ISC BIND 9.7.0 is now available
On 02/18/10 16:20, ic.nssip wrote:
> Hi Mark,
>
> This is what I suspect too. Syslog gives me this record when I start BIND:
>
> named[14380]: [ID 873579 daemon.notice] built with '--with-openssl=yes' '--enable-largefile' '--sysconfdir=/usr/local/etc' '--localstatedir=/usr/local/var'

Since no PREFIX was specified, and those two items are in /usr/local ...

The safest thing to do is probably to create symlinks in /usr/local/etc to at least named.conf and rndc.*, and make sure all the paths in named.conf are fully specified.

hth,

Doug

-- 
... and that's just a little bit of history repeating. -- Propellerheads
Re: ISC BIND 9.7.0 is now available
Hi Mark,

This is what I suspect too. Syslog gives me this record when I start BIND:

named[14380]: [ID 873579 daemon.notice] built with '--with-openssl=yes' '--enable-largefile' '--sysconfdir=/usr/local/etc' '--localstatedir=/usr/local/var' 'CC=gcc' 'CFLAGS=-O2 -L/usr/local/lib -R/usr/local/lib -L/usr/local/ssl/lib -R/usr/local/ssl/lib -L/usr/openwin/lib -R/usr/openwin/lib -I/usr/local/rrdtool-1.2.19/include -I/usr/local/BerkeleyDB.4.7/include' 'LDFLAGS=-L/usr/local/lib -R/usr/local/lib -R/usr/lib -L/usr/lib -R/usr/openwin/lib -L/usr/openwin/lib -L/usr/local/ssl/lib -R/usr/local/ssl/lib -L/usr/X11R6/lib -R/usr/X11R6/lib -L/usr/local/BerkeleyDB.4.7/lib -R/usr/local/BerkeleyDB.4.7/lib' 'CPPFLAGS=-I/usr/local/include -I/usr/local/ssl/include -I/usr/local/include/ncurses -I/usr/openwin/include -I/usr/local/rrdtool-1.2.19/include -I/usr/local/BerkeleyDB.4.7/include -I/usr/local/include/lzo' 'CXX=g++' 'CXXFLAGS=-fpermissive -felide-constructors'

Thank you,
Julian

- Original Message -
From: "Mark Andrews"
To: "ic.nssip"
Cc:
Sent: Thursday, February 18, 2010 5:06 PM
Subject: Re: ISC BIND 9.7.0 is now available

In message , "ic.nssip" writes:
> Hello everyone,
>
> I tried to install BIND 9.7.0 from www.sunfreeware.com on a Solaris 10, x86 machine that was running before BIND 9.6.1-P1 with no problems.
>
> The new install goes to the same directories, but for some reason when I run named-checkconf for my default /etc/named.conf file I get:
>
> # /usr/local/sbin/named-checkconf
> none:0: open: /usr/local/etc/named.conf: file not found
>
> Does somebody know if this error comes from the way the package was compiled, or if there is a change in the default location for named.conf?
>
> Thank you,
> Julian

The defaults have not changed. I suspect someone has changed the arguments given to configure when building the package.

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742    INTERNET: ma...@isc.org
Re: ISC BIND 9.7.0 is now available
In message , "ic.nssip" writes:
> Hello everyone,
>
> I tried to install BIND 9.7.0 from www.sunfreeware.com on a Solaris 10, x86
> machine that was running before BIND 9.6.1-P1 with no problems.
>
> The new install goes to the same directories, but for some reason when I
> run named-checkconf for my default /etc/named.conf file I get:
>
> # /usr/local/sbin/named-checkconf
> none:0: open: /usr/local/etc/named.conf: file not found
>
> Does somebody know if this error comes from the way the package was compiled,
> or if there is a change in the default location for named.conf?
>
> Thank you,
> Julian

The defaults have not changed. I suspect someone has changed the arguments given to configure when building the package.
Re: ISC BIND 9.7.0 is now available
Hello everyone,

I tried to install BIND 9.7.0 from www.sunfreeware.com on a Solaris 10, x86 machine that was running before BIND 9.6.1-P1 with no problems.

The new install goes to the same directories, but for some reason when I run named-checkconf for my default /etc/named.conf file I get:

# /usr/local/sbin/named-checkconf
none:0: open: /usr/local/etc/named.conf: file not found

Does somebody know if this error comes from the way the package was compiled, or if there is a change in the default location for named.conf?

Thank you,
Julian
linux chroot reqs changed?
Hi folks... after a little experimentation today I've discovered certain files are no longer used in a linux chroot. Linux kernel versions 2.6.2x.

Bind versions tested were 9.6.1-P3 and 9.7.0, both compiled from src (not distro pkgs), and started with:

/usr/sbin/named -t /var/named -u username

It used to be that you needed to have (r)syslogd add a listening socket to $CHROOT/dev, have $CHROOT/dev/null, and $CHROOT/dev/random.

I removed $CHROOT/dev/null and disabled the extra syslogd socket for $CHROOT/dev/log. Using lsof, it now seems only $CHROOT/dev/random is opened by named; /dev/null is opened.

named still logs to syslog, and I can't figure out how syslog is accessed. Is it via /dev/log (I don't see it opened by named)?

Thanks

-- 
aRDy Music and Rick Dicaire present:
http://www.ardynet.com
http://www.ardynet.com:9000/ardymusic.ogg.m3u