Talk:BIND

From ArchWiki

Updates to chroot instructions 2012/08

I just did the chroot and I had to add:

   cp /etc/rndc.key ${CHROOT}/etc/

I had to change the ownership/permissions on ${CHROOT}/var and ${CHROOT}/var/log to root:named 775 to get it to log. So either the user 'named' needs to be writing the logfiles or the permissions need to be changed. I'm still looking into this.

There should also be a note about updating the /etc/logrotate.d/named file to change the path to /chroot/named/var/log/named.log.

I'd be happy to write this up but it's my first edit so I wouldn't mind having someone look over my shoulder.

UselessSgrant (talk)

DNSSEC - pointless link

The link in the DNSSEC section points to a very bad article, containing literally no information that couldn't be included here. There should be some sort of config help here. AFAIK you have to tweak the config like this:

 options {
   ...
   dnssec-validation auto;
   dnssec-lookaside auto;
 };

As I have not much of a clue about bind9 (and I don't plan to use it), I would appreciate it if someone capable of verifying this could include it in the article. Thanks! Fordprefect (talk) 10:06, 19 April 2016 (UTC)

Guidelines No Longer Work as of July 2016

The guidelines for setting up a local DNS server, as given on this page, no longer seem to work.

The dig command stalls on both local and global address lookups once the local DNS server is supposedly meant to be running.

Seanhly (talk) 15:51, 8 July 2016 (UTC)

Store the root zone . locally

People these days do a root-zone transfer via RFC 7706 to locally serve the root zone themselves from a local named. Good from a privacy perspective and makes DNSSEC easier. Why not add some info on how to do it (essentially just suggest a proper /etc/named.conf), which is very viable for 1-user systems at home? See e.g. https://www.heise.de/forum/p-33435899/ --UBF6 (talk) 20:02, 18 November 2018 (UTC)

And while we are at it, why not add non-ICANN root zones like .geek, .libre etc. which are administered by OpenNIC. It's just a few lines more... UBF6 (talk) 03:12, 19 November 2018 (UTC)
I suppose a lot has changed in recent years. Arch used to include root.hints and the local zones in the distributed package. This is apparently no longer true, using internals for these. In fact, I just now finally commented out 255.in-addr.arpa (been ignoring the entry in the journal for a year or better). I still have the other four as the files are still present (when this server was built, only empty.zone was distributed I believe - not sure, but they didn't generate an error when the package changed). This is a good thing, these should not differ across installations. However, one logical exception, as alluded to above, might be the root hints. While bind does include an internal copy, it still might be best practice to periodically download the root hints from IANA as bind releases do not revolve around IANA updates. For me, I simply use a monthly systemd timer that does this for me (and have for many years). It need not be complicated, see the blocks below (the naming was the original name back in ~2012 at best guess). I don't do this, but I suppose you could add something like 'dig . NS @75.127.96.89 >> /var/named/root.hint' (or whatever the modern equivalent is for the OpenNIC roots). UBF6, if still watching, can you comment on that? DJ L (talk) 06:35, 4 January 2020 (UTC)
 #!/bin/bash
 # Refresh the root hints from InterNIC, keeping a dated copy of the old file.
 # Abort on any failure so a failed download never leaves named with an empty hints file.
 set -e
 
 DATE=$(date -u +%Y%m%d)
 
 # Download to a temporary name first; only swap it in once it is complete.
 wget https://www.internic.net/domain/named.root -O /var/named/root.hint.new
 chown named:named /var/named/root.hint.new
 chmod 644 /var/named/root.hint.new
 mv /var/named/root.hint "/var/named/root.hint-${DATE}"
 mv /var/named/root.hint.new /var/named/root.hint
 systemctl restart named

/etc/resolv.conf

 ...
     zone "." IN {
         type hint;
         file "root.hint";
     };
 ...

"allow recursion" is in conflict with recommendations

Usually one wants to allow anyone to query one's server for authoritative data, but only hosts within the "trusted" ACL to have access to your cache and recursion. The line given in the wiki does not do this. Instead we should follow https://kb.isc.org/docs/aa-00269 and use an ACL like they suggest.

It talks about world-visibility, firewalling and allow-recursion{}; vs. allow-query{};.

UBF6 (talk) 21:37, 18 November 2018 (UTC)
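The split the post above describes, written out as an added /etc/named.conf example (not the wiki article's configuration or ISC's text; the 192.168.1.0/24 network and the example.org zone are assumed values), which also carries the dnssec-validation option from the DNSSEC thread above:

```conf
// Weak form, shown for contrast only (do not combine with the block below,
// named.conf allows a single options {} statement): every host on the
// Internet may use this server's cache and recursion, i.e. an open resolver.
//
//   options {
//       recursion yes;
//       allow-query { any; };
//       allow-recursion { any; };
//   };

// Recommended form, after https://kb.isc.org/docs/aa-00269.
// 192.168.1.0/24 is an assumed home LAN; replace it with your own network.
acl "trusted" {
    localhost;          // built-in ACL: the server's own addresses
    192.168.1.0/24;
};

options {
    directory "/var/named";
    recursion yes;
    // Anyone may ask for data in zones this server is authoritative for.
    allow-query { any; };
    // Only trusted clients may read the cache or trigger recursion;
    // everyone else gets REFUSED for names the server is not authoritative for.
    allow-query-cache { trusted; };
    allow-recursion { trusted; };
    // Validate DNSSEC against the built-in root trust anchor.
    dnssec-validation auto;
};

// Authoritative zone (assumed name); served to the whole Internet by allow-query.
zone "example.org" IN {
    type master;
    file "example.org.zone";
};
```

After editing, `named-checkconf /etc/named.conf` reports syntax errors, and a query for an external name from a host outside the "trusted" ACL should return status REFUSED rather than an answer.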