From ArchWiki
Latest comment: 29 May 2023 by Grawity in topic SOA requires 7 lines of data

Updates to chroot instructions 2012/08

I just did the chroot and I had to add:

   cp /etc/rndc.key ${CHROOT}/etc/

I had to change the ownership/permissions on ${CHROOT}/var and ${CHROOT}/var/log to root:named 775 to get it to log. So either the user 'named' need's to be writing the logfiles or the permissions need to be changed. I'm still looking into this.

There should also be a note about updating the /etc/logrotate.d/named file the change the path to /chroot/named/var/log/named.log

I'd be happy to write this up but it's my first edit so I wouldn't mind having someone look over my shoulder.

UselessSgrant (talk)

DNSSEC - pointless link

The link in the DNSSEC section points to a very bad article, containing literally no information that couldnt be included here. There should be some sort of config help here. AFAIK you have to tweak config like this:

 options {
   dnssec-validation auto;
   dnssec-lookaside auto;

As i have not mutch of a clue of bind9 (and i dont plan to use it) i would appreciate if someone capable of verifying this could include this into the article. thanks! Fordprefect (talk) 10:06, 19 April 2016 (UTC)Reply[reply]

Guidelines No Longer Work as of July 2016

The guidelines for setting up a local DNS server, as given on this page, no longer seem to work.

Dig command stalls on both local and global address lookups once the local DNS server is supposedly meant to be running.

Seanhly (talk) 15:51, 8 July 2016 (UTC)Reply[reply]

Store the root zone . locally

people these days do a root-zone transfer via RFC:7706 to locally serve the rootzone themselves from a local named. Good from a privacy perspective and makes DNSSEC easier. Why not add some info how to do it (essentially just suggest a proper /etc/named.conf) which is very viable for 1-user systems at home ? see e.g. --UBF6 (talk) 20:02, 18 November 2018 (UTC)Reply[reply]

And while we are at it, why not add non-ICANN root-zones like .geek , .libre etc. which are administered bei OpenNIC. Its just a few lines more... UBF6 (talk) 03:12, 19 November 2018 (UTC)Reply[reply]
I suppose a lot has changed in recent years. Arch used to include root.hints and the local zones in the distributed package. This is apparently no longer true, using internals for these. In fact, I just not finally commented out (been ignoring the entry in the journal for a year or better). I still have the other four as the files are still present (when this server was built, only was distributed I believe - not sure, but they didn't generate an error when the package changed). This is a good thing, these should not differ across installations. However, one logical exception, as alluded above, might be the root hints. While bind does include an internal copy, it still might be best practice to periodically download the root hints from IANA as bind releases do not revolve around IANA updates. For me, I simply use a monthly systemd timer that does this for me (and have for many years). It need not be complicated, see bellow blocks (the naming was the original name back in ~2012 at best guess). I don't do this, but I suppose you could add something like 'dig . NS @ >> /var/named/root.hint' (or whatever the modern equivalent is for the OpenNIC roots). UBF6, if still watching, can you comment on that? DJ L (talk) 06:35, 4 January 2020 (UTC)Reply[reply]
A bit has chnaged since that last comment, but most of it is still relevant (updated) DJ L (talk):

DATE=`date -u +%Y%m%d`

wget -O /var/named/ &&
mv /var/named/root.hint /var/named/root.hint-${DATE} &&
mv /var/named/ /var/named/root.hint
chown named:named /var/named/root.hint
chmod 644 /var/named/root.hint
systemctl restart named
    zone "." {
        type hint;
        file "root.hint";
Description=Update root.hint file

Description=Update /var/named/root.hint file monthly

OnCalendar=OnCalendar=*-*-01 03:00:00

# chmod 755 /root/bin/
# systemctl enable update-root-hints.timer

Also, for creating hint file from dig, use something like the following:

# dig . NS | sed -e '/^;/d' -e '/^$/d' | sort -V > root.hint

And for OpenNIC (just for giggles as I have no idea how to use them):

# dig . NS @ | sed -e '/^;/d' -e '/^$/d' | sort -V > opennic.hint
# dig opennic.glue. NS @ | sed -e '/^;/d' -e '/^$/d' | sort -V >
# dig dns.opennic.glue. NS @ | sed -e '/^;/d' -e '/^$/d' | sort -V >
# dig bbs. NS @ | sed -e '/^;/d' -e '/^$/d' | sort -V >
# dig chan. NS @ | sed -e '/^;/d' -e '/^$/d' | sort -V >
# dig cyb. NS @ | sed -e '/^;/d' -e '/^$/d' | sort -V >
# dig dyn. NS @ | sed -e '/^;/d' -e '/^$/d' | sort -V >
# dig epic. NS @ | sed -e '/^;/d' -e '/^$/d' | sort -V >
# dig geek. NS @ | sed -e '/^;/d' -e '/^$/d' | sort -V >
# dig gopher. NS @ | sed -e '/^;/d' -e '/^$/d' | sort -V >
# dig indy. NS @ | sed -e '/^;/d' -e '/^$/d' | sort -V >
# dig libre. NS @ | sed -e '/^;/d' -e '/^$/d' | sort -V >
# dig neo. NS @ | sed -e '/^;/d' -e '/^$/d' | sort -V >
# dig null. NS @ | sed -e '/^;/d' -e '/^$/d' | sort -V >
#### Careful with the one below, I don't know what "" is
# dig o. NS @ | sed -e '/^;/d' -e '/^$/d' | sort -V >
# dig oss. NS @ | sed -e '/^;/d' -e '/^$/d' | sort -V >
# dig oz. NS @ | sed -e '/^;/d' -e '/^$/d' | sort -V >
# dig parody. NS @ | sed -e '/^;/d' -e '/^$/d' | sort -V >
# dig pirate. NS @ | sed -e '/^;/d' -e '/^$/d' | sort -V >

As to actually using OpenNIC, I'm unsure of the best way to do that...

—This unsigned comment is by DJ L (talk) 04:21, 29 May 2023. Please sign your posts with ~~~~!

"allow recursion" is in conflict with recommendations

Usually one wants allow anyone to query one's server for authoritative data, but only those hosts within the "trusted" ACL access to your cache and recursion. The given line given in the wiki does not do this. Instead we should follow and use an ACL like they suggest.

talks about world-visibility, firewall and allow-recursion{}; vs. allow-query{};.

UBF6 (talk) 21:37, 18 November 2018 (UTC)Reply[reply]

SOA requires 7 lines of data

Couldn't get this to work after research found SOA requires 7 lines of data typically email address as second line just my 2cents worth.

—This unsigned comment is by Graeme (talk) 00:38, 29 May 2023. Please sign your posts with ~~~~!

It requires 7 space-separated fields, and the example contains all 7. (hostmaster is the "email address" field in the example.) The number of lines is completely irrelevant. grawity (talk) 05:01, 29 May 2023 (UTC)Reply[reply]