Sunday, January 09, 2005

Setting Up BIND 9.3 on FreeBSD 5.3

Today I moved my local name resolution duties from a FreeBSD 4.x system to a FreeBSD 5.3 system. I found the FreeBSD Handbook sparse reading, but this article gave a few more pointers. Here's what I ended up doing.

The first step is to recognize that /etc/namedb is a symlink:

janney:/home/richard$ ls -al /etc/namedb
lrwxrwxrwx 1 root wheel 23 Nov 8 09:14 /etc/namedb -> ../var/named/etc/namedb

This supports the new default of running named in a chroot rooted at /var/named (the named_chrootdir setting in rc.conf), which is a chroot rather than a FreeBSD jail(8).

Next I created the localhost-v6.rev and localhost.rev files in /var/named/etc/namedb/master.

janney:/home/richard$ cd /var/named/etc/namedb/
janney:/var/named/etc/namedb$ sudo sh make-localhost

I altered the serial numbers by adding '01' to the end to allow 99 edits per day. (Using the default '20050109' yields one edit per day, if you want your serial number to be related to the day you change it. This is totally optional but I find it helpful.)

janney:/var/named/etc/namedb/master$ cat localhost.rev
; From: @(#)localhost.rev 5.1 (Berkeley) 6/30/90
; $FreeBSD: src/etc/namedb/PROTO.localhost.rev,v 1.6 2000/01/10 15:31:40 peter Exp $
;
; This file is automatically edited by the `make-localhost' script in
; the /etc/namedb directory.
;

$TTL 3600

@       IN      SOA     janney.taosecurity.com. root.janney.taosecurity.com. (
                        2005010901      ; Serial
                        3600            ; Refresh
                        900             ; Retry
                        3600000         ; Expire
                        3600 )          ; Minimum
        IN      NS      janney.taosecurity.com.
1       IN      PTR     localhost.taosecurity.com.
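The YYYYMMDDnn serial convention has two cases that are easy to get wrong by hand: the first edit on a new day must reset the sequence to 01, and a 100th edit on the same day must be refused rather than silently wrapping into the next day's range. As an added example (not part of the original post or of FreeBSD's base system), the POSIX sh script below automates the bump and also applies the RFC 1982 serial comparison that slaves use, so it refuses to write a serial a secondary would treat as older. The function names, the temporary-file handling and the example zone path are my own choices.

```shell
#!/bin/sh
# bump-serial.sh: added example, not from the original post or FreeBSD.
# Maintains SOA serials in the YYYYMMDDnn form: the date of the edit plus a
# two-digit sequence, so a zone can change up to 99 times a day and
# secondaries always see a strictly increasing serial.

# serial_newer NEW OLD: RFC 1982 serial-number comparison. Returns 0 if a
# secondary will treat NEW as newer than OLD (difference mod 2^32 lies in
# 1..2^31-1), non-zero otherwise. Needs 64-bit shell arithmetic (dash, bash).
serial_newer() {
    d=$(( ($1 - $2) % 4294967296 ))
    [ "$d" -lt 0 ] && d=$(( d + 4294967296 ))
    [ "$d" -gt 0 ] && [ "$d" -lt 2147483648 ]
}

# next_serial OLD TODAY: print the serial to use for an edit made on TODAY
# (YYYYMMDD), given the zone's current serial OLD.
next_serial() {
    old=$1; today=$2
    olddate=$(printf '%s' "$old" | cut -c1-8)
    oldseq=$(printf '%s' "$old" | cut -c9-10)
    if [ "${#old}" -ne 10 ]; then
        echo $(( old + 1 ))            # not in date form: plain increment
    elif [ "$olddate" -lt "$today" ]; then
        echo "${today}01"              # first edit of a new day
    elif [ "$olddate" -eq "$today" ]; then
        # strip a leading zero: "08" would otherwise be parsed as octal
        if [ "${oldseq#0}" -ge 99 ]; then
            echo "next_serial: 99 edits already recorded today in $old" >&2
            return 1
        fi
        printf '%s%02d\n' "$today" $(( ${oldseq#0} + 1 ))
    else
        echo $(( old + 1 ))            # serial is ahead of the clock: stay monotonic
    fi
}

# bump_file FILE TODAY: rewrite the "; Serial" line in FILE with the next
# serial and print the new value. Writes a temporary copy first so a failure
# never leaves a half-written zone file behind.
bump_file() {
    file=$1; today=$2
    old=$(awk '/; Serial/ { print $1; exit }' "$file")
    [ -n "$old" ] || { echo "bump_file: no '; Serial' line in $file" >&2; return 1; }
    new=$(next_serial "$old" "$today") || return 1
    serial_newer "$new" "$old" || { echo "bump_file: $new is not newer than $old" >&2; return 1; }
    sed "s/^\([[:space:]]*\)$old\([[:space:]]*;[[:space:]]*Serial\)/\1$new\2/" "$file" > "$file.tmp" &&
        mv "$file.tmp" "$file" && echo "$new"
}

# Usage: sh bump-serial.sh /var/named/etc/namedb/master/localhost.rev
# (path is an example; run before restarting named, then reload the zone)
if [ $# -ge 1 ]; then
    bump_file "$1" "$(date +%Y%m%d)"
fi
```

Run it against each master file you edited, then restart or reload named. The serial_newer check matters more for the non-date branch: if someone once typed a huge serial by hand, plain incrementing keeps it monotonic, but the RFC 1982 test is what tells you whether a secondary will actually accept the new value.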

Next I ran rndc-confgen to create a key which authorizes me to administer the BIND server. Notice that rndc replaces ndc for controlling BIND.

janney:/home/richard$ sudo rndc-confgen -a
wrote key file "/etc/namedb/rndc.key"
janney:/home/richard$ sudo cat /etc/namedb/rndc.key
key "rndc-key" {
algorithm hmac-md5;
secret "OBSCURED";
};

I then added that information plus a control statement to /var/named/etc/namedb/named.conf:

controls {
inet 127.0.0.1 allow { localhost; } keys { rndc-key; };
};

key "rndc-key" {
algorithm hmac-md5;
secret "OBSCURED";
};

I found I had a file /etc/rndc.conf that had a matching key:

options {
default-server localhost;
default-key "rndc-key";
};

server localhost {
key "rndc-key";
};

key "rndc-key" {
algorithm hmac-md5;
secret "OBSCURED";
};

With this infrastructure in place, I essentially copied my old zone configuration files into /var/named/etc/namedb. I made sure to update all of the serial numbers on files with changes. Once done I used the new rc scripts to restart named:

janney:/etc/namedb$ sudo /etc/rc.d/named restart
Stopping named.
Starting named.

I checked to see if I could query BIND's status as a user, but then had to use sudo because the rndc.key file was not readable by users:

janney:/etc/namedb$ rndc status
rndc: error: none:0: open: /etc/namedb/rndc.key: permission denied
rndc: could not load rndc configuration
janney:/etc/namedb$ sudo rndc status
number of zones: 7
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 0/1000
tcp clients: 0/100
server is up and running

Everything seems to be working. My /etc/rc.conf file has these DNS-related entries:

named_enable="YES"
named_chrootdir="/var/named"
named_chroot_autoupdate="YES"
