Date:      Sat, 09 Jul 2011 09:14:21 +0100
From:      Matthew Seaman <m.seaman@infracaninophile.co.uk>
To:        Gary Kline <kline@thought.org>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: DNS and file system messed up...
Message-ID:  <4E180DDD.1020505@infracaninophile.co.uk>
In-Reply-To: <20110708220452.GB26712@thought.org>
References:  <20110707180041.GA90387@thought.org> <20110708055837.GA21564@thought.org> <CDA23F69-BA47-4D83-856E-1DE15F135243@lafn.org> <4E16C779.6000607@infracaninophile.co.uk> <20110708220452.GB26712@thought.org>

On 08/07/2011 23:04, Gary Kline wrote:
> On Fri, Jul 08, 2011 at 10:01:45AM +0100, Matthew Seaman wrote:
>> Date: Fri, 08 Jul 2011 10:01:45 +0100
>> From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
>> Subject: Re: DNS and file system messed up...
>> To: freebsd-questions@freebsd.org
>>
>> On 08/07/2011 08:25, Doug Hardie wrote:
>>> On 7 July 2011, at 22:58, Gary Kline wrote:
>>>
>>>>>>> Jul  7 10:16:33 ethic named[54366]: none:0: open: /etc/named.conf: file not found
>>>>>>> Jul  7 10:17:56 ethic named[54371]: starting BIND 9.3.6-P1 -c /var/named/etc/namedb/named.conf
>>
>>> The first one that fails is looking for /etc/named.conf.  The second
>>> one shows it's in /var/named/etc/named/named.conf
>>
>>> Those are different locations.  I suspect you have named_flags setup
>>> in rc.conf pointing to /etc/namedb/named.conf rather than the right
>>> location.  It's also possible that it's not set in rc.conf but defaults
>>> in either the rc script or /etc/rc.d/named.  On my system it appears
>>> to default in /etc/rc.d/named.
>>
>> FreeBSD defaults to running named chrooted.  /etc/namedb is actually a
>> symbolic link:
>
>
> hi matthew,
>=20
> i found an in-depth post you wrote re mtree yesterday ( 07july ),
> but i figured it was over my head in resetting anything i might need
> to reset.  i was going to write you offlist.  decided to ask the
> entire list.
>
>
>>
>> % ls -la /etc/namedb
>> lrwxr-xr-x  1 root  wheel  21 Jul  6 06:24 /etc/namedb@ ->
>> /var/named/etc/namedb
>>
>> so the files referenced are in fact exactly the same file.  However, the
>> flags from the log extract don't look like the defaults to me.  (I'm
>> running the dns/bind98 port, and the equivalent info from the log line
>> is '-t /var/named -u bind')
>
>
> i was using bind98 rather than the earlier bind9 which is out of
> date.  but bind98 gave me troubles with the rndc.key and other, so i
> chose to go back with what worked.  --first thing is to get this
> working with the older bind9.  FWIW, both bind9's have given me the same
> error and failure.  i have walked thru the named script to the point
> where it creates the symlink.  regardless, i cannot understand the
> error and failure messages.  i only know that my kill -9 and my
> initialization "by hand" work.
>>
>> Gary, what named related settings do you have in /etc/rc.conf?  You
>> almost certainly don't need anything more than:
>>
>> named_enable="YES"
>>
>> and perhaps
>>
>> syslogd_flags="-ss -l /var/named/var/run/log"
>>
>> so named can log to the system syslog.
>
>
> Hmmm [&c].  as you may have seen in my post to Doug H. i only have
>
>
> --
>
> named_enable="YES"
> named_program="/usr/local/sbin/named"
> named_pidfile="/var/run/named/pid"

OK.  The good news is that the configuration that works for the system
built-in version of named will work for the dns/bind98 port with very
minor changes, if any.

First:  where everything should live

   /etc/namedb/named.conf --- named's config file
   /etc/namedb/master     --- zone files this server is master for
   /etc/namedb/slave      --- zone files this server slaves from
                              another master (rw by named)
   /etc/named/working     --- named's working directory (rw by named)
   /etc/rndc.conf         --- config file for rndc

There are various other files and directories under /etc/namedb which
you may or may not need depending on how you configure named; in any
case, just leave them in their default locations and with the
permissions the system gives them.  (You can use mtree(8) to fix them up
if necessary -- but that's a whole other posting)

Now, although named defaults to running chrooted into /var/namedb, you
don't need to mention that path explicitly anywhere in the config.  In
fact, you should think about the configuration as if there was no
chrooting happening at all.

Second: rc.conf settings

  named_enable="YES"
  syslogd_flags="-ss -l /var/named/var/run/log"

should be all you need to use the built-in version of named.

Third: rndc configuration

  Generate a new rndc key and a config file by:

   # rndc-confgen > /etc/namedb/rndc.conf

This should create a new file /etc/namedb/rndc.conf preconfigured to
work with the named instance on the localhost.  Look at the text of
the file -- commented out there's a chunk of stuff to copy into
named.conf.  So let's do that.

If the file contains:

# key "rndc-key" {
# 	algorithm hmac-md5;
# 	secret "0ABCDE123+45+67890==";
# };
#
# controls {
# 	inet 127.0.0.1 port 953
# 		allow { 127.0.0.1; } keys { "rndc-key"; };
# };

Then copy that without the '#' quotes into named.conf.  In fact, I find
it helps to add a control for access to ::1 as well.  So add this text
to /etc/namedb/named.conf:

key "rndc-key" {
    algorithm hmac-md5;
    secret "0ABCDE123+45+67890==";
};

controls {
    inet 127.0.0.1 port 953
        allow { 127.0.0.1; } keys { "rndc-key"; };
    inet ::1 port 953
        allow { ::1; } keys { "rndc-key"; };
};

Fourth: set up named.conf

As I don't know much about the config you want, I'm going to have to keep
this to generalities.

In the options section you should have some standard boiler-plate:

options {
    directory           "/etc/namedb/working";
    pid-file            "/var/run/named/pid";
    dump-file           "/var/dump/named_dump.db";
    statistics-file     "/var/stats/named.stats";
    memstatistics-file  "/var/stats/named.memstats";

For security purposes you can turn off named's built-in version display etc.

    version             none;
    hostname            none;
    server-id           none;

Also for security purposes, configure named to use as many UDP ports as
possible:

    use-v4-udp-ports   { range 1024 65535; };
    use-v6-udp-ports   { range 1024 65535; };

There's a bunch of other stuff I could talk about to go into options,
but that's a matter of individual choice and this message is long enough
already.  One of the more important things I'm glossing over is the
'recursion' setting -- this needs to be carefully restricted to only
being available to your own network, as there are plenty of nasty
attacks that are enabled by opening recursion to the world.

When it comes to zone file statements, one slight gotcha is that you
should give /absolute/ filenames -- that's a consequence of the
'directory' setting above.  Remember the bit about pretending that
chrooting isn't happening? It applies here.  So, for instance,
you'd want something like this for localhost:

    zone "localhost"
    {
        type master;
        file "/etc/namedb/master/localhost-forward";
    };
    zone "127.in-addr.arpa"
    {
        type master;
        file "/etc/namedb/master/localhost-reverse";
    };

    // RFC 1912-style zone for IPv6 localhost address
    zone "0.ip6.arpa"
    {
        type master;
        file "/etc/namedb/master/localhost-reverse";
    };

Those zone files should be present as part of the standard system.
Note: you can use ACLs and/or views to control access to these localhost
zones.  It's only your local trusted clients that need any access.

For zones that you are serving to the general public -- i.e. the zones
you are authoritative for, you'd have something like this:

    zone "infracaninophile.co.uk" {
        type master;
        file "/etc/namedb/master/infracaninophile.co.uk";
        allow-query {
            any;
        };
        allow-transfer {
            secondaries;
        };
    };

Fifth: testing

Use named-checkconf to test that your config is going to work:

    # named-checkconf /etc/namedb/named.conf && echo "Everything is OK"

If named-checkconf prints anything out, that's a problem which needs to
be fixed.  named-checkconf remaining silent is a good sign.

Sixth: start named up

    # /etc/rc.d/named start

Look at the logging output in /var/log/messages to check everything is
running OK, and test that rndc works by 'rndc status'.

Seventh: there is no seventh.

Well, actually, changes you would need to make to use the dns/bind98
port.  Very few.

Check that /usr/local/etc/rndc.conf is a symlink to /etc/named/rndc.conf
-- this should be created automatically when you install the port.

Use /usr/local/sbin/named-checkconf to verify that your named.conf is OK
with the newer named version.  Unless you're using DNSSEC it almost
certainly will be.

Stop named running and add

   named_program="/usr/local/sbin/named"

to /etc/rc.conf.  Restart named.  Done.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
JID: matthew@infracaninophile.co.uk               Kent, CT11 9PW
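
Added example, not part of the post above and not FreeBSD's own rc or BIND
scripts: a POSIX sh script that (1) lifts the commented-out key/controls
stanza out of rndc-confgen output (the post's third step) into the named.conf
fragment the post describes, inserting the ::1 control, and (2) lints an
options { } block for the hardening settings listed in the post's fourth step
(version/hostname/server-id none, the UDP port ranges, and recursion enabled
without any allow-recursion restriction). The rndc.conf sample and both
options blocks are constructed inline; the secret is the post's dummy value;
the `allow-recursion { localnets; localhost; };` line is an assumed way of
restricting recursion, not something the post specifies.

```shell
#!/bin/sh
# Added example (not from the post or from FreeBSD's rc scripts).
# 1. rndc_stanza_for_named_conf: strip the "# " markers from the key/controls
#    block that rndc-confgen prints and add the ::1 control the post suggests.
# 2. options_hardening_findings: report which of the post's hardening
#    settings an options { } block lacks; exit 0 when nothing is missing.

# Constructed sample modelled on rndc-confgen output; the secret is the
# post's dummy value, not a real key.
SAMPLE_RNDC_CONF='# Start of rndc.conf
key "rndc-key" {
    algorithm hmac-md5;
    secret "0ABCDE123+45+67890==";
};

options {
    default-key "rndc-key";
    default-server 127.0.0.1;
    default-port 953;
};
# End of rndc.conf

# Use with the following in named.conf, adjusting the allow list as needed:
# key "rndc-key" {
#     algorithm hmac-md5;
#     secret "0ABCDE123+45+67890==";
# };
#
# controls {
#     inet 127.0.0.1 port 953
#         allow { 127.0.0.1; } keys { "rndc-key"; };
# };
# End of named.conf'

# Constructed options blocks: one as the post recommends, one left open.
HARDENED_OPTIONS='options {
    directory "/etc/namedb/working";
    version none;
    hostname none;
    server-id none;
    use-v4-udp-ports { range 1024 65535; };
    use-v6-udp-ports { range 1024 65535; };
    recursion yes;
    allow-recursion { localnets; localhost; };   # assumed restriction
};'

WEAK_OPTIONS='options {
    directory "/etc/namedb/working";
    recursion yes;
};'

# Print the named.conf stanza: everything from "# key" up to (not including)
# "# End of named.conf", comment marker removed, with an IPv6 loopback
# control inserted right after the 127.0.0.1 one.
rndc_stanza_for_named_conf() {
    printf '%s\n' "$1" | awk '
        /^# key "rndc-key"/     { inblock = 1 }
        /^# End of named.conf/  { inblock = 0 }
        inblock {
            sub(/^# ?/, "")
            print
            if (index($0, "allow { 127.0.0.1; }") > 0) {
                print "    inet ::1 port 953"
                print "        allow { ::1; } keys { \"rndc-key\"; };"
            }
        }'
}

# One line per missing hardening setting; status 1 if anything was found.
options_hardening_findings() {
    conf=$1
    rc=0
    for setting in 'version none' 'hostname none' 'server-id none' \
                   'use-v4-udp-ports' 'use-v6-udp-ports'; do
        if ! printf '%s\n' "$conf" | grep -q "^[[:space:]]*$setting"; then
            echo "missing: $setting"
            rc=1
        fi
    done
    # "recursion yes" with no allow-recursion is the open-resolver case the
    # post warns about.
    if printf '%s\n' "$conf" | grep -q '^[[:space:]]*recursion[[:space:]]*yes' &&
       ! printf '%s\n' "$conf" | grep -q '^[[:space:]]*allow-recursion'; then
        echo "recursion enabled without an allow-recursion restriction"
        rc=1
    fi
    return $rc
}

# Usage: print the stanza to paste into named.conf, then lint both samples.
rndc_stanza_for_named_conf "$SAMPLE_RNDC_CONF"
options_hardening_findings "$HARDENED_OPTIONS" && echo "hardened options: nothing missing"
options_hardening_findings "$WEAK_OPTIONS" || echo "weak options: fix the findings above"
```

On a real host you would feed `rndc_stanza_for_named_conf "$(cat /etc/namedb/rndc.conf)"` and the options block of your own named.conf into the two functions; the lint is a line-oriented grep, so it reports settings that are absent, not ones that are present but wrong, and named-checkconf remains the authority on whether the file parses.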

