5.3. Installing BIND


If you use OpenBSD 3.5, BIND 9.2.3 is included in the standard base35.tgz file, which is the best way to manage it. If you keep your system up to date with patches (as described in Chapter 4), then you can probably keep BIND 9 up to date with the rest of the operating system. The OpenBSD project staff are scrupulous about screening the software they bundle and are aggressive about updating software like BIND when vulnerabilities are announced. If you stay up to date, you will be in good shape. A reasonable version of BIND 9 is included with the base OpenBSD operating system, and it is configured well, so we will not discuss how to install a separate version from scratch on OpenBSD. There are few, if any, good reasons to do that, and many good reasons to stay with the version provided by the installation.

Both FreeBSD 4.x-RELEASE and FreeBSD 5.x-RELEASE ship with BIND 8.3.4 by default. Though it is the opinion of the authors rather than an objective fact, we believe BIND 9 is a better foundation for building your DNS infrastructure than BIND 8. The probability of new vulnerabilities being found in BIND 8 is considerably higher than in BIND 9. The discussion in this chapter, therefore, focuses on how to install, configure, and maintain BIND 9.

5.3.1. FreeBSD

With FreeBSD, you want to overwrite the default version of BIND by installing ports/dns/bind9 from the ports tree. If you do not overwrite the original version, you will have duplicate copies of critical BIND components. You could inadvertently invoke the wrong one, or a script whose PATH was incorrectly set could invoke the wrong one. The command-line syntax of both named and nsupdate has changed significantly between Versions 8 and 9.

The FreeBSD ports system makes it easy to overwrite the installed version of BIND. There are two steps:

  1. Insert NO_BIND=TRUE in /etc/make.conf. This ensures that BIND 8 is not built and installed when you are upgrading your system using the buildworld/installworld paradigm as described in the FreeBSD Handbook and in Chapter 4 of this book.

    If you choose to use the PORT_REPLACES_BASE_BIND9 option (described next), you will clobber your BIND 9 installation by running make installworld unless you use NO_BIND=TRUE.

  2. Insert PORT_REPLACES_BASE_BIND9=TRUE in /etc/make.conf. This causes the port version to overwrite /usr/sbin/named, /etc/named, and other files in the base installation. This means that when you put named_enable="YES" in /etc/rc.conf, it will launch the BIND 9 that you compiled from ports.

If you accidentally overwrite a BIND 9 installation with BIND 8, you may have difficulty diagnosing it. BIND 8 will often accept much of the same syntax in the named.conf and zone files. It will gripe about what it does not understand, but it will probably run. In terms of serving zone information, it will probably run correctly. Your biggest clues will be functionality (like cryptography and dynamic updates) that suddenly stops working.
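The following POSIX sh helpers are an added example, not code from the book: they apply the two /etc/make.conf settings above idempotently (so re-running them never produces duplicate assignments), verify that both are present before you run installworld, and give you two quick checks for the mix-up just described: the major version parsed from a `named -v` banner, and every `named` binary found along a PATH-like list. The sample banner strings and the make.conf contents are constructed for the demonstration; the script works on a temporary copy, never on the real /etc/make.conf, so you can run it anywhere.

```shell
#!/bin/sh
# Added example (not from the book): helpers for the make.conf steps and for
# checking which BIND actually ended up installed.

# Idempotently set VAR=VALUE in a make.conf-style file: rewrite an existing
# uncommented assignment in place, or append one if none exists.
# Arguments: file var value
set_make_conf_var() {
    file=$1 var=$2 value=$3
    [ -f "$file" ] || : > "$file"
    if grep -q "^[[:space:]]*${var}[[:space:]]*=" "$file"; then
        # POSIX sed has no -i, so rewrite through a temporary file.
        sed "s|^[[:space:]]*${var}[[:space:]]*=.*|${var}=${value}|" "$file" > "$file.tmp" &&
            mv "$file.tmp" "$file"
    else
        printf '%s=%s\n' "$var" "$value" >> "$file"
    fi
}

# Return 0 only if both settings required for the ports-replaces-base setup
# are present and TRUE; otherwise return 1 (installworld would clobber BIND 9).
make_conf_ready() {
    grep -q '^[[:space:]]*NO_BIND[[:space:]]*=[[:space:]]*TRUE' "$1" &&
    grep -q '^[[:space:]]*PORT_REPLACES_BASE_BIND9[[:space:]]*=[[:space:]]*TRUE' "$1"
}

# Extract the major version number from a "named -v" banner string.
# Takes the first run of digits followed by a dot, so both the BIND 9 style
# ("BIND 9.2.3") and the BIND 8 style ("named 8.3.4-REL ...") work.
named_major_version() {
    printf '%s\n' "$1" | sed -n 's/^[^0-9]*\([0-9][0-9]*\)\..*/\1/p'
}

# Print every executable called "named" in a colon-separated directory list,
# so a leftover base BIND 8 next to the ports BIND 9 is visible at a glance.
find_named_copies() {
    IFS=:
    for d in $1; do
        [ -x "$d/named" ] && printf '%s\n' "$d/named"
    done
    unset IFS
    return 0
}

# Demonstration on a constructed make.conf in a temporary directory.
demo_dir=$(mktemp -d)
demo_conf="$demo_dir/make.conf"
printf 'CPUTYPE?=p3\nNO_BIND=FALSE\n' > "$demo_conf"     # constructed starting point
set_make_conf_var "$demo_conf" NO_BIND TRUE
set_make_conf_var "$demo_conf" PORT_REPLACES_BASE_BIND9 TRUE
cat "$demo_conf"
make_conf_ready "$demo_conf" && echo "make.conf is ready for the ports BIND 9"
echo "banner 'BIND 9.2.3' -> major $(named_major_version 'BIND 9.2.3')"
echo "banner 'named 8.3.4-REL' -> major $(named_major_version 'named 8.3.4-REL')"
echo "named binaries on PATH:"
find_named_copies "$PATH"
rm -rf "$demo_dir"
```

On a real system you would point `set_make_conf_var` at /etc/make.conf and feed `named_major_version` the actual output of `named -v` (and of `/usr/sbin/named -v` separately, if `find_named_copies` shows more than one binary); a result of 8 where you expected 9 is the clobbering described above.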


Note that the version tracked in ports/dns/bind9 is not always the absolutely latest version. It is occasionally behind by a few minor revisions, unless there is a major security concern. Most sites can usually get along safely without being on the bleeding edge. DNS is such a critical function that the FreeBSD port maintainers are a little conservative about updating it.

    Mastering FreeBSD and OpenBSD Security