Running BIND 9


Some differences exist when running BIND 9.

named

You can use your existing BIND 8 named.conf file. Provided your BIND 9 was compiled with the same --prefix option as your BIND 8, the file will be found and loaded without problems. Read your log file carefully, noting warnings and error messages; options not implemented in BIND 9 result in warnings in the log. If you have read the migration guide in doc/misc/migration, you will probably get no surprises. To control BIND 9, you use rndc (remote name daemon control), not the ndc you are used to from BIND 4 and 8.

Note that named has a new command-line syntax:

    named [-c conffile] [-d debuglevel] [-f|-g] [-n number_of_cpus]
          [-p port] [-s] [-t chrootdir] [-u username]

rndc

rndc communicates with BIND 9 over the network, not through filesystem sockets or signals as ndc does in BIND 4/8. To make this secure, it must authenticate with cryptographic keys, so a configuration file is required. /etc/rndc.conf is a subset of named.conf, limited to the options, key, and server statements. The key statement works the same as in named.conf; the server statement associates each server you need to control with its key. The options statement takes two options, default-server and default-key, which identify the default server and the default key, respectively. Here is an example from the ARM:

    key rndc_key {
        algorithm "hmac-md5";
        secret "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K";
    };
    options {
        default-server localhost;
        default-key    rndc_key;
    };

I describe how to generate keys later in this chapter, in the section "Security Enhancements."

Correspondingly, you need to configure your named to accept the given key by defining the same key and a controls statement in named.conf:

    key rndc_key {
        algorithm "hmac-md5";
        secret "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K";
    };
    controls {
        inet 127.0.0.1 allow { localhost; } keys { rndc_key; };
    };

These keys are shared secrets, equivalent to passwords. The named.conf and rndc.conf files must not be world-readable, so take care to read-protect them.
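As an added illustration (not code from the book or from BIND), the following Python checker parses key statements of the simple form shown above, verifies that rndc.conf and named.conf carry the same key, that the controls statement in named.conf references it, that the secret is well-formed base64 of a sensible length, and that a file mode does not grant world read access. The sample configuration strings are constructed from the example above; the regular expressions assume that simple key statement layout.

```python
import base64
import re
import stat

# Constructed sample configs, built from the ARM-style example in the text.
SECRET = "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K"
KEY_STMT = f'key rndc_key {{ algorithm "hmac-md5"; secret "{SECRET}"; }};'
RNDC_CONF = KEY_STMT + "\noptions { default-server localhost; default-key rndc_key; };"
NAMED_CONF = KEY_STMT + "\ncontrols { inet 127.0.0.1 allow { localhost; } keys { rndc_key; }; };"

# One key statement: key NAME { algorithm ALG; secret "BASE64"; };
KEY_RE = re.compile(
    r'key\s+"?([\w.-]+)"?\s*\{\s*algorithm\s+"?([\w-]+)"?\s*;'
    r'\s*secret\s+"([^"]+)"\s*;\s*\}\s*;', re.IGNORECASE)
KEYS_CLAUSE_RE = re.compile(r'keys\s*\{([^}]*)\}', re.IGNORECASE)

def parse_keys(conf_text):
    """Map key name -> (algorithm, secret) for every key statement found."""
    return {m.group(1): (m.group(2).lower(), m.group(3))
            for m in KEY_RE.finditer(conf_text)}

def controls_key_names(named_text):
    """Key names listed in any keys { ... } clause, as in the controls statement."""
    names = set()
    for m in KEYS_CLAUSE_RE.finditer(named_text):
        names.update(n for n in re.split(r'[\s;]+', m.group(1)) if n)
    return names

def key_problems(rndc_text, named_text, key_name):
    """Findings for one shared key; an empty list means the pair is consistent."""
    problems = []
    rk = parse_keys(rndc_text).get(key_name)
    nk = parse_keys(named_text).get(key_name)
    if rk is None:
        problems.append(f"{key_name}: no key statement in rndc.conf")
    if nk is None:
        problems.append(f"{key_name}: no key statement in named.conf")
    if rk and nk and rk != nk:
        problems.append(f"{key_name}: algorithm or secret differs between files")
    if key_name not in controls_key_names(named_text):
        problems.append(f"{key_name}: not listed in a controls keys clause")
    for label, k in (("rndc.conf", rk), ("named.conf", nk)):
        try:  # the secret must be valid base64 and not trivially short
            if k and len(base64.b64decode(k[1], validate=True)) < 16:
                problems.append(f"{label}: decoded secret shorter than 16 bytes")
        except ValueError:
            problems.append(f"{label}: secret is not valid base64")
    return problems

def world_readable(mode):
    """True if an st_mode value (e.g. os.stat(path).st_mode) lets 'other' read."""
    return bool(mode & stat.S_IROTH)
```

Feed it the real files with open(path).read() and os.stat(path).st_mode to audit a live installation.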

When running rndc, the default server is contacted unless you specify a different server with the -s option. You can also specify a different key with the -y option, but using the server statement is probably better for that.

The command line of rndc is as follows:

    rndc [-c config] [-s server] [-p port] [-y key] command [command …]

lwresd

lwresd is used by lwresd-enabled resolving libraries. That means your OS resolver will not use lwresd unless you replace it with one that does; software linked with the BIND 9 resolver library, on the other hand, will. lwresd is required to handle the kinds of resolution complexities that DNAME and A6 records cause. The stub OS resolver is too simple for them, and pushing the work onto the site-wide caching server exposes the site to site-wide denial of service (DoS) attacks. Both A6 and DNAME require a recursive resolution process that can be far more complex, even exponential, than the process used before.

lwresd acts as a caching-only resolver for the localhost. It takes its configuration from /etc/resolv.conf, using the servers named there as forwarders. Because lwresd must be trustworthy to the localhost, it listens on a port below 1024, and so it must be started by root at boot. Like named, however, it can run chrooted and as nobody, dropping root privileges once they are no longer needed. All this is described in Chapter 8, "Security Concerns," and Chapter 15, "Compiling and Maintaining BIND."

lwresd is a bit of a misnomer. It is not lightweight, but it enables the OS stub resolver to remain lightweight. As of 9.0.0rc1, lwresd is in fact identical to named, and it can't in any way be considered lightweight. If it ever becomes autonomous, it is likely to borrow most of the code in named.



The Concise Guide to DNS and BIND
ISBN: 0789722739
Year: 1999
Pages: 183
