Started Aug. 28, 2003

(Huge parts stolen from http://www.unixwiz.net/techtips/bind9-chroot.html
and customized)


(On RedHat)
rpm -e bind bind-utils bind-devel bindconf caching-nameserver redhat-config-bind


wget ftp://ftp.isc.org/isc/bind9/9.2.3/bind-9.2.3.tar.gz
(The directory and tarball must carry the same version - the 9.2.3 tarball is
not under 9.2.2. 9.2.x is long end-of-life, so use the current supported
BIND release from isc.org, and verify the download against ISC's detached
PGP signature (bind-<version>.tar.gz.asc) before building: plain FTP/HTTP
gives no integrity guarantee.)
tar -xzvf bind-9.2.3.tar.gz
cd bind-9.2.3
./configure --prefix=/dns --with-openssl[=/prefix] --disable-ipv6
(The square brackets mean the "=/prefix" part is optional: give it only when
OpenSSL is installed outside the default search path.)

(If this fails with a "can't find openssl" error, download and compile the
latest OpenSSL from openssl.org. With its default install prefix you would
then configure with --with-openssl=/usr/local/openssl.)

make
make install
cd /dns
mkdir -p /dns/etc /dns/dev \
	/dns/scripts \
	/dns/etc/secondaries \
	/dns/logs /dns/var/run \
	/dns/zones/external/arpa/in-addr \
	/dns/zones/external/com \
	/dns/zones/external/net \
	/dns/zones/external/org \
	/dns/zones/internal/arpa/in-addr \
	/dns/zones/internal/com \
	/dns/zones/internal/net \
	/dns/zones/internal/org

cd /dns
mknod dev/null c 1 3
mknod dev/zero c 1 5
mknod dev/random c 1 8
(mknod honours the umask, which typically leaves the nodes mode 644. named is
started as the unprivileged "named" user (see the -u flag below), so grant it
access to the nodes explicitly; the permissions script later in this document
only touches regular files and directories, not these device nodes:)
chmod 666 dev/null dev/zero
chmod 644 dev/random

For convenience, add /dns/bin, /dns/sbin, and /dns/scripts to the PATH in
/etc/profile or root's .bash_profile .

Add the following statement to /etc/man.config to get the man pages
working:
MANPATH /dns/man


ensure that user 'named' and group 'named' exist - create them if
necessary:
groupadd named
useradd -g named -d /dns -s /sbin/nologin named
passwd -l named


NOTE - Be sure that all DNS servers in the setup have the "named" user and 
group, and also ensure they have the same userid and groupid. This will 
make things a lot simpler!


cp /etc/localtime /dns/etc


create /dns/etc/named.conf:
--------------------------------------------------------------------
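options {
	directory	"/zones";
	pid-file	"/var/run/named.pid";
	statistics-file	"/var/run/named.stats";
	dump-file	"/var/run/named.db";

	# hide our "real" version number
	version		"[secured]";

	# Only answer recursive queries for this host.  Without a limit the
	# server is an open resolver on every interface it listens on (it is
	# reachable from the network - see the reverse zone below).  Add the
	# internal networks here if LAN clients are meant to use it.
	allow-recursion	{ localhost; };

	# No zone transfers by default.  Re-enable per zone with
	# allow-transfer { <secondary address>; }; once a secondary exists.
	allow-transfer	{ none; };
};

# The root nameservers.  root.hints must be a genuine copy of the root
# server list; see the note where it is generated.
zone "." {
	type	hint;
	file	"root.hints";
};

# localhost - forward zone
zone	"localhost" {
	type	master;
	file	"localhost.db";
	notify	no;
};

# localhost - inverse zone
zone	"0.0.127.in-addr.arpa" {
	type	master;
	file	"0.0.127.in-addr.arpa.db";
	notify	no;
};

# put your reverse zone for your IP here
zone	"25.16.172.in-addr.arpa" {
	type	master;
	file	"external/arpa/in-addr/25.16.172.in-addr.arpa.db";
};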

--------------------------------------------------------------------



create root.hints:
/dns/bin/dig > /dns/zones/root.hints
(With no arguments dig asks the resolver currently in /etc/resolv.conf for the
root NS set, so run this before pointing resolv.conf at 127.0.0.1. The answer
arrives over plain, unauthenticated DNS: compare it against the published
copy at ftp://ftp.internic.net/domain/named.root - or fetch that file
instead - before trusting it as your hint file.)


create /dns/zones/localhost.db:
--------------------------------------------------------------------
;
; localhost.db - forward zone for "localhost" (notify is disabled for
; it in named.conf; it only ever answers for 127.0.0.1)
;
$TTL	86400

@	IN SOA	@ root (
			2		; serial - bump on every change
			3H		; refresh
			15M		; retry
			1W		; expiry
			1D )		; minimum (negative-cache TTL)
	IN NS	@
	IN A	127.0.0.1
--------------------------------------------------------------------


create /dns/zones/0.0.127.in-addr.arpa.db:
--------------------------------------------------------------------
;
; 0.0.127.in-addr.arpa.db - reverse zone for the loopback network
; (notify is disabled for it in named.conf)
;
$TTL	86400
@	IN	SOA	localhost. root.localhost.  (
			1		; Serial - bump on every change
			28800		; Refresh
			14400		; Retry
			3600000		; Expire
			86400 )		; Minimum (negative-cache TTL)
        
	IN	NS	localhost.
1	IN	PTR	localhost.	; 127.0.0.1
--------------------------------------------------------------------



create /dns/zones/external/arpa/in-addr/25.16.172.in-addr.arpa.db:
--------------------------------------------------------------------
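;
; 25.16.172.in-addr.arpa.db - reverse zone for 172.16.25.0/24
;
; The SOA mname and the NS records must name the real nameservers for
; this zone.  The PTR records below place ns1.server.net at .100 (the
; address this host binds its control channel to in controls.conf) and
; ns2.server.net at .101.  Pointing them at "localhost." advertised
; 127.0.0.1 as the authoritative server, which breaks resolution for
; everyone but this machine.  Drop the ns2 line if ns2 does not serve
; this zone.
;
; The SOA rname (root.localhost.) should be a real, monitored mailbox
; for this domain - adjust before publishing the zone.
;
$TTL    86400
@	IN	SOA	ns1.server.net. root.localhost.  (
			2		; Serial - bump on every change
			28800		; Refresh
			14400		; Retry
			3600000		; Expire
			86400 )		; Minimum (negative-cache TTL)

@		IN	NS	ns1.server.net.
@		IN	NS	ns2.server.net.
100		IN	PTR	ns1.server.net.
101		IN	PTR	ns2.server.net.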
--------------------------------------------------------------------



enforce permissions with the following script:
--------------------------------------------------------------------
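#!/bin/sh
#
# set-named-perms.sh
#
#   Set the ownership and permissions on the chrooted named tree (/dns).
#
#   Policy: root owns everything and only root can write.  Group "named"
#   (the unprivileged user named is started as) gets read access, and
#   write access only where named must create files itself:
#   etc/secondaries, var/run and logs.  Run as root after installing or
#   editing anything under /dns.
#

set -eu

# Abort if the jail is missing: without this guard the recursive chown
# and chmod below would be applied to whatever directory we happen to
# be in.
cd /dns || { echo "set-named-perms.sh: cannot cd to /dns" >&2; exit 1; }

# Use "user:group"; the dot form is not portable.
chown -R root:named .

# Regular files: 644, except under bin/, sbin/ and scripts/, which must
# keep their execute bits.  -prune stops find descending into those
# trees (the old "grep -v bin" also matched any path merely containing
# "bin"), and -exec ... + copes with odd filenames and an empty list.
find . \( -path ./bin -o -path ./sbin -o -path ./scripts \) -prune \
	-o -type f -exec chmod 644 {} +

# directories
find . -type d -exec chmod 755 {} +

# named.conf, rndc.conf and anything included from them (controls.conf)
# hold the rndc key: group "named" must read them, nobody else.
chmod o= etc/*.conf

# Key files left behind by dnssec-keygen (K*.private, K*.key) hold the
# same secret in clear text and would otherwise be world-readable after
# the chmod 644 above.  Keep them root-only; better, delete them once
# the secret has been copied into rndc.conf and controls.conf.
for keyfile in etc/K*; do
	if [ -f "$keyfile" ]; then
		chmod 600 "$keyfile"
	fi
done

# the "secondaries" directory is where we park files from
# master nameservers, and named needs to be able to update
# these files and create new ones.
touch etc/secondaries/.empty  # placeholder
find etc/secondaries/ -type f -exec chown named:named {} +
find etc/secondaries/ -type f -exec chmod ug=r,o= {} +

chown root:named etc/secondaries/
chmod 770  etc/secondaries/

# the var/run business is for the PID file
chown root:root  var/
chmod 711 var/

chown root:named  var/run/
chmod 775 var/run/

# named has to be able to create logfiles
chown root:named  logs/
chmod 775 logs/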
--------------------------------------------------------------------



start named (caching mode only for now) :
/dns/sbin/named -t /dns -u named -c /etc/named.conf



Alternatively, you can create a /dns/scripts/named.start script:
--------------------------------------------------------------------
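#!/bin/sh
#
# named.start - start the chrooted BIND
#
#       Note: -t chroots into /dns before the config is read, so the
#       path given to the "-c" parameter is relative to the jail's
#       root, not the system root.  -u runs the daemon as the
#       unprivileged "named" user.
#
#       Add "-n2" if you have multiple CPUs
#
# usage: named [-c conffile] [-d debuglevel] [-f|-g] [-n number_of_cpus]
#              [-p port] [-s] [-t chrootdir] [-u username]

# Stop here rather than start named if the preparation below fails.
set -e

# make sure the debugging-output file is writable by named
touch /dns/var/run/named.run
chown named:named /dns/var/run/named.run
chmod 664 /dns/var/run/named.run

/dns/sbin/named -t /dns -u named -c /etc/named.conf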
--------------------------------------------------------------------



modify /etc/resolv.conf to have 'nameserver 127.0.0.1' - but only once named
is up and answering (e.g. "dig @127.0.0.1 localhost"); root.hints above was
fetched through the previous resolver.


generate key:
cd /dns/etc
dnssec-keygen -a HMAC-MD5 -b 256 -n HOST rndc

(This writes Krndc.+157+NNNNN.key and Krndc.+157+NNNNN.private into the
current directory with the secret in clear text; the NNNNN tag differs on
every run. Treat both files as sensitive - they are not covered by the
"chmod o= etc/*.conf" in the permissions script. hmac-md5 is what this BIND
version offers for rndc; newer releases generate the key with rndc-confgen
and support hmac-sha256, which you should prefer there.)

insert the value of the "Key:" line from the generated
Krndc.+157+NNNNN.private file as the "secret" in rndc.conf - and use the
same value in controls.conf below; the two must match.


create /dns/etc/rndc.conf:
--------------------------------------------------------------------
#
# /dns/etc/rndc.conf - client side of the rndc control channel
#
# Holds the control key in clear text.  set-named-perms.sh makes
# etc/*.conf root:named mode 640; keep it that way.
#

options {
	default-server	127.0.0.1;
	default-key	"rndckey";
};

server 127.0.0.1 {
	key	"rndckey";
};

# Must be the same secret as "rndckey" in controls.conf (the value of
# the "Key:" line in the generated Krndc.+157+NNNNN.private file).
key "rndckey" {
	algorithm	"hmac-md5";
	secret		"insert local secret key here";
};

#
# This section below is only for "master" DNS server,
# to control a remote dns server with rndc.
# (Note the trailing semicolons on the "key" lines - they are
# mandatory once the block is uncommented.)
#
#server ns1.server.net {
#	key	"ns1key";
#};
#
#server 123.45.67.89 {		# In case ns1.server.net doesn't resolve...
#	key	"ns1key";
#};
#
#key "ns1key" {
#	algorithm	"hmac-md5";
#	secret		"insert ns1's secret key here";
#};
#

delete the Krndc.+157+NNNNN.* files once the secret is in rndc.conf and
controls.conf: they hold it in clear text and nothing reads them again. If you
must keep them, leave them root-owned and chmod 600.



create /dns/etc/controls.conf:
--------------------------------------------------------------------
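controls {
	# to allow rndc from localhost
	inet 127.0.0.1 allow { 127.0.0.1; } keys { rndckey; };

	# to allow rndc from ethernet.  Only the listed addresses may use
	# the control channel (TCP 953 on 172.16.25.100) and they must
	# also present the key; filter 953/tcp from everything else on the
	# network interface as well.
	inet 172.16.25.100 allow {	127.0.0.1;	# localhost
					172.16.202.100;	# itchy
					172.16.202.101;	# scratchy, just in case
				} keys { rndckey; };
};

# Must be the same secret as "rndckey" in rndc.conf (the value of the
# "Key:" line in the generated Krndc.+157+NNNNN.private file).  Never
# paste a live key into a document or example: anyone who copies it can
# drive rndc against this server.  This file is included from
# named.conf and is root:named mode 640 after set-named-perms.sh; keep
# it that way.
key "rndckey" {
	algorithm	"hmac-md5";
	secret		"insert local secret key here";
};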
--------------------------------------------------------------------



add this line to the top of /dns/etc/named.conf:
--------------------------------------------------------------------
include "/etc/controls.conf";
--------------------------------------------------------------------


killall -HUP named   # SIGHUP makes named re-read its configuration; rndc
                     # cannot be used yet because this is the change that
                     # enables the control channel
Server is now configured to listen on TCP port 953 for rndc on 127.0.0.1 and
172.16.25.100. Only the addresses in the controls allow list that also present
the key are accepted; still filter 953/tcp from everything else at the host
firewall.
/dns/sbin/rndc status  # should show "server is up and running"



create init script in /etc/init.d/named:
--------------------------------------------------------------------
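#!/bin/sh
#
# named - start/stop the chrooted BIND (see /dns/scripts/named.start)
#
# usage: named {start|stop|restart|reload|status}
#
# printf is used instead of "echo -n": under a POSIX /bin/sh (dash etc.)
# echo prints "-n" literally.
#

case "$1" in
  start)
	# Start daemons.
	printf 'Starting named: '
	/dns/scripts/named.start
	echo
	;;
  stop)
	# Stop daemons via the control channel in /dns/etc/controls.conf.
	printf 'Shutting down named: '
	/dns/sbin/rndc stop
	echo "done"
	;;
  restart)
	"$0" stop
	# rndc stop returns before named has fully exited; give it a moment
	# so the new instance does not fail to bind its ports.
	sleep 1
	"$0" start
	;;
  reload)
	# Re-read named.conf and changed zone files without a restart.
	/dns/sbin/rndc reload
	;;
  status)
	/dns/sbin/rndc status
	;;
  *)
	printf 'Usage: %s {start|stop|restart|reload|status}\n' "$0" >&2
	exit 1
	;;
esac

exit 0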
--------------------------------------------------------------------
