[[BIND9 20121215]]
----
#contents
----
*Replace the OS-bundled bind with the ports version [#a598d102]
2013-03-14 08:19:57

http://www.yomaigoto.jp/archives/437

 root@ns1:/root # named -v
 BIND 9.8.3-P4
Install the latest BIND from ports. Adding "WITH_REPLACE_BASE=yes" to the make options would replace the base BIND with the ports one completely, but this is not recommended,~
because every freebsd-update run tries to put the base BIND back. Instead, keep both the base and the ports versions installed and choose between them by pointing rc.conf at the named binary that should run.

 root@ns1:/root # portinstall dns/bind99
Options left at their defaults.

#ref(bind99_option.png)
 *************************************************************************
 *           _  _____ _____ _____ _   _ _____ ___ ___  _   _             *
 *          / \|_   _|_   _| ____| \ | |_   _|_ _/ _ \| \ | |            *
 *         / _ \ | |   | | |  _| |  \| | | |  | | | | |  \| |            *
 *        / ___ \| |   | | | |___| |\  | | |  | | |_| | |\  |            *
 *       /_/   \_\_|   |_| |_____|_| \_| |_| |___\___/|_| \_|            *
 *                                                                       *
 *       If you are running BIND 9 in a chroot environment, make         *
 *       sure that there is a /dev/random device in the chroot.          *
 *                                                                       *
 *       BIND 9 also requires configuration of rndc, including a         *
 *       "secret" key.  The easiest, and most secure way to configure    *
 *       rndc is to run 'rndc-confgen -a' to generate the proper conf    *
 *       file, with a new random key, and appropriate file permissions.  *
 *                                                                       *
 *       The /etc/rc.d/named script in the base will do both for you.    *
 *                                                                       *
 *************************************************************************
 ===>   Compressing manual pages for bind99-9.9.2.1
 ===>   Registering installation for bind99-9.9.2.1
 ===> SECURITY REPORT:
       This port has installed the following files which may act as network
       servers and may therefore pose a remote security risk to the system.
 /usr/local/sbin/named-journalprint
 /usr/local/sbin/named
 /usr/local/sbin/rndc-confgen
 /usr/local/sbin/dnssec-verify
 /usr/local/sbin/ddns-confgen
 /usr/local/sbin/dnssec-dsfromkey
 /usr/local/bin/host
 /usr/local/sbin/nsec3hash
 /usr/local/sbin/dnssec-signzone
 /usr/local/bin/nsupdate
 /usr/local/sbin/rndc
 /usr/local/sbin/lwresd
 /usr/local/bin/dig
 /usr/local/sbin/dnssec-revoke
 /usr/local/sbin/dnssec-keygen
 /usr/local/sbin/named-checkzone
 /usr/local/sbin/dnssec-keyfromlabel
 /usr/local/sbin/named-checkconf
 /usr/local/bin/nslookup
 /usr/local/sbin/dnssec-settime
 
       If there are vulnerabilities in these programs there may be a security
       risk to the system. FreeBSD makes no guarantee about the security of
       ports included in the Ports Collection. Please type 'make deinstall'
       to deinstall the port if this is a concern.
 
       For more information, and contact details about the security
       status of this software, see the following webpage:
 https://www.isc.org/software/bind
 ===>  Cleaning for bind99-9.9.2.1
 
Regenerate rndc.key.
http://linux.kororo.jp/cont/server/bind_src.php
 # /usr/local/sbin/rndc-confgen -a -b 512 -k rndckey 

After running the command above, /etc/namedb/rndc.key has been created (or overwritten if it already existed); -b 512 sets the key length in bits and -k rndckey the key name.
 
Next, add the following line to /etc/rc.conf.
 
 [/etc/rc.conf]
 named_program="/usr/local/sbin/named"
 

 # /usr/local/sbin/named -t /var/named -u bind
 # ps ax | grep named
   877  ??  Ss     0:02.38 /usr/sbin/syslogd -l /var/run/log -l /var/named/var/run/log -
 98235  ??  Ss     0:10.87 /usr/local/sbin/named -t /var/named -u bind
  6680   0  S+     0:00.00 grep named

*the working directory is not writable [#a4178455]
 Mar 14 10:44:06 ns1 named[825]: starting BIND 9.9.2-P1 -t /var/named -u bind
 Mar 14 10:44:06 ns1 named[825]: ----------------------------------------------------
 Mar 14 10:44:06 ns1 named[825]: BIND 9 is maintained by Internet Systems Consortium,
 Mar 14 10:44:06 ns1 named[825]: Inc. (ISC), a non-profit 501(c)(3) public-benefit
 Mar 14 10:44:06 ns1 named[825]: corporation.  Support and training for BIND 9 are
 Mar 14 10:44:06 ns1 named[825]: available at https://www.isc.org/support
 Mar 14 10:44:06 ns1 named[825]: ----------------------------------------------------
 Mar 14 10:44:07 ns1 named[825]: command channel listening on 127.0.0.1#953
 Mar 14 10:44:07 ns1 named[825]: the working directory is not writable
 
 Mar 14 10:46:36 ns1 named[825]: the working directory is not writable
 Mar 14 10:46:36 ns1 named[825]: all zones loaded
 Mar 14 10:46:36 ns1 named[825]: running
 Mar 14 11:00:48 ns1 named[825]: the working directory is not writable
 Mar 14 11:00:49 ns1 named[825]: all zones loaded
 Mar 14 11:00:49 ns1 named[825]: running


http://d.hatena.ne.jp/tama0905/20110729/1311934233
 
Changing "/set type=dir uname=root gname=wheel mode=0755" in /etc/mtree/BIND.chroot.dist to uname=bind made the error stop, and the directory owner became bind as well.


http://www.geocities.jp/yasasikukaitou/rndc2.html
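Changing that /set line makes every directory of the chroot tree owned by bind, the etc/namedb directory holding named.conf and the master zones included. The owner of a directory can unlink and replace the files in it, so named itself, running as bind, could then rewrite its own configuration, which gives up part of what the chroot and the unprivileged user were meant to provide. The warning only concerns the directory named by the directory option (journals, dump and statistics files go there); the stock FreeBSD named.conf of that era points it at /etc/namedb/working, which the stock mtree spec already creates owned by bind, so the narrower fix is to make only that directory writable. The script below is an added example, not from this page or from FreeBSD: it lists what the named user could touch under etc/namedb and flags the configuration itself. The chroot path /var/named and the user name bind are the FreeBSD defaults; the test tree is constructed.

```shell
#!/bin/sh
# Added example, not part of the original page or of FreeBSD: audit what the named user
# can modify inside the chroot after the mtree ownership change. Assumed layout is the
# FreeBSD one, chroot at /var/named with the configuration under etc/namedb.

# List entries below ROOT/etc/namedb that USER can replace or write: entries owned by USER
# and world-writable entries. A directory owner can unlink or rename anything inside it
# whatever the individual files are owned by, so an etc/namedb owned by bind means a
# compromised named could drop in its own named.conf or zone files.
writable_by_named() {              # writable_by_named ROOT USER
    find "$1/etc/namedb" \( -user "$2" -o -perm -0002 \) -print | sort
}

# Return 0 if neither named.conf, the etc/namedb directory itself nor master/ is
# touchable by USER; 1 if any of them is.
config_is_protected() {            # config_is_protected ROOT USER
    if writable_by_named "$1" "$2" | grep -E -q '/etc/namedb($|/named\.conf$|/master(/|$))'; then
        return 1
    fi
    return 0
}

# Live audit of the real chroot (run as root): ./audit.sh live
if [ "${1-}" = live ]; then
    echo "writable by bind under /var/named/etc/namedb:"
    writable_by_named /var/named bind
    if config_is_protected /var/named bind; then
        echo "named.conf and master/ are read-only for bind"
    else
        echo "WARNING: bind can replace named.conf or master zone files" >&2
    fi
fi
```

A clean result is an empty listing except for working/ (and slave/ and dynamic/ if they are used), with the verdict that named.conf and master/ are read-only for bind.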


***Check the version [#ya82173d]
 
 root@ns1:/root # named -v
 BIND 9.8.3-P4
shows the OS-bundled version, because /usr/sbin comes before /usr/local/sbin in root's default PATH, so a plain named resolves to the base binary.

 root@ns1:/root # rndc status
on the other hand shows the version installed from ports, because rndc reports the version of the server it is actually talking to, not of whichever named binary is first in PATH.

 WARNING: key file (/etc/namedb/rndc.key) exists, but using default  configuration file (/etc/namedb/rndc.conf)
 version: 9.9.2-P1
 CPUs found: 1
 worker threads: 1
 UDP listeners per interface: 1
 number of zones: 39
 debug level: 0
 xfers running: 0
 xfers deferred: 0
 soa queries in progress: 0
 query logging is OFF
 recursive clients: 0/0/1000
 tcp clients: 0/100
 server is up and running
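To confirm that the switch really took effect, compare what rc.conf will start with what the running server reports instead of trusting named -v. The script below is an added example, not from this page: it reads named_program from an rc.conf file, parses the version out of named -v and rndc status output, and flags a mismatch. The base and ports binary paths are the FreeBSD defaults; the rc.conf lines and command output in the test are constructed. Run it with the argument live on the host; without arguments it only defines the functions.

```shell
#!/bin/sh
# Added example, not part of the original page: check that the ports named is the one
# rc.conf will start AND the one currently answering rndc. `named -v` alone only tells
# you which binary is first in PATH. Assumed paths: /usr/sbin/named (base),
# /usr/local/sbin/named (ports), /etc/rc.conf.

# Print the value of NAME from an rc.conf-style file (last uncommented assignment wins).
rc_var() {                         # rc_var FILE NAME
    sed -n "s/^[[:space:]]*$2=[\"']\{0,1\}\([^\"']*\)[\"']\{0,1\}.*/\1/p" "$1" | tail -n 1
}

# "BIND 9.8.3-P4" (output of `named -v`) -> "9.8.3-P4"; reads stdin.
named_v_version() {
    sed -n 's/^BIND \([^ ]*\).*/\1/p' | head -n 1
}

# "version: 9.9.2-P1" (line of `rndc status`) -> "9.9.2-P1"; reads stdin.
# rndc reports the version of the server it talked to, so this reflects the running process.
rndc_status_version() {
    sed -n 's/^version: *\([^ ]*\).*/\1/p' | head -n 1
}

# Compare the version rc.conf will start with the version the live server reports.
# Returns 0 on match, 1 on mismatch, 2 if rc.conf does not set named_program at all
# (then /etc/rc.d/named falls back to the base /usr/sbin/named from /etc/defaults/rc.conf).
check_named_switch() {             # check_named_switch RC_FILE NAMED_V_OUTPUT RNDC_STATUS_OUTPUT
    local prog want have
    prog=$(rc_var "$1" named_program)
    if [ -z "$prog" ]; then
        echo "named_program not set in $1; rc would start /usr/sbin/named" >&2
        return 2
    fi
    want=$(printf '%s\n' "$2" | named_v_version)
    have=$(printf '%s\n' "$3" | rndc_status_version)
    if [ "$want" = "$have" ]; then
        echo "OK: rc.conf starts $prog ($want) and the running server is $have"
        return 0
    fi
    echo "MISMATCH: rc.conf starts $prog ($want) but the running server is $have; restart named" >&2
    return 1
}

# Live check on the real host: needs both binaries, a running named and rndc access.
verify_live() {
    local prog
    echo "first in PATH: $(command -v named) -> $(named -v)"
    echo "base:          $(/usr/sbin/named -v)"
    echo "ports:         $(/usr/local/sbin/named -v)"
    prog=$(rc_var /etc/rc.conf named_program)
    check_named_switch /etc/rc.conf "$("${prog:-/usr/sbin/named}" -v)" "$(rndc status 2>/dev/null)"
}

if [ "${1-}" = live ]; then verify_live; fi
```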

*WARNING on rndc reload [#e68f1ff2]
https://lists.isc.org/pipermail/bind-users/2010-October/081444.html

 root@ns1:/root # rndc reload
 WARNING: key file (/etc/namedb/rndc.key) exists, but using default configuration file (/etc/namedb/rndc.conf)
 server reload successful

I got this WARNING.

 mv /var/named/etc/namedb/rndc.conf /var/named/etc/namedb/rndc.conf_stop

That made it go away.
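The WARNING is rndc saying that it found /etc/namedb/rndc.conf and used it, ignoring rndc.key: rndc only reads rndc.key when no rndc.conf exists. Moving rndc.conf aside therefore works, but a stale rndc.conf carrying an old secret would have made every rndc command fail against the new key rather than merely warn, so what is worth checking is whether the two files agree. And because the secret is all that is needed to reload, freeze or stop the server over the command channel, the key file must stay unreadable by group and others. The script below is an added example, not from this page, that checks both; the paths are the FreeBSD ones and the key blocks used in the test are constructed.

```shell
#!/bin/sh
# Added example, not part of the original page: check whether rndc.conf and rndc.key
# carry the same key, and whether the key file is private. rndc prefers rndc.conf when
# it exists and only falls back to rndc.key otherwise, which is what the WARNING says.
# Assumed paths are the FreeBSD ones under /etc/namedb.

# Print one field (name, algorithm or secret) of the first key { } block in FILE.
key_field() {                      # key_field FILE name|algorithm|secret
    case "$2" in
        name)      sed -n 's/^[[:space:]]*key[[:space:]]\{1,\}"\{0,1\}\([^"{ ]*\)"\{0,1\}[[:space:]]*{.*/\1/p' "$1" | head -n 1 ;;
        algorithm) sed -n 's/^[[:space:]]*algorithm[[:space:]]\{1,\}\([^; ]*\)[[:space:]]*;.*/\1/p' "$1" | head -n 1 ;;
        secret)    sed -n 's/^[[:space:]]*secret[[:space:]]\{1,\}"\([^"]*\)"[[:space:]]*;.*/\1/p' "$1" | head -n 1 ;;
    esac
}

# Returns 0 when rndc.conf is absent (rndc uses rndc.key, no warning) or when both files
# hold the same key (the warning is cosmetic and the stale rndc.conf can simply be deleted),
# 1 when they differ (rndc would sign with a secret named does not know). Secrets are never printed.
rndc_keys_consistent() {           # rndc_keys_consistent RNDC_KEY RNDC_CONF
    local f a b
    if [ ! -f "$2" ]; then
        echo "no $2: rndc uses $1"
        return 0
    fi
    for f in name algorithm secret; do
        a=$(key_field "$1" "$f")
        b=$(key_field "$2" "$f")
        if [ "$a" != "$b" ]; then
            echo "$f differs between $1 and $2; regenerate or remove $2" >&2
            return 1
        fi
    done
    echo "$1 and $2 hold the same key; $2 is redundant"
    return 0
}

# The secret grants full control of named over the command channel (reload, stop, flush, ...),
# so the file must not be readable by group or others. Returns 0 if private, 1 if not.
key_file_private() {               # key_file_private FILE
    [ -z "$(find "$1" -maxdepth 0 \( -perm -0040 -o -perm -0004 \))" ]
}

# Live check on the real host: ./rndc-check.sh live
if [ "${1-}" = live ]; then
    rndc_keys_consistent /etc/namedb/rndc.key /etc/namedb/rndc.conf
    key_file_private /etc/namedb/rndc.key || echo "WARNING: /etc/namedb/rndc.key is readable by group or others" >&2
fi
```

When both files hold the same key, deleting rndc.conf is the cleaner fix than renaming it; when they differ, rerun rndc-confgen so that the key named points at and the one rndc sends are generated together.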

