BIND package configuration
--------------------------
Documentation and packaging structure
-------------------------------------
The BIND documentation is in the sub-package bind-doc. All shared libraries
are in the bind-libs package. As 'named' and lwresd are by default configured
to run in a chroot jail, bind-chrootenv is required by both packages, bind and
bind-lwresd. All DNS utilities are in the bind-utils package. Static
libraries and header files are in bind-devel.
createNamedConfInclude
----------------------
Each configuration file snippet listed in NAMED_CONF_INCLUDE_FILES in
/etc/sysconfig/named is added by this script as a single include statement
to the file /etc/named.conf.include, provided it passes a check with
named-checkconf and isn't already included directly in /etc/named.conf. This
meta file is included at the end of the main configuration file,
/etc/named.conf.
Including files this way might be useful if you set
MODIFY_NAMED_CONF_DYNAMICALLY to "yes" in /etc/sysconfig/network/config.
The directory config/ contains some example files that illustrate this
mechanism.
/etc/named.d/ is intended as the location for additional 'named' configuration
snippets. If you place a file there, you can omit the leading '/etc/named.d/'
part of the filename when adding it to NAMED_CONF_INCLUDE_FILES in
/etc/sysconfig/named.
To disable this mechanism, remove createNamedConfInclude from
NAMED_INITIALIZE_SCRIPTS in /etc/sysconfig/named and remove or comment out the
include statement for the meta file at the end of the main configuration file.
Sysconfig settings can be modified with the YaST sysconfig editor or any other
editor.
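As an added example that is not the package's createNamedConfInclude script,
the following POSIX shell functions reproduce the mechanism described above:
they walk a NAMED_CONF_INCLUDE_FILES-style list, resolve bare names against the
snippet directory (/etc/named.d/ on a real system), run every snippet through
named-checkconf (assumed to be on PATH; the CHECKCONF variable is an assumption
of this example so another checker can be substituted), leave out snippets
that are missing, fail the check or are already included directly in the main
file, and write the remaining ones as include statements. The paths are
parameters so the functions can be run against a scratch tree.

```shell
#!/bin/sh
# Added example, not the SUSE createNamedConfInclude script: rebuild the include
# meta file the way the text describes. The main config, the snippet directory
# and the checker command are parameters so it can be run against scratch files
# (assumption: named-checkconf is on PATH unless CHECKCONF overrides it).

# build_named_conf_include MAIN_CONF SNIPPET_DIR "snippet1 snippet2 ..."
# Prints one include statement per snippet that exists, passes the checker and
# is not already included directly in MAIN_CONF; skipped ones go to stderr.
build_named_conf_include() {
    main_conf=$1
    snippet_dir=$2
    list=$3
    checker=${CHECKCONF:-named-checkconf}
    for snippet in $list; do
        case $snippet in
            /*) path=$snippet ;;                  # absolute path: used as given
            *)  path="$snippet_dir/$snippet" ;;   # bare name: lives in /etc/named.d/
        esac
        if [ ! -r "$path" ]; then
            # Like the init script: a missing snippet is left out, not fatal.
            echo "skipping $snippet: $path is missing" >&2
            continue
        fi
        if ! "$checker" "$path" >/dev/null 2>&1; then
            # A snippet with a syntax error would keep named from starting at
            # all, so it is left out of the meta file as well.
            echo "skipping $snippet: rejected by $checker" >&2
            continue
        fi
        # Already included directly by the main file (by full path or bare
        # name)? Including it twice may make named reject the configuration
        # because of duplicate definitions.
        if grep -Eq "^[[:space:]]*include[[:space:]]+\"($path|$snippet)\"" "$main_conf"; then
            continue
        fi
        printf 'include "%s";\n' "$path"
    done
}

# write_named_conf_include OUT_FILE MAIN_CONF SNIPPET_DIR "snippet ..."
# Same, but writes the result through a temporary file and renames it, so a
# concurrent reload never sees a half-written /etc/named.conf.include.
write_named_conf_include() {
    target=$1
    shift
    tmp="$target.tmp.$$"
    build_named_conf_include "$@" > "$tmp" && mv "$tmp" "$target"
}

# Typical invocation on a SUSE system (as root, with named-checkconf installed):
#   . /etc/sysconfig/named
#   write_named_conf_include /etc/named.conf.include /etc/named.conf \
#       /etc/named.d "$NAMED_CONF_INCLUDE_FILES"
```

The duplicate check only looks at the main file, not at the other snippets, so
two snippets that both define the same zone still have to be caught by running
named-checkconf on the complete /etc/named.conf before reloading.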
The BIND init script
--------------------
The init script, /etc/init.d/named or rcnamed, checks whether all configuration
files are available. If /etc/rndc.key or /etc/named.conf.include is absent,
it is created. If one of the files from NAMED_CONF_INCLUDE_FILES is
missing, the script createNamedConfInclude is called to create a new
/etc/named.conf.include file without the missing configuration snippet.
The init script also copies all configuration files into the chroot
jail, /var/lib/named/, when called with start, reload, restart, or
try-restart. Edit the files under /etc/, not the copies inside the jail:
the copies are overwritten on the next start or reload.
rndc access
-----------
The additional configuration file /etc/named.d/rndc-access.conf is provided to
limit rndc access to and from localhost only. The same file also contains a
less restrictive example.
You have to activate it by adding rndc-access.conf to
NAMED_CONF_INCLUDE_FILES in /etc/sysconfig/named with the YaST sysconfig
editor or any other editor.
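As an added illustration of what such a snippet looks like in named.conf
syntax (it is not the contents of the package's /etc/named.d/rndc-access.conf;
read that file for the real thing), the following restricts the rndc control
channel to the loopback address. The key name rndc-key is an assumption and
must match the key that /etc/rndc.key, as generated by the init script,
actually defines; the snippet also assumes that /etc/named.conf does not
already include /etc/rndc.key, because a key defined twice is a configuration
error.

```conf
// Added illustration, not the package's /etc/named.d/rndc-access.conf.
// Assumes /etc/rndc.key defines a key named "rndc-key" and that the main
// /etc/named.conf does not already include it.
include "/etc/rndc.key";

controls {
    // Listen on the loopback address only and accept only clients that
    // connect from it and sign their commands with the key from /etc/rndc.key.
    inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; };

    // Less restrictive variant, kept as a comment: listen on every address and
    // also accept signed commands from a management network (192.0.2.0/24 is
    // the RFC 5737 documentation range, used here as a placeholder).
    // inet * port 953 allow { 127.0.0.1; 192.0.2.0/24; } keys { "rndc-key"; };
};
```

Run named-checkconf on the complete /etc/named.conf before reloading. After the
reload, rndc status from localhost should succeed, while port 953 must not be
reachable from any other host; rndc itself falls back to /etc/rndc.key when no
/etc/rndc.conf exists, so the client and the server share the same secret.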
File permissions
----------------
The BIND daemon process 'named' runs by default in a chroot jail,
/var/lib/named/, and as user 'named'. You can disable the chroot behaviour by
setting NAMED_RUN_CHROOTED to "no" in /etc/sysconfig/named, with the YaST
sysconfig editor or any other editor.
By default the BIND package uses /var/lib/named/ to store its zone files.
For security reasons 'named' runs as user 'named' while the name server
directory is owned by user and group root, so the daemon cannot write there.
Therefore slave zone files can only be stored in /var/lib/named/slave/,
because this directory is owned by user 'named'.
The same applies to dynamically updated zones. Here the zone and the journal
files must be owned by 'named' so that the 'named' process can write them.
From time to time, as an intermediate step, 'named' dumps the current content
of the journal into a newly created temporary file, so the directory itself
must be writable by 'named' as well, not only the zone file.
If you use dynamically updated zones, you must change the file definition of
the affected zone to use the subdirectory /var/lib/named/dyn/, as in the
following example:

    zone "example.net" IN {
        type master;
        file "dyn/example.net.zone";
        #[ other unlisted options ]
    };
The owner of /etc/named.conf is set to root:named and its permissions to 0640
by default. This way only root can change the file, the user named (and thus
the 'named' process) can read it, and others cannot access it at all. This is
indispensable if the configuration file contains shared secrets, such as the
keys used to authenticate zone updates or the rndc key. Ensure that all
'named' configuration files are readable by either the user or the group
'named'.
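As an added example that is not part of the BIND package, the following POSIX
shell functions check the rules from this section against an installation: the
main configuration file must be root:named with mode 0640, the name server
directory must stay owned by root while slave/ and dyn/ and everything inside
them belong to the daemon user, and every configuration file must be readable
by the user or group 'named'. The paths and the user and group names are
parameters so the checks can also be run against a scratch tree; the example
assumes GNU coreutils' stat -c.

```shell
#!/bin/sh
# Added example, not part of the BIND package: check the ownership and mode
# rules from this section against a named installation or a scratch tree.
# Assumes GNU coreutils' stat -c; paths, user and group names are parameters.

# check_owner FILE USER [GROUP]: 0 if FILE is owned by USER (and GROUP, if given)
check_owner() {
    owner=$(stat -c '%U' "$1") || return 1
    [ "$owner" = "$2" ] || { echo "FAIL $1: owner $owner, want $2"; return 1; }
    [ -z "$3" ] && return 0
    group=$(stat -c '%G' "$1")
    [ "$group" = "$3" ] || { echo "FAIL $1: group $group, want $3"; return 1; }
}

# check_mode FILE MODE: 0 if FILE has exactly the octal MODE, e.g. 640
check_mode() {
    mode=$(stat -c '%a' "$1") || return 1
    [ "$mode" = "$2" ] || { echo "FAIL $1: mode $mode, want $2"; return 1; }
}

# readable_by FILE USER GROUP: 0 when USER can read FILE as its owner, through
# the group bits as a member of GROUP, or through the world bits; 1 otherwise
readable_by() {
    file=$1; user=$2; grp=$3
    info=$(stat -c '%U %G %a' "$file") || return 1
    set -- $info
    owner=$1; group=$2; perm=$3
    # perm is printed without a leading zero, so it is safe in arithmetic;
    # pick the owner, group and other digits and test their read bit (4).
    u=$((perm / 100 % 10)); g=$((perm / 10 % 10)); o=$((perm % 10))
    [ "$owner" = "$user" ] && [ $((u & 4)) -ne 0 ] && return 0
    [ "$group" = "$grp" ] && [ $((g & 4)) -ne 0 ] && return 0
    [ $((o & 4)) -ne 0 ]
}

# check_named_conf CONF GROUP: root:GROUP and mode 640, as the package sets it
check_named_conf() {
    check_owner "$1" root "$2" && check_mode "$1" 640
}

# audit_zone_dirs ZONE_DIR USER
# ZONE_DIR (the name server directory) must stay owned by root so the daemon
# cannot drop files there, while ZONE_DIR/slave and ZONE_DIR/dyn and everything
# inside them must be owned by USER, or named cannot write slave transfers,
# journals and the temporary files it creates when dumping a zone.
# Prints a FAIL line per finding and returns the number of findings.
audit_zone_dirs() {
    zdir=$1; user=$2; failures=0
    check_owner "$zdir" root || failures=$((failures + 1))
    for sub in slave dyn; do
        check_owner "$zdir/$sub" "$user" || failures=$((failures + 1))
        for f in "$zdir/$sub"/*; do
            [ -e "$f" ] || continue          # unexpanded glob: directory is empty
            check_owner "$f" "$user" || failures=$((failures + 1))
        done
    done
    return "$failures"
}

# On a SUSE system (as root):
#   check_named_conf /etc/named.conf named
#   audit_zone_dirs /var/lib/named named
#   for f in /etc/named.d/*.conf; do readable_by "$f" named named || echo "unreadable: $f"; done
```

When named runs chrooted, repeat the checks on the copies under
/var/lib/named/etc/ after a start or reload, because those are the files the
daemon actually opens.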