Date: Mon, 16 Apr 2001 11:42:35 -0400
From: Pio Prado <pio.prado@starmedia.net>
To: "'questions@freebsd.org'" <questions@freebsd.org>
Subject: Bind-9.1.1 help
Message-ID: <945A5180E4D0D311BF620008C7A457B90B716FAA@nyexch01.starmedia.net>
Hi,

I installed a copy of Bind-9.1.1 from the Ports Collection on FreeBSD 4.3.rc3 (both installations are new). I am following Trevin Chow's installation instructions for Bind (see attachment). I have come across these 2 errors and am unable to finish.

1- While booting and starting the final network daemons I get these errors:

    /usr/local/sbin/named[171]: couldn't open pid file '/var/run/named.pid': Permission denied
    /usr/local/sbin/named[171]: exiting (due to early fatal error)

2- After booting and logging in, when I try to generate a DNS key (step 3 of Trevin's instructions) I get this error:

    dnssec-keygen: failed to generate key rndc./57: out of entropy

<<configuring BIND 9.txt>>

Thx for the help

Pio

[Attachment: configuring BIND 9.txt]

Configuring and getting BIND 9 to work:
=======================================

Tested with: FreeBSD 4.3 RC
Last tested: April 5th, 2001

Assumptions:
 - user "bind" and group "bind" have been created with NO login privileges
 - your named configuration files are in directory /etc/namedb
 - your named zone files are in a sandbox in directory /etc/namedb/s and its owner is bind

1. Do an 'ndc stop' and deinstall/remove previous installations of BIND as necessary. Often, the BIND 8 binary is installed as /sbin/named. In this case, for simplicity, you don't really need to remove it, since the BIND 9 port will install to /usr/local/sbin.

2. Compile and install the BIND 9 port in /usr/ports/net/BIND9:

       # make
       # make install

3. Edit /etc/rc.conf to contain (or modify):

       named_enable="YES"
       named_program="/usr/local/sbin/named"
       named_flags="-c /etc/namedb/named.conf -u bind"

   note: If you were running BIND 8 previously, the second line above likely would have been:

       named_program="/sbin/named"

   In this case, just change it to be "/usr/local/sbin/named". This will be the binary for BIND 9.

4. Create a secure DNS key with dnssec-keygen:

       # dnssec-keygen -a hmac-md5 -b 128 -n user rndc

   This will create 2 files in the current directory, with extensions .private and .key. Cat one of these files and you will see a KEY string. Make note of it.

5. Create /usr/local/etc/rndc.conf with these contents (Note: we use the KEY generated in step 4 here):

       key "rndc_key" {
           algorithm "hmac-md5";
           secret "<KEY FROM STEP #4 goes here>";
       };

       options {
           default-server localhost;
           default-key "rndc_key";
       };

6. Edit named.conf, which should be /etc/namedb/named.conf. The top of the file should read:

       options {
           directory "/etc/namedb";
           pid-file "/etc/namedb/s/named.pid";  // use sandbox
           auth-nxdomain no;  // default is 'no', but just put to avoid warning msgs

           /*
            * If there is a firewall between you and nameservers you want
            * to talk to, you might need to uncomment the query-source
            * directive below. Previous versions of BIND always asked
            * questions using port 53, but BIND 8.1 uses an unprivileged
            * port by default.
            */
           query-source address * port 53;

           /*
            * If running in a sandbox, you may have to specify a different
            * location for the dumpfile.
            */
           dump-file "s/named_dump.db";
       };

   Add these lines before the section for 'zone "."':

       controls {
           inet 127.0.0.1 allow { localhost; } keys { "rndc_key"; };
       };

       key "rndc_key" {
           algorithm "hmac-md5";
           secret "<KEY FROM STEP #4 goes here>";
       };

7. BIND 9 is more strict than BIND 8 and requires the following lines at the top of each of your zone files:

       $ORIGIN foo.com.
       $TTL 86400

   where foo.com. should be the domain that this zone file is for.

8. Reboot, or start BIND 9 with:

       # /usr/local/sbin/named -c /etc/namedb/named.conf -u bind

   note: BIND 8 used to accept the option "-g" for which group BIND should run as. This option has been eliminated.

9. You should now be able to issue commands such as "rndc reload" to reload. "ndc" is deprecated in BIND 9.

   For good measure, make the old BIND 8 binaries non-executable and move them to different names:

       # chmod 444 /usr/sbin/ndc
       # chmod 444 /usr/sbin/named
       # mv /usr/sbin/ndc /usr/sbin/ndc.old
       # mv /usr/sbin/named /usr/sbin/named.old
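Added example (not code from Pio's mail or from Trevin Chow's instructions): a Python script that produces the rndc.conf and named.conf fragments of steps 5 and 6 from one shared secret and checks the two properties that the mail's errors hinge on. First, the secret in rndc.conf and the secret in named.conf must be byte-for-byte identical, or rndc cannot authenticate to named. Second, with `-u bind` named drops to an unprivileged user before writing its pid file, so a pid-file under root-owned /var/run fails with exactly the "Permission denied" quoted above; the tutorial's `pid-file "/etc/namedb/s/named.pid"` inside the bind-owned sandbox is what avoids that. The secret is drawn from the OS CSPRNG through Python's `secrets` module rather than from dnssec-keygen, which sidesteps the "out of entropy" failure (dnssec-keygen also accepts `-r` to choose another randomness device). The function names, the sample `.private` file contents and the sandbox path default are this example's own assumptions; the key name `rndc_key`, the hmac-md5 algorithm and the 128-bit size follow the tutorial.

```python
"""Generate an rndc HMAC-MD5 shared secret and the matching rndc.conf /
named.conf stanzas, then cross-check both sides. Added example; helper
names are hypothetical, not BIND's or the tutorial's own."""
import base64
import re
import secrets

KEY_NAME = "rndc_key"   # key name used in the tutorial
ALGORITHM = "hmac-md5"  # algorithm the tutorial selects
KEY_BITS = 128          # dnssec-keygen -b 128


def generate_secret(bits: int = KEY_BITS) -> str:
    """Fresh base64 secret, the same shape dnssec-keygen -a hmac-md5 puts
    on its 'Key:' line. Uses the OS CSPRNG instead of dnssec-keygen."""
    if bits % 8:
        raise ValueError("key size must be a whole number of bytes")
    return base64.b64encode(secrets.token_bytes(bits // 8)).decode("ascii")


def secret_from_private_file(text: str) -> str:
    """Extract the secret from a dnssec-keygen K*.private file, which
    carries a single 'Key: <base64>' line; other lines are ignored."""
    m = re.search(r"^Key:\s*(\S+)\s*$", text, re.MULTILINE)
    if not m:
        raise ValueError("no 'Key:' line found in private key file")
    return m.group(1)


def validate_secret(secret: str, bits: int = KEY_BITS) -> bytes:
    """Decode the base64 secret and confirm its length. A truncated or
    hand-edited secret only surfaces later as an rndc signature error,
    so reject it before any config is written."""
    try:
        raw = base64.b64decode(secret, validate=True)
    except ValueError as exc:  # binascii.Error subclasses ValueError
        raise ValueError(f"secret is not valid base64: {exc}") from exc
    if len(raw) * 8 != bits:
        raise ValueError(f"secret is {len(raw) * 8} bits, expected {bits}")
    return raw


def key_stanza(secret: str) -> str:
    """The key {} block that rndc.conf and named.conf share verbatim."""
    return (
        f'key "{KEY_NAME}" {{\n'
        f'    algorithm "{ALGORITHM}";\n'
        f'    secret "{secret}";\n'
        "};\n"
    )


def rndc_conf(secret: str) -> str:
    """Contents for /usr/local/etc/rndc.conf (tutorial step 5)."""
    return key_stanza(secret) + (
        "\noptions {\n"
        "    default-server localhost;\n"
        f'    default-key "{KEY_NAME}";\n'
        "};\n"
    )


def named_conf_controls(secret: str) -> str:
    """controls {} and key {} blocks for named.conf (tutorial step 6).
    Listening on 127.0.0.1 and allowing only localhost keeps the control
    channel off the wire; the key is what actually authenticates."""
    return (
        "controls {\n"
        f'    inet 127.0.0.1 allow {{ localhost; }} keys {{ "{KEY_NAME}"; }};\n'
        "};\n\n"
    ) + key_stanza(secret)


_SECRET_RE = re.compile(r'secret\s+"([^"]*)"\s*;')


def secrets_match(rndc_text: str, named_text: str) -> bool:
    """True when each fragment carries exactly one secret and the two are
    identical (compared in constant time)."""
    a = _SECRET_RE.findall(rndc_text)
    b = _SECRET_RE.findall(named_text)
    return len(a) == 1 and len(b) == 1 and secrets.compare_digest(a[0], b[0])


def pid_file_in_sandbox(named_text: str, sandbox: str = "/etc/namedb/s") -> bool:
    """True when named.conf's pid-file sits under the bind-owned sandbox.
    With -u bind, a pid-file under root-owned /var/run is what produces
    the 'Permission denied' in the mail; /etc/namedb/s is an assumption."""
    m = re.search(r'pid-file\s+"([^"]+)"\s*;', named_text)
    return bool(m) and m.group(1).startswith(sandbox.rstrip("/") + "/")


if __name__ == "__main__":
    # Constructed sample of a dnssec-keygen Krndc.+157+NNNNN.private file.
    sample_private = (
        "Private-key-format: v1.2\n"
        "Algorithm: 157 (HMAC_MD5)\n"
        "Key: " + generate_secret() + "\n"
    )
    key = secret_from_private_file(sample_private)
    validate_secret(key)
    print(rndc_conf(key))
    print(named_conf_controls(key))
    print("secrets match:", secrets_match(rndc_conf(key), named_conf_controls(key)))
```

Run it once, paste the first printout into /usr/local/etc/rndc.conf and the second into named.conf ahead of the zone stanzas, and keep rndc.conf readable only by root: whoever can read the secret can issue `rndc stop` against the server. If you did generate the key with dnssec-keygen, feed the `.private` file to `secret_from_private_file` instead of calling `generate_secret`.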