From owner-svn-doc-all@FreeBSD.ORG Fri May 23 14:56:38 2014
Return-Path:
Delivered-To: svn-doc-all@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 9C2F7C43; Fri, 23 May 2014 14:56:38 +0000 (UTC)
Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 7E3DE254F; Fri, 23 May 2014 14:56:38 +0000 (UTC)
Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.8/8.14.8) with ESMTP id s4NEucFA084541; Fri, 23 May 2014 14:56:38 GMT (envelope-from brd@svn.freebsd.org)
Received: (from brd@localhost) by svn.freebsd.org (8.14.8/8.14.8/Submit) id s4NEucn1084540; Fri, 23 May 2014 14:56:38 GMT (envelope-from brd@svn.freebsd.org)
Message-Id: <201405231456.s4NEucn1084540@svn.freebsd.org>
From: Brad Davis Date: Fri, 23 May 2014 14:56:38 +0000 (UTC) To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org Subject: svn commit: r44916 - head/en_US.ISO8859-1/books/handbook/network-servers X-SVN-Group: doc-head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-doc-all@freebsd.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: "SVN commit messages for the entire doc trees \(except for " user" , " projects" , and " translations" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 23 May 2014 14:56:38 -0000 Author: brd Date: Fri May 23 14:56:38 2014 New Revision: 44916 URL: http://svnweb.freebsd.org/changeset/doc/44916 Log: - Add a section about configuring Unbound in FreeBSD 10. Note that this commit avoids changing all the whitespace in favor of waiting for an automated tool to do that for us. Reviewed by: dru@, Ken Reed Modified: head/en_US.ISO8859-1/books/handbook/network-servers/chapter.xml Modified: head/en_US.ISO8859-1/books/handbook/network-servers/chapter.xml ============================================================================== --- head/en_US.ISO8859-1/books/handbook/network-servers/chapter.xml Fri May 23 14:25:48 2014 (r44915) +++ head/en_US.ISO8859-1/books/handbook/network-servers/chapter.xml Fri May 23 14:56:38 2014 (r44916) 
@@ -3048,7 +3048,82 @@ dhcpd_ifaces="dc0" - How It Works + <acronym>DNS</acronym> Server Configuration in &os; 10.0 + and Later + + In &os; 10.0, BIND has been + replaced with Unbound. + Unbound is a validating caching + resolver only. If an authoritative server is needed, many are + available from the Ports Collection. + + Unbound is provided in the &os; + base system. By default, it will provide + DNS resolution to the local machine only. + While the base system package can be configured to provide + resolution services beyond the local machine, it is + recommended that such requirements be addressed by installing + Unbound from the &os; Ports + Collection. + + To enable Unbound, add the + following to /etc/rc.conf: + + local_unbound_enable="YES" + + Any existing nameservers in + /etc/resolv.conf will be configured as + forwarders in the new Unbound + configuration. + + + If any of the listed nameservers do not support + DNSSEC, local DNS + resolution will fail. Be sure to test each nameserver and + remove any that fail the test. The following command will + show the trust tree or a failure for a nameserver running on + 192.168.1.1: + + + &prompt.user; drill -S FreeBSD.org @192.168.1.1 + + Once each nameserver is confirmed to support + DNSSEC, start + Unbound: + + &prompt.root; service local_unbound onestart + + This will take care of updating + /etc/resolv.conf so that queries for + DNSSEC secured domains will now work. For + example, run the following to validate the FreeBSD.org + DNSSEC trust tree: + + &prompt.user; drill -S FreeBSD.org +;; Number of trusted keys: 1 +;; Chasing: freebsd.org. A + +DNSSEC Trust tree: +freebsd.org. (A) +|---freebsd.org. (DNSKEY keytag: 36786 alg: 8 flags: 256) + |---freebsd.org. (DNSKEY keytag: 32659 alg: 8 flags: 257) + |---freebsd.org. (DS keytag: 32659 digest type: 2) + |---org. (DNSKEY keytag: 49587 alg: 7 flags: 256) + |---org. (DNSKEY keytag: 9795 alg: 7 flags: 257) + |---org. 
(DNSKEY keytag: 21366 alg: 7 flags: 257) + |---org. (DS keytag: 21366 digest type: 1) + | |---. (DNSKEY keytag: 40926 alg: 8 flags: 256) + | |---. (DNSKEY keytag: 19036 alg: 8 flags: 257) + |---org. (DS keytag: 21366 digest type: 2) + |---. (DNSKEY keytag: 40926 alg: 8 flags: 256) + |---. (DNSKEY keytag: 19036 alg: 8 flags: 257) +;; Chase successful + + + + DNS Server Configuration in &os; + 9.<replaceable>X</replaceable> and Earlier In &os;, the BIND daemon is called named. @@ -3096,9 +3171,8 @@ dhcpd_ifaces="dc0" directory. These files contain the DNS information that will be given out by the name server in response to queries. - - + Starting BIND @@ -3133,9 +3207,9 @@ dhcpd_ifaces="dc0" &man.rc.conf.5;. The section is also a good read. - + - + Configuration Files @@ -3150,7 +3224,7 @@ dhcpd_ifaces="dc0" needed is a simple resolver. This is where most of the configuration will be performed. - + <filename>/etc/namedb/named.conf</filename> // $FreeBSD$ @@ -3497,9 +3571,9 @@ zone "1.168.192.in-addr.arpa" { dies or is unreachable, the slave name server will have the transferred zone information and will be able to serve it. - + - + Zone Files @@ -3744,10 +3818,10 @@ mail IN A 192.168. It is worth noting that all names on the right side of a PTR record need to be fully qualified (i.e., end in a .). - - + + - + Caching Name Server @@ -3758,9 +3832,9 @@ mail IN A 192.168. A caching name server is a name server whose primary role is to resolve recursive queries. It simply asks queries of its own, and remembers the answers for later use. - + - + <acronym role="Domain Name Security Extensions">DNSSEC</acronym> @@ -3810,7 +3884,7 @@ mail IN A 192.168. to date. Where configurations differ between 9.6.2 and 9.7 and later, differences will be pointed out. - + Recursive <acronym>DNS</acronym> Server Configuration 
@@ -3954,9 +4028,9 @@ dnssec-validation yes; The resolver is now capable of authenticating DNS queries. - + - + Authoritative <acronym>DNS</acronym> Server Configuration @@ -4085,9 +4159,9 @@ $include Kexample.com.+005+nnnnn.ZSK.key xlink:href="http://www.ietf.org/rfc/rfc4641.txt">RFC 4641: DNSSEC Operational practices. - + - + Automation Using <acronym>BIND</acronym> 9.7 or Later @@ -4127,10 +4201,10 @@ $include Kexample.com.+005+nnnnn.ZSK.key re-signing the zone with the new data added. For further details, see and the BIND documentation. - - + + - + Security Although BIND is the most common implementation of @@ -4155,9 +4229,9 @@ $include Kexample.com.+005+nnnnn.ZSK.key having a fresh build of named may help. - + - + Further Reading BIND/named manual pages: @@ -4245,6 +4319,7 @@ $include Kexample.com.+005+nnnnn.ZSK.key Trust Anchors +
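Review bot: in the new Unbound section (hunk @@ -3048,7 +3048,82 @@), the start step runs `service local_unbound onestart` immediately after the reader has been told to put `local_unbound_enable="YES"` in /etc/rc.conf; with the rc.conf knob set, `service local_unbound start` is the consistent command, and `onestart` is only needed when the service is not enabled, so either change it or say why onestart is used here. Two smaller points in the same hunk: the paragraph "If any of the listed nameservers do not support DNSSEC, local DNS resolution will fail" tells the reader to test each forwarder with `drill -S FreeBSD.org @192.168.1.1` but never says what a passing result looks like; pointing at the `;; Chase successful` line shown in the later example as the success indicator would close that gap. And the trust-tree output lists concrete DNSKEY keytags (36786, 32659, 49587, ...) that change whenever the zone's keys roll, so a sentence noting that the keytags and tree shape in the reader's own output will differ keeps the example from reading as stale.

Review bot: the remaining hunks (from @@ -3096,9 +3171,8 @@ through @@ -4245,6 +4319,7 @@) show only removed and added blank lines around the existing BIND material, which is now nested under the new "DNS Server Configuration in 9.X and Earlier" heading; since the log says re-indenting is deferred to an automated tool, confirm that the chapter still validates and renders with the intended section nesting after this commit, and again once the whitespace pass lands, rather than reviewing these hunks as content changes.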