bind9 - Domain Name System server, resolver library, and related tools ChangeLog



# ISC BIND
# ========
# Slackware 14.0: bind 9.9.1-P3
# Slackware 14.1: bind 9.9.3-P2
# Slackware 14.2: bind 9.10.4-P1
# Slackware 15.0: bind 9.16.25
# Check /pub/slackware/*/patches for updates

# Prerequisites:
# pkg-config
# libtool
# ctags
# Perl
# Python (optional; --with-python for some scripts)
#   pip (setuptools' easy_install also works but is deprecated)
#   The Python PLY module (Python Lex-Yacc)
# OpenSSL >= 0.9.6e (for DNSSEC; --with-openssl)
# For the statistics channel, either:
# libxml2 (optional; --with-libxml2)
#   or
#   json-c (optional; --with-libjson)
#   LaTeX/tex
#   w3m
#   libxslt
#   doxygen
#   curl
# LMDB (optional)
# GeoIP library (optional; --with-geoip -- check ./configure --help for the
#   current flag name on your release)
#
# dnstap (optional; --enable-dnstap):
#   fstrm
#   protobuf-c
# Rational Purify (optional; memory debugger)
# gperftools (--with-gperftools-profiler)
# readline
# idnkit (--with-idn --with-idnlib)
# libidn2 (--with-libidn2)
# libiconv (--with-libiconv --with-iconv)
# DLZ (dynamic loadable zone) drivers:
#   PostgreSQL (--with-dlz-postgres)
#   MySQL or MariaDB (--with-dlz-mysql)
#   Berkeley DB (--with-dlz-bdb)
#   OpenLDAP (--with-dlz-ldap)
#   ODBC (--with-dlz-odbc)

# Various BIND resources, all of which, and then some, are available via the
# ISC web site linked to above:
# BIND Administrator Reference Manual (ARM)
# ISC knowledge base -> BIND9
# ISC mailing lists - including bind-announce, bind-users
# DNS-related RFCs
# ISC web site -> Community -> Tools and Resources
# In each source distribution: README, FAQ, HISTORY, CHANGES
# O'Reilly: DNS and BIND, 5th Edition

# Keep in mind that even though I cover multiple versions here (when I do),
# and may still use an older one in a place or two, the instructions are
# mainly written against the current release.

# For LDAP sdb support, see the bind9-ldap HOWTO (outdated)

# OpenSSL < 1.1.0 uses /usr/local/ssl for the default prefix.  >= 1.1.0 uses
# /usr/local.  If yours is under the former, pass
# --with-openssl=/usr/local/ssl to configure.  Otherwise, --with-openssl
# alone will probably be good enough.

# If you want to be able to run 'make test', read through
# bin/tests/system/README


# ISC BIND 9.18.21 (Current-Stable; ESV extended support version)
# ================
# Prerequisites (beyond those listed above), if you have and want to use
# pandoc
# OpenSSL >= 1.0.0 or LibreSSL >= 2.7.0
# Python >= 2.7 or >= 3.2
# libuv >= 1.0.0
# nghttp2
# jemalloc (optional)

# (OpenSSL >= 0.9.7l or >= 0.9.8d were the "minimum safe" versions named in
# old ISC advisories; they are long superseded by the >= 1.0.0 requirement
# above.  What matters now is an OpenSSL/LibreSSL release that still
# receives security fixes, since it is the crypto library under named.)

# BIND 9.18.x EOL date is Q1 2026

# Release Notes for BIND Version 9.18.21

# BIND 9 Administrator Reference Manual
# Also available under the source tree in ./doc/arm/

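# Get the source
cd
test -f installed/bind-9.18.21.tar.xz &&
mv installed/bind-9.18.21.tar.xz .
test ! -f bind-9.18.21.tar.xz &&
wget https://downloads.isc.org/isc/bind9/9.18.21/bind-9.18.21.tar.xz

# Verify tarball w/ sha256sum:
# (this came from my gpg-verified tarball;
#  this works too: openssl sha256 bind-9.18.21.tar.xz)
# A hash copied from a web page only shows you got the same bytes the page
# author did; the gpg check below is the real one.  Do not extract or build
# unless this prints "bind-9.18.21.tar.xz: OK".
echo "a556be22505d9ea4f9c6717aee9c549739c68498aff3ca69035787ecc648fe\
c5  bind-9.18.21.tar.xz" | sha256sum -c

# Verify tarball w/ gpg:
# (there are sha256 and sha512 signatures too)
# (PGP keys are here: https://www.isc.org/pgpkey/)
# 'gpg --verify' exits 0 for a "Good signature" made by ANY key in your
# keyring, trusted or not, and the keyblock here comes from the same web
# site as the tarball.  So the chain below also prints the full fingerprint
# of every imported isc.org key: compare it with the ISC PGP key page above
# (a short key ID is not enough, those can be forged) before accepting the
# result.  The .asc is only removed when the signature verified.
wget -nc https://www.isc.org/docs/isc-keyblock.asc -O - 2> /dev/null |
gpg --import &&
 gpg --fingerprint | grep -B1 'isc\.org' &&
  wget -nc https://downloads.isc.org/isc/bind9/9.18.21/\
bind-9.18.21.tar.xz.asc &&
   gpg --verify bind-9.18.21.tar.xz.asc &&
    rm bind-9.18.21.tar.xz.asc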

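# Extract the source, clean up old versions' source
# (steps are chained so that a failed cd or tar does not leave the rest
#  running in ~/src, e.g. chown'ing or configuring the wrong tree)
mkdir -p -m 0700 ~/src
cd ~/src &&
 find . -maxdepth 1 -type d -name 'bind-*' -exec rm -r -- {} + &&
  tar xJvf ~/bind-9.18.21.tar.xz &&
   cd bind-9.18.21 &&
    { test "$UID" != 0 || chown -R root:root . ; }

# If you have Python, install/update the PLY module with pip.  The 9.18
# configure line below does not pass --with-python, so this is only needed
# if you use the Python tools.  Note it installs code from PyPI system-wide
# as root and upgrades the system pip -- a distro package, or a venv for
# the user that runs the tools, is the safer choice:
su -c "python3 -m pip install --upgrade pip ply"
# or use easy_install:
#su -c "easy_install --upgrade ply"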

# See './configure --help' for all of the options

## If you use a 64-bit OpenSSL installed fully under /usr/local/ssl, which
## was the default prefix until 1.1.0, put this at the beginning of the
## configure line:
# LDFLAGS=-L/usr/local/ssl/lib64
## and replace the --with-openssl below with:
# --with-openssl=/usr/local/ssl
##
## You should not need to specify any path in --with-openssl if yours is
## installed under prefix /usr or /usr/local  If you are 64-bit with
## libraries in /usr/local/lib64, make sure that is in /etc/ld.so.conf
## (and run ldconfig)

# --enable-rrl is no longer required, it's built in to >= 9.10.x
# --enable-fetchlimit is no longer required, it's built in to >= 9.11.x
# --enable-threads is not there any more
# --disable-ipv6 is not there any more

# Configure it.  The option set is the same on every architecture; only
# the 64-bit x86 build additionally points libdir at /usr/lib64.
configure_opts=(--prefix=/usr --sysconfdir=/etc --localstatedir=/var
                --mandir=/usr/man --with-openssl --with-libidn2
                --with-libxml2 --enable-dnstap --enable-full-report)
case "$(uname -m)" in
  x86_64) configure_opts+=(--libdir=/usr/lib64) ;;
esac
./configure "${configure_opts[@]}"

# Build it
make

# Test the build - may need to be done as root
# See info in README.md and bin/tests/system/ifconfig.sh and
# bin/tests/system/README
make check

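# Become root to install it
su

# Date stamp for the backups below, computed once so both names agree even
# if the date rolls over between commands
stamp=$(date +%Y%m%d)

# If you have a /var/named, back it up
# If you can, shut down named to avoid partially written files in there
# The backup can contain TSIG/rndc/DNSSEC private keys, so it is created
# under umask 077 (never briefly readable by others) in a 0700 directory.
# The cd is guarded: without it a failed cd would archive the current
# directory instead.
test -d /var/named &&
( umask 077
   cd /var/named || exit 1
   mkdir -p -m 0700 ~/backup/bind
   tar cJvf ~/backup/bind/var-named-"$stamp".tar.xz . &&
    chmod 600 ~/backup/bind/var-named-"$stamp".tar.xz )

# If you have a /etc/rndc.conf, back it up.  If you run named in a chroot
# jail, this may be in the real /etc because you can run 'rndc' as root
# or within the chroot by running it with the 'chroot' command.  See
# 'man rndc.conf' for more information about the configuration file.
# (it usually embeds the rndc secret, hence the 0600)
test -f /etc/rndc.conf &&
( umask 077
   mkdir -p -m 0700 ~/backup/bind
   cp -a /etc/rndc.conf ~/backup/bind/rndc.conf-"$stamp" &&
    chmod 600 ~/backup/bind/rndc.conf-"$stamp" )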

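# Remove the Slackware package, if there is one
# If you do this, it should not remove your /etc/rc.d/rc.bind or
#  /etc/named.conf, they are named with .new in the package file,
#  but it will remove /etc/bind.keys
# If you need a replacement bind.keys, see the bottom for info
test -x /sbin/removepkg && /sbin/removepkg bind

# If upgrading, clean up includes from previous releases so you don't end up
# with no longer used .h files.
for incdir in bind9 dns irs isc isccc isccfg lwres pk11 pkcs11; do
  test -d "/usr/include/$incdir" && rm -r -- "/usr/include/$incdir"
done

# If upgrading, clean up libraries from previous releases
# This may break anything other than BIND that is using them (or a running
# named).  Just in case, you may want to compare file dates before doing
# this.  (or just don't do it)
# Note this runs BEFORE 'make install': if the install then fails there are
# no BIND libraries left at all, so have the previous tarball (installed/)
# at hand.  To see who currently has them mapped:
#   lsof 2>/dev/null | grep -E 'lib(bind9|dns|irs|isc|isccc|isccfg|lwres)\.'
# Directories that do not exist are skipped instead of making find complain.
for pfx in /usr/local /usr; do
  for libdir in "$pfx/lib64" "$pfx/lib"; do
    test -d "$libdir" || continue
    for lib in bind9 dns irs isc isccc isccfg lwres; do
      find "$libdir" -maxdepth 1 -name "lib$lib.*" -exec rm -f -- {} +
    done
  done
done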

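# Install the new version of BIND
make install
ldconfig

## NOTE: if you run named in a chroot, you will need to copy OpenSSL
## lib|lib64 and engine files in there.  Same path, but below the chroot.
## Repeat this after every OpenSSL upgrade, otherwise the named inside the
## chroot keeps loading the old, unpatched libcrypto.
# cp -a /usr/local/lib64/libcrypto.* /var/named/usr/local/lib64/
# cp -a /usr/local/lib64/libssl.* /var/named/usr/local/lib64/
# cp -a /usr/local/lib64/engines-1.1/* /var/named/usr/local/lib64/engines-1.1/
# cp -a /usr/local/lib64/engines-3/* /var/named/usr/local/lib64/engines-3/
#
# And /etc/bind.keys should go in the chroot also (it holds the DNSSEC
# trust anchors, so it must stay root-owned and not writable by 'named')
test -s /etc/bind.keys && cp -a /etc/bind.keys /var/named/etc/

# Make sure your non-root user can remove the source later
# 'logname' can fail (no utmp entry / no controlling tty); guard it so an
# empty expansion does not turn this into a bare 'chown -R .'
owner=$(logname) && test -n "$owner" && chown -R -- "$owner" .
chmod -R u+w .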

# Look in /usr/lib*/ for old versions of shared library files, maybe check
# with 'lsof' first, then zap (or don't)

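# Become yourself again
exit

# Save the source for later.  Chained so that the old tarballs are only
# removed once the directory exists and the new one is only moved after
# that; a failure part way through leaves the fresh tarball in ~.
cd &&
 mkdir -p -m 0700 installed &&
  rm -f installed/bind-*.tar.* &&
   mv bind-9.18.21.tar.xz installed/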

# Skip down to the bottom for a few miscellaneous notes about running named



# ISC BIND 9.16.44 (Current-Stable, ESV)
# ================
# Prerequisites (beyond those listed above), if you have and want to use
# pandoc
# OpenSSL >= 1.0.0 or LibreSSL >= 2.7.0
# Python >= 2.7 or >= 3.2
# libuv >= 1.0.0

# (OpenSSL >= 0.9.7l or >= 0.9.8d were the "minimum safe" versions named in
# old ISC advisories; they are long superseded by the >= 1.0.0 requirement
# above.  What matters now is an OpenSSL/LibreSSL release that still
# receives security fixes, since it is the crypto library under named.)

# BIND 9.16.x EOL date is Q1 2024: after that it receives no more security
# fixes, so (given this page's last-updated date) treat it as legacy, use
# 9.18 for new installs and plan the upgrade of existing ones

# Release Notes for BIND Version 9.16.44

# BIND 9 Administrator Reference Manual
# Also available under the source tree in ./doc/arm/

# Changes to be aware of when moving from BIND 9.11 to 9.16

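# Get the source
cd
test -f installed/bind-9.16.44.tar.xz &&
mv installed/bind-9.16.44.tar.xz .
test ! -f bind-9.16.44.tar.xz &&
wget https://downloads.isc.org/isc/bind9/9.16.44/bind-9.16.44.tar.xz

# Verify tarball w/ sha256sum:
# (this came from my gpg-verified tarball;
#  this works too: openssl sha256 bind-9.16.44.tar.xz)
# A hash copied from a web page only shows you got the same bytes the page
# author did; the gpg check below is the real one.  Do not extract or build
# unless this prints "bind-9.16.44.tar.xz: OK".
echo "cfaa953c36d5ca42d9584fcf9653d07c85527b59687e7c4d4cb8071272db67\
54  bind-9.16.44.tar.xz" | sha256sum -c

# Verify tarball w/ gpg:
# (there are sha256 and sha512 signatures too)
# (PGP keys are here: https://www.isc.org/pgpkey/)
# 'gpg --verify' exits 0 for a "Good signature" made by ANY key in your
# keyring, trusted or not, and the keyblock here comes from the same web
# site as the tarball.  So the chain below also prints the full fingerprint
# of every imported isc.org key: compare it with the ISC PGP key page above
# (a short key ID is not enough, those can be forged) before accepting the
# result.  The .asc is only removed when the signature verified.
wget https://www.isc.org/docs/isc-keyblock.asc -O - 2> /dev/null |
gpg --import &&
 gpg --fingerprint | grep -B1 'isc\.org' &&
  wget -nc https://downloads.isc.org/isc/bind9/9.16.44/\
bind-9.16.44.tar.xz.asc &&
   gpg --verify bind-9.16.44.tar.xz.asc &&
    rm bind-9.16.44.tar.xz.asc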

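# Extract the source, clean up old versions' source
# (steps are chained so that a failed cd or tar does not leave the rest
#  running in ~/src, e.g. chown'ing or configuring the wrong tree)
mkdir -p -m 0700 ~/src
cd ~/src &&
 find . -maxdepth 1 -type d -name 'bind-*' -exec rm -r -- {} + &&
  tar xJvf ~/bind-9.16.44.tar.xz &&
   cd bind-9.16.44 &&
    { test "$UID" != 0 || chown -R root:root . ; }

# If you have Python, install/update the PLY module with pip (needed for
# the --with-python tools in the configure line below).  Note this installs
# code from PyPI system-wide as root and upgrades the system pip -- a
# distro package, or a venv for the user that runs the tools, is the safer
# choice:
su -c "python3 -m pip install --upgrade pip ply"
# or use easy_install:
#su -c "easy_install --upgrade ply"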

# See './configure --help' for all of the options

## If you use a 64-bit OpenSSL installed fully under /usr/local/ssl, which
## was the default prefix until 1.1.0, put this at the beginning of the
## configure line:
# LDFLAGS=-L/usr/local/ssl/lib64
## and replace the --with-openssl below with:
# --with-openssl=/usr/local/ssl
##
## You should not need to specify any path in --with-openssl if yours is
## installed under prefix /usr or /usr/local  If you are 64-bit with
## libraries in /usr/local/lib64, make sure that is in /etc/ld.so.conf
## (and run ldconfig)

# --enable-rrl is no longer required, it's built in to >= 9.10.x
# --enable-fetchlimit is no longer required, it's built in to >= 9.11.x
# --enable-threads is not there any more
# --disable-ipv6 is not there any more

# Configure it.  The option set is the same on every architecture; only
# the 64-bit x86 build additionally points libdir at /usr/lib64.
configure_opts=(--prefix=/usr --sysconfdir=/etc --localstatedir=/var
                --mandir=/usr/man --with-python --with-openssl
                --with-libidn2 --with-libxml2 --with-libtool
                --enable-dnstap --enable-full-report)
case "$(uname -m)" in
  x86_64) configure_opts+=(--libdir=/usr/lib64) ;;
esac
./configure "${configure_opts[@]}"

# Build it
make

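# Become root to install it
su

# Date stamp for the backups below, computed once so both names agree even
# if the date rolls over between commands
stamp=$(date +%Y%m%d)

# If you have a /var/named, back it up
# If you can, shut down named to avoid partially written files in there
# The backup can contain TSIG/rndc/DNSSEC private keys, so it is created
# under umask 077 (never briefly readable by others) in a 0700 directory.
# The cd is guarded: without it a failed cd would archive the current
# directory instead.
test -d /var/named &&
( umask 077
   cd /var/named || exit 1
   mkdir -p -m 0700 ~/backup/bind
   tar cJvf ~/backup/bind/var-named-"$stamp".tar.xz . &&
    chmod 600 ~/backup/bind/var-named-"$stamp".tar.xz )

# If you have a /etc/rndc.conf, back it up.  If you run named in a chroot
# jail, this may be in the real /etc because you can run 'rndc' as root
# or within the chroot by running it with the 'chroot' command.  See
# 'man rndc.conf' for more information about the configuration file.
# (it usually embeds the rndc secret, hence the 0600)
test -f /etc/rndc.conf &&
( umask 077
   mkdir -p -m 0700 ~/backup/bind
   cp -a /etc/rndc.conf ~/backup/bind/rndc.conf-"$stamp" &&
    chmod 600 ~/backup/bind/rndc.conf-"$stamp" )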

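# Remove the Slackware package, if there is one
# If you do this, it should not remove your /etc/rc.d/rc.bind or
#  /etc/named.conf, they are named with .new in the package file,
#  but it will remove /etc/bind.keys
# If you need a replacement bind.keys, see the bottom for info
test -x /sbin/removepkg && /sbin/removepkg bind

# If upgrading, clean up includes from previous releases so you don't end up
# with no longer used .h files.
for incdir in bind9 dns irs isc isccc isccfg lwres pk11 pkcs11; do
  test -d "/usr/include/$incdir" && rm -r -- "/usr/include/$incdir"
done

# If upgrading, clean up libraries from previous releases
# This may break anything other than BIND that is using them (or a running
# named).  Just in case, you may want to compare file dates before doing
# this.
# Note this runs BEFORE 'make install': if the install then fails there are
# no BIND libraries left at all, so have the previous tarball (installed/)
# at hand.  To see who currently has them mapped:
#   lsof 2>/dev/null | grep -E 'lib(bind9|dns|irs|isc|isccc|isccfg|lwres)\.'
# Directories that do not exist are skipped instead of making find complain.
for pfx in /usr/local /usr; do
  for libdir in "$pfx/lib64" "$pfx/lib"; do
    test -d "$libdir" || continue
    for lib in bind9 dns irs isc isccc isccfg lwres; do
      find "$libdir" -maxdepth 1 -name "lib$lib.*" -exec rm -f -- {} +
    done
  done
done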

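# Install the new version of BIND
make install
ldconfig

## NOTE: if you run named in a chroot, you will need to copy OpenSSL
## lib|lib64 and engine files in there.  Same path, but below the chroot.
## Repeat this after every OpenSSL upgrade, otherwise the named inside the
## chroot keeps loading the old, unpatched libcrypto.
# cp -a /usr/local/lib64/libcrypto.* /var/named/usr/local/lib64/
# cp -a /usr/local/lib64/libssl.* /var/named/usr/local/lib64/
# cp -a /usr/local/lib64/engines-1.1/* /var/named/usr/local/lib64/engines-1.1/
#
# And /etc/bind.keys should go in the chroot also (it holds the DNSSEC
# trust anchors, so it must stay root-owned and not writable by 'named')
test -s /etc/bind.keys && cp -a /etc/bind.keys /var/named/etc/

# Make sure your non-root user can remove the source later
# 'logname' can fail (no utmp entry / no controlling tty); guard it so an
# empty expansion does not turn this into a bare 'chown -R .'
owner=$(logname) && test -n "$owner" && chown -R -- "$owner" .
chmod -R u+w .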

# Look in /usr/lib*/ for old versions of shared library files, maybe check
# with 'lsof' first, then zap

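# Become yourself again
exit

# Save the source for later.  Chained so that the old tarballs are only
# removed once the directory exists and the new one is only moved after
# that; a failure part way through leaves the fresh tarball in ~.
cd &&
 mkdir -p -m 0700 installed &&
  rm -f installed/bind-*.tar.* &&
   mv bind-9.16.44.tar.xz installed/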

# Skip down to the bottom for a few miscellaneous notes about running named




### Miscellaneous notes about running BIND named

# Anything done below assumes that you are root

## If you run the named daemon, these named.conf lines were the classic
## counter to Verisign's Sitefinder wildcard (withdrawn in 2003) for people
## that use your nameserver; they are kept here for reference.  The zone
## type rewrites answers for the whole TLD, so before adding them check in
## the ARM that your release still accepts 'type delegation-only'.
## If you use views, add them to the view that handles recursive lookups.
# zone "com" { type delegation-only; };
# zone "net" { type delegation-only; };

## Here's is a more severe alternative that will enforce delegation-only for
## any TLD that is _not_ listed (you'd use this instead of "type
## delegation-only"):
# root-delegation-only exclude {
#   "ad"; "ar"; "biz"; "cr"; "cu"; "de"; "dm"; "id"; "lu"; "lv"; "md"; "ms";
#   "museum"; "name"; "no"; "pa"; "pf"; "sr"; "to"; "tw"; "us"; "uy";
# };

# Also if you run the named daemon, I highly suggest running named in a
# chroot-jail as a non-root user.  I put everything under /var/named and run
# it like this: "/usr/sbin/named -u named -t /var/named"
# I've never read it, but this howto may help you if you plan to do this:
# https://tldp.org/HOWTO/Chroot-BIND-HOWTO.html

# For DNSSEC validation, you can use the compiled-in root trust anchor
# (the default, 'dnssec-validation auto') or load the root key from the
# bind.keys file (bindkeys-file option).  Do not configure DLV
# (dnssec-lookaside): ISC shut down its lookaside registry and current
# releases no longer support the option -- check the ARM for your version.
# If validation is set, named reads the key out of bind.keys the first time
# it executes.  If you use /var/named as a chroot, put it in /var/named/etc,
# otherwise in /etc.  The file is a trust anchor, so it must not be writable
# by the named user: if you run named as user 'named' (a member of group
# 'named'), root:named and 640 should work for you.  For more info, read:
# https://isc.org/bind-keys/
# https://isc.org/dnssec/
# https://bind9.readthedocs.io/en/latest/dnssec-guide.html
# https://ftp.isc.org/isc/bind9/9.18.21/doc/arm/html/chapter5.html
# (also available in ./doc/arm/ under the source)
# ...and configuration file info about bindkeys-file, dnssec-lookaside &
#  dnssec-validation:
# https://ftp.isc.org/isc/bind9/9.18.21/doc/arm/html/chapter5.html#dnssec-validation
#  (also available in ./doc/arm/ under the source)
#
# The bind.keys file is usually available in the top level directory of the source
#
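# Get the latest online:
# (this file is your DNSSEC trust anchor: whoever can change it decides
#  what your resolver accepts as validly signed, so do not skip the
#  signature check below.  The bind.keys shipped in the source tarball you
#  just built is the one matched to that release; the 9.11-format file may
#  use older syntax, so check the ARM for your release before using it.)
if test -d /var/named/etc; then cd /var/named/etc; else cd /etc; fi
wget -nc https://downloads.isc.org/isc/bind9/keys/9.11/bind.keys.v9_11
#
# Verify it w/ gpg.  Do not fetch the signing key by an 8-hex-digit key ID
# from a keyserver: short IDs are trivially collided and 'gpg --verify'
# happily reports "Good signature" from an untrusted key.  Import ISC's
# published keyblock instead and compare the FULL fingerprint printed here
# with https://www.isc.org/pgpkey/ before trusting the result.
verified=no
wget https://www.isc.org/docs/isc-keyblock.asc -O - 2> /dev/null |
gpg --import &&
 gpg --fingerprint | grep -B1 'isc\.org' &&
  wget -nc https://ftp.isc.org/isc/bind9/keys/9.11/bind.keys.v9_11.asc &&
   gpg --verify bind.keys.v9_11.asc && verified=yes
rm -f bind.keys.v9_11.asc
#
# Only if it verified OK, put it in place (the previous copy is kept as
# bind.keys.old, following a symlink if that is what it was)
test "$verified" = yes &&
( test -L bind.keys && ( cp -L bind.keys bind.keys.old ; rm bind.keys )
   test -f bind.keys && mv -f bind.keys bind.keys.old
   mv -f bind.keys.v9_11 bind.keys &&
    chown root:named bind.keys &&
     chmod 640 bind.keys )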

# For info about the rate limiting feature (--enable-rrl with < 9.10.x):
# https://kb.isc.org/article/AA-01000/0/A-Quick-Introduction-to-Response-Rate-Limiting.html
# ...and configuration file info about rate-limit:
# https://ftp.isc.org/isc/bind9/9.18.21/doc/arm/html/reference.html?highlight=rate+limit
#  (also available in ./doc/arm/ under the source)

# For info about fetch limits (--enable-fetchlimit before 9.11.x):
# ISC KB AA-01304
# Configuration file info about fetches-per-server and fetches-per-zone:
# https://ftp.isc.org/isc/bind9/9.18.21/doc/arm/html/reference.html?highlight=fetch+limits

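# You can use the compiled-in defaults, which would never change if you
# never upgrade BIND, but if you have named configured to use an external
# root hints file (named 'root-hints' here), update it.
# dig exits 0 for SERVFAIL/REFUSED and its output is never empty (failures
# still print ';;' comment lines), so 'test -s' alone would happily install
# a hints file with no servers in it: check dig's status and that the
# answer actually holds root NS records first.  The hints are only used to
# find the root servers for priming, but a bad hints file steers every cold
# start; this unauthenticated fetch is a convenience, the authoritative copy
# with a PGP signature is https://www.internic.net/domain/named.root (.sig
# alongside).
stamp=$(date +%Y%m%d)
if dig ns . @a.root-servers.net > /var/named/root-hints.new &&
   grep -q '^\.[[:space:]].*[[:space:]]NS[[:space:]]' /var/named/root-hints.new
then
  mkdir -p -m 0700 ~/backup/bind
  if test -e /var/named/root-hints; then
    mv -f /var/named/root-hints ~/backup/bind/root-hints-"$stamp" &&
     chown root:root ~/backup/bind/root-hints-"$stamp" &&
      chmod 600 ~/backup/bind/root-hints-"$stamp"
  fi
  mv -f /var/named/root-hints.new /var/named/root-hints
  chown root:named /var/named/root-hints
  chmod 640 /var/named/root-hints
else
  echo "root hints query failed; keeping the existing file" >&2
  rm -f /var/named/root-hints.new
fi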

# If you don't have a rc.bind init-script, you can find the latest
# Slackware rc.bind init script here:
# (they are probably the same for Slackware or Slackware-64)
# ftp://ftp.slackware.com/pub/slackware/slackware-current/source/n/bind/rc.bind
# ftp://ftp.slackware.com/pub/slackware/slackware64-current/source/n/bind/rc.bind

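# If you have a /etc/rc.d/rc.bind that sources /etc/default/named,
# you may want something like this for no IPv6 (-4), chroot in /var/named
# (-t), run as user 'named' (-u).  Written under umask 077 so the file is
# never world-readable, even for an instant, and only created if absent:
test ! -f /etc/default/named &&
( umask 077
   printf '%s\n' 'NAMED_OPTIONS="-4 -u named -t /var/named"' \
    > /etc/default/named &&
    chmod 600 /etc/default/named )

# If you have named configured and you will be running the daemon, make sure
# your rc.bind script is executable:
test -e /etc/rc.d/rc.bind && chmod 700 /etc/rc.d/rc.bind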


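# If you ever want to uninstall BIND, this should do it:
# (it also deletes /etc/named.conf, rndc.conf and bind.keys -- take the
#  backups from the install section first if you may want them back.
#  Every 'cd' is chained with '&&' so that a missing directory never makes
#  the following 'rm' run in whatever directory you happen to be in.)
cd
su
for srcdir in src/bind-*; do
  test -d "$srcdir" && ( cd "$srcdir" && make uninstall )
done
( cd /etc && rm -f bind.keys named.conf named.conf.dist rndc.conf )
( cd /usr/bin &&
  rm -f arpaname bind9-config delv dig host isc-config.sh mdig \
   named-rrchecker nslookup nsupdate )
( cd /usr/include &&
  for dir in bind9 dns dnst irs isc isccc isccfg lwres pk11 pkcs11; do
    test -d "./$dir" && rm -r -- "./$dir"
  done )
for libdir in /usr/lib /usr/lib64; do
  test -d "$libdir" || continue
  for libfile in bind9 dns irs isc isccc isccfg lwres; do
    rm -f -- "$libdir"/lib"$libfile".*
  done
done
( cd /usr/man/man1 &&
  rm -f arpaname.1 bind9-config.1 delv.1 dig.1 host.1 isc-config.sh.1 \
   mdig.1 named-rrchecker.1 nslookup.1 )
rm -f /usr/man/man3/lwres_*.3
( cd /usr/man/man5 && rm -f named.conf.5 rndc.conf.5 )
( cd /usr/man/man8 &&
  rm -f ddns-confgen.8 dnssec-*.8 genrandom.8 isc-hmac-fixup.8 \
   lwresd.8 named.8 named-*.8 nsec3hash.8 rndc.8 rndc-confgen.8 \
   tsig-keygen.8 )
( cd /usr/sbin &&
  rm -f ddns-confgen dnssec-* genrandom isc-hmac-fixup named-* \
   nsec3hash rndc-confgen tsig-keygen )
ldconfig
exit
find ~/src -maxdepth 1 -type d -name 'bind-*' -exec rm -r -- {} +
rm -f ~/installed/bind-*.tar.*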


Web page itself last updated: 2023-12-20 8:06pm (EDT -0400)
HOWTO last updated: 2024-02-11 4:23pm
Copyright © 2001-2024 Jason Englander. All Rights reserved.