bind9 - Domain Name System server, resolver library, and related tools
ChangeLog
| Web site: | https://isc.org/bind/ |
| Repository: | https://gitlab.isc.org/isc-projects/bind9 |
| Wikipedia: | https://en.wikipedia.org/wiki/BIND |
HOWTO
# ISC BIND
# ========
# Slackware 14.0: bind 9.9.1-P3
# Slackware 14.1: bind 9.9.3-P2
# Slackware 14.2: bind 9.10.4-P1
# Slackware 15.0: bind 9.16.25
# Check /pub/slackware/*/patches for updates
# As this is written...
# 9.18.x = Older Stable, ESV - EoL Q2 2026
# 9.20.x = Current Stable, ESV - EoL Q2 2028
# 9.21.x = Development - EoL Q2 2028
# Prerequisites:
# pkg-config
# libtool
# ctags
# Perl
# Python (optional; --with-python for some scripts)
# pip or setuptools' easy_install
# The Python PLY module (Python Lex-Yacc)
# OpenSSL >= 0.9.6e (for DNSSEC; --with-openssl)
# For the statistics channel, either:
# libxml2 (optional; --with-libxml2)
# or
# json-c (optional; --with-libjson)
# LaTeX/tex
# w3m
# libxslt
# doxygen
# curl
# LMDB (optional)
# (optional; --with-geoip)
# dnstap (optional; --enable-dnstap):
# fstrm
# protobuf-c
# Rational Purify (optional; memory debugger)
# gperftools (--with-gperftools-profiler)
# readline
# idnkit (--with-idn --with-idnlib; Slackware 15.0 no longer includes this)
# libidn2 (--with-libidn2)
# glibc's iconv or libiconv (--with-libiconv --with-iconv)
# DLZ (dynamic loadable zone) drivers:
# PostgreSQL (--with-dlz-postgres)
# MySQL or MariaDB (--with-dlz-mysql)
# Berkeley DB (--with-dlz-bdb)
# OpenLDAP (--with-dlz-ldap)
# ODBC (--with-dlz-odbc)
# pandoc
# jemalloc (optional)
# Various BIND resources, all of which, and then some, are available via the
# ISC web site linked to above:
# BIND Administrator Reference Manual (ARM)
# ISC knowledge base -> BIND 9 Significant Features Matrix
# ISC mailing lists - including bind-announce, bind-users
# DNS-related RFCs
# DNS Tools
# In each source distrubution: README, FAQ, HISTORY, CHANGES
# O'Reilly: DNS and BIND, 5th Edition
# Specific configurations:
# DNS over HTTPS with BIND 9.17
# BIND Implements DoH
# DNSSEC Key and Signing Policy
# Bind 9 configuration reference: dnssec-policy
# See notes below about rate limiting, fetch limits, DNSSEC.
# Keep in mind that even though I cover multiple versions here (if I do this
# time), and I may be using the older ones in a place or two too, I will
# mainly be using the current release.
# For LDAP sdb support, see the bind9-ldap HOWTO (outdated)
# OpenSSL < 1.1.0 uses /usr/local/ssl for the default prefix. >= 1.1.0 uses
# /usr/local. If yours is under the former, pass
# --with-openssl=/usr/local/ssl to configure. Otherwise, --with-openssl
# with will probably be good enough.
# If you want to be able to run 'make test', read through
# bin/tests/system/README
# ISC BIND 9.20.12 (2025-08-20, EoL Q2 2028)
# ================
# 9.20.x = Current Stable, ESV
# Prerequisites (beyond those listed above), if you have and want to use
# OpenSSL >= 1.0.0 or LibreSSL >= 2.7.0
# Python >= 2.7 or >= 3.2
# libuv >= 1.0.0
# nghttp2
# cmocka >= 1.1.3 (unit testing)
# liburcu
# OpenSSL >= 0.9.7l or >= 0.9.8d are the minimum safe versions for this
# release. Support for OpenSSL 3.0.0 was added to BIND 9.18
# New BIND releases are available: 9.18.39, 9.20.12, 9.21.11
# Release Notes for BIND Version 9.20.12
# Changes to be aware of when moving from BIND 9.16 to 9.18
# BIND Wiki: Known Issues in BIND 9.20
# CHANGES (from Git repo)
# BIND 9 Administrator Reference Manual
# - Also available as a PDF
# - Also available under the source tree in ./doc/arm/
# Get the source tarball
cd
test -f installed/bind-9.20.12.tar.xz &&
mv installed/bind-9.20.12.tar.xz .
test ! -f bind-9.20.12.tar.xz &&
wget https://downloads.isc.org/isc/bind9/9.20.12/bind-9.20.12.tar.xz
# Verify tarball w/ sha256sum:
# (this came from my gpg-verified tarball)
# [ OpenSSL works too: openssl sha256 bind-9.20.12.tar.xz
# coreutils 'cksum' works too: cksum -a sha256 bind-9.20.12.tar.xz
# Perl's 'shasum' works too: shasum -a 256 bind-9.20.12.tar.xz ]
echo "dd32d6eb67504e8a430aaf70b4ef894f3d0226b44c7e02370c9b0d377f1c79\
99 bind-9.20.12.tar.xz" | sha256sum -c
# If you do not already have the required key and the the below gpg
# verification can't get a key from a keyserver, download
# and import isc-keyblock.asc from https://www.isc.org/pgpkey/
wget https://www.isc.org/docs/isc-keyblock.asc -O - 2> /dev/null |
gpg --import
# Verify tarball w/ gpg:
# (there are sha256 and sha512 signatures too)
# (PGP keys are here: https://www.isc.org/pgpkey/)
(gpg --list-keys 182E23579462EFAA > /dev/null 2>&1 ||
gpg --recv-keys 182E23579462EFAA ) &&
wget -nc https://downloads.isc.org/isc/bind9/9.20.12/\
bind-9.20.12.tar.xz.asc &&
gpg --verify bind-9.20.12.tar.xz.asc && rm bind-9.20.12.tar.xz.asc
# Extract the source, clean up old versions' source
mkdir -p -m 0700 ~/src
cd ~/src
find -maxdepth 1 -type d -name "bind-*" -exec rm -r {} \;
tar xJvf ~/bind-9.20.12.tar.xz
cd bind-9.20.12
test $UID = 0 && chown -R root:root .
## If you have Python, install/update the PLY module with pip:
# https://pip.pypa.io/warnings/venv
su -c "python3 -m pip install --upgrade pip ply"
# or use easy_install:
#su -c "easy_install --upgrade ply"
# See './configure --help' for all of the options
## If you use a 64-bit OpenSSL installed fully under /usr/local/ssl, which
## was the default prefix until 1.1.0, put this at the beginning of the
## configure line:
#
LDFLAGS=-L/usr/local/ssl/lib64## and replace the --with-openssl below with:
#
--with-openssl=/usr/local/ssl##
## You should not need to specify any path in --with-openssl if yours is
## installed under prefix /usr or /usr/local If you are 64-bit with
## libraries in /usr/local/lib64, make sure that is in /etc/ld.so.conf
## (and run ldconfig)
# --enable-rrl is no longer required, it's built in to >= 9.10.x
# --enable-fetchlimit is no longer required, it's built in to >= 9.11.x
# --enable-threads is not there any more
# --disable-ipv6 is not there any more
# Configure it 64-bit:
test $(uname -m) = 'x86_64' &&
./configure --prefix=/usr --sysconfdir=/etc --libdir=/usr/lib64 \
--localstatedir=/var --mandir=/usr/man --with-openssl --with-libidn2 \
--with-libxml2 --enable-dnstap --enable-full-report
# Configure it, anything else:
test $(uname -m) != 'x86_64' &&
./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var \
--mandir=/usr/man --with-openssl --with-libidn2 --with-libxml2 \
--enable-dnstap --enable-full-report
# Build it
make
# Test the build - some parts need to be done as root
# See info in README.md and bin/tests/system/ifconfig.sh and
# bin/tests/system/README.md
# Become root to install it
su
# If you have a /var/named, back it up
# If you can, shut down named to avoid partially written files in there
test -d /var/named &&
( cd /var/named
mkdir -p -m 0700 ~/backup/bind
tar cJvf ~/backup/bind/var-named-$(date +%Y%m%d).tar.xz \
--exclude='proc' .
chmod 600 ~/backup/bind/var-named-$(date +%Y%m%d).tar.xz )
# If you have a /etc/rndc.conf, back it up. If you run named in a chroot
# jail, this may be in the real /etc because you can run 'rndc' as root
# or within the chroot by running it with the 'chroot' command. See
# 'man rndc.conf' for more information about the configuration file.
test -f /etc/rndc.conf &&
( mkdir -p -m 0700 ~/backup/bind
cp -a /etc/rndc.conf ~/backup/bind/rndc.conf-$(date +%Y%m%d)
chmod 600 ~/backup/bind/rndc.conf-$(date +%Y%m%d) )
# If you do not have a /etc/rndc.conf, 'rndc-confgen' will output one for
# you. If you run named with a chroot, either copy the .key file in there,
# or use 'secret' to store it in rndc.conf
# See 'man rndc-confgen' and 'man rndc.conf' for more information.
# (or the online documentation https://bind9.readthedocs.io/en/v9.20.12/manpages.html)
# Remove the Slackware package, if there is one
# If you do this, it should not remove your /etc/rc.d/rc.bind or
# /etc/named.conf, they are named with .new in the package file,
# but it will remove /etc/bind.keys
# If you need a replacement bind.keys, see the bottom for info
# [ probably not needed, it is a compiled-in default now ]
test -x /sbin/removepkg && /sbin/removepkg bind
# If upgrading, remove these if you have an old version that put them in
# /usr/sbin, they will go in /usr/bin now
find /usr/sbin/ -type f -name "dnssec-*" -exec rm {} \;
rm -f /usr/sbin/dnssec-*
# If upgrading, clean up includes from previous releases so you don't end up
# with no longer used .h files.
for incdir in bind9 dns dst irs isc isccc isccfg lwres ns pk11 pkcs11;
do ( cd /usr/include
test -d ./${incdir} && rm -r ./${incdir} )
done
# If upgrading, you could clean up libraries from previous releases...
# ...but you don't normally need to unless you are very low on disk space.
# If you can, shut down named first, because it is linked with the most
# recent ones. For example, after you run 'make install', you will have
# /usr/lib*/lib*-9.20.12.so
# ***
# Removing them may also break anything other than BIND that is using them.
# ***
# Just in case, you may want to compare file dates before doing this.
# Maybe run find but leave off the -exec part, remove them manually...
# Or, just don't do it. It's not going to give you a signifcant amount of
# reclaimed disk space.
for pfx in /usr/local /usr; do
for lib in bind9 dns irs isc isccc isccfg lwres; do
find ${pfx}/lib64 ${pfx}/lib -maxdepth 1 -name "lib${lib}-*.so" \
-exec rm {} \;
done
done
# If you have an old named-checkconf that used to go in /usr/sbin
rm -f /usr/sbin/named-checkconf /usr/man/man8/named-checkconf.8
# Install the new version of BIND
make install
ldconfig
## NOTE: if you run named in a chroot, you will need to copy OpenSSL
## lib|lib64 and engine files in there. Same path, but below the chroot.
# cp -a /usr/local/lib64/libcrypto.* /var/named/usr/local/lib64/
# cp -a /usr/local/lib64/libssl.* /var/named/usr/local/lib64/
# cp -a /usr/local/lib64/engines-1.1/* /var/named/usr/local/lib64/engines-1.1/
# cp -a /usr/local/lib64/engines-3/* /var/named/usr/local/lib64/engines-3/
# https://www.isc.org/bind-keys/
# It is a compiled in default now, but if you do have a bind.keys file,
# it should go in the chroot also
test -s /etc/bind.keys && cp -a /etc/bind.keys /var/named/etc/
# Make sure your non-root user can remove the source later
chown -R $(logname) .
chmod -R u+w .
# Look in /usr/lib*/ for old versions of shared library files, maybe check
# with 'lsof' first, then zap (or don't)
# If you have a configured named under the /var/named chroot, check
# configuration
/usr/bin/named-checkconf -t /var/named
# Become yourself again
exit
# Save the source for later
cd
mkdir -p -m 0700 installed
rm -f installed/bind-*.tar.*
mv bind-9.20.12.tar.xz installed/
# Skip down to the bottom for a few miscellaneous notes about running named
# ISC BIND 9.18.39 (2025-08-20, EoL Q2 2026)
# ================
# 9.18.x = Older Stable, ESV extended support version
# Prerequisites (beyond those listed above), if you have and want to use
# OpenSSL >= 1.0.0 or LibreSSL >= 2.7.0
# Python >= 2.7 or >= 3.2
# libuv >= 1.0.0
# nghttp2
# cmocka >= 1.1.3 (unit testing)
# OpenSSL >= 0.9.7l or >= 0.9.8d are the minimum safe versions for this
# release. Support for OpenSSL 3.0.0 was added to BIND 9.18
# New BIND releases are available: 9.18.39, 9.20.12, 9.21.11
# Release Notes for BIND Version 9.18.39
# Changes to be aware of when moving from BIND 9.16 to 9.18
# BIND Wiki: Known Issues in BIND 9.18
# CHANGES (from Git repo)
# BIND 9 Administrator Reference Manual
# - Also available as a PDF
# - Also available under the source tree in ./doc/arm/
# Get the source tarball
cd
test -f installed/bind-9.18.39.tar.xz &&
mv installed/bind-9.18.39.tar.xz .
test ! -f bind-9.18.39.tar.xz &&
wget https://downloads.isc.org/isc/bind9/9.18.39/bind-9.18.39.tar.xz
# Verify tarball w/ sha256sum:
# (this came from my gpg-verified tarball)
# [ OpenSSL works too: openssl sha256 bind-9.18.39.tar.xz
# coreutils 'cksum' works too: cksum -a sha256 bind-9.18.39.tar.xz
# Perl's 'shasum' works too: shasum -a 256 bind-9.18.39.tar.xz ]
echo "725755232186f3be4a07d7e40978a3389434bef7c0cdc262cc641a36407297\
6d bind-9.18.39.tar.xz" | sha256sum -c
# If you do not already have the required key and the the below gpg
# verification can't get a key from a keyserver, download
# and import isc-keyblock.asc from https://www.isc.org/pgpkey/
wget https://www.isc.org/docs/isc-keyblock.asc -O - 2> /dev/null |
gpg --import
# Verify tarball w/ gpg:
# (there are sha256 and sha512 signatures too)
# (PGP keys are here: https://www.isc.org/pgpkey/)
(gpg --list-keys 182E23579462EFAA > /dev/null 2>&1 ||
gpg --recv-keys 182E23579462EFAA ) &&
wget -nc https://downloads.isc.org/isc/bind9/9.18.39/\
bind-9.18.39.tar.xz.asc &&
gpg --verify bind-9.18.39.tar.xz.asc && rm bind-9.18.39.tar.xz.asc
# Extract the source, clean up old versions' source
mkdir -p -m 0700 ~/src
cd ~/src
find -maxdepth 1 -type d -name "bind-*" -exec rm -r {} \;
tar xJvf ~/bind-9.18.39.tar.xz
cd bind-9.18.39
test $UID = 0 && chown -R root:root .
## If you have Python, install/update the PLY module with pip:
# https://pip.pypa.io/warnings/venv
su -c "python3 -m pip install --upgrade pip ply"
# or use easy_install:
#su -c "easy_install --upgrade ply"
# See './configure --help' for all of the options
## If you use a 64-bit OpenSSL installed fully under /usr/local/ssl, which
## was the default prefix until 1.1.0, put this at the beginning of the
## configure line:
#
LDFLAGS=-L/usr/local/ssl/lib64## and replace the --with-openssl below with:
#
--with-openssl=/usr/local/ssl##
## You should not need to specify any path in --with-openssl if yours is
## installed under prefix /usr or /usr/local If you are 64-bit with
## libraries in /usr/local/lib64, make sure that is in /etc/ld.so.conf
## (and run ldconfig)
# --enable-rrl is no longer required, it's built in to >= 9.10.x
# --enable-fetchlimit is no longer required, it's built in to >= 9.11.x
# --enable-threads is not there any more
# --disable-ipv6 is not there any more
# Configure it 64-bit:
test $(uname -m) = 'x86_64' &&
./configure --prefix=/usr --sysconfdir=/etc --libdir=/usr/lib64 \
--localstatedir=/var --mandir=/usr/man --with-openssl --with-libidn2 \
--with-libxml2 --enable-dnstap --enable-full-report
# Configure it, anything else:
test $(uname -m) != 'x86_64' &&
./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var \
--mandir=/usr/man --with-openssl --with-libidn2 --with-libxml2 \
--enable-dnstap --enable-full-report
# Build it
make
# Test the build - may need to be done as root
# See info in README.md and bin/tests/system/ifconfig.sh and
# bin/tests/system/README
make check
# Become root to install it
su
# If you have a /var/named, back it up
# If you can, shut down named to avoid partially written files in there
test -d /var/named &&
( cd /var/named
mkdir -p -m 0700 ~/backup/bind
tar cJvf ~/backup/bind/var-named-$(date +%Y%m%d).tar.xz .
chmod 600 ~/backup/bind/var-named-$(date +%Y%m%d).tar.xz )
# If you have a /etc/rndc.conf, back it up. If you run named in a chroot
# jail, this may be in the real /etc because you can run 'rndc' as root
# or within the chroot by running it with the 'chroot' command. See
# 'man rndc.conf' for more information about the configuration file.
test -f /etc/rndc.conf &&
( mkdir -p -m 0700 ~/backup/bind
cp -a /etc/rndc.conf ~/backup/bind/rndc.conf-$(date +%Y%m%d)
chmod 600 ~/backup/bind/rndc.conf-$(date +%Y%m%d) )
# If you do not have a /etc/rndc.conf, 'rndc-confgen' will output one for
# you. If you run named with a chroot, either copy the .key file in there,
# or use 'secret' to store it in rndc.conf
# See 'man rndc-confgen' and 'man rndc.conf' for more information.
# (or the online documentation https://bind9.readthedocs.io/en/v9.18.39/manpages.html)
# Remove the Slackware package, if there is one
# If you do this, it should not remove your /etc/rc.d/rc.bind or
# /etc/named.conf, they are named with .new in the package file,
# but it will remove /etc/bind.keys
# If you need a replacement bind.keys, see the bottom for info
# [ probably not needed, it is a compiled-in default now ]
test -x /sbin/removepkg && /sbin/removepkg bind
# If upgrading, clean up includes from previous releases so you don't end up
# with no longer used .h files.
for incdir in bind9 dns dst irs isc isccc isccfg lwres ns pk11 pkcs11;
do test -d /usr/include/${incdir} && rm -r /usr/include/${incdir}
done
# If upgrading, you could clean up libraries from previous releases...
# ...but you don't normally need to unless you are very low on disk space.
# If you can, shut down named first, because it is linked with the most
# recent ones. For example, after you run 'make install', you will have
# /usr/lib*/lib*-9.18.39.so
# ***
# Removing them may also break anything other than BIND that is using them.
# ***
# Just in case, you may want to compare file dates before doing this.
# Maybe run find but leave off the -exec part, remove them manually...
# Or, just don't do it. It's not going to give you a signifcant amount of
# reclaimed disk space.
for pfx in /usr/local /usr; do
for lib in bind9 dns irs isc isccc isccfg lwres; do
find ${pfx}/lib64 ${pfx}/lib -maxdepth 1 -name "lib${lib}-*.so" \
-exec rm {} \;
done
done
# If you have an old named-checkconf that used to go in /usr/sbin
rm -f /usr/sbin/named-checkconf /usr/man/man8/named-checkconf.8
# Install the new version of BIND
make install
ldconfig
## NOTE: if you run named in a chroot, you will need to copy OpenSSL
## lib|lib64 and engine files in there. Same path, but below the chroot.
# cp -a /usr/local/lib64/libcrypto.* /var/named/usr/local/lib64/
# cp -a /usr/local/lib64/libssl.* /var/named/usr/local/lib64/
# cp -a /usr/local/lib64/engines-1.1/* /var/named/usr/local/lib64/engines-1.1/
# cp -a /usr/local/lib64/engines-3/* /var/named/usr/local/lib64/engines-3/
# https://www.isc.org/bind-keys/
# It is a compiled in default now, but if you do have a bind.keys file,
# it should go in the chroot also
test -s /etc/bind.keys && cp -a /etc/bind.keys /var/named/etc/
# Make sure your non-root user can remove the source later
chown -R $(logname) .
chmod -R u+w .
# Look in /usr/lib*/ for old versions of shared library files, maybe check
# with 'lsof' first, then zap (or don't)
# Become yourself again
exit
# Save the source for later
cd
mkdir -p -m 0700 installed
rm -f installed/bind-*.tar.*
mv bind-9.18.39.tar.xz installed/
# Skip down to the bottom for a few miscellaneous notes about running named
### [ the bottom ]
### Miscellaneous notes about running BIND named
# Anything done below assumes that you are root
### delegation-only is deprecated for 9.18.x and will be removed in 9.19.x
#
## If you run the named daemon, add these to your named.conf to disable
## Verisign's evil Sitefinder service for people that use your nameserver.
## If you use views, add them to the view that handles recursive lookups.
# zone "com" { type delegation-only; };
# zone "net" { type delegation-only; };
#
## Here's is a more severe alternative that will enforce delegation-only for
## any TLD that is _not_ listed (you'd use this instead of "type
## delegation-only"):
# root-delegation-only exclude {
# "ad"; "ar"; "biz"; "cr"; "cu"; "de"; "dm"; "id"; "lu"; "lv"; "md"; "ms";
# "museum"; "name"; "no"; "pa"; "pf"; "sr"; "to"; "tw"; "us"; "uy";
# };
## chroot jail
# It may no longer be as strongly suggested these days, but another thing
# you can do to limit things going badly is run named in a chroot jail
#
# For example, you could put everything under /var/named and run it like
# this:
# /usr/sbin/named -u named -t /var/named
# These may or may not help you if you plan to do this:
# https://bind9.readthedocs.io/en/v9.20.12/chapter7.html#chroot-and-setuid
# https://tldp.org/HOWTO/Chroot-BIND-HOWTO.html
#
# With a chroot /var/named you would run 'named-checkconf -t /var/named'
# to make sure your configuration is OK, checking the actual file
# /var/named/etc/named.conf
#
# Everything would need to be under there, including SSL/TLS certs
# for 'key-file' and 'cert-file', the 'directory' option would be
# set to '.' in order to use files that are actually in /var/named.
# 'file' could use relative directories for zone files. File
# /var/named/primary/internal/192.168.1 would be:
# file "primary/internal/192.168.1";
#
# You may need to copy real OpenSSL library files and engine files under
# there (/var/named/usr/lib64 or /var/named/usr/local/lib64), time zone
# configuration files (/var/named/etc/localtime), mount another copy of /proc
# under there (/var/named/proc), ...
# For DNSSEC validation, you can use the compiled-in defaults, or you can
# load the Root & DLV keys from the bind.keys file. These days it's a
# pre-compiled default and you don't need to use a separate bind.keys
# file. If you want to anyway for whatever reason...
#
# See config options dnssec-validation and dnssec-lookaside. If they are
# set, named will get the key out of bind.keys the first time it executes.
# If you you use /var/named as a chroot, put it in /var/named/etc, otherwise
# in /etc If you run named as user 'named' who is a member of group 'named',
# then root:named and 640 should work for you. For more info about this with
# BIND 8.x and 9.x, read about it here:
# https://isc.org/bind-keys/
# https://isc.org/dnssec/
# https://bind9.readthedocs.io/en/latest/dnssec-guide.html
# https://ftp.isc.org/isc/bind9/9.20.12/doc/arm/html/chapter5.html
# (also available in ./doc/arm/ under the source)
# ...and configuration file info about bindkeys-file, dnssec-lookaside &
# dnssec-validation:
# https://ftp.isc.org/isc/bind9/9.20.12/doc/arm/html/chapter5.html#dnssec-validation
# (also available in ./doc/arm/ under the source)
#
# The bind.keys file is usually available in the top level directory of the source
#
# Get the latest online:
test -d /var/named/etc && cd /var/named/etc
test ! -d /var/named/etc && cd /etc
wget -nc https://downloads.isc.org/isc/bind9/keys/9.11/bind.keys.v9_11
#
# Verify it w/ gpg:
( gpg --list-keys 5CF02E57 > /dev/null 2>&1 || gpg --recv-keys 5CF02E57 ) &&
wget -nc https://ftp.isc.org/isc/bind9/keys/9.11/bind.keys.v9_11.asc &&
gpg --verify bind.keys.v9_11.asc && rm bind.keys.v9_11.asc
#
# If it verified OK, put it in place
test -L bind.keys &&
( cp -L bind.keys bind.keys.old ; rm bind.keys )
test -f bind.keys && mv -f bind.keys bind.keys.old
mv -f bind.keys.v9_11 bind.keys
chown root:named bind.keys
chmod 640 bind.keys
## Response Rate Limiting
# Q Quick Introduction to Response Rate Limiting
# Using the Response Rate Limiting Feature
# https://kb.isc.org/docs/bind-best-practices-authoritative
# For info about the rate limiting feature (--enable-rrl with < 9.10.x):
# https://kb.isc.org/article/AA-01000/0/A-Quick-Introduction-to-Response-Rate-Limiting.html
# ...and configuration file info about rate-limit:
# https://ftp.isc.org/isc/bind9/9.20.12/doc/arm/html/reference.html?highlight=rate+limit
# (also available in ./doc/arm/ under the source)
# For info about fetch limits (--enable-fetchlimit before 9.11.x):
# ISC KB AA-01304
# Configuration file info about fetches-per-server and fetches-per-zone:
# https://ftp.isc.org/isc/bind9/9.20.12/doc/arm/html/reference.html?highlight=fetch+limits
# You can use the compiled-in defaults, which would never change if you
# never upgrade BIND, but if you have named configured to use an external
# root hints file (named 'root-hints' here), update it
dig ns . @a.root-servers.net > /var/named/root-hints.new
test -s /var/named/root-hints.new &&
( mkdir -p -m 0700 ~/backup/bind
test -e /var/named/root-hints &&
mv -f /var/named/root-hints ~/backup/bind/root-hints-$(date +%Y%m%d)
mv -f /var/named/root-hints.new /var/named/root-hints
chown root:named /var/named/root-hints
chmod 640 /var/named/root-hints
chown root:root ~/backup/bind/root-hints-*
chmod 600 ~/backup/bind/root-hints-* )
# You you don't have a rc.bind init-script, you can find the latest
# Slackware rc.bind init script here:
# (they are probably the same for Slackware or Slackware-64)
# http://ftp.slackware.com/pub/slackware/slackware-current/source/n/bind/rc.bind
# http://ftp.slackware.com/pub/slackware/slackware64-current/source/n/bind/rc.bind
# If you have a /etc/rc.d/rc.bind that sources /etc/default/named,
# you may want something like this for no IPv6, chroot in /var/named,
# run as user 'named':
test ! -f /etc/default/named &&
( echo "NAMED_OPTIONS=\"-4 -u named -t /var/named\"" > /etc/default/named
chmod 600 /etc/default/named )
# If you have named configured and you will be running the daemon, make sure
# your rc.bind script is executable:
test -e /etc/rc.d/rc.bind && chmod 700 /etc/rc.d/rc.bind
# If you ever want to uninstall BIND, this should do it:
cd
su
test -d src/bind-* && ( cd src/bind-* ; make uninstall )
( cd /etc ; rm -f bind.keys named.conf named.conf.dist rndc.conf )
( cd /usr/bin
rm -f arpaname bind9-config delv dig host isc-config.sh mdig \
named-rrchecker nslookup nsupdate )
( cd /usr/include
for dir in bind9 dns dnst irs isc isccc isccfg lwres pk11 pkcs11; do
test -d ./${dir} && rm -r ./${dir}
done )
for libdir in /usr/lib /usr/lib64; do
test ! -d $libdir && continue
for libfile in bind9 dns irs isc isccc isccfg lwres; do
rm -f ${libdir}/lib${libfile}.*
done
done
( cd /usr/man/man1
rm -f arpaname.1 bind9-config.1 delv.1 dig.1 host.1 isc-config.sh.1 \
mdig.1 named-rrchecker.1 nslookup.1 )
rm -f /usr/man/man3/lwres_*.3
( cd /usr/man/man5 ; rm -f named.conf.5 rndc.conf.5 )
( cd /usr/man/man8
rm -f ddns-confgen.8 dnssec-*.8 genrandom.8 isc-hmac-fixup.8 \
lwresd.8 named.8 named-*.8 nsec3hash.8 rndc.8 rndc-confgen.8 \
tsig-keygen.8 )
( cd /usr/sbin
rm -f ddns-confgen dnssec-* genrandom isc-hmac-fixup named-* \
nsec3hash rndc-confgen tsig-keygen )
ldconfig
exit
find ~/src -maxdepth 1 -type d -name "bind-*" -exec rm -r {} \;
rm -f ~/installed/bind-*.tar.*
List of HOWTOs
Web page itself last updated: 2025-07-04 6:23pm (EST -0500)
HOWTO last updated: 2025-08-25 12:29am
Copyright © 2001-2025 Jason Englander. All Rights reserved.
HOWTO last updated: 2025-08-25 12:29am
Copyright © 2001-2025 Jason Englander. All Rights reserved.
![[HTML5]](HTML5_Logo_64-black.png){kind=logo}
