diff --git a/bind.spec b/bind.spec
index ad28439..be264de 100644
--- a/bind.spec
+++ b/bind.spec
@@ -18,7 +18,7 @@ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv
 Name: bind
 License: ISC
 Version: 9.6.0
-Release: 0.4.%{PREVER}%{?dist}
+Release: 0.4.1.%{PREVER}%{?dist}
 Epoch: 32
 Url: http://www.isc.org/products/BIND/
 Buildroot:%{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -600,6 +600,9 @@ rm -rf ${RPM_BUILD_ROOT}
 %ghost %{chroot_prefix}/etc/localtime %changelog +* Mon Dec 01 2008 Adam Tkac 32:9.6.0-0.4.1.b1 +- improved sample config file (#473586) + * Wed Nov 26 2008 Adam Tkac 32:9.6.0-0.4.b1 - reverted previous change, koji doesn't like it
diff --git a/named.conf.sample b/named.conf.sample
index c3d1acf..d02efc4 100644
--- a/named.conf.sample
+++ b/named.conf.sample
@@ -1,21 +1,64 @@ -// -// Sample named.conf BIND DNS server 'named' configuration file -// for the Red Hat BIND distribution. -// -// See the BIND Administrator's Reference Manual (ARM) for details, in: -// file:///usr/share/doc/bind-*/arm/Bv9ARM.html -// Also see the BIND Configuration GUI : /usr/bin/system-config-bind and -// its manual. -// +/* + Sample named.conf BIND DNS server 'named' configuration file + for the Red Hat BIND distribution. + + See the BIND Administrator's Reference Manual (ARM) for details, in: + file:///usr/share/doc/bind-{version}/arm/Bv9ARM.html + Also see the BIND Configuration GUI : /usr/bin/system-config-bind and + its manual. +*/ + options { // Put files that named is allowed to write in the data/ directory: - directory "/var/named"; // the default + directory "/var/named"; // "Working" directory dump-file "data/cache_dump.db"; statistics-file "data/named_stats.txt"; memstatistics-file "data/named_mem_stats.txt"; + + /* + Specify listenning interfaces. You can use list of addresses (';' is + delimiter) or keywords "any"/"none" + */ + //listen-on port 53 { any; }; + listen-on port 53 { 127.0.0.1; }; + + //listen-on-v6 port 53 { any; }; + listen-on-v6 port 53 { ::1; }; + + /* + Access restrictions + + There are two important options: + allow-query { argument; }; + - allow queries for authoritative data + + allow-query-cache { argument; }; + - allow queries for non-authoritative data (mostly cached data) + + You can use address, network address or keywords "any"/"localhost"/"none" as argument + Examples: + allow-query { localhost; 10.0.0.1; 192.168.1.0/8; }; + allow-query-cache { ::1; fe80::5c63:a8ff:fe2f:4526; 10.0.0.1; }; + */ + + allow-query { localhost; }; + allow-query-cache { localhost; }; + + // Enable/disable recursion - recursion yes/no; + recursion yes; + + /* DNSSEC related options. 
See information about keys ("Trusted keys", bellow) */ + + /* Enable serving of DNSSEC related data - enable on both authoritative + and recursive servers DNSSEC aware servers */ + dnssec-enable yes; + + /* Enable DNSSEC validation on recursive servers */ + dnssec-validation yes; }; + logging { /* If you want to enable debugging, eg. using the 'rndc trace' command,
@@ -28,18 +71,19 @@ logging severity dynamic; }; }; -// -// All BIND 9 zones are in a "view", which allow different zones to be served -// to different types of client addresses, and for options to be set for groups -// of zones. -// -// By default, if named.conf contains no "view" clauses, all zones are in the -// "default" view, which matches all clients. -// -// If named.conf contains any "view" clause, then all zones MUST be in a view; -// so it is recommended to start off using views to avoid having to restructure -// your configuration files in the future. -// + +/* + Views let a name server answer a DNS query differently depending on who is asking. + + By default, if named.conf contains no "view" clauses, all zones are in the + "default" view, which matches all clients. + + Views are processed sequentially. The first match is used so the last view should + match "any" - it's fallback and the most restricted view. + + If named.conf contains any "view" clause, then all zones MUST be in a view. +*/ + view "localhost_resolver" { /* This view sets up named to be a localhost resolver ( caching only nameserver ).
@@ -47,8 +91,12 @@ view "localhost_resolver" */ match-clients { localhost; }; recursion yes; + # all views must contain the root hints zone: - include "/etc/named.root.hints"; + zone "." IN { + type hint; + file "/var/named/named.ca"; + }; /* these are zones that contain definitions for all the localhost * names and addresses, as recommended in RFC1912 - these names should 
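Review bot: The example `allow-query { localhost; 10.0.0.1; 192.168.1.0/8; };` in the new access-restrictions comment of the options hunk pairs a prefix length with an address whose host bits are not zero, so depending on the BIND version it is either read as all of 192.0.0.0/8 or rejected as a bad address match, and an administrator copying it would open the resolver far wider than the 192.168.1.x range the example evidently intends. A consistent example is `allow-query { localhost; 10.0.0.1; 192.168.1.0/24; };`. While touching the comment, `listenning` should read `listening` and `bellow` should read `below`. The same hunk enables `dnssec-validation yes;`, yet the only trusted-keys statement this commit ships (the last hunk) is entirely commented out, so as far as I can tell from the file validation has no trust anchor to work with; a one-line comment next to the option saying that it only takes effect once a real trusted key is configured would stop readers from assuming the sample validates anything.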
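Review bot: The root hints zone added to view "localhost_resolver" is introduced with a shell-style comment, `# all views must contain the root hints zone:`, while every other comment in this file uses `//` or `/* */`; named.conf does accept `#` comments, but one style per file is easier to read, so `// all views must contain the root hints zone:` would match the surrounding text. The identical `zone "." IN { type hint; file "/var/named/named.ca"; };` block is also pasted into view "internal" (the @@ -63 hunk) and view "external" (the @@ -89 hunk) where the old text used a single include; if the repetition is deliberate because each view needs its own zone statement, a short comment at the first copy saying so would keep a later maintainer from folding the three back into one include and breaking two views.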
@@ -63,9 +111,11 @@ view "internal" */ match-clients { localnets; }; recursion yes; - // all views must contain the root hints zone: - include "named.ca"; + zone "." IN { + type hint; + file "/var/named/named.ca"; + }; /* these are zones that contain definitions for all the localhost * names and addresses, as recommended in RFC1912 - these names should
@@ -76,6 +126,19 @@ view "internal" // These are your "authoritative" internal zones, and would probably // also be included in the "localhost_resolver" view above : + /* + NOTE for dynamic DNS zones and secondary zones: + + DO NOT USE SAME FILES IN MULTIPLE VIEWS! + + If you are using views and DDNS/secondary zones it is strongly + recommended to read FAQ on ISC site (www.isc.org), section + "Configuration and Setup Questions", questions + "How do I share a dynamic zone between multiple views?" and + "How can I make a server a slave for both an internal and an external + view at the same time?" + */ + zone "my.internal.zone" { type master; file "my.internal.zone.db"; 
@@ -89,29 +152,33 @@ view "internal" zone "my.ddns.internal.zone" { type master; allow-update { key ddns_key; }; - file "slaves/my.ddns.internal.zone.db"; + file "dynamic/my.ddns.internal.zone.db"; // put dynamically updateable zones in the slaves/ directory so named can update them }; }; + key ddns_key { algorithm hmac-md5; secret "use /usr/sbin/dnssec-keygen to generate TSIG keys"; }; -view "external" + +view "external" { /* This view will contain zones you want to serve only to "external" clients * that have addresses that are not match any above view: */ match-clients { any; }; + zone "." IN { + type hint; + file "/var/named/named.ca"; + }; + recursion no; // you'd probably want to deny recursion to external clients, so you don't // end up providing free DNS service to all takers - // all views must contain the root hints zone: - include "named.ca"; - // These are your "authoritative" external zones, and would probably // contain entries for just your web and mail servers: 
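Review bot: The changed line `file "dynamic/my.ddns.internal.zone.db";` keeps its trailing comment `// put dynamically updateable zones in the slaves/ directory so named can update them`, which now names the directory the commit just moved away from; it should read `// put dynamically updatable zones in the dynamic/ directory so named can update them`. In the reshaped `view "external"` block, `match-clients { any; };` is combined with `recursion no;`, which is the right default, but the view sets no `allow-query` of its own, so if BIND's option inheritance works as I understand it the global `allow-query { localhost; };` from the options hunk applies and external clients are refused outright. That may well be intended for a sample that defaults closed, but a comment such as `// allow-query is inherited from options; widen it here before serving external clients` would tell an administrator why the view answers nobody.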
@@ -120,3 +187,43 @@ view "external" file "my.external.zone.db"; }; }; + +/* Trusted keys + + This statement contains DNSSEC keys. If you want DNSSEC aware resolver you + have to configure at least one trusted key. + + Note that no key written below is valid. Especially root key because root zone + is not signed yet. +*/ +/* +trusted-keys { +// Root Key +"." 257 3 3 "BNY4wrWM1nCfJ+CXd0rVXyYmobt7sEEfK3clRbGaTwSJxrGkxJWoZu6I7PzJu/ + E9gx4UC1zGAHlXKdE4zYIpRhaBKnvcC2U9mZhkdUpd1Vso/HAdjNe8LmMlnzY3 + zy2Xy4klWOADTPzSv9eamj8V18PHGjBLaVtYvk/ln5ZApjYghf+6fElrmLkdaz + MQ2OCnACR817DF4BBa7UR/beDHyp5iWTXWSi6XmoJLbG9Scqc7l70KDqlvXR3M + /lUUVRbkeg1IPJSidmK3ZyCllh4XSKbje/45SKucHgnwU5jefMtq66gKodQj+M + iA21AfUVe7u99WzTLzY3qlxDhxYQQ20FQ97S+LKUTpQcq27R7AT3/V5hRQxScI + Nqwcz4jYqZD2fQdgxbcDTClU0CRBdiieyLMNzXG3"; + +// Key for forward zone +example.com. 257 3 5 "AwEAAaxPMcR2x0HbQV4WeZB6oEDX+r0QM65KbhTjrW1ZaARmPhEZZe + 3Y9ifgEuq7vZ/zGZUdEGNWy+JZzus0lUptwgjGwhUS1558Hb4JKUbb + OTcM8pwXlj0EiX3oDFVmjHO444gLkBO UKUf/mC7HvfwYH/Be22GnC + lrinKJp1Og4ywzO9WglMk7jbfW33gUKvirTHr25GL7STQUzBb5Usxt + 8lgnyTUHs1t3JwCY5hKZ6CqFxmAVZP20igTixin/1LcrgX/KMEGd/b + iuvF4qJCyduieHukuY3H4XMAcR+xia2 nIUPvm/oyWR8BW/hWdzOvn + SCThlHf3xiYleDbt/o1OTQ09A0="; + +// Key for reverse zone. +2.0.192.IN-ADDRPA.NET. 257 3 5 "AQOnS4xn/IgOUpBPJ3bogzwcxOdNax071L18QqZnQQQA + VVr+iLhGTnNGp3HoWQLUIzKrJVZ3zggy3WwNT6kZo6c0 + tszYqbtvchmgQC8CzKojM/W16i6MG/ea fGU3siaOdS0 + yOI6BgPsw+YZdzlYMaIJGf4M4dyoKIhzdZyQ2bYQrjyQ + 4LB0lC7aOnsMyYKHHYeRv PxjIQXmdqgOJGq+vsevG06 + zW+1xgYJh9rCIfnm1GX/KMgxLPG2vXTD/RnLX+D3T3UL + 7HJYHJhAZD5L59VvjSPsZJHeDCUyWYrvPZesZDIRvhDD + 52SKvbheeTJUm6EhkzytNN2SN96QRk8j/iI8ib"; +}; +*/
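Review bot: The new trusted-keys statement is commented out from `/*` to `*/` in its entirety, so together with `dnssec-validation yes;` in the options hunk the resolver appears to have no trust anchor at all; the header comment should state that plainly, for example `Without at least one uncommented trusted key, "dnssec-validation yes" has nothing to validate against.`. The sentence `Especially root key because root zone is not signed yet` records the state of the world at commit time and will go stale without anyone noticing; phrasing it as `the root key below is a placeholder and must be replaced by the key published by the root zone operator` keeps the warning true later. Keeping the sample key material inside the comment so named never loads it is the right way to ship these examples.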