summaryrefslogtreecommitdiffstats
path: root/win32utils/readme1st.txt
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--win32utils/readme1st.txt165
1 files changed, 165 insertions, 0 deletions
diff --git a/win32utils/readme1st.txt b/win32utils/readme1st.txt
new file mode 100644
index 0000000..786202c
--- /dev/null
+++ b/win32utils/readme1st.txt
@@ -0,0 +1,165 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
+
+NOTES ON BIND 9.10 FOR WINDOWS:
+
+BIND 9.10 is known to run on Windows XP, Vista, Windows 7,
+and Windows Server 2003 and higher.
+
+KIT INSTALLATION:
+
+Unpack the kit into any convenient directory and run the BINDInstall
+program. This will install the named and associated programs into
+the correct directories and set up the required registry keys.
+
+Usually BINDInstall must be run by/as Administrator or it can fail
+to operate on the filesystem or the registery or even return messages
+like 'A referral was returned from the server". The best way to
+avoid this kind of problems on Windows 7 or newer is:
+ - open a "file explorer" aka finder windows
+ - goes where the distribution was expanded
+ - click right on the BINDInstall application
+ - open "Properties" (last) menu
+ - open "Compatibility" (second) tab
+ - check on the (last) "Run this program as an administrator"
+Unfortunately this is not saved by zip (or any archiver?) as
+it is a property saved in the Registry.
+
+BINDInstall requires that you install it under an account with
+restricted privileges. The installer will prompt you for an account
+name (the default is "named") and a password for that account. It
+will also check for the existence of that account. If it does not
+exist is will create it with only the privileges required to run
+BIND. If the account does exist it will check that it has only the
+one privilege required: "Log on as a service". If it has too many
+privileges it will prompt you if you want to continue.
+
+With BIND running under an account name, it is necessary for all
+files and directories that BIND uses to have permissions set up for
+the named account if the files are on an NTFS disk. BIND requires
+that the account have read and write access to the directory for
+the pid file, any files that are maintained either for slave zones
+or for master zones supporting dynamic updates. The account will
+also need read access to the named.conf and any other file that it
+needs to read.
+
+"NT AUTHORITY\LocalService" is also an acceptable account
+(and the only acceptable on some recent versions of Windows).
+This account is built into Windows and no password is required.
+Appropriate file permissions will also need to be set for "NT
+AUTHORITY\LocalService" similar to those that would have been
+required for the "named" account.
+
+It is important that on Windows the directory directive is used in
+the options section to tell BIND where to find the files used in
+named.conf (default "%ProgramFiles%\ISC BIND 9\etc\named.conf"). For
+example:
+
+ options {
+ directory "C:\Program Files (x86)\ISC BIND 9\etc";
+ };
+
+for a 32 bit BIND on a 64 bit US Domestic Windows system.
+Messages are logged to the Application log in the EventViewer.
+
+CONTROLLING BIND:
+
+Windows uses the same rndc program as is used on Unix systems. The
+rndc.conf file must be configured for your system in order to work.
+You will need to generate a key for this. To do this use the
+rndc-confgen program. The program will be installed in the same
+directory as named: "%ProgramFiles%\ISC BIND 9\bin". From the DOS
+prompt, use the command this way:
+
+rndc-confgen -a
+
+which will create a rndc.key file in the "%ProgramFiles%\ISC BIND 9\etc"
+directory. This will allow you to run rndc without an explicit
+rndc.conf file or key and control entry in named.conf file. See
+section 3.4.1.2 of the ARM for details of this. An rndc.conf can
+also be generated by running:
+
+rndc-confgen > rndc.conf
+
+which will create the rndc.conf file in the current directory, but
+not copy it to the "%ProgramFiles%\ISC BIND 9\etc" directory where
+it needs to reside. If you create rndc.conf this way you will need
+to copy the same key statement into named.conf.
+
+The additions look like the following:
+
+key "rndc-key" { algorithm hmac-sha256; secret "xxxxxxxxx=="; };
+
+controls {
+ inet 127.0.0.1 port 953 allow { localhost; } keys { "rndc-key"; };
+};
+
+Note that the value of the secret must come from the key generated
+above for rndc and must be the same key value for both. Details of
+this may be found in section 3.4.1.2 of the ARM. If you have rndc
+on a Unix box you can use it to control BIND on the Windows box as
+well as using the Windows version of rndc to control a BIND 9 daemon
+on a Unix box. However you must have key statements valid for the
+servers you wish to control, specifically the IP address and key
+in both named.conf and rndc.conf. Again see section 3.4.1.2 of the
+ARM for details.
+
+In order to run rndc from a different system it is important to
+ensure that the clocks are synchronized. The clocks must be kept
+within 5 minutes of each other or the rndc commands will fail
+authentication. Use NTP or other time synchronization software to
+keep your clocks accurate. NTP can be found at http://www.ntp.org/.
+
+In addition BIND is installed as a win32 system service, can be
+started and stopped in the same way as any other service and
+automatically starts whenever the system is booted. Signals are not
+supported and are in fact ignored.
+
+Note: Unlike most Windows applications, named does not, change its
+working directory when started as a service. If you wish to use
+relative files in named.conf you will need to specify a working
+directory using the directory directive options.
+
+DOCUMENTATION:
+
+This kit includes Documentation in HTML format. The documentation
+is not copied during the installation process so you should move
+it to any convenient location for later reference. Of particular
+importance is the BIND 9 Administrator's Reference Manual (Bv9ARM*.html)
+which provides detailed information on BIND 9. In addition, there
+are HTML pages for each of the BIND 9 applications.
+
+INCLUDED TOOLS:
+
+The following tools have been built for Windows: dig, nslookup,
+host, nsupdate, ddns-confgen, rndc, rndc-confgen, delv, mdig,
+named-checkconf, named-checkzone, named-compilezone, named-journalprint,
+named-rrchecker, dnssec-importkey, dnssec-keygen, dnssec-signzone,
+dnssec-dsfromkey, dnssec-keyfromlabel, dnssec-revoke, dnssec-settime
+and dnssec-verify. The latter tools are for use with DNSSEC. All tools
+are installed in the "%ProgramFiles%\ISC BIND 9\bin" directory.
+
+IMPORTANT NOTE ON USING THE TOOLS:
+
+It is no longer necessary to create a resolv.conf file on Windows
+as the tools will look in the registry for the required name server
+information. However, if you do create a resolv.conf file as follows,
+the tools will use it in preference to the registry name server
+entries.
+
+Place resolv.conf the "%ProgramFiles%\ISC BIND 9\etc" directory.
+It must contain a list of recursive server addresses. The format
+of this file is:
+
+nameserver 1.2.3.4
+nameserver 5.6.7.8
+
+Replace the above IP addresses with the real name server addresses.
+127.0.0.1 is a valid address if you are running a recursive name
+server on the localhost.
+
+PROBLEMS:
+
+Please report bugs at https://gitlab.isc.org/isc-projects/bind9.
+Other questions can go to the bind-users@isc.org mailing list.