summaryrefslogtreecommitdiffstats
path: root/win32utils/readme1st.txt
diff options
context:
space:
mode:
Diffstat (limited to 'win32utils/readme1st.txt')
-rw-r--r--win32utils/readme1st.txt158
1 files changed, 158 insertions, 0 deletions
diff --git a/win32utils/readme1st.txt b/win32utils/readme1st.txt
new file mode 100644
index 0000000..58cc36c
--- /dev/null
+++ b/win32utils/readme1st.txt
@@ -0,0 +1,158 @@
+<!--
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+SPDX-License-Identifier: MPL-2.0
+
+This Source Code Form is subject to the terms of the Mozilla Public
+License, v. 2.0. If a copy of the MPL was not distributed with this
+file, you can obtain one at https://mozilla.org/MPL/2.0/.
+
+See the COPYRIGHT file distributed with this work for additional
+information regarding copyright ownership.
+-->
+
+KIT INSTALLATION:
+
+Unpack the kit into any convenient directory and run the BINDInstall
+program. This will install the named and associated programs into
+the correct directories and set up the required registry keys.
+
+Usually BINDInstall must be run by/as Administrator or it can fail
+to operate on the filesystem or the registry or even return messages
+like "A referral was returned from the server". The best way to
+avoid this kind of problems on Windows 7 or newer is:
+ - open a "Windows Explorer" window
+ - go where the distribution was extracted
+ - click right on the BINDInstall application
+ - open "Properties" (last) menu
+ - open "Compatibility" (second) tab
+ - check the (last) "Run this program as an administrator" box
+Unfortunately this is not saved by zip (or any archiver?) as
+it is a property saved in the Registry.
+
+BINDInstall requires that you install it under an account with
+restricted privileges. The installer will prompt you for an account
+name (the default is "named") and a password for that account. It
+will also check for the existence of that account. If it does not
+exist is will create it with only the privileges required to run
+BIND 9. If the account does exist it will check that it has only the
+one privilege required: "Log on as a service". If it has too many
+privileges it will prompt you if you want to continue.
+
+With BIND 9 running under an account name, it is necessary for all
+files and directories that BIND 9 uses to have permissions set up for
+the named account if the files are on an NTFS disk. BIND 9 requires
+that the account have read and write access to the directory for
+the pid file, any files that are maintained either for slave zones
+or for master zones supporting dynamic updates. The account will
+also need read access to the named.conf and any other file that it
+needs to read.
+
+"NT AUTHORITY\LocalService" is also an acceptable account
+(and the only acceptable on some recent versions of Windows).
+This account is built into Windows and no password is required.
+Appropriate file permissions will also need to be set for "NT
+AUTHORITY\LocalService" similar to those that would have been
+required for the "named" account.
+
+It is important that on Windows the directory directive is used in
+the options section to tell BIND 9 where to find the files used in
+named.conf (default "%ProgramFiles%\ISC BIND 9\etc\named.conf"). For
+example:
+
+ options {
+ directory "C:\Program Files (x86)\ISC BIND 9\etc";
+ };
+
+for a 32 bit BIND 9 on a 64 bit US Domestic Windows system.
+Messages are logged to the Application log in the EventViewer.
+
+CONTROLLING BIND 9:
+
+Windows uses the same rndc program as is used on Unix systems. The
+rndc.conf file must be configured for your system in order to work.
+You will need to generate a key for this. To do this use the
+rndc-confgen program. The program will be installed in the same
+directory as named: "%ProgramFiles%\ISC BIND 9\bin". From the DOS
+prompt, use the command this way:
+
+rndc-confgen -a
+
+which will create a rndc.key file in the "%ProgramFiles%\ISC BIND 9\etc"
+directory. This will allow you to run rndc without an explicit
+rndc.conf file or key and control entry in named.conf file. See
+the ARM for details of this. An rndc.conf can also be generated by
+running:
+
+rndc-confgen > rndc.conf
+
+which will create the rndc.conf file in the current directory, but
+not copy it to the "%ProgramFiles%\ISC BIND 9\etc" directory where
+it needs to reside. If you create rndc.conf this way you will need
+to copy the same key statement into named.conf.
+
+The additions look like the following:
+
+key "rndc-key" { algorithm hmac-sha256; secret "xxxxxxxxx=="; };
+
+controls {
+ inet 127.0.0.1 port 953 allow { localhost; } keys { "rndc-key"; };
+};
+
+Note that the value of the secret must come from the key generated
+above for rndc and must be the same key value for both. Details of
+this may be found in the ARM. If you have rndc on a Unix box you can
+use it to control BIND 9 on the Windows box as well as using the Windows
+version of rndc to control a BIND 9 daemon on a Unix box. However you
+must have key statements valid for the servers you wish to control,
+specifically the IP address and key in both named.conf and rndc.conf.
+Again see the ARM for details.
+
+In order to run rndc from a different system it is important to
+ensure that the clocks are synchronized. The clocks must be kept
+within 5 minutes of each other or the rndc commands will fail
+authentication. Use NTP or other time synchronization software to
+keep your clocks accurate. NTP can be found at http://www.ntp.org/.
+
+In addition BIND 9 is installed as a win32 system service, can be
+started and stopped in the same way as any other service and
+automatically starts whenever the system is booted. Signals are not
+supported and are in fact ignored.
+
+Note: Unlike most Windows applications, named does not change its
+working directory when started as a service. If you wish to use
+relative files in named.conf you will need to specify a working
+directory using the directory directive options.
+
+DOCUMENTATION:
+
+This kit includes Documentation in HTML format. The documentation
+is not copied during the installation process so you should move
+it to any convenient location for later reference. Of particular
+importance is the BIND 9 Administrator's Reference Manual (Bv9ARM*.html)
+which provides detailed information on BIND 9. In addition, there
+are HTML pages for each of the BIND 9 applications.
+
+IMPORTANT NOTE ON USING BIND 9 TOOLS:
+
+It is no longer necessary to create a resolv.conf file on Windows
+as BIND 9 tools will look in the registry for the required name server
+information. However, if you do create a resolv.conf file as follows,
+the tools will use it in preference to the registry name server
+entries.
+
+Place resolv.conf the "%ProgramFiles%\ISC BIND 9\etc" directory.
+It must contain a list of recursive server addresses. The format
+of this file is:
+
+nameserver 1.2.3.4
+nameserver 5.6.7.8
+
+Replace the above IP addresses with the real name server addresses.
+127.0.0.1 is a valid address if you are running a recursive name
+server on the localhost.
+
+PROBLEMS:
+
+Please report bugs at https://gitlab.isc.org/isc-projects/bind9.
+Other questions can go to the bind-users@isc.org mailing list.