1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
|
DNSSEC validation turned on by default as of BIND 9.8.1
-------------------------------------------------------
As of version 9.8.1.dfsg-1, BIND ships with DNSSEC validation turned on
by default. As the keys get changed over time, this means that a fresh
install of BIND will require that the admin manually upgrade bind.keys
to account for the change, before BIND will be able to resolve hosts in
DNSSEC validated zones.
Configuration Schema:
--------------------
The Debian BIND package ships with a config that will work for the majority
of leaf servers with no user input required.
The named configuration file named.conf is located in /etc/bind, so that all
static configuration files relating to bind are in one place. If you really
don't want named.conf in /etc/bind, then the best way to handle it is probably
to replace /etc/bind/named.conf with a symlink to the location you want to use.
You could also use an option to named in the init.d script, but that only works
for named, not for things like ndc.
Zone data files for the root servers, and the forward and reverse localhost
zones are also provided in /etc/bind.
The working directory for named is now /var/cache/bind. Thus, any transient
files generated by named, such as database files for zones the daemon is
secondary for, will be written to the /var filesystem, where they belong.
To make this work, the named.conf provided uses explicitly fully-qualified
pathnames to reference the files in /etc/bind.
Unlike previous BIND packages for Debian, the named.conf and provided db.*
files are tagged as conffiles. Thus, if you just want a "caching mostly"
server configuration for a server that does not need to be authoritative for
anything else, you can run the provided configuration as-is. If you want to
hack on named.conf, or even the init.d fragment, you can feel free to. Future
package upgrades will treat your configuration changes sanely, as all Debian
packages should.
While you are free to craft whatever structure you wish for servers which need
to be authoritative for additional zones, what we suggest is that you put the
db files for any zones you are master for in /etc/bind (perhaps even in a
subdirectory structure depending on complexity), using full pathnames in the
named.conf file. Any zones you are secondary for should be configured in
named.conf with simple filenames (relative to /var/cache/bind), so the data
files will be stored in BIND's working directory (defaults to /var/cache/bind).
Zones subject to automatic updates (such as via DHCP and/or nsupdate) should be
stored in /var/lib/bind, and specified with full pathnames.
Apparmor Profile
----------------
If your system uses apparmor, please note that the shipped enforcing profile
works with the default installation, and changes in your configuration may
require changes to the installed apparmor profile. Please see
https://wiki.ubuntu.com/DebuggingApparmor before filing a bug against this
software.
-- Ondřej Surý <ondrej@debian.org>, Thu, 18 Jan 2018 14:02:44 +0000
|