summaryrefslogtreecommitdiffstats
path: root/debian/README.Debian
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--debian/README.Debian60
1 files changed, 60 insertions, 0 deletions
diff --git a/debian/README.Debian b/debian/README.Debian
new file mode 100644
index 0000000..e6159d7
--- /dev/null
+++ b/debian/README.Debian
@@ -0,0 +1,60 @@
+DNSSEC validation turned on by default as of BIND 9.8.1
+-------------------------------------------------------
+As of version 9.8.1.dfsg-1, BIND ships with DNSSEC validation turned on
+by default. As the keys get changed over time, this means that a fresh
+install of BIND will require that the admin manually upgrade bind.keys
+to account for the change, before BIND will be able to resolve hosts in
+DNSSEC validated zones.
+
+
+Configuration Schema:
+--------------------
+
+The Debian BIND package ships with a config that will work for the majority
+of leaf servers with no user input required.
+
+The named configuration file named.conf is located in /etc/bind, so that all
+static configuration files relating to bind are in one place. If you really
+don't want named.conf in /etc/bind, then the best way to handle it is probably
+to replace /etc/bind/named.conf with a symlink to the location you want to use.
+You could also use an option to named in the init.d script, but that only works
+for named, not for things like ndc.
+
+Zone data files for the root servers, and the forward and reverse localhost
+zones are also provided in /etc/bind.
+
+The working directory for named is now /var/cache/bind. Thus, any transient
+files generated by named, such as database files for zones the daemon is
+secondary for, will be written to the /var filesystem, where they belong.
+
+To make this work, the named.conf provided uses explicitly fully-qualified
+pathnames to reference the files in /etc/bind.
+
+Unlike previous BIND packages for Debian, the named.conf and provided db.*
+files are tagged as conffiles. Thus, if you just want a "caching mostly"
+server configuration for a server that does not need to be authoritative for
+anything else, you can run the provided configuration as-is. If you want to
+hack on named.conf, or even the init.d fragment, you can feel free to. Future
+package upgrades will treat your configuration changes sanely, as all Debian
+packages should.
+
+While you are free to craft whatever structure you wish for servers which need
+to be authoritative for additional zones, what we suggest is that you put the
+db files for any zones you are master for in /etc/bind (perhaps even in a
+subdirectory structure depending on complexity), using full pathnames in the
+named.conf file. Any zones you are secondary for should be configured in
+named.conf with simple filenames (relative to /var/cache/bind), so the data
+files will be stored in BIND's working directory (defaults to /var/cache/bind).
+Zones subject to automatic updates (such as via DHCP and/or nsupdate) should be
+stored in /var/lib/bind, and specified with full pathnames.
+
+
+Apparmor Profile
+----------------
+If your system uses apparmor, please note that the shipped enforcing profile
+works with the default installation, and changes in your configuration may
+require changes to the installed apparmor profile. Please see
+https://wiki.ubuntu.com/DebuggingApparmor before filing a bug against this
+software.
+
+ -- Ondřej Surý <ondrej@debian.org>, Thu, 18 Jan 2018 14:02:44 +0000