diff options
Diffstat (limited to '')
-rw-r--r-- | debian/README.Debian | 60 |
1 files changed, 60 insertions, 0 deletions
diff --git a/debian/README.Debian b/debian/README.Debian new file mode 100644 index 0000000..e6159d7 --- /dev/null +++ b/debian/README.Debian @@ -0,0 +1,60 @@ +DNSSEC validation turned on by default as of BIND 9.8.1 +------------------------------------------------------- +As of version 9.8.1.dfsg-1, BIND ships with DNSSEC validation turned on +by default. As the keys get changed over time, this means that a fresh +install of BIND will require that the admin manually upgrade bind.keys +to account for the change, before BIND will be able to resolve hosts in +DNSSEC validated zones. + + +Configuration Schema: +-------------------- + +The Debian BIND package ships with a config that will work for the majority +of leaf servers with no user input required. + +The named configuration file named.conf is located in /etc/bind, so that all +static configuration files relating to bind are in one place. If you really +don't want named.conf in /etc/bind, then the best way to handle it is probably +to replace /etc/bind/named.conf with a symlink to the location you want to use. +You could also use an option to named in the init.d script, but that only works +for named, not for things like ndc. + +Zone data files for the root servers, and the forward and reverse localhost +zones are also provided in /etc/bind. + +The working directory for named is now /var/cache/bind. Thus, any transient +files generated by named, such as database files for zones the daemon is +secondary for, will be written to the /var filesystem, where they belong. + +To make this work, the named.conf provided uses explicitly fully-qualified +pathnames to reference the files in /etc/bind. + +Unlike previous BIND packages for Debian, the named.conf and provided db.* +files are tagged as conffiles. Thus, if you just want a "caching mostly" +server configuration for a server that does not need to be authoritative for +anything else, you can run the provided configuration as-is. If you want to +hack on named.conf, or even the init.d fragment, you can feel free to. Future +package upgrades will treat your configuration changes sanely, as all Debian +packages should. + +While you are free to craft whatever structure you wish for servers which need +to be authoritative for additional zones, what we suggest is that you put the +db files for any zones you are master for in /etc/bind (perhaps even in a +subdirectory structure depending on complexity), using full pathnames in the +named.conf file. Any zones you are secondary for should be configured in +named.conf with simple filenames (relative to /var/cache/bind), so the data +files will be stored in BIND's working directory (defaults to /var/cache/bind). +Zones subject to automatic updates (such as via DHCP and/or nsupdate) should be +stored in /var/lib/bind, and specified with full pathnames. + + +Apparmor Profile +---------------- +If your system uses apparmor, please note that the shipped enforcing profile +works with the default installation, and changes in your configuration may +require changes to the installed apparmor profile. Please see +https://wiki.ubuntu.com/DebuggingApparmor before filing a bug against this +software. + + -- Ondřej Surý <ondrej@debian.org>, Thu, 18 Jan 2018 14:02:44 +0000 |