upgrade from BIND8 to BIND9 - FUD gone

Bob Vance bobvance at alumni.caltech.edu
Fri Mar 30 19:09:45 UTC 2001


OK.
The recent thread on upgrading from BIND8 to BIND9 got me going.
The following will hopefully be an asset to others "on the fence".

I just decided to set aside a block of a half day and do the 9.1.1
release, at home.

And, yes, it was fairly trivial (now that I've done it :) on Linux RH
6.2
(haven't tried HP-UX, yet).

High points:
  . have clean, legal files as Jim said.
      (fortunately, I already had those :)
  . read the README completely (5-10 minutes)
  . follow default config instructions to install ( /usr/local/... )
  . 'ndc' is gone -- replaced by 'rndc'
  . BIND should come up and work fine, as is,
    but you can't use 'rndc' to start it
      (in fact, at this point, you can't use 'rndc' at all.
       see last item in this list.
      )
  . new dynamic "logs" are *.jnl
  . 2 trivial fixes to 'nsupdate' input data
      (no comments ; no TTL in the "delete" statement)
  . to get 'rndc' working, read the first 3 pages of the ARM doco
    (<1/2 hour) and use the sample config in section 3.4.1.2 .


Now, that was it for me, but I'm not playing within anything serious --
no views or security or anything yet.  I don't even have secondaries at
home.

At this point, I'm as operational (with better code :) at home as I was
under BIND8 and it only really took about an hour or 2 of real time
(including reading :)
   (It's taking me longer to write this summary
    than it did to do it !!!!
   )

I can now pursue the enhancements in BIND9 at my leisure, although I
have not yet done the HP-UX install at work.

However, I do not regret in the slightest waiting for the 9.1.1 release
(except for not being a good net citizen :), nor am I ready to throw it
into a "real" production environment (but that's an entirely different
discussion out of which we've already sapped the life -- I hope ;>)


DETAILS:
============
 . I took 5 minutes to read the README file from top to bottom.  Right
there, it said "'man' pages are not installed", so that removed that
non-issue :)

 . My config and data files were all OK, so, as Jim said, 'named' should
work fine immediately.

 . Simply './configure' (default), 'make', 'make install', and launching
'named' my normal way actually worked -- *immediately* (I was *not*
using 'ndc' to launch 'named', so that wasn't an issue).

 . My "stop" script also worked (again, not using 'ndc'), as well, but I
really wanted 'rndc' to work.

 . Lookups and forwarding were working fine, so I was operational while
I looked at the remaining "issues" (this was at home, so non-operation
wouldn't have been a big problem, anyway -- I had BIND8 waiting in the
wings, also :).


The (perceived) issues left (that I know of :) in my vanilla setup
   ( no  DNSSEC, TSIGing, IPv6, IXFR, or Views)
were:

    DHCP dynamic updates
    nsupdate
    rndc


DHCP dynamic updates:
----------------------
The DHCP dynamic update issue was simply a matter of the updates being
"logging" in *.jnl , so it was working fine -- a non-issue :)


nsupdate:
----------
The 'nsupdate' issues were simply a matter of not allowing ";" for
commenting out lines and the new "delete" logic not allowing a TTL in
the record.  Not a big deal, although the old one did allow it.  This
simply meant that duplicating an "add" and changing it to "delete" no
longer works, but having the TTL in the "delete" record doesn't make
much sense, so I don't have a problem with not allowing it at all.
However, I don't understand the removal of comments.


'rndc' :
---------
I read the first 3 pages of the ARM doco (<1/2 hour) and used, as is,
the sample config in section 3.4.1.2  :

 . in /etc/named.conf, at top, add:

key def-rndc_key {
     algorithm "hmac-md5";
     secret "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K";
};
controls {
     inet 127.0.0.1 allow { localhost; } keys { def-rndc_key; };
};


 . in /etc/rndc.conf, *same* key stuff, plus an options section:

key def-rndc_key {
     algorithm "hmac-md5";
     secret "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K";
};
options {
     default-server localhost;
     default-key    def-rndc_key;    /* must name the key defined above */
};

and I was off and 'rndc'ing :)

I've since gone back and changed the key and added some ACLs to
/etc/named.conf.

Hope this helps someone else :)
And hopefully someone will point out any potholes that I haven't foreseen
in my simple environment.


-------------------------------------------------
Tks        | <mailto:BVance at sbm.com>
BV         | <mailto:BobVance at alumni.caltech.edu>
Sr. Technical Consultant,  SBM, A Gates/Arrow Co.
Vox 770-623-3430           11455 Lakefield Dr.
Fax 770-623-3429           Duluth, GA 30097-1511
=================================================
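An added consistency check for the rndc setup described in the post (this is example code, not part of Bob's message or of BIND): it parses constructed copies of the two snippets above, confirms that the key named in `controls { keys {...} }` and in `default-key` is actually defined on both sides with the same secret, that the secret is well-formed base64 of a sensible length, and flags the ARM's published sample secret, since it is printed in the manual and offers no protection. The check names and the 16-byte threshold are assumptions of this example.

```python
import base64, binascii, re
# Constructed copies of the two snippets quoted in the post (not the author's real files).
NAMED_CONF = '''key def-rndc_key { algorithm "hmac-md5";  secret
"c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K";
};
controls {inet 127.0.0.1 allow { localhost; } keys {def-rndc_key; };
};'''
RNDC_CONF = '''key def-rndc_key { algorithm "hmac-md5";  secret
"c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K";
};
options {
     default-server localhost;
     default-key    rndc_key;
};'''
# The secret printed in the ARM's sample config; anyone who has read the ARM knows it.
ARM_SAMPLE_SECRET = "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K"
KEY_RE = re.compile(r'key\s+(\S+)\s*\{.*?secret\s*"([^"]+)"\s*;', re.S)

def parse_keys(conf):
    """Map key name -> base64 secret for every key statement in a config string."""
    return {m.group(1): m.group(2) for m in KEY_RE.finditer(conf)}

def check_rndc_setup(named_conf, rndc_conf):
    """List what would stop rndc working or leave the control channel weakly keyed."""
    problems = []
    server_keys, client_keys = parse_keys(named_conf), parse_keys(rndc_conf)
    ctl = re.search(r'controls\s*\{.*?keys\s*\{\s*([^;\s}]+)', named_conf, re.S)
    dk = re.search(r'default-key\s+(\S+?)\s*;', rndc_conf)
    if not ctl or ctl.group(1) not in server_keys:
        problems.append("controls: key not defined in named.conf")
    if not dk or dk.group(1) not in client_keys:
        problems.append("default-key: key not defined in rndc.conf")
    elif dk.group(1) not in server_keys:
        problems.append("default-key: named.conf has no key of that name")
    elif server_keys[dk.group(1)] != client_keys[dk.group(1)]:
        problems.append("secret: differs between named.conf and rndc.conf")
    for name, secret in {**server_keys, **client_keys}.items():
        if secret == ARM_SAMPLE_SECRET:
            problems.append(f"{name}: secret is the public ARM sample secret")
        try:  # the secret must be valid base64 and not trivially short
            if len(base64.b64decode(secret, validate=True)) < 16:
                problems.append(f"{name}: secret shorter than 16 bytes")
        except binascii.Error:
            problems.append(f"{name}: secret is not valid base64")
    return problems

def corrected_pair(new_secret):
    """Constructed fix: same key name on both sides and the sample secret replaced."""
    rndc = RNDC_CONF.replace("default-key    rndc_key;", "default-key    def-rndc_key;")
    return NAMED_CONF.replace(ARM_SAMPLE_SECRET, new_secret), rndc.replace(ARM_SAMPLE_SECRET, new_secret)
```

Run against the snippets as posted, the check reports the `default-key` name mismatch and the sample secret; after `corrected_pair()` with a fresh secret it reports nothing.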