bind8.2 security issues

phn at icke-reklam.ipsec.nu phn at icke-reklam.ipsec.nu
Mon Jul 1 17:47:42 UTC 2002 

Steve Foster <fosters at uk.psi.com> wrote:

> At 12:55 01/07/02 GMT, phn at icke-reklam.ipsec.nu wrote:
>>
>>I found a solaris-8/sparc package from steve at smc.vnet.net , i have a copy 
>>on ftp://ftp.manet.nu/pub/bind/bind-9.2.1-sol8-sparc-local.gz ( yes
>>you _should_ build your own, but to get running asap installing a package
>>could be ok)

> Hi,

> i decided to build from scratch, and it seems to have gone okay. I have

Good.

> started named with a modified version of the named.conf i used to use for
> our 8.2.3 installations, certain things had to be removed for it to start,
> such as the following:

> named-xfer "/usr/local/sbin/named-xfer" ;

>         topology {
>                 localhost;
>                 localnets;
>                 { 154.32/16; };
>         };

> Are these not used anymore, and is there an equivalent of named-xfer, this
> is not something i need now, but will be when/if i build my secondary and
> primary servers???

You might want to install /etc/rndc.conf and add a key to that and 
/etc/named.conf. It's pretty well described in the arp-book, section
3.4.1.2 Administrative tools ( at the end) has an example.
( http://www.ipsec.nu/dns/bind9/Bv9ARM.ch03.html#AEN371 )


> the startup shows the following:

> Jul  1 15:41:30 testmonitor.europe.psi.com named[25973]: starting BIND
> 9.2.1 -u nobody -c /usr/local/etc/named.conf
> Jul  1 15:41:30 hostname named[25973]: using 1 CPU
> Jul  1 15:41:30 hostname named[25973]: loading configuration from
> '/usr/local/etc/named.conf'
> Jul  1 15:41:30 hostname named[25973]: no IPv6 interfaces found
> Jul  1 15:41:30 hostname named[25973]: listening on IPv4 interface lo0,
> 127.0.0.1#53
> Jul  1 15:41:30 hostname named[25973]: listening on IPv4 interface hme0,
> 154.8.2.126#53
> Jul  1 15:41:30 hostname named[25973]: none:0: open:
> /usr/local/etc/rndc.key: file not found

This will get fixed by inserting a rndc key 

> Jul  1 15:41:30 hostname named[25973]: couldn't add command channel
> 127.0.0.1#953: file not found
> Jul  1 15:41:30 hostname named[25973]: no source of entropy found
> Jul  1 15:41:30 hostname named[25973]: zones/named.127:1: no TTL specified;
> using SOA MINTTL instead
> Jul  1 15:41:30 hostname named[25973]: zone 127.in-addr.arpa/IN: loaded
> serial 1
> Jul  1 15:41:30 hostname named[25973]: zones/named.localhost:1: no TTL
> specified; using SOA MINTTL instead
> Jul  1 15:41:30 hostname named[25973]: zone localhost/IN: loaded serial 1
> Jul  1 15:41:30 hostname named[25973]: running

> Do i need to worry anout rndc.key, or is this for something else other than
> resolving, and is there any specific options for named.conf to fix the
> "couldn't add command channel 127.0.0.1#953: file not found" error.
Probably solved when you have a working key configured.

> my conf file is attached below, i couldn't find a sample resolver file, or
> does anybody have a 9 specific one i can review.

/etc/resolv.conf is the same.  

Have a look at logging categories, they have changed substantially.


> many thanks

> Steve

> Conffile:

> # more named.conf
> options {
>         directory "/usr/local/etc" ;
>         pid-file "/var/domain/run/named.pid" ;
> };

> logging {
>         channel xferlog {
>                 file "/var/domain/log/named-xfer" versions 5 size 1m;
>                 print-time yes;
>                 print-category yes;
>                 severity info;
>         };

>         category xfer-in { xferlog ; } ;
>         category xfer-out { xferlog ; } ;
>         category notify { xferlog ; } ;
>         category lame-servers { null; };
>         channel queries {
>                 file "/var/domain/log/queries" versions 5 size 10m;
>                 print-time yes;
>                 print-category no;
>                 print-severity yes;
>         };
>         category queries { queries ; } ;

> };

> zone "." {
>         type hint ;
>         file "zones/named.hint" ;
> };

> zone "127.in-addr.arpa" {
>         type master ;
>         file "zones/named.127" ;
> };

> zone "localhost" {
>         type master ;
>         file "zones/named.localhost" ;
> };



> Steve Foster
> Senior Systems Administrator
> PSINet Europe
> Work: +44 (1223) 577322
> Mobile: +44 (7720) 425911


-- 
Peter Håkanson         
        IPSec  Sverige      ( At Gothenburg Riverside )
           Sorry about my e-mail address, but i'm trying to keep spam out,
	   remove "icke-reklam" if you feel for mailing me. Thanx.

More information about the bind-users mailing list