Here I am again, hat in hand with humble demeanor.......

Tony Finch dot at dotat.at
Fri Sep 24 19:51:32 UTC 2010 

On Fri, 24 Sep 2010, Stewart Dean wrote:

> 1) I assume the canonical location of named.conf is always in /etc?

A default build of bind expects to find it in /etc/named.conf
If you are running chrooted it needs to be copied into the chroot.

> 2) My home-built binary is nearly 7MB, while the CentOS distro binary is about
> 400K.  Is this right?  Is there a way as in sendmail of determining what
> features bind was built with or is that an invalid question?

Apart from named -V which David Miller mentioned, try running ldd named to
compare how the two versions are linked.

> 3) My binary is (sensibly) in /usr/local/sbin where it is found first by the
> which command, but the distro init.d/named invocation file looks to the distro
> /usr/sbin.

Take a copy of the startup script. Remove the distro's named package.
Put a suitably edited version of the startup script in
/usr/local/etc/init.d (so it is clear it isn't owned by the distro) and
add a symlink from /etc/init.d/named to /usr/local/etc/init.d/named

> 5) What are the drawbacks in running a chrooted DNS?

It is a bit tricky to ensure all the paths compiled into the various
programs work both inside and outside the chroot, in particular
/etc/rndc.key and /var/run/named/session.key (for nsupdate -l).

The normal way is to set up the chroot in /var/run/named but this is also
bind's default working directory when running outside the chroot, and I
don't like chrooted programs being able to write to their root directory.

I run bind in the chroot /spool/bind and to minimize the number of
non-default run-time settings I configure it at compile time with
--localstatedir=/spool/bind/var --sysconfdir=/spool/bind/etc
At run-time I configure bind with directory "/spool/bind/var";
so all pathnames work chrooted or not. When running bind chrooted I need
to specify the configuration file path to suppress a warning, i.e.
named -u named -t /spool/bind -c /etc/named.conf

To set up the chroot, I do

		T=/spool/bind

		mkdir $T/etc
		$PREFIX/sbin/rndc-confgen -a -u named
		chmod g+r $T/etc/rndc.key

		mkdir $T/var # named working directory
		chown named $T/var

		mkdir $T/log
		chown named $T/log

		mkdir $T/dev
		cp -a /dev/urandom $T/dev
		cp -a /dev/random  $T/dev

		# so named can find things inside the chroot
		mkdir $T/var/run
		ln -s var/run $T/spool
		ln -s ../.. $T/spool/bind
		ln -s .. $T/var/run/named
		ln -s .. $T/var/run/lwresd

Tony.
-- 
f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
HUMBER THAMES DOVER WIGHT PORTLAND: NORTH BACKING WEST OR NORTHWEST, 5 TO 7,
DECREASING 4 OR 5, OCCASIONALLY 6 LATER IN HUMBER AND THAMES. MODERATE OR
ROUGH. RAIN THEN FAIR. GOOD.

More information about the bind-users mailing list