start script for bind9

Bill Larson wllarso.dns at gmail.com
Fri Apr 15 16:12:21 UTC 2011


On Apr 15, 2011, at 9:29 AM, hugo hugoo wrote:

> I do not use the version provided by Debian because I am migrating  
> from bind8 to Bind9 and I want to have both versions available on the  
> same server.
> So, I want to have Bind9 totally separated from Bind8.
>
> I use Debian, version 5 and the last ESV bind9.
>
> - I have seen that in the debian distribution, bind9 is started via  
> "named -u bind"  ==> is it dangerous to run bind9 as root?

It is dangerous to run anything as root, "named", "httpd", etc.  This  
includes running anything you do on the console as root, unless it is  
absolutely necessary.

This is why software that requires root access to start up, such as  
BIND, is written such that it is easy to run as a non-privileged  
user.  Information about using this is included in the ARM, basically  
making sure that the necessary files/directories are readable (and  
maybe writable) by the identified user.  Easy enough that doing  
anything else is simply foolish.

>  - The following script is provided in the distribution to start/stop bind9.
>   But I hesitate to copy it to use it with a source installation.
>
> lennydnstest01:~# cat /etc/init.d/bind9
> #!/bin/sh
> ### BEGIN INIT INFO
> # Provides:          bind9
> # Required-Start:    $remote_fs
> # Required-Stop:     $remote_fs
> # Should-Start:      $network $syslog
> # Should-Stop:       $network $syslog
> # Default-Start:     2 3 4 5
> # Default-Stop:      0 1 6
> # Short-Description: Start and stop bind9
> # Description:       bind9 is a Domain Name Server (DNS)
> #        which translates ip addresses to and from internet names
> ### END INIT INFO
> PATH=/sbin:/bin:/usr/sbin:/usr/bin
> # for a chrooted server: "-u bind -t /var/lib/named"
> # Don't modify this line, change or create /etc/default/bind9.
> OPTIONS=""
> RESOLVCONF=no
> test -f /etc/default/bind9 && . /etc/default/bind9
> test -x /usr/sbin/rndc || exit 0
> . /lib/lsb/init-functions
> DISTRO=$(lsb_release -is 2>/dev/null || echo Debian)
> PIDFILE=/var/run/bind/run/named.pid
> check_network() {
>     if [ -x /usr/bin/uname ] && [ "X$(/usr/bin/uname -o)" = XSolaris ]; then
>         IFCONFIG_OPTS="-au"
>     else
>         IFCONFIG_OPTS=""
>     fi
>     if [ -z "$(/sbin/ifconfig $IFCONFIG_OPTS)" ]; then
>        #log_action_msg "No networks configured."
>        return 1
>     fi
>     return 0
> }
> case "$1" in
>     start)
>         log_daemon_msg "Starting domain name service..." "bind9"
>         modprobe capability >/dev/null 2>&1 || true
>         # dirs under /var/run can go away on reboots.
>         mkdir -p /var/run/bind/run
>         chmod 775 /var/run/bind/run
>         chown root:bind /var/run/bind/run >/dev/null 2>&1 || true
>         if [ ! -x /usr/sbin/named ]; then
>             log_action_msg "named binary missing - not starting"
>             log_end_msg 1
>             exit 1
>         fi
>         if ! check_network; then
>             log_end_msg 1
>             exit 1
>         fi
> echo $OPTIONS;
>         if start-stop-daemon --start --oknodo --quiet --exec /usr/sbin/named \
>                 --pidfile ${PIDFILE} -- $OPTIONS; then
>             if [ "X$RESOLVCONF" != "Xno" ] && [ -x /sbin/resolvconf ] ; then
>                 echo "nameserver 127.0.0.1" | /sbin/resolvconf -a lo.named
>             fi
>             log_end_msg 0
>         else
>             log_end_msg 1
>         fi
>     ;;
>     stop)
>         log_daemon_msg "Stopping domain name service..." "bind9"
>         if ! check_network; then
>             log_end_msg 1
>             exit 1
>         fi
>         if [ "X$RESOLVCONF" != "Xno" ] && [ -x /sbin/resolvconf ] ; then
>             /sbin/resolvconf -d lo.named
>         fi
>         pid=$(/usr/sbin/rndc stop -p | awk '/^pid:/ {print $2}')
>         if [ -n "$pid" ]; then
>           while kill -0 $pid 2>/dev/null; do
>             log_progress_msg "waiting for pid $pid to die"
>             sleep 1
>           done
>         fi
>         log_end_msg $?
>     ;;
>     reload|force-reload)
>         log_daemon_msg "Reloading domain name service..." "bind9"
>         if ! check_network; then
>             log_end_msg 1
>             exit 1
>         fi
>         /usr/sbin/rndc reload >/dev/null
>         log_end_msg $?
>     ;;
>     restart)
>         if ! check_network; then
>             exit 1
>         fi
>         $0 stop
>         $0 start
>     ;;
>
>     status)
>         ret=0
>         status_of_proc -p ${PIDFILE} /usr/sbin/named bind9 2>/dev/null || ret=$?
>         ;;
>     *)
>         log_action_msg "Usage: /etc/init.d/bind9 {start|stop|reload|restart|force-reload|status}"
>         exit 1
>     ;;
> esac
> exit 0

Wow, this does a lot of stuff, everything but putting out the cat at  
night!  So much that it makes me a little leery of it.  I like to know  
exactly what is occurring when running something, but this is a  
difference in administration styles.

This is the Debian supplied "bind9" etc script.  Why not copy and  
rename this to something else such that it doesn't conflict with the  
Debian startup scripts.  Then you can configure it how you want and  
need and not worry about getting clobbered with updates from Debian.

Bill Larson