Fully automated DNSSEC with BIND 9.16

Petr Menšík pemensik at redhat.com
Mon Apr 17 12:32:32 UTC 2023


If you have enabled SELinux and the package uses an SELinux policy to
restrict file access of named, I think named-chroot is not necessary. It
just complicates the usage and maintenance. But I think packages of ISC
do not have similar SELinux protection as Red Hat supported bind or
bind9.16 packages. ISC packages do not offer chroot helpers either. You
would have to prepare it yourself.

On 4/13/23 18:17, David Carvalho via bind-users wrote:
> Hello and thank you for the reply.
> I can confirm my current DNS servers already have the EPEL repo enabled and the jemalloc package is available.
> I'll set up my test machine accordingly to be able to install BIND 9.18. Will it also provide named-chroot (is it really necessary?)
> Thanks!
> David
>
>
> -----Original Message-----
> From: Anand Buddhdev <anandb at ripe.net>
> Sent: 13 April 2023 16:48
> To: David Carvalho <david at di.ubi.pt>
> Cc: 'Bind Users Mailing List' <bind-users at lists.isc.org>
> Subject: Re: Fully automated DNSSEC with BIND 9.16
>
> On 13/04/2023 17:17, David Carvalho via bind-users wrote:
>
> Hi David,
>
>> Hello and thanks for the reply.
>> I enabled this repo in Oracle Linux 8 with: dnf copr enable isc/bind
>>
>> Then I tried to install (dnf install isc-bind) but I got:
>> Error:
>>    Problem: package isc-bind-1:2-3.el8.x86_64 requires isc-bind-bind, but none of the providers can be installed
>>     - package isc-bind-bind-9.18.13-1.1.el8.x86_64 requires libbind9-9.18.13.so()(64bit), but none of the providers can be installed
>>     - package isc-bind-bind-9.18.13-1.1.el8.x86_64 requires libdns-9.18.13.so()(64bit), but none of the providers can be installed
>>     - package isc-bind-bind-9.18.13-1.1.el8.x86_64 requires libisc-9.18.13.so()(64bit), but none of the providers can be installed
>>     - package isc-bind-bind-9.18.13-1.1.el8.x86_64 requires libisccc-9.18.13.so()(64bit), but none of the providers can be installed
>>     - package isc-bind-bind-9.18.13-1.1.el8.x86_64 requires libisccfg-9.18.13.so()(64bit), but none of the providers can be installed
>>     - package isc-bind-bind-9.18.13-1.1.el8.x86_64 requires libns-9.18.13.so()(64bit), but none of the providers can be installed
>>     - package isc-bind-bind-9.18.13-1.1.el8.x86_64 requires isc-bind-bind-libs = 9.18.13, but none of the providers can be installed
>>     - conflicting requests
>>     - nothing provides libjemalloc.so.2()(64bit) needed by isc-bind-bind-libs-9.18.13-1.1.el8.x86_64
>> (try to add '--skip-broken' to skip uninstallable packages or '--nobest' to use not only best candidate packages)
> BIND 9.18 and newer require jemalloc, but this package isn't part of Red Hat base. You also need to enable the EPEL repository for this.
I think it is not required by all 9.18 builds. It is recommended, but
can be omitted. It has to be configured at build time, however.
configure --without-jemalloc is still supported. It is still possible to
build even 9.18 without jemalloc.
>
> With Oracle Linux, there are 2 different EPELs available. Oracle's own rebuild of EPEL packages, and the Fedora EPEL. My personal preference is the Fedora EPEL repo, which you can install with:
>
> dnf -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
>
> Then you should be able to install the ISC BIND packages.
>
> Regards,
> Anand
Interesting. I did not know Oracle also rebuilds EPEL packages. Are they
also 100% compatible rebuilds like RHEL packages? Do they at least
document how to contribute to EPEL anywhere?

-- 
Petr Menšík
Software Engineer, RHEL
Red Hat, https://www.redhat.com/
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
