From bc59c3392f20dcf0f597d009604ffef2381b9419 Mon Sep 17 00:00:00 2001
From: jvdias
Date: Mar 30 2006 00:52:34 +0000
Subject: fix bug 186577 - libbind.pc, more .spec file cleanup; add sample configuration files to %doc; rebuild for new gcc and glibc
---
diff --git a/bind-chroot-admin.in b/bind-chroot-admin.in
index 1bb3e1b..7d635ae 100644
--- a/bind-chroot-admin.in
+++ b/bind-chroot-admin.in
@@ -198,11 +198,14 @@ function sync_files()
 ng=$?
 shopt -s nullglob;
 pfx=''
+changed=`/bin/mktemp /tmp/XXXXXX`;
+rm -f $changed
 if rootdir ; then
 # chroot is enabled
 /usr/bin/find /{etc/{named.*,rndc.*},${BIND_DIR#/}{/*,/data/*,/slaves/*}} -maxdepth 0 -type f | while read f; do
 replace_with_link ${BIND_CHROOT_PREFIX}/$f $f;
+[ ! -e $changed ] && touch $changed;
 done;
 pfx=${BIND_CHROOT_PREFIX}
 else
 # chroot is disabled
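Review bot: `changed=`/bin/mktemp /tmp/XXXXXX`; rm -f $changed` discards the only guarantee mktemp gives: once the file is removed, the name is a predictable path in /tmp that root later recreates with `touch $changed`, so a local user who claims that name in between (a symlink is enough, since touch follows symlinks and creates a missing target) can have root create or update a file of their choosing. The marker file is presumably used because the `touch` runs inside the `find | while read` subshell, where a shell variable would be lost; the same file-based flag works without the race if the mktemp file is kept and its size is the flag: `changed=$(/bin/mktemp /tmp/XXXXXX) || exit 1` with no `rm`, `echo >> "$changed"` in place of each `[ ! -e $changed ] && touch $changed`, and `[ -s "$changed" ]` at the test in the next hunk. Note also that an unchecked mktemp failure leaves `changed` empty, after which the unquoted `[ -e $changed ]` in the next hunk degenerates to a one-argument test that is always true. sync_files continues past the end of this hunk.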
@@ -211,31 +214,54 @@ function sync_files()
 do
 if [ ! -d "$f" ]; then
 replace_with_file $f ${f#$BIND_CHROOT_PREFIX};
+[ ! -e $changed ] && touch $changed;
 fi;
 done
 fi;
-if [ $ng -eq 1 ]; then
-shopt -u nullglob;
-fi;
+if [ ! -e ${pfx}/etc/rndc.key ]; then
+echo 'key "rndckey" {
+algorithm hmac-md5;
+secret "'`/usr/sbin/dns-keygen`'";
+};' > /etc/rndc.key;
+elif /bin/egrep -q '@KEY@' /etc/rndc.key; then
+/bin/sed -i -e 's^@KEY@^'`/usr/sbin/dns-keygen`'^' /etc/rndc.key ;
+fi
 chown root:named ${pfx}/var/named/* >/dev/null 2>&1;
 chmod 750 ${pfx}/var/named >/dev/null 2>&1;
 chmod 640 ${pfx}/var/named/* >/dev/null 2>&1;
 chown named:named ${pfx}/var/named/{data{,/*},slaves{,*/}} >/dev/null 2>&1;
 chmod 770 ${pfx}/var/named/{data,slaves} >/dev/null 2>&1;
 chmod 640 ${pfx}/var/named/{data/*,slaves/*} >/dev/null 2>&1;
+if [ -e $changed ]; then
+if [ -e /selinux/enforce ] && [ -x /sbin/restorecon ]; then
+if [ -n "$pfx" ]; then
+/sbin/restorecon -R $pfx/etc $pfx/var/named $pfx/var/run/named >/dev/null 2>&1;
+if [ -e $pfx/etc/localtime ] && [ -e /etc/localtime ] ; then
+/usr/bin/chcon --reference=/etc/localtime $pfx/etc/localtime >/dev/null 2>&1;
+fi;
+else
+/sbin/restorecon /etc/{named,rndc}.* >/dev/null 2>&1;
+/usr/bin/chcon --reference=/etc/named.conf /etc/named.* >/dev/null 2>&1;
+/sbin/restorecon -e /var/named/chroot /var/named{/,/data/,/slaves/}* >/dev/null 2>&1;
+fi;
+fi;
+/sbin/service named condrestart
+rm -f $changed;
+fi;
+if [ $ng -eq 1 ]; then
+shopt -u nullglob;
+fi;
 }
 case $1 in
 -e|--enable)
 enable_bind_chroot;
 sync_files;
-/sbin/service named condrestart
 exit $?;
 ;;
 -d|--disable)
 disable_bind_chroot;
 sync_files;
-/sbin/service named condrestart
 /bin/umount ${BIND_CHROOT_PREFIX}/proc >/dev/null 2>&1 || :;
 /bin/umount ${BIND_CHROOT_PREFIX}/var/run/dbus >/dev/null 2>&1 || :;
 exit $?;
diff --git a/bind.spec b/bind.spec
index 14496e2..dc9fc25 100644
--- a/bind.spec
+++ b/bind.spec
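Review bot: The new `echo 'key "rndckey" { … secret "'`/usr/sbin/dns-keygen`'"; };' > /etc/rndc.key` writes the freshly generated rndc secret with whatever mode the caller's umask allows (0644 under the usual 022), and nothing in the hunk tightens it afterwards — the chown/chmod lines that follow cover only ${pfx}/var/named, not the key file. The existence check is made on `${pfx}/etc/rndc.key` while the write and the `@KEY@` substitution act on `/etc/rndc.key`, so with the chroot enabled the branch is chosen on one path and applied to another; and neither branch marks `$changed`, so a newly written key does not trigger the `condrestart` that now lives inside `if [ -e $changed ]`. I would create the file under `umask 077`, give it the same root:named/640 treatment the hunk already gives the zone files, use one path for test and write, and mark the change; which path is right depends on how replace_with_link sets up /etc/rndc.key, which is outside this hunk, so treat `${pfx}/etc/rndc.key` below as a placeholder to confirm. sync_files starts before this hunk.
```shell
    if [ ! -e ${pfx}/etc/rndc.key ]; then
        rndc_secret=`/usr/sbin/dns-keygen` || exit 1
        # create the key file closed (0600) so the secret is never world-readable, then relax to root:named 640
        ( umask 077; echo 'key "rndckey" {
        algorithm hmac-md5;
        secret "'"$rndc_secret"'";
};' > ${pfx}/etc/rndc.key ) || exit 1
        chown root:named ${pfx}/etc/rndc.key; chmod 640 ${pfx}/etc/rndc.key;
        touch $changed;
    elif /bin/egrep -q '@KEY@' ${pfx}/etc/rndc.key; then
        /bin/sed -i -e 's^@KEY@^'`/usr/sbin/dns-keygen`'^' ${pfx}/etc/rndc.key ;
        touch $changed;
    fi
    # … unchanged: chown/chmod of ${pfx}/var/named, SELinux relabel and condrestart block …
```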
@@ -52,6 +52,9 @@
 Source25: rfc1912.txt
 Source26: bind-chroot-admin.in
 Source27: named.rfc1912.zones
 Source28: libbind.pc
+Source29: named.conf.sample
+Source30: named.rfc1912.zones.sample
+Source31: named.root.hints
 # Patch: bind-9.2.0rc3-varrun.patch
 Patch1: bind-9.3.2b2-rndckey.patch
@@ -464,15 +467,15 @@ sed -e 's^@BIND_CHROOT_PREFIX@^'%{chroot_prefix}'^;s^@BIND_DIR@^'%{bind_dir}'^'
 install -m 754 bind-chroot-admin ${RPM_BUILD_ROOT}/%{_sbindir}
 # sample bind configuration files for %doc:
 mkdir -p sample/etc sample/var/named/{data,slaves}
-cp -fp %{_sourcedir}/named.conf.sample sample/etc/named.conf
-cp -fp %{_sourcedir}/named.rfc1912.zones.sample sample/etc/named.rfc1912.zones
-cp -fp %{_sourcedir}/named.root.hints sample/etc/
-cp -fp %{_sourcedir}/{named.root,named.local,localhost.zone,localdomain.zone,named.ip6.local,named.broadcast,named.zero} sample/var/named
+cp -fp %{SOURCE29} sample/etc/named.conf
+cp -fp %{SOURCE30} sample/etc/named.rfc1912.zones
+cp -fp %{SOURCE31} sample/etc/
+cp -fp %{SOURCE17} %{SOURCE18} %{SOURCE19} %{SOURCE20} %{SOURCE21} %{SOURCE22} %{SOURCE23} sample/var/named
 for f in my.internal.zone.db slaves/my.slave.internal.zone.db slaves/my.ddns.internal.zone.db my.external.zone.db; do
 echo '@ in soa localhost. root 1 3H 15M 1W 1D ns localhost.' > sample/var/named/$f;
 done
-/usr/bin/tail -n '+'`/bin/egrep -n '\\$Id: bind.spec,v 1.99 2006/03/30 00:35:52 jvdias Exp $/+1/' | bc` bin/rndc/rndc.conf | sed '/Sample rndc configuration file./{p;i\
+/usr/bin/tail -n '+'`/bin/egrep -n '\\$Id: bind.spec,v 1.100 2006/03/30 00:52:34 jvdias Exp $/+1/' | bc` bin/rndc/rndc.conf | sed '/Sample rndc configuration file./{p;i\
 *\
 * NOTE: you only need to create this file if it is to\
 * differ from the following default contents:
diff --git a/libbind.pc b/libbind.pc
index cfab90c..27437f2 100644
--- a/libbind.pc
+++ b/libbind.pc
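Review bot: The rewritten `/usr/bin/tail -n '+'`/bin/egrep -n '\\$Id: bind.spec,v 1.100 … Exp $/+1/' | bc` …` line cannot work as committed: egrep is handed a pattern but no file operand and nothing is piped into it, so `bc` gets no input and the `tail -n '+…'` offset used to extract rndc.conf is empty. The only difference between the old and new line is the CVS `$Id: … $` string inside the egrep pattern, which strongly suggests keyword expansion has swallowed whatever originally sat between `$Id:` and the next `$` (presumably the `bin/rndc/rndc.conf` operand and a sed stage producing the `+1`), and the line will be mangled again on every commit. Write the pattern so it is not a CVS keyword and restore the pipeline, e.g. `egrep -n '[$]Id:' bin/rndc/rndc.conf | sed 's/:.*$/+1/' | bc`, then re-check the generated rndc.conf in the built package. The %install section this belongs to starts before the hunk.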
@@ -2,5 +2,5 @@
 Name: libbind
 Description: BIND 8 compatible DNS Resolver Library
 Version: 9.3.2
-Libs: -L/usr/lib -lbind
+Libs: -lbind
 Cflags: -I/usr/include/bind
\ No newline at end of file
diff --git a/named.caching-nameserver.conf b/named.caching-nameserver.conf
index 34b23dc..8c5ee4f 100644
--- a/named.caching-nameserver.conf
+++ b/named.caching-nameserver.conf
@@ -5,6 +5,8 @@
 // ISC BIND named(8) DNS server as a caching only nameserver
 // (as a localhost DNS resolver only).
 //
+// See /usr/share/doc/bind*/sample/ for example named configuration files.
+//
 // DO NOT EDIT THIS FILE - use system-config-bind or an editor
 // to create named.conf - edits to this file will be lost on
 // bind-config package upgrade.
diff --git a/named.conf.sample b/named.conf.sample
new file mode 100644
index 0000000..0f46fbd
--- /dev/null
+++ b/named.conf.sample
@@ -0,0 +1,127 @@
+//
+// Sample named.conf BIND DNS server 'named' configuration file
+// for the Red Hat BIND distribution.
+//
+// See the BIND Administrator's Reference Manual (ARM) for details, in:
+// file:///usr/share/doc/bind-*/arm/Bv9ARM.html
+// Also see the BIND Configuration GUI : /usr/bin/system-config-bind and
+// its manual.
+//
+options
+{
+ /* make named use port 53 for the source of all queries, to allow
+ * firewalls to block all ports except 53:
+ */
+ query-source port 53;
+ query-source-v6 port 53;
+
+ // Put files that named is allowed to write in the data/ directory:
+ directory "/var/named"; // the default
+ dump-file "data/cache_dump.db";
+ statistics-file "data/named_stats.txt";
+ memstatistics-file "data/named_mem_stats.txt";
+
+};
+logging
+{
+/* If you want to enable debugging, eg. using the 'rndc trace' command,
+ * named will try to write the 'named.run' file in the $directory (/var/named).
+ * By default, SELinux policy does not allow named to modify the /var/named directory,
+ * so put the default debug log file in data/ :
+ */
+ channel default_debug {
+ file "data/named.run";
+ severity dynamic;
+ };
+};
+//
+// All BIND 9 zones are in a "view", which allow different zones to be served
+// to different types of client addresses, and for options to be set for groups
+// of zones.
+//
+// By default, if named.conf contains no "view" clauses, all zones are in the
+// "default" view, which matches all clients.
+//
+// If named.conf contains any "view" clause, then all zones MUST be in a view;
+// so it is recommended to start off using views to avoid having to restructure
+// your configuration files in the future.
+//
+view "localhost_resolver"
+{
+/* This view sets up named to be a localhost resolver ( caching only nameserver ).
+ * If all you want is a caching-only nameserver, then you need only define this view:
+ */
+ match-clients { localhost; };
+ match-destinations { localhost; };
+ recursion yes;
+ # all views must contain the root hints zone:
+ include "/etc/named.root.hints";
+
+ /* these are zones that contain definitions for all the localhost
+ * names and addresses, as recommended in RFC1912 - these names should
+ * ONLY be served to localhost clients:
+ */
+ include "/etc/named.rfc1912.zones";
+};
+view "internal"
+{
+/* This view will contain zones you want to serve only to "internal" clients
+ that connect via your directly attached LAN interfaces - "localnets" .
+ */
+ match-clients { !localnets; !localhost; };
+ match-destinations { !localnets; !localhost; };
+ recursion yes;
+ // all views must contain the root hints zone:
+ include "/etc/named.root.hints";
+
+ // include "named.rfc1912.zones";
+ // you should not serve your rfc1912 names to non-localhost clients.
+
+ // These are your "authoritative" internal zones, and would probably
+ // also be included in the "localhost_resolver" view above :
+
+ zone "my.internal.zone" {
+ type master;
+ file "my.internal.zone.db";
+ };
+ zone "my.slave.internal.zone" {
+ type slave;
+ file "slaves/my.slave.internal.zone.db";
+ masters { /* put master nameserver IPs here */ 127.0.0.1; } ;
+ // put slave zones in the slaves/ directory so named can update them
+ };
+ zone "my.ddns.internal.zone" {
+ type master;
+ allow-update { key ddns_key; };
+ file "slaves/my.ddns.internal.zone.db";
+ // put dynamically updateable zones in the slaves/ directory so named can update them
+ };
+};
+key ddns_key
+{
+ algorithm hmac-md5;
+ secret "use /usr/sbin/dns-keygen to generate TSIG keys";
+};
+view "external"
+{
+/* This view will contain zones you want to serve only to "external" clients
+ * that have addresses that are not on your directly attached LAN interface subnets:
+ */
+ match-clients { !localnets; !localhost; };
+ match-destinations { !localnets; !localhost; };
+
+ recursion no;
+ // you'd probably want to deny recursion to external clients, so you don't
+ // end up providing free DNS service to all takers
+
+ // all views must contain the root hints zone:
+ include "/etc/named.root.hints";
+
+ // These are your "authoritative" external zones, and would probably
+ // contain entries for just your web and mail servers:
+
+ zone "my.external.zone" {
+ type master;
+ file "my.external.zone.db";
+ };
+};
diff --git a/named.rfc1912.zones b/named.rfc1912.zones
index 179c772..2a3b74d 100644
--- a/named.rfc1912.zones
+++ b/named.rfc1912.zones
@@ -5,7 +5,8 @@
 // ISC BIND named zone configuration for zones recommended by
 // RFC 1912 section 4.1 : localhost TLDs and address zones
 //
-
+// See /usr/share/doc/bind*/sample/ for example named configuration files.
+//
 zone "." IN {
 type hint;
 file "named.ca";
diff --git a/named.rfc1912.zones.sample b/named.rfc1912.zones.sample
new file mode 100644
index 0000000..c9b4aaf
--- /dev/null
+++ b/named.rfc1912.zones.sample
@@ -0,0 +1,40 @@
+// named.rfc1912.zones:
+//
+// ISC BIND named zone configuration for zones recommended by
+// RFC 1912 section 4.1 : localhost TLDs and address zones
+//
+zone "localdomain" IN {
+ type master;
+ file "localdomain.zone";
+ allow-update { none; };
+};
+
+zone "localhost" IN {
+ type master;
+ file "localhost.zone";
+ allow-update { none; };
+};
+
+zone "0.0.127.in-addr.arpa" IN {
+ type master;
+ file "named.local";
+ allow-update { none; };
+};
+
+zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
+ type master;
+ file "named.ip6.local";
+ allow-update { none; };
+};
+
+zone "255.in-addr.arpa" IN {
+ type master;
+ file "named.broadcast";
+ allow-update { none; };
+};
+
+zone "0.in-addr.arpa" IN {
+ type master;
+ file "named.zero";
+ allow-update { none; };
+};
diff --git a/named.root.hints b/named.root.hints
new file mode 100644
index 0000000..7c5971d
--- /dev/null
+++ b/named.root.hints
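Review bot: In view "internal" the new `match-clients { !localnets; !localhost; };` (and the matching `match-destinations`) is byte-identical to the ACL given to view "external", so the two views cannot select different clients, and a comment two lines above says this view is meant for LAN clients, "localnets". Worse, an address list built only from negated elements matches nothing under BIND's ACL rules (a matching negated element rejects, and a list with no positive match does not match), so as far as I can tell neither view is ever selected and every non-localhost client is refused instead of getting the recursion-yes/recursion-no split the comments describe. For the LAN view use the positive form the comment names, `match-clients { localnets; };` / `match-destinations { localnets; };`, and for the external view end the list with a positive element, `match-clients { !localnets; !localhost; any; };` (likewise for match-destinations). The placeholder `secret "use /usr/sbin/dns-keygen to generate TSIG keys";` is not base64, so a copy of this sample left as-is will presumably not load; a comment beside the key saying so, e.g. `// replace this placeholder with /usr/sbin/dns-keygen output before use - named will not load the file otherwise`, would save the next admin a failed restart.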
@@ -0,0 +1,15 @@
+//
+// The 'named.root' root cache hints zone for the bind DNS 'named' nameserver.
+//
+// named's cache must be primed with the addresses of the root zone '.' nameservers.
+// The root zone file can be obtained by querying the root 'A' nameserver:
+// $ dig . ns @198.41.0.4 > named.root
+// Or by download via FTP / HTTP:
+// $ wget ftp://ftp.rs.internic.net/domain/named.root
+//
+// Every view that is to provide recursive service must include this zone.
+//
+zone "." IN {
+ type hint;
+ file "named.root";
+};
\ No newline at end of file