Revision history for opennicZoneScript


Revision [3894]

Last edited on 2017-01-26 06:49:38 by Luggs [updated server test url]
Additions:
''If you are running a public Tier-2 server, then the next step should be to visit http://www.opennicproject.org/t2log/ and enter your IP address. This page will test your server to confirm that it is able to answer queries from the internet, and that all OpenNIC zones are configured properly.''
Deletions:
''If you are running a public Tier-2 server, then the next step should be to visit http://www.opennicproject.org/t2log/test.php and enter your IP address. This page will test your server to confirm that it is able to answer queries from the internet, and that all OpenNIC zones are configured properly.''


Revision [3183]

Edited on 2014-05-27 16:24:21 by BrianKoontz [Added deprecation notice]
Additions:
<<{{color c="red" text="This page is obsolete and has been left here for reference only!"}} Use [[http://wiki.opennicproject.org/srvzoneScript|this link]] instead for T2 configuration.<<::c::


Revision [2945]

Edited on 2012-07-27 12:40:31 by JeffTaylor [Copy /etc/localtime into chroot]
Additions:

If you wish to have you log file timestamps match the system local time, copy this file into the chroot folder:
## # cp -a /etc/localtime /var/chroot/bind9/etc/ ##
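Review bot: `cp -a` in the added command preserves symlinks, so on a system where /etc/localtime is a symlink into the zoneinfo directory, the copy placed in /var/chroot/bind9/etc/ points at a path that does not exist inside the chroot and the log timestamps will not change. Suggest `cp -L /etc/localtime /var/chroot/bind9/etc/localtime` so the file contents are copied instead of the link. The sentence above the command also has a typo: "have you log file timestamps" should read "have your log file timestamps".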


Revision [2941]

Edited on 2012-07-10 13:14:04 by BrianKoontz [Copy /etc/localtime into chroot]
Additions:
====Automated generation of ""OpenNIC"" configuration files====
Deletions:
====Automated generation of ''OpenNIC'' configuration files====


Revision [2940]

Edited on 2012-07-10 13:13:19 by BrianKoontz [Copy /etc/localtime into chroot]
Additions:
====Automated generation of ''OpenNIC'' configuration files====
Deletions:
====Automated generation of OpenNIC configuration files====


Revision [2934]

Edited on 2012-07-02 13:13:10 by JeffTaylor [Added chroot instructions]
Additions:
The following instructions are based on a clean install of BIND9 on a debian/ubuntu system with the configuration files located in /etc/bind/ and the zone files placed in /var/named/. Other distributions may use different locations for these files, or may use chroot. Please adjust accordingly, or ask for help on the mailing list or IRC chat. You are NOT required to have access to OpenNIC services prior to setting up the scripts below.
If you already have a functioning BIND9 server, notes will be included below to guide you in making the appropriate adjustments. Near the end of this document you will find notes on migrating BIND9 to a chrooted setup. These directions should be suitable both for a new configuration and an existing setup. If you do not already use chroot, please consider migrating your configuration for better security.
## # chown bind:bind /var/log/named ##
And finally, set the ownership of all file to the 'bind' user:
## # chown bind:bind /etc/bind/ ##
## # chown bind:bind /var/named/ ##
----''
==Chrooted setup==
If you wish to run BIND9 under a chroot for security purposes, now is the time to perform the migration. We are going to move all of the BIND9 configuration and zone files into their own self-contained folder at "/var/chroot/bin9/". Again, keep in mind that the given directory paths are based on a debian/ubuntu server, and your configuration may use different paths.
Begin by ensuring that BIND9 is not running:
## # /etc/init.d/bind9 stop ##
Create the chroot directories and special devices:
## # mkdir -p /var/chroot/bind9/{etc,dev,var/cache/bind,var/run/bind/run,var/log/named} ##
## # chown -R bind:bind /var/chroot/bind9/var/ ##
## # mknod /var/chroot/bind9/dev/null c 1 3 ##
## # mknod /var/chroot/bind9/dev/random c 1 8 ##
## # chmod 666 /var/chroot/bind9/dev/{null,random} ##
Now you are ready to move your original BIND configuration into the chroot:
## # mv /etc/bind /var/chroot/bind9/etc ##
## # ln -s /var/chroot/bind9/etc/bind /etc/bind ##
## # mv /var/named /var/chroot/bind9/var ##
## # ln -s /var/chroot/bind9/var/named /var/named ##
You need to configure bind9 to start up using the chroot. For debian/ubuntu:
-edit "/etc/default/bind9" and change the following line:
OPTIONS="-u bind -t /var/chroot/bind9"
''----
Ensure that the script permissions are set for your bind user:
## # chown bind:bind /etc/bind/zone.opennic* ##
Now add the following line to "/etc/crontab" (assuming that BIND9 is run under the username 'bind'):
Deletions:
The following instructions are based on a clean install of BIND9 on a debian system with the configuration files located in /etc/bind/ and the zone files placed in /var/named/. Other distributions may use different locations for these files, or may use chroot. Please adjust accordingly, or ask for help on the mailing list or IRC chat. You are NOT required to have access to OpenNIC services prior to setting up the scripts below.
If you already have a functioning BIND9 server, notes will be included below to guide you in making the appropriate adjustments.
## # chown bind.bind /var/log/named ##
The simplest way to perform updates is to add the following line to "/etc/crontab":
%%50 */3 * * * root /opt/bind-tools/t1zone.sh%%
Note that if you wish to run this script as your local BIND user (assuming that username is 'bind'), you will need to adjust permissions on certain files and folders:
## # chown bind /etc/bind ##
## # chown bind /etc/bind/zone.opennic ##
The line in "/etc/crontab" should be as follows:
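Review bot: The added "Chrooted setup" paragraph gives the target folder as "/var/chroot/bin9/", while every command after it and the `-t /var/chroot/bind9` option use /var/chroot/bind9, so the path in the prose should be corrected to match. In the same additions, "set the ownership of all file" should read "all files", and the two chown commands under it are not recursive, so they change only the directories /etc/bind/ and /var/named/ themselves; either add -R or reword the sentence. Because `chown bind:bind /etc/bind/` makes the whole configuration directory writable by the account named runs as, consider limiting the bind user's ownership to the zone.opennic* files and the zone directories the update script has to write, which keeps more of the benefit the chroot is meant to provide.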


Revision [2927]

Edited on 2012-06-28 13:47:45 by JeffTaylor [run script as bind user]
Additions:
And finally, test an ICANN lookup
''If you are running a public Tier-2 server, then the next step should be to visit http://www.opennicproject.org/t2log/test.php and enter your IP address. This page will test your server to confirm that it is able to answer queries from the internet, and that all OpenNIC zones are configured properly.''
Note that if you wish to run this script as your local BIND user (assuming that username is 'bind'), you will need to adjust permissions on certain files and folders:
## # chown -R bind /opt/bind-tools/ ##
## # chown bind /etc/bind ##
## # chown bind /etc/bind/zone.opennic ##
The line in "/etc/crontab" should be as follows:
%%50 */3 * * * bind /opt/bind-tools/t1zone.sh%%
Deletions:
And finaly, test an ICANN lookup
''If you are running a public Tier-2 server, then the next step should be to visit http://www.opennicproject.org/t2log/test.php and enter your IP address. This page will test your server to confirm that it is able to answer queries from the internet, and that all OpenNIC zones are confirgured properly.''
Note that this can be run either as root, or as your local BIND user, but you will need to verify permissions on /opt/bind-tools/ and on /etc/bind/zone.opennic to ensure the updates can generate and overwrite files as needed.
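Review bot: `chown -R bind /opt/bind-tools/` in the additions makes t1zone.sh itself writable by the bind user, and the sentence this revision deletes told readers the script could also be run as root, so a server that still has the root crontab entry would execute a file the bind account can rewrite. Suggest stating that the root entry must be replaced rather than kept alongside the new `bind` line, and keeping the script owned by root while giving bind ownership only of the files the script generates.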


Revision [2926]

Edited on 2012-06-27 15:23:56 by JeffTaylor [Info: create master/slave directories]
Additions:
- $slaveZone and $masterZone will be located under $ZONEFILES, so using the default values, you would find your slave zone files in /var/named/opennic/slave/. **Please make sure you create these directories and chown them to your bind user!**
Deletions:
- $slaveZone and $masterZone will be located under $ZONEFILES, so using the default values, you would find your slave zone files in /var/named/opennic/slave/


Revision [2915]

The oldest known version of this page was created on 2012-06-22 14:42:28 by JeffTaylor [Info: create master/slave directories]