How to properly install Bind9, opensuse11

Installed openSUSE 11.x basic, text only, auto-updated
Installed bind9 with YaST2
but it won’t start.

After some searching, I’ve encountered some stuff about AppArmor. I decided to disable AppArmor until I get the hang of it, but bind still won’t start anyway.

I’m not a Linux guru, but I’ve successfully implemented it on SUSE 9 and older nixes and also winxes.

I have ideated the “jail/chmod” technique but only on winxes; I’m starting to realize it can be done with openSUSE or any other nixes. I only need to get used to the commands, but I got the concepts.

As for the YaST2 installation of the rpm, a lot has changed since my past experiences with SUSE 9. Do you know a way I can build a map of all the files and directories installed, and also where and what configuration files change? I need to know what the openSUSE repo rpm tries to do in this installation, which is supposedly suited for this distro in particular.

I believe this “map” would be a must for ANY rpm documentation, but devs are not used to making it; should I “hack” into the rpm file to get this?

As for the rpm, obviously it’s AppArmor unaware. Not that AppArmor is a new thing; it’s just that the bind rpm needs an update, or it’s just that the rpm is not suited for openSUSE.

Sorry to ask questions that you may think stupid, but distros vary in directory layout, and I’m not a mind reader, nor a fortune teller, or there may be some other types of securities that I don’t know, applied in the newer versions of openSUSE…?

I believe many people have trouble with this; a comprehensible guide on how to properly install bind9 on openSUSE 11.x would help lots.

Thanks for helping

What errors are you getting?

As for the YaST2 installation of the rpm, a lot has changed since my past experiences with SUSE 9. Do you know a way I can build a map of all the files and directories installed, and also where and what configuration files change? I need to know what the openSUSE repo rpm tries to do in this installation, which is supposedly suited for this distro in particular.

If I understand what you’re asking, you can get a detailed file listing of any installed RPM in Yast. If you’re in the text-mode interface, go into Software -> Software Manager, search for the name of the package, then tab over to the “views” option at the top of the screen. Select “file list.”

One good resource for help about Opensuse is Swerdna’s Linux pages. There’s also an Opensuse Wiki, but it appears that the link is busted at the moment. Finally, How-To Forge has a bunch of excellent walk-throughs on setting up a server with most major distributions.

As for Bind itself: interestingly enough, just today I had to get Bind working to do a Split DNS on a mail server. (Daggone Postfix. :) ). Be warned that there have been some subtle changes in the latest releases of Bind – and more importantly, in the default config files provided by the distros, primarily to support the new “views” option. And as I found out, once you do anything with a “view,” everything has to be a “view.”

Post back with more details on the errors that you’re getting. There are some true Bind gurus here (which I most definitely am NOT).

The views feature isn’t particularly new. I’ve been using it for a few years and I think it was already there for a while by then.

I guess it’s new in the default config on what I installed yesterday under a different distro. (In plain English, the default config files now use “view,” whereas the ones I was using last year didn’t.) It’s interesting that a plain-jane bind9 install was what worked for me. When I tried the caching nameserver install, though, I just could NOT get it to work.

But like I said, I’m anything but a bind guru.

Extending my first post

The idea is to make 2 Hyper-V appliances for a cache-only DNS.
At first the installation of openSUSE is incredibly RAM hungry; I needed to configure 1Gb of RAM to do the installation. After it was installed I reduced the available RAM for the virtual machine to only 128Mb and also installed Webmin. It runs fine enough; I’ll try to install the drivers later. Right now the server is running consuming only 80Mb of RAM from the 128 available.

As for Bind itself: interestingly enough, just today I had to get Bind working to do a Split DNS on a mail server. (Daggone Postfix.) Be warned that there have been some subtle changes in the latest releases of Bind – and more importantly, in the default config files provided by the distros, primarily to support the new “views” option. And as I found out, once you do anything with a “view,” everything has to be a “view.”

I’m hoping the newest Webmin module for bind9 will do the job, although it seems that it’s not capable of starting/stopping the service via Webmin.

When trying to start it using “rcnamed start” I get:
Starting Bind9 Done

Then I do “rcnamed status” and I get:
Checking for name server Dead

I repeat the same command “rcnamed start” and then I get another thing:
Starting nameserver BIND startproc: exit status of parent of /usr/bin/named:1 failed

By the way:
>named-checkconf /etc/named.conf

returns nothing

There is some stuff I configured with the Webmin module, like the key to sync for my 2nd vmachine of bind9.
I have not configured any zones.

The thread is diverging a little, this is something more about suse, permissions, etc.

By the way

>named-checkconf /etc/named.conf

returns nothing

I’ve checked those 2 sites; although they have good info, I don’t think it’s related to this topic.

I have only the vaguest idea of what you are actually saying here, but I need to comment that the commonest error with a chrooted bind installation is not to be fully aware of how the chrooting works and that the directories, once the bind start up process has got underway are relative to the chroot directory, and not therefore providing bind with all the directories that it expects to see (with the correct permissions, of course, so Bind can access them).

Basic question; if it is just for caching, why are you using Bind? There are simpler options (dnsmasq, pdnsd) and, if you are concerned about security, Djbdns has a far better record than Bind.

Having said that, O’Reilly does good Bind books (Bind and the recipes book) but you do have to be a bit careful; some of the config stuff has changed over the years, so if you get a book, get a reasonably up-to-date one.

And, of course, given the history of Bind, your Bind has to be up-to-date, too.

I’ve seen you quoted 2 paragraphs.

The first paragraph was the background prior to the bind startup error; it’s written in a condensed manner, step by step.

a) Installation of openSUSE, options taken other than default ones.
b) Statement of having the OS updated.
c) Method of installing the software in question.
d) The problem that arose.

For the second paragraph

As for the “jail /and/or/ chmod” technique, I mean any ways or forms of encapsulating the runtime environment of a given piece of software in any operating system; I’ve said it in this manner because it’s more common for Linux users.

About “Why bind?”, well, dnsmasq would be great, but I would really hate to use it now and then switch to bind if advanced functionality is needed later on, and bind won’t hurt the limited resources of the virtual machine much. Does dnsmasq have any form of Webmin module? The main idea here is to interface with these “servers” only via web; I’ll try dnsmasq, but after I cannot make bind work.

About the past security issues with bind, every piece of software that is popular enough will be under hard pressure from “hackers” to find its vulnerabilities; dnsmasq will be under pressure once it’s more widely used, but being simpler, it is easier for it not to have vulnerabilities.

In any case, this topic is more about why the software isn’t running. I’ll try to write more information later on; I think there’s a running instance of bind, but somehow the system thinks bind is dead…

ps -A informs no instances of bind running

Why the 1st attempt shows
“Starting done” ?

as if it starts ok then suddenly stops

2 hrs later rcnamed start returned Done, but again rcnamed status: Dead; further tries of rcnamed start show the error described before

Found useful information here 13.6. DNS – Domain Name System

/var/log/messages

shows several problems, including:

“the working directory is not writable”
“Loading Key1: bad base64 encoding”
“Loading configuration: bad base64 encoding”

seems Webmin’s key 1 has a bad encoding

>:(
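The “bad base64 encoding” failure reported above can be caught before starting named by decoding every key secret in the config. This is an added example, not code from the thread or from BIND; the function name `check_keys`, the sample config and the directory path in it are constructed for illustration.

```python
import base64
import binascii
import re

# Constructed sample data (not from the thread): one valid TSIG secret and
# one that lost its last character, e.g. when pasted into a web form.
GOOD = base64.b64encode(b"constructed-sample-secret").decode()
SAMPLE_NAMED_CONF = '''
options { directory "/var/lib/named"; };  # assumed path, for illustration
key "good-key" { algorithm hmac-md5; secret "%s"; };
key "key1" {
    algorithm hmac-md5;
    secret "%s";   // truncated secret
};
''' % (GOOD, GOOD[:-1])

# Quoted strings are matched first so "//" inside a secret is not a comment.
STRING_OR_COMMENT = re.compile(r'"[^"]*"|/\*.*?\*/|//[^\n]*|#[^\n]*', re.S)
KEY_RE = re.compile(r'\bkey\s+"?([^\s"{]+)"?\s*\{(.*?)\}\s*;', re.S)
SECRET_RE = re.compile(r'\bsecret\s+"?([^";]*)"?\s*;')

def strip_comments(text):
    keep = lambda m: m.group(0) if m.group(0).startswith('"') else ""
    return STRING_OR_COMMENT.sub(keep, text)

def check_keys(conf_text):
    """Map each key clause name to None (secret decodes) or a problem string."""
    results = {}
    for name, body in KEY_RE.findall(strip_comments(conf_text)):
        m = SECRET_RE.search(body)
        if m is None:
            results[name] = "no secret statement"
            continue
        try:
            raw = base64.b64decode(m.group(1), validate=True)
        except (binascii.Error, ValueError) as exc:
            results[name] = "bad base64 encoding: %s" % exc
            continue
        results[name] = None if raw else "empty secret"
    return results

if __name__ == "__main__":
    for name, problem in check_keys(SAMPLE_NAMED_CONF).items():
        print(name, "->", problem or "ok")
```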

Now that it’s running, we can get better into the topic: a proper installation would need a form of runtime encapsulation. I’ve read that jail and AppArmor are complementary, and the safest method involves both approaches, each covering different aspects of security.
Do you have any ideas regarding this?

By the way
As for the default configuration of bind, it only listens over IPv6

If advanced functionality is what you need, then use bind. If all you need is a caching nameserver that will painlessly handle the local machines (like those inside a virtual LAN) either from the local /etc/hosts file or from the names/addresses handed out by the dhcp server… dnsmasq is way easier - like 15 minutes (if that) to be set up and running.

Does dnsmasq have any form of Webmin module?

Yes. A quick search on Webmin’s site shows the module for it.

About the past security issues with bind, every piece of software that is popular enough will be under hard pressure from “hackers” to find its vulnerabilities; dnsmasq will be under pressure once it’s more widely used, but being simpler, it is easier for it not to have vulnerabilities.

I think you misjudge the intended use of dnsmasq; it’s not really designed for use on the open 'Net, or even as a part of a large corporate network. But for the small family or SOHO network… it is orders of magnitude simpler and easier to get set up right (which as you’re finding is the main problem with bind). dnsmasq doesn’t necessarily do anything that bind9 and dhcp3 won’t, but it’s way simpler to setup - edit one config file, that is massively documented, save the file, restart the daemon and go on to bigger and better things.

For my setup in particular it’s in a corporate environment, but the intent of this thread is a general setup, one that would rather be useful in any environment.

I think this ends here, as the other subjects enter into other areas. I’ve seen that the bind installation is chrooted by the default openSUSE rpm; I guess I’ll go to another forum where this thread is better fitted.