Proper way to run bind9

Sean McNeil sean at mcneil.com
Fri Sep 24 15:27:32 PDT 2004


On Fri, 2004-09-24 at 14:27, Doug Barton wrote:
> On Fri, 24 Sep 2004, Dag-Erling Smørgrav wrote:
> 
> > Grover Lines <grover at ceribus.net> writes:
> >> named_pidfile="/var/run/named/pid" # Must set this in named.conf as well
> >                 ^^^^^^^^^^^^^^^^^^
> > should be /var/run/named.pid, fixed in CVS.
> >
> > DES
> >
> 
> It's actually not named.pid in our structure. As explained in the note 
> behind the variable, we set the pid-file variable in named.conf so that 
> named running with -u bind (but not chrooted) will still be able to 
> drop a pid file in /var/run/named, which is chowned to user bind.

This is currently not correct in some files (i.e.
/etc/defaults/rc.conf).  Can it be fixed so that everyone points to
/var/run/named/pid?  This is hosed for a non-chrooted system since bind
doesn't have permission to write in /var/run.

Also, the /etc/rc.d/named script will do an

ln -fs "${named_chrootdir}${pidfile}" ${pidfile}

if named_symlink_enable is set (which is by default).  Please protect
this with

if [ -n "$named_chrootdir" ]; then
...
fi

for those who do not have a chrootdir.  Otherwise we end up with a
recursive link.

> To answer Grover's question, it really depends on what you want to use 
> it for. The system named.conf will run fine for bind 9 as a resolver, 
> now that the /etc/rc.d/named script has been updated to create an 
> rndc.key file if one doesn't exist.

This is broken too.  If named_chrootdir isn't set, then confgen_chroot
doesn't get set and it messes up the invocation of rndc-confgen.  I
think taking the "" off of the ${confgen_chroot} will solve this but I'm
not sure.

> If all you want to do is start up named as a resolver, 
> named_enable="yes" is all you need. You don't need to specify the conf 
> file to run the system's version of bind, that path is defined in.
> 
> I'm currently working on a setup so that named can be started chrooted 
> by default. Not sure if that will get in before 5.3-RELEASE or not, but 
> I'm hoping it will.

It would be nice to have it all working while you make these changes.

Cheers,
Sean
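The symlink problem raised in the message above, reproduced as an added example (this is not the FreeBSD /etc/rc.d/named script, and it assumes hypothetical helper names and a constructed temporary path): with an empty chrootdir the unguarded `ln -fs` turns the pid file path into a symlink that points at itself, while the `[ -n "$named_chrootdir" ]` guard skips the link entirely on a non-chrooted system.

```shell
#!/bin/sh
# Added example, not the FreeBSD rc.d/named script itself. It reproduces the
# recursive-symlink failure mode described in the thread and the guard that
# avoids it. All paths are constructed under a throwaway directory.

# Guarded version of the rc.d logic (hypothetical helper name): only create
# the convenience symlink when named really runs chrooted.
# Returns 0 if a link was made, 1 if the step was skipped.
named_pidfile_symlink() {
    _chrootdir="$1"
    _pidfile="$2"
    if [ -n "$_chrootdir" ]; then
        mkdir -p "$(dirname "$_pidfile")"
        ln -fs "${_chrootdir}${_pidfile}" "$_pidfile"
        return 0
    fi
    return 1
}

# Unguarded version, as the thread describes it: with an empty chrootdir the
# link target equals the link path, so the result is a self-referential
# symlink that named can never use as a pid file.
named_pidfile_symlink_unguarded() {
    _chrootdir="$1"
    _pidfile="$2"
    mkdir -p "$(dirname "$_pidfile")"
    ln -fs "${_chrootdir}${_pidfile}" "$_pidfile"
}

# Detect a symlink that points at itself (the "recursive link" in the thread).
# Returns 0 when the path is such a link, 1 otherwise.
is_self_link() {
    [ -L "$1" ] && [ "$(readlink "$1")" = "$1" ]
}

# Stand-alone demonstration on a constructed scratch directory.
demo() {
    _t="${TMPDIR:-/tmp}/named_symlink_demo_$$"
    _pid="$_t/var/run/named/pid"
    named_pidfile_symlink_unguarded "" "$_pid"
    if is_self_link "$_pid"; then
        echo "unguarded: $_pid is a symlink to itself"
    fi
    rm -f "$_pid"
    if named_pidfile_symlink "" "$_pid"; then
        echo "guarded: unexpected link created"
    else
        echo "guarded: no chrootdir, symlink step skipped"
    fi
    named_pidfile_symlink "$_t/chroot" "$_pid"
    echo "guarded: $_pid -> $(readlink "$_pid")"
    rm -rf "$_t"
}
```

Running `demo` from an interactive shell prints the three outcomes; the guard leaves the non-chrooted pid path untouched so named, started with `-u bind`, can write to `/var/run/named/` directly.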