-rw-r--r--main/bind/APKBUILD26
-rw-r--r--main/bind/named.conf53
-rw-r--r--main/bind/named.conf.authoritative56
-rw-r--r--main/bind/named.conf.recursive104
-rw-r--r--main/bind/named.initd2
5 files changed, 177 insertions, 64 deletions
diff --git a/main/bind/APKBUILD b/main/bind/APKBUILD
index c14e77011e..7b64031a2f 100644
--- a/main/bind/APKBUILD
+++ b/main/bind/APKBUILD
@@ -5,7 +5,7 @@ pkgver=9.10.1
_ver=${pkgver%_p*}
_p=${pkgver#*_p}
[ "$_p" != "$pkgver" ] && _ver="${_ver}-P$_p"
-pkgrel=0
+pkgrel=1
pkgdesc="The Berkeley Internet Name Domain Name Server and tools"
url="http://www.isc.org"
arch="all"
@@ -20,7 +20,8 @@ source="http://ftp.isc.org/isc/bind9/${_ver}/bind-${_ver}.tar.gz
bind.so_bsdcompat.patch
named.initd
named.confd
- named.conf
+ named.conf.authoritative
+ named.conf.recursive
127.zone
localhost.zone
named.ca
@@ -88,8 +89,10 @@ package() {
"$pkgdir"/etc/init.d/named || return 1
install -Dm644 "$srcdir"/named.confd \
"$pkgdir"/etc/conf.d/named || return 1
- install -Dm644 "$srcdir"/named.conf \
- "$pkgdir"/etc/bind/named.conf || return 1
+ install -Dm644 "$srcdir"/named.conf.authoritative \
+ "$pkgdir"/etc/bind/named.conf.authoritative || return 1
+ install -Dm644 "$srcdir"/named.conf.recursive \
+ "$pkgdir"/etc/bind/named.conf.recursive || return 1
install -Dm644 "$srcdir"/named.ca \
"$pkgdir"/var/bind/named.ca || return 1
install -Dm644 "$srcdir"/127.zone \
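Review bot: After this hunk nothing in package() installs `/etc/bind/named.conf` any more, so a fresh install fails the init script's config check until the admin copies one of the two examples, and on upgrade the previously shipped `named.conf` may be removed by apk if it was never edited (I have not verified apk's handling of files dropped from a package), leaving a running resolver unable to restart. If forcing an explicit choice is the intent, a short hint to operators (a `post-upgrade` message, or a line in the package description) would avoid surprises after an unattended upgrade. If it is not, keep installing one example as the default alongside the two copies, e.g. `install -Dm644 "$srcdir"/named.conf.recursive "$pkgdir"/etc/bind/named.conf || return 1`, since the recursive example is closest to the behaviour of the deleted file (recursion available, loopback only).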
@@ -111,25 +114,28 @@ tools() {
md5sums="82a69faf01b569568d9233f2666e744d bind-9.10.1.tar.gz
f270a5b0a28ab6e818840c5c368ddbcc bind.so_bsdcompat.patch
-216a2e5cd7c5406f18b648a4d877b750 named.initd
+4a5322cd4df5b33283b19b6010a5c024 named.initd
418a367cecfdf8760c92235d3967867e named.confd
-be5fd752bdbd59385f2a559d603098d5 named.conf
+a9de5fb1c027a7eedf440bf187594f07 named.conf.authoritative
+886fe73bf37335df1ef15ff842b568b3 named.conf.recursive
a7455b009b7fccd74ac6f6eaa6902a00 127.zone
c3220168fabfb31a25e8c3a545545e34 localhost.zone
a94e29ac677846f3d4d618c50b7d34f1 named.ca"
sha256sums="5361eca2b8b6bc0b13904b0f964336a478dfbc165711547f6cc3f8752ac60181 bind-9.10.1.tar.gz
4c5dc352da0a12bdda2644e835f7eabde4f5687f1a98acd65b22be4ee587c086 bind.so_bsdcompat.patch
-474088616d1c4a5fc835d3c64ba30264a72b7e107865a35a711149dde4443b6b named.initd
+058d9d1d6c35f79bc704e87186072d0a79f9a4f269363a8c367885dabf016913 named.initd
c0e7b365dca072dc96a97c8f81dff012aff7fe57337c10b63cd9f292d03c207d named.confd
-ab2f7305e9a1d30406528c5ef079beb4970c89572e90d57bb5ddb27b8126ad13 named.conf
+28fa20e9c744bd0cd57e0015823362af9bc7311a42cc7f3eae67826a60d6acdc named.conf.authoritative
+633f1b97fbf509880c278e92adedc85fd72d519f7a5b1ecd6b3fb727722f5098 named.conf.recursive
65b909fc1398dfa5b532ab395d6920758937093cf7e5b5bec8242dff4fe15e89 127.zone
b6dff70386920adb21883566610b0a45b9de5a3847a870e4ad1902c5c7900399 localhost.zone
0bd88f7f5cab2f872d3619700e382c1df6837a8aacf28cf6a0bf336742a0ee56 named.ca"
sha512sums="16b05e3dbda72b6f5b7436271dd9cadbe0da9207b65b5ecbb6abe7042436c1baf740fb04ecaeefcff5f14e9f4747150faf9251deac68437323f05e80631e8723 bind-9.10.1.tar.gz
f3e3d1b680617485b9db20a59a10fec3b3b539d423984493228a7d5aaa29d699b9012ad60e863e56bdaf15b73952c22710d0ded1c86cd24417ac775ee062cfa3 bind.so_bsdcompat.patch
-de7c25cd8faa67355218c86a798ac803eb418a67c996490fdc3216e74ee4afaddc4113f8398217d385035ac286a17fce7b1d7b9f485db87ec0dec0de916b7e69 named.initd
+8ccc944eb35cd5523b63fabc912b63e60e3d97abebc81e2edcae557dbde6a9b2fc3da71ecaed8c991cffaf73061f59a76ab339ce90f8412b5516744c47887712 named.initd
127bdcc0b5079961f0951344bc3fad547450c81aee2149eac8c41a8c0c973ea0ffe3f956684c6fcb735a29c43d2ff48c153b6a71a0f15757819a72c492488ddf named.confd
-64d95e7171c990f3191455bfe88acc53ee7dc7e38b87c8317b0bbcffa3a0117337e8da5f74cd33e7c3cb23a5003ac26eb172fd744f580aa20d3f8aab90c1f279 named.conf
+d2f61d02d7829af51faf14fbe2bafe8bc90087e6b6697c6275a269ebbddcaa14a234fff5c41da793e945e8ff1de3de0858a40334e0d24289eab98df4bb721ac5 named.conf.authoritative
+3aba9763cfaf0880a89fd01202f41406b465547296ce91373eb999ea7719040bc1ac4e47b0de025a8060f693d3d88774a20d09a43fa7ac6aa43989b58b5ee8fe named.conf.recursive
eed9886717539399518e011ae5eae6335aed4fae019e1def088c5be26bdc896c99c07adf84ee61babafa31d31ff3b028263d1c88d2eee17ecf4c95a9d77d524c 127.zone
340e86472a2c2746fe585c0aa5f079d3a9b46e828c1f53d48026533a169b7f77ded7d0a13d291d6962607bb9481456e6fa69df1834603e7555332615fb998f0b localhost.zone
badb85a67199b1ff28cdd3529c6d7c70b2757a71f52fd5e0aecb6dab80fa1838af863cd5d451be078cad3ef35f0c256aaac1831671cec119c5a689503e98a192 named.ca"
diff --git a/main/bind/named.conf b/main/bind/named.conf
deleted file mode 100644
index d58c61bde0..0000000000
--- a/main/bind/named.conf
+++ /dev/null
@@ -1,53 +0,0 @@
-options {
- directory "/var/bind";
-
- // uncomment the following lines to turn on DNS forwarding,
- // and change the forwarding ip address(es) :
- //forward first;
- //forwarders {
- // 123.123.123.123;
- // 123.123.123.123;
- //};
-
- listen-on-v6 { none; };
- listen-on { 127.0.0.1; };
-
- // to allow only specific hosts to use the DNS server:
- //allow-query {
- // 127.0.0.1;
- //};
-
- // if you have problems and are behind a firewall:
- //query-source address * port 53;
- pid-file "/var/run/named/named.pid";
-};
-
-// Briefly, a zone which has been declared delegation-only will be effectively
-// limited to containing NS RRs for subdomains, but no actual data beyond its
-// own apex (for example, its SOA RR and apex NS RRset). This can be used to
-// filter out "wildcard" or "synthesized" data from NAT boxes or from
-// authoritative name servers whose undelegated (in-zone) data is of no
-// interest.
-// See http://www.isc.org/products/BIND/delegation-only.html for more info
-
-//zone "COM" { type delegation-only; };
-//zone "NET" { type delegation-only; };
-
-zone "." IN {
- type hint;
- file "named.ca";
-};
-
-zone "localhost" IN {
- type master;
- file "pri/localhost.zone";
- allow-update { none; };
- notify no;
-};
-
-zone "127.in-addr.arpa" IN {
- type master;
- file "pri/127.zone";
- allow-update { none; };
- notify no;
-};
diff --git a/main/bind/named.conf.authoritative b/main/bind/named.conf.authoritative
new file mode 100644
index 0000000000..71e98ddc7c
--- /dev/null
+++ b/main/bind/named.conf.authoritative
@@ -0,0 +1,56 @@
+// Copy this file to /etc/bind/named.conf if you want to run bind as an
+// authoritative nameserver. If you want to run a recursive DNS resolver
+// instead, see /etc/bind/named.conf.recursive.
+//
+// BIND supports using the same daemon as both authoritative nameserver and
+// recursive resolver; it supports this because it is the oldest and original
+// nameserver and so was designed before it was realized that combining these
+// functions is inadvisable.
+//
+// In actual fact, combining these functions is a very bad idea. It is thus
+// recommended that you run a given instance of BIND as either an authoritative
+// nameserver or recursive resolver, not both. The example configuration herein
+// provides a secure starting point for running an authoritative nameserver.
+
+options {
+ directory "/var/bind";
+
+ // Configure the IPs to listen on here.
+ listen-on { 127.0.0.1; };
+ listen-on-v6 { none; };
+
+ // If you want to allow only specific hosts to use the DNS server:
+ //allow-query {
+ // 127.0.0.1;
+ //};
+
+ // Specify a list of IPs/masks to allow zone transfers to here.
+ //
+ // You can override this on a per-zone basis by specifying this inside a zone
+ // block.
+ //
+ // Warning: Removing this block will cause BIND to revert to its default
+ // behaviour of allowing zone transfers to any host (!).
+ allow-transfer {
+ none;
+ };
+
+ // If you have problems and are behind a firewall:
+ //query-source address * port 53;
+
+ pid-file "/var/run/named/named.pid";
+
+ // Changing this is NOT RECOMMENDED; see the notes above and in
+ // named.conf.recursive.
+ allow-recursion { none; };
+ recursion no;
+};
+
+// Example of how to configure a zone for which this server is the master:
+//zone "example.com" IN {
+// type master;
+// file "/etc/bind/master/example.com";
+//};
+
+// You can include files:
+//include "/etc/bind/example.conf";
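Review bot: The header comments in `options` warn about zone transfers and recursion, but an internet-facing authoritative server is itself a DDoS reflection source (large signed or ANY answers to spoofed queries), and this file gives no hint about response rate limiting even though the sibling recursive example discusses reflection at length. I would add a commented-out block next to `allow-transfer`, e.g. `// Rate-limit identical responses so the server is less useful as a reflector:` followed by `//rate-limit { responses-per-second 10; window 5; };`, with a note to tune the values to the zones' legitimate query load. As far as I recall RRL is compiled in by default in the 9.10 release this APKBUILD packages, but confirm that before documenting it as available.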
diff --git a/main/bind/named.conf.recursive b/main/bind/named.conf.recursive
new file mode 100644
index 0000000000..a068b22d76
--- /dev/null
+++ b/main/bind/named.conf.recursive
@@ -0,0 +1,104 @@
+// Copy this file to /etc/bind/named.conf if you want to run bind as a
+// recursive DNS resolver. If you want to run an authoritative nameserver
+// instead, see /etc/bind/named.conf.authoritative.
+//
+// BIND supports using the same daemon as both authoritative nameserver and
+// recursive resolver; it supports this because it is the oldest and original
+// nameserver and so was designed before it was realized that combining these
+// functions is inadvisable.
+//
+// In actual fact, combining these functions is a very bad idea. It is thus
+// recommended that you run a given instance of BIND as either an authoritative
+// nameserver or recursive resolver, not both. The example configuration herein
+// provides a starting point for running a recursive resolver.
+//
+//
+// *** IMPORTANT ***
+// You should note that running an open DNS resolver (that is, a resolver which
+// answers queries from any globally routable IP) makes the resolver vulnerable
+// to abuse in the form of reflected DDoS attacks.
+//
+// These attacks are now widely prevalent on the open internet. Even if
+// unadvertised, attackers can and will find your resolver by portscanning the
+// global IPv4 address space.
+//
+// In one case the traffic generated using such an attack reached 300 Gb/s (!).
+//
+// It is therefore imperative that you take care to configure the resolver to
+// only answer queries from IP address space you trust or control. See the
+// "allow-recursion" directive below.
+//
+// Bear in mind that with these attacks, the "source" of a query will actually
+// be the intended target of a DDoS attack, so this only protects other networks
+// from attack, not your own; ideally therefore you should firewall DNS traffic
+// at the borders of your network to eliminate spoofed traffic.
+//
+// This is a complex issue and some level of understanding of these attacks is
+// advisable before you attempt to configure a resolver.
+
+options {
+ directory "/var/bind";
+
+ // Specify a list of CIDR masks which should be allowed to issue recursive
+ // queries to the DNS server. Do NOT specify 0.0.0.0/0 here; see above.
+ allow-recursion {
+ 127.0.0.1/32;
+ };
+
+ // If you want this resolver to itself resolve via means of another recursive
+ // resolver, uncomment this block and specify the IP addresses of the desired
+ // upstream resolvers.
+ //forwarders {
+ // 123.123.123.123;
+ // 123.123.123.123;
+ //};
+
+ // By default the resolver will attempt to perform recursive resolution itself
+ // if the forwarders are unavailable. If you want this resolver to fail outright
+ // if the upstream resolvers are unavailable, uncomment this directive.
+ //forward only;
+
+ // Configure the IPs to listen on here.
+ listen-on { 127.0.0.1; };
+ listen-on-v6 { none; };
+
+ // If you have problems and are behind a firewall:
+ //query-source address * port 53;
+
+ pid-file "/var/run/named/named.pid";
+
+ // Removing this block will cause BIND to revert to its default behaviour
+ // of allowing zone transfers to any host (!). There is no need to allow zone
+ // transfers when operating as a recursive resolver.
+ allow-transfer { none; };
+};
+
+// Briefly, a zone which has been declared delegation-only will be effectively
+// limited to containing NS RRs for subdomains, but no actual data beyond its
+// own apex (for example, its SOA RR and apex NS RRset). This can be used to
+// filter out "wildcard" or "synthesized" data from NAT boxes or from
+// authoritative name servers whose undelegated (in-zone) data is of no
+// interest.
+// See http://www.isc.org/products/BIND/delegation-only.html for more info
+
+//zone "COM" { type delegation-only; };
+//zone "NET" { type delegation-only; };
+
+zone "." IN {
+ type hint;
+ file "named.ca";
+};
+
+zone "localhost" IN {
+ type master;
+ file "pri/localhost.zone";
+ allow-update { none; };
+ notify no;
+};
+
+zone "127.in-addr.arpa" IN {
+ type master;
+ file "pri/127.zone";
+ allow-update { none; };
+ notify no;
+};
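Review bot: `allow-recursion { 127.0.0.1/32; }` in `options` restricts recursion, but `allow-query` is left at its default of any, so once `listen-on` is widened as the comments invite, any host can still send non-recursive queries and receive answers for the local zones or a referral/REFUSED response, which keeps the server reachable as a (small) reflector; the long warning at the top only covers recursion. Pair the two by adding `allow-query { 127.0.0.1/32; };` directly after the `allow-recursion` block and state in the comment that both lists must be kept in sync when trusted networks are added. A commented `//dnssec-validation auto;` line would also be worth documenting here; 9.10 supports the built-in root trust anchor as far as I know, though I have not checked this package's build options.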
diff --git a/main/bind/named.initd b/main/bind/named.initd
index 812dfa90c6..a724848c1f 100644
--- a/main/bind/named.initd
+++ b/main/bind/named.initd
@@ -21,7 +21,7 @@ checkconfig() {
ebegin "Checking named configuration"
if [ ! -f "${NAMED_CONF}" ] ; then
- eerror "No ${NAMED_CONF} file exists!"
+ eerror "No ${NAMED_CONF} file exists! See the examples in /etc/bind."
return 1
fi