[blfs-dev] BIND, Part 2

Qrux qrux.qed at gmail.com
Fri Feb 17 15:56:58 PST 2012

On Feb 17, 2012, at 1:28 AM, Qrux wrote:

> The version of BIND included with BLFS doesn't work.  Googled:
> 	named initializing DST: openssl failure
> ...My gut says the chroot environment is somehow incomplete...


After /srv/named has been setup, do this for BIND-9.8 + chroot-jail:

sudo mkdir -p /srv/named/usr/lib
# the OpenSSL engine shared objects that named's DST initialization looks for
sudo /bin/cp -avf /usr/lib/engines /srv/named/usr/lib
sudo chown -vR named:named /srv/named

# lib64 -> lib inside the jail, at both / and /usr (relative targets, so the
# links still resolve after named has chrooted)
sudo ln -sfv lib /srv/named/lib64
sudo ln -sfv lib /srv/named/usr/lib64

The gist is, add /usr/lib/engines to the chroot-jail (which contains the shared libs for the engines that BIND can't seem to find).  Then--and this is the important part--add the /lib64 and /usr/lib64 symlinks in the jail.  This allows BIND-9.8 to run in a jail like a charm (odd image).  I'm sure someone can pretty this up for the book, but I've been able to get a server up and running with this.

* * *

On a related note...I quite like config files in /etc, so I was a fan of /etc/namedb to start.  But I am also a fan of considering /etc to be "mostly-static".  Two things about BIND make that unpleasant:

1) /etc/namedb/named.run is written there, and it's a log file!  It can reach epic proportions if you enable any amount of debugging, especially if you run your own zones.

2) /etc/namedb/slave is maintained there, which is the zone-transfer slave dump.  This doesn't get huge (unless you're managing something like Stanford University's network), but it's also...more of a run-time thing.  This isn't a huge deal (I suppose it's no different than, say, adding an identical number of users and seeing the impact against /etc/{passwd,shadow}).

I would suggest setting BIND up with something like this:

mkdir -p /srv/named/var/lib/named/slave
# relative link targets: an absolute /srv/named/... target resolves on the
# host, but not inside the chroot, where / is the jail itself
ln -s ../../var/lib/named /srv/named/etc/namedb/var
ln -s ../../var/lib/named/slave /srv/named/etc/namedb/slave
# repath the debug log; "file" paths are relative to the directory option
sed -i 's|file "named.run";|file "var/named.run";|' /srv/named/etc/named.conf

Gist: try to capture all the "run-time" stuff in <jail>/var/lib/named, and do a symlink in <jail>/etc/namedb/var.  In named.conf, just repath the log file.
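
Both halves of the above (the engines directory plus lib64 links, and the relocation of run-time data under var/lib/named) as one idempotent script. This is an added example, not code from the original post or from the BLFS book: it parameterizes the jail root and the engine source directory so it can be dry-run in a scratch directory, and it adds a check that every link it creates would still resolve once named has chrooted (that is, that no link target is absolute). It assumes the BLFS layout where named.conf lives at <jail>/etc/named.conf and the debug channel's path is relative to /etc/namedb.

```shell
#!/bin/sh
# Added example (not from the original post). Run as root for a real jail:
#   sh bind-jail.sh /srv/named
# Assumptions: jail root, engine source dir and owner are parameters;
# named.conf is already in place at $JAIL/etc/named.conf (sed is skipped
# otherwise).
set -eu

# prepare_bind_jail JAIL [ENGINES_SRC] [OWNER]
prepare_bind_jail() {
    jail=$1
    engines_src=${2:-/usr/lib/engines}
    owner=${3-named:named}          # pass "" to skip chown (e.g. for a dry run)

    mkdir -p "$jail/lib" "$jail/usr/lib" "$jail/etc/namedb" \
             "$jail/var/lib/named/slave"

    # 1. OpenSSL engine shared objects, so DST initialization finds them.
    if [ -d "$engines_src" ]; then
        cp -Rpf "$engines_src" "$jail/usr/lib/"
    fi

    # 2. lib64 -> lib at both / and /usr. Relative, so the links hold
    #    both on the host and after the chroot.
    ln -sfn lib "$jail/lib64"
    ln -sfn lib "$jail/usr/lib64"

    # 3. Run-time data lives under var/lib/named and is reached from
    #    etc/namedb through RELATIVE links. An absolute target such as
    #    /srv/named/var/lib/named resolves on the host but not inside the
    #    chroot, where / is the jail.
    ln -sfn ../../var/lib/named       "$jail/etc/namedb/var"
    ln -sfn ../../var/lib/named/slave "$jail/etc/namedb/slave"

    # 4. Repath the debug log; the "file" path is relative to BIND's
    #    directory option, /etc/namedb in the BLFS layout.
    if [ -f "$jail/etc/named.conf" ]; then
        sed -i 's|file "named.run";|file "var/named.run";|' "$jail/etc/named.conf"
    fi

    if [ -n "$owner" ]; then
        chown -R "$owner" "$jail"
    fi
}

# check_bind_jail JAIL: return 0 only if every link exists, has a relative
# target (so it cannot escape or dangle inside the chroot) and resolves to
# a directory within the jail tree; also requires the engines dir and the
# repathed log line.
check_bind_jail() {
    jail=$1
    for link in lib64 usr/lib64 etc/namedb/var etc/namedb/slave; do
        target=$(readlink "$jail/$link") || return 1
        case $target in
            /*) return 1 ;;                 # absolute: breaks once chrooted
        esac
        [ -d "$jail/$link/" ] || return 1   # resolves within the jail tree
    done
    [ -d "$jail/usr/lib/engines" ] || return 1
    if [ -f "$jail/etc/named.conf" ]; then
        grep -q 'file "var/named.run";' "$jail/etc/named.conf" || return 1
    fi
    return 0
}

if [ $# -gt 0 ]; then
    prepare_bind_jail "$@" && check_bind_jail "$1"
fi
```

The check is the part worth keeping around: run it after any rebuild of the jail, since a link that looks fine from the host shell is exactly the kind of thing that only fails once named has called chroot() and starts logging "file not found" for a path that plainly exists.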

