BIND Nameserver under CentOS 6
Using BIND from the Internet Systems Consortium, we set up a Domain Name System server, or DNS for short, for our SOHO LAN.
DNS is defined in RFC 1034 and RFC 1035, and the Internet Assigned Numbers Authority assigned it the two ports 53/UDP and 53/TCP.
Installation
First we install the two packages bind and bind-chroot. The latter lets us run our DNS server inside a chroot environment.
# yum install bind bind-chroot -y
Basic configuration
RPM packages
First, let us look at which files the two packages bring along and, above all, where they have been stored.
bind
# rpm -qil bind
Name        : bind                         Relocations: (not relocatable)
Version     : 9.7.0                             Vendor: CentOS
Release     : 5.P2.el6_0.1                  Build Date: Sat 25 Jun 2011 05:48:43 AM CEST
Install Date: Mon 22 Aug 2011 01:33:07 PM CEST      Build Host: c6b6.bsys.dev.centos.org
Group       : System Environment/Daemons    Source RPM: bind-9.7.0-5.P2.el6_0.1.src.rpm
Size        : 6695969                          License: ISC
Signature   : RSA/8, Wed 06 Jul 2011 03:37:08 AM CEST, Key ID 0946fca2c105b9de
Packager    : CentOS BuildSystem <http://bugs.centos.org>
URL         : http://www.isc.org/products/BIND/
Summary     : The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) server
Description :
BIND (Berkeley Internet Name Domain) is an implementation of the DNS
(Domain Name System) protocols. BIND includes a DNS server (named),
which resolves host names to IP addresses; a resolver library
(routines for applications to use when interfacing with DNS); and
tools for verifying that the DNS server is operating properly.
/etc/NetworkManager/dispatcher.d/13-named
/etc/logrotate.d/named
/etc/named
/etc/named.conf
/etc/named.iscdlv.key
/etc/named.rfc1912.zones
/etc/rc.d/init.d/named
/etc/rndc.conf
/etc/rndc.key
/etc/sysconfig/named
/usr/lib64/bind
/usr/sbin/arpaname
/usr/sbin/ddns-confgen
/usr/sbin/dnssec-dsfromkey
/usr/sbin/dnssec-keyfromlabel
/usr/sbin/dnssec-keygen
/usr/sbin/dnssec-revoke
/usr/sbin/dnssec-settime
/usr/sbin/dnssec-signzone
/usr/sbin/genrandom
/usr/sbin/isc-hmac-fixup
/usr/sbin/lwresd
/usr/sbin/named
/usr/sbin/named-checkconf
/usr/sbin/named-checkzone
/usr/sbin/named-compilezone
/usr/sbin/named-journalprint
/usr/sbin/nsec3hash
/usr/sbin/rndc
/usr/sbin/rndc-confgen
/var/log/named.log
/var/named
/var/named/data
/var/named/dynamic
/var/named/named.ca
/var/named/named.empty
/var/named/named.localhost
/var/named/named.loopback
/var/named/slaves
/var/run/named
bind-chroot
# rpm -qil bind-chroot
Name        : bind-chroot                  Relocations: /var/named/chroot
Version     : 9.7.0                             Vendor: CentOS
Release     : 5.P2.el6_0.1                  Build Date: Sat 25 Jun 2011 05:48:43 AM CEST
Install Date: Mon 22 Aug 2011 01:33:10 PM CEST      Build Host: c6b6.bsys.dev.centos.org
Group       : System Environment/Daemons    Source RPM: bind-9.7.0-5.P2.el6_0.1.src.rpm
Size        : 0                                License: ISC
Signature   : RSA/8, Wed 06 Jul 2011 03:37:09 AM CEST, Key ID 0946fca2c105b9de
Packager    : CentOS BuildSystem <http://bugs.centos.org>
URL         : http://www.isc.org/products/BIND/
Summary     : A chroot runtime environment for the ISC BIND DNS server, named(8)
Description :
This package contains a tree of files which can be used as a
chroot(2) jail for the named(8) program from the BIND package.

Based on the code from Jan "Yenya" Kasprzak <kas@fi.muni.cz>
/var/named/chroot
/var/named/chroot/dev
/var/named/chroot/dev/null
/var/named/chroot/dev/random
/var/named/chroot/dev/zero
/var/named/chroot/etc
/var/named/chroot/etc/localtime
/var/named/chroot/etc/named
/var/named/chroot/etc/named.conf
/var/named/chroot/etc/pki/dnssec-keys
/var/named/chroot/usr/lib64/bind
/var/named/chroot/var
/var/named/chroot/var/log
/var/named/chroot/var/named
/var/named/chroot/var/run
/var/named/chroot/var/run/named
/var/named/chroot/var/tmp
change root environment
When our chroot environment was installed, the configuration file /etc/sysconfig/named was adjusted automatically so that the configuration option
ROOTDIR=/var/named/chroot
is enabled.
The configuration file /etc/sysconfig/named also contains further notes on how the chroot environment for bind is realised under CentOS 6 and which configuration files are mounted into the chroot environment when the daemon starts.
- /etc/sysconfig/named
# BIND named process options
# ~~~~~~~~~~~~~~~~~~~~~~~~~~
# Currently, you can use the following options:
#
# ROOTDIR="/var/named/chroot"  --  will run named in a chroot environment.
#                            you must set up the chroot environment
#                            (install the bind-chroot package) before
#                            doing this.
#       NOTE:
#         Those directories are automatically mounted to chroot if they are
#         empty in the ROOTDIR directory. It will simplify maintenance of your
#         chroot environment.
#          - /var/named
#          - /etc/pki/dnssec-keys
#          - /etc/named
#          - /usr/lib64/bind or /usr/lib/bind (architecture dependent)
#
#         Those files are mounted as well if target file doesn't exist in
#         chroot.
#          - /etc/named.conf
#          - /etc/rndc.conf
#          - /etc/rndc.key
#          - /etc/named.rfc1912.zones
#          - /etc/named.dnssec.keys
#          - /etc/named.iscdlv.key
#
#       Don't forget to add "$AddUnixListenSocket /var/named/chroot/dev/log"
#       line to your /etc/rsyslog.conf file. Otherwise your logging becomes
#       broken when rsyslogd daemon is restarted (due update, for example).
#
# OPTIONS="whatever"     --  These additional options will be passed to named
#                            at startup. Don't add -t here, use ROOTDIR instead.
#
# KEYTAB_FILE="/dir/file"    --  Specify named service keytab file (for GSS-TSIG)

ROOTDIR=/var/named/chroot
When the named daemon starts, the configuration files in question are bind-mounted into the chroot. While the daemon is running we can easily verify where they were mounted.
# df -ah | grep named
/etc/named                 7.2G  941M  6.0G  14% /var/named/chroot/etc/named
/var/named                 7.2G  941M  6.0G  14% /var/named/chroot/var/named
/etc/named.conf            7.2G  941M  6.0G  14% /var/named/chroot/etc/named.conf
/etc/named.rfc1912.zones   7.2G  941M  6.0G  14% /var/named/chroot/etc/named.rfc1912.zones
/etc/rndc.key              7.2G  941M  6.0G  14% /var/named/chroot/etc/rndc.key
/usr/lib64/bind            7.2G  941M  6.0G  14% /var/named/chroot/usr/lib64/bind
/etc/named.iscdlv.key      7.2G  941M  6.0G  14% /var/named/chroot/etc/named.iscdlv.key
When we stop the daemon, the configuration directories in question are unmounted automatically.
# service named stop && df -ah | grep named
Stopping named: [ OK ]
So for the remaining configuration we can focus on the configuration file named.conf in the /etc directory.
rsyslogd
The file also carries a note on adjusting the rsyslogd daemon. As stated in the comments in /etc/sysconfig/named, we now adjust rsyslogd accordingly. To do so we open the configuration file /etc/rsyslog.conf with the editor of our choice.
# vim /etc/rsyslog.conf
- /etc/rsyslog.conf
#rsyslog v3 config file

# if you experience problems, check
# http://www.rsyslog.com/troubleshoot for assistance

#### MODULES ####

$ModLoad imuxsock.so    # provides support for local system logging (e.g. via logger command)
$ModLoad imklog.so      # provides kernel logging support (previously done by rklogd)
#$ModLoad immark.so     # provides --MARK-- message capability

# Provides UDP syslog reception
#$ModLoad imudp.so
#$UDPServerRun 514

# Provides TCP syslog reception
#$ModLoad imtcp.so
#$InputTCPServerRun 514

#### GLOBAL DIRECTIVES ####

# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# File syncing capability is disabled by default. This feature is usually not required,
# not useful and an extreme performance hit
#$ActionFileEnableSync on

# Django: 2011-08-22
# extension for the chroot environment of the bind nameserver added
$AddUnixListenSocket /var/named/chroot/dev/log

#### RULES ####

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                                 /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none                /var/log/messages

# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure

# Log all the mail messages in one place.
mail.*                                                  -/var/log/maillog

# Log cron stuff
cron.*                                                  /var/log/cron

# Everybody gets emergency messages
*.emerg                                                 *

# Save news errors of level crit and higher in a special file.
uucp,news.crit                                          /var/log/spooler

# Save boot messages also to boot.log
local7.*                                                /var/log/boot.log

# ### begin forwarding rule ###
# The statement between the begin ... end define a SINGLE forwarding
# rule. They belong together, do NOT split them. If you create multiple
# forwarding rules, duplicate the whole block!
# Remote Logging (we use TCP for reliable delivery)
#
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
#$WorkDirectory /var/spppl/rsyslog # where to place spool files
#$ActionQueueFileName fwdRule1     # unique name prefix for spool files
#$ActionQueueMaxDiskSpace 1g       # 1gb space limit (use as much as possible)
#$ActionQueueSaveOnShutdown on     # save messages to disk on shutdown
#$ActionQueueType LinkedList       # run asynchronously
#$ActionResumeRetryCount -1        # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @@remote-host:514
# ### end of the forwarding rule ###
To activate our change, all that remains is a restart of the rsyslogd daemon.
# service rsyslog restart
Shutting down system logger:                               [  OK  ]
Starting system logger:                                    [  OK  ]
SELinux
As a rule we can do without the services of SELinux in our vHOST installation. So, unless this was already done during the initial installation, we disable SELinux completely by switching it off in the configuration file under /etc/sysconfig.
# vim /etc/sysconfig/selinux
- /etc/sysconfig/selinux
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
# Django : 2011-08-22 SELinux disabled
# default : SELINUX=enforcing
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
IPv6
For our sample installation we content ourselves with an IPv4-only setup. With the basic configuration of our bind daemon we see in the syslog that every lookup also attempts a query via IPv6.
Aug 22 14:45:30 vml000020 named[3376]: error (network unreachable) resolving 'heise.de.dlv.isc.org/DLV/IN': 2001:500:71::29#53
Since we have no IPv6 connectivity (yet), we simply switch the IPv6 lookups off. In our bind configuration file /etc/named.conf we disable the relevant line by prefixing it with two slashes „//“.
# vim /var/named/chroot/etc/named/named.conf
//listen-on-v6 port 53 { ::1; };    // Django: 2011-08-22 IPv6 disabled
In the file /etc/sysconfig/named we additionally record that we only want to use IPv4 support.
# vim /etc/sysconfig/named
# Django : 2011-08-22 enable IPv4 support only
OPTIONS="-4"
Then we restart the nameserver so that the configuration changes take effect.
# service named restart
iptables packet filter
After starting our named daemon we can use netstat to check whether the daemon is listening on the desired ports.
# netstat -tulpen | grep named
tcp        0      0 10.0.0.20:53       0.0.0.0:*     LISTEN      25    12850   4010/named
tcp        0      0 10.0.10.1:53       0.0.0.0:*     LISTEN      25    12848   4010/named
tcp        0      0 127.0.0.1:53       0.0.0.0:*     LISTEN      25    12846   4010/named
tcp        0      0 127.0.0.1:953      0.0.0.0:*     LISTEN      25    12853   4010/named
udp        0      0 10.0.0.20:53       0.0.0.0:*                 25    12849   4010/named
udp        0      0 10.0.10.1:53       0.0.0.0:*                 25    12847   4010/named
udp        0      0 127.0.0.1:53       0.0.0.0:*                 25    12845   4010/named
So that port 53 (TCP/UDP) can actually be reached, we usually still have to extend our packet filter. To do so we add the following lines at the end of the INPUT rules in the configuration file /etc/sysconfig/iptables.
# Django : 2011-08-22 DNS opened up
-A INPUT -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT
# Django : 2011-08-22 enable logging if needed
#-A INPUT -j LOG
# Django : end
Then we activate the changes to our packet filter by restarting the daemon.
# service iptables restart
iptables: Flushing firewall rules:                         [  OK  ]
iptables: Setting chains to policy ACCEPT: filter nat      [  OK  ]
iptables: Unloading modules:                               [  OK  ]
iptables: Applying firewall rules:                         [  OK  ]
Extended configurations
caching-only nameserver
In a first step we set up a caching-only nameserver. We adapt the configuration file /etc/named.conf shipped with the bind RPM package to our circumstances.
# vim /etc/named.conf
- /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

options {
        listen-on port 53 { 127.0.0.1; 10.0.0.20; 10.0.10.1; };  // Django : 2011-08-22 our network
                                                                 // interfaces (listen-on takes the
                                                                 // interface addresses, not networks)
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { localhost; 10.0.0.0/24; 10.0.10.0/26; };  // Django : 2011-08-22 the networks
                                                                    // that may query our nameserver
        recursion yes;

        // Django : 2011-08-22 dnssec disabled for now for caching-only operation
        // dnssec-enable yes;
        // dnssec-validation yes;
        // dnssec-lookaside auto;

        /* Path to ISC DLV key */
        // Django : 2011-08-22 bindkeys-file disabled for now for caching-only operation
        // bindkeys-file "/etc/named.iscdlv.key";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";
After editing, we now start our nameserver for the first time.
# service named start
Starting named: [ OK ]
Should something unexpectedly have gone wrong on startup, the syslog is the place to look for further error messages. Normally a successful start is acknowledged as follows.
Oct  6 11:16:08 vml000020 named[4010]: starting BIND 9.7.0-P2-RedHat-9.7.0-5.P2.el6_0.1 -u named -4 -t /var/named/chroot
Oct  6 11:16:08 vml000020 named[4010]: built with '--build=x86_64-unknown-linux-gnu' '--host=x86_64-unknown-linux-gnu' '--target=x86_64-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--with-libtool' '--localstatedir=/var' '--enable-threads' '--enable-ipv6' '--with-pic' '--disable-static' '--disable-openssl-version-check' '--with-dlz-ldap=yes' '--with-dlz-postgres=yes' '--with-dlz-mysql=yes' '--with-dlz-filesystem=yes' '--with-gssapi=yes' '--disable-isc-spnego' 'build_alias=x86_64-unknown-linux-gnu' 'host_alias=x86_64-unknown-linux-gnu' 'target_alias=x86_64-redhat-linux-gnu' 'CFLAGS= -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic' 'CPPFLAGS= -DDIG_SIGCHASE'
Oct  6 11:16:08 vml000020 named[4010]: adjusted limit on open files from 1024 to 1048576
Oct  6 11:16:08 vml000020 named[4010]: found 1 CPU, using 1 worker thread
Oct  6 11:16:08 vml000020 named[4010]: using up to 4096 sockets
Oct  6 11:16:08 vml000020 named[4010]: loading configuration from '/etc/named.conf'
Oct  6 11:16:08 vml000020 named[4010]: reading built-in trusted keys from file '/etc/named.iscdlv.key'
Oct  6 11:16:08 vml000020 named[4010]: using default UDP/IPv4 port range: [1024, 65535]
Oct  6 11:16:08 vml000020 named[4010]: using default UDP/IPv6 port range: [1024, 65535]
Oct  6 11:16:08 vml000020 named[4010]: no IPv6 interfaces found
Oct  6 11:16:08 vml000020 named[4010]: listening on IPv4 interface lo, 127.0.0.1#53
Oct  6 11:16:08 vml000020 named[4010]: listening on IPv4 interface eth0, 10.0.10.1#53
Oct  6 11:16:08 vml000020 named[4010]: listening on IPv4 interface eth1, 10.0.0.20#53
Oct  6 11:16:08 vml000020 named[4010]: generating session key for dynamic DNS
Oct  6 11:16:08 vml000020 named[4010]: using built-in trusted-keys for view _default
Oct  6 11:16:08 vml000020 named[4010]: automatic empty zone: 127.IN-ADDR.ARPA
Oct  6 11:16:08 vml000020 named[4010]: automatic empty zone: 254.169.IN-ADDR.ARPA
Oct  6 11:16:08 vml000020 named[4010]: automatic empty zone: 2.0.192.IN-ADDR.ARPA
Oct  6 11:16:08 vml000020 named[4010]: automatic empty zone: 255.255.255.255.IN-ADDR.ARPA
Oct  6 11:16:08 vml000020 named[4010]: automatic empty zone: 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
Oct  6 11:16:08 vml000020 named[4010]: automatic empty zone: D.F.IP6.ARPA
Oct  6 11:16:08 vml000020 named[4010]: automatic empty zone: 8.E.F.IP6.ARPA
Oct  6 11:16:08 vml000020 named[4010]: automatic empty zone: 9.E.F.IP6.ARPA
Oct  6 11:16:08 vml000020 named[4010]: automatic empty zone: A.E.F.IP6.ARPA
Oct  6 11:16:08 vml000020 named[4010]: automatic empty zone: B.E.F.IP6.ARPA
Oct  6 11:16:08 vml000020 named[4010]: using built-in trusted-keys for view _meta
Oct  6 11:16:08 vml000020 named[4010]: set up managed-keys.bind meta-zone
Oct  6 11:16:08 vml000020 named[4010]: command channel listening on 127.0.0.1#953
Oct  6 11:16:08 vml000020 named[4010]: the working directory is not writable
Oct  6 11:16:08 vml000020 named[4010]: zone 0.in-addr.arpa/IN: loaded serial 0
Oct  6 11:16:08 vml000020 named[4010]: zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0
Oct  6 11:16:08 vml000020 named[4010]: zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 0
Oct  6 11:16:08 vml000020 named[4010]: zone localhost.localdomain/IN: loaded serial 0
Oct  6 11:16:08 vml000020 named[4010]: zone localhost/IN: loaded serial 0
Oct  6 11:16:08 vml000020 named[4010]: zone managed-keys.bind/IN/_meta: loaded serial 12
Oct  6 11:16:08 vml000020 named[4010]: running
The start, including the zones that were loaded, is also documented in named's own log file /var/named/data/named.run.
# less /var/named/data/named.run
zone 0.in-addr.arpa/IN: loaded serial 0
zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0
zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 0
zone localhost.localdomain/IN: loaded serial 0
zone localhost/IN: loaded serial 0
zone managed-keys.bind/IN/_meta: loaded serial 12
running
That the daemon was started inside the chroot environment can be seen from the following output:
# ps aux | grep named
named     4010  0.0  1.4 161628 15300 ?        Ssl  11:16   0:00 /usr/sbin/named -u named -4 -t /var/named/chroot
root      4042  0.0  0.0 103148   828 pts/0    S+   11:36   0:00 grep named
Now that our nameserver is running, we immediately make our first query.
# dig @localhost heise.de
; <<>> DiG 9.7.0-P2-RedHat-9.7.0-5.P2.el6_0.1 <<>> @localhost heise.de
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50804
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 5, ADDITIONAL: 0

;; QUESTION SECTION:
;heise.de.                      IN      A

;; ANSWER SECTION:
heise.de.               3600    IN      A       193.99.144.80

;; AUTHORITY SECTION:
heise.de.               86400   IN      NS      ns.s.plusline.de.
heise.de.               86400   IN      NS      ns.pop-hannover.de.
heise.de.               86400   IN      NS      ns2.pop-hannover.net.
heise.de.               86400   IN      NS      ns.plusline.de.
heise.de.               86400   IN      NS      ns.heise.de.

;; Query time: 86 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Aug 22 14:52:07 2011
;; MSG SIZE  rcvd: 168
The same query using nslookup looks as follows:
# nslookup heise
Server:         10.0.0.20
Address:        10.0.0.20#53

Non-authoritative answer:
Name:   heise.dmz.nausch.org
Address: 88.217.187.21
Nameserver for the intranet and the demilitarized zone
In the following example we extend our first configuration steps a little: after all, we do not only want to answer queries for public IP addresses, but also serve our private SOHO network with the following two zones:
- DMZ: dmz.nausch.org with network 10.0.0.0/24
- Intranet: intra.nausch.org with network 10.0.10.0/26
bind configuration
named.conf
Based on these requirements we first extend the main configuration file of our nameserver bind. For this we again use the editor of our choice, vim. The relevant options are described in the example below.
# vim /etc/named.conf
- named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

acl dmz   { 10.0.0.0/24; };    // Django : 2011-10-05 variable definition
acl intra { 10.0.10.0/26; };   // Django : 2011-10-05 variable definition

options {
        listen-on port 53 { 127.0.0.1; 10.0.0.20; 10.0.10.1; };  // Django : 2011-08-22 our network
                                                                 // interfaces defined
        // listen-on-v6 port 53 { ::1; };                        // IPv6 disabled
        directory          "/var/named";
        dump-file          "/var/named/data/cache_dump.db";
        statistics-file    "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { localhost; dmz; intra; };  // Django : 2011-08-22 our networks
        allow-recursion { localhost; dmz; intra; };  // that are allowed to query our nameserver
        recursion yes;
        query-source address * port *;  // Django : 2011-10-05
                                        // use an unprivileged port when queries
                                        // are sent to external servers
        check-names master warn;        // Django : 2011-10-05
                                        // the nameserver should only warn, not
                                        // abort, when it cannot answer a query
                                        // (e.g. DKIM keys)
        auth-nxdomain no;               // Django : 2011-10-05
                                        // RFC 1035 conformant behaviour (do not
                                        // rely on old queries and configurations)

        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";

zone "dmz.nausch.org" IN {
        type master;
        file "dynamic/dmz-forward";
        allow-update { none; };
};

zone "0.0.10.in-addr.arpa" IN {
        type master;
        file "dynamic/dmz-reverse";
        allow-update { none; };
};

zone "intra.nausch.org" IN {
        type master;
        file "dynamic/intra-forward";
        allow-update { none; };
};

zone "10.0.10.in-addr.arpa" IN {
        type master;
        file "dynamic/intra-reverse";
        allow-update { none; };
};

zone "nausch.org" IN {
        type master;
        file "dynamic/domain-forward";
        allow-update { none; };
};

zone "187.217.88.in-addr.arpa" IN {
        type master;
        file "dynamic/domain-reverse";
        allow-update { none; };
};
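The allow-query and allow-recursion lists in the named.conf above are what keep this server from acting as an open resolver: a client outside localhost, dmz and intra is refused instead of being given recursion. The following Python script is an added example (not part of this page and not ISC BIND code) that models the semantics of a BIND address match list, where elements are tested in order, the first match decides, a leading `!` turns a match into a deny, an element may name another ACL, and an address matching no element is denied, so the effect of the two lists on a given client address can be checked offline. The builtin localhost ACL is approximated as the loopback network plus the listen-on addresses; that is an assumption, since in BIND it matches every address of every interface on the host.

```python
"""Evaluate BIND-style address match lists against client addresses.

Added example, not from the page and not ISC BIND code. It models a BIND
address_match_list: elements are tested in order, the first matching element
decides, a leading '!' turns a match into a deny, an element may name another
ACL, and an address that matches no element is denied. The ACLs below are the
ones defined in named.conf above.
"""
import ipaddress

# listen-on addresses from named.conf above
LISTEN_ON = ["127.0.0.1", "10.0.0.20", "10.0.10.1"]

ACLS = {
    "dmz": ["10.0.0.0/24"],
    "intra": ["10.0.10.0/26"],
    # Builtin ACLs. "localhost" is an approximation (assumption): BIND matches
    # every address of every interface; here loopback plus listen-on is used.
    "localhost": ["127.0.0.0/8"] + LISTEN_ON,
    "any": ["0.0.0.0/0", "::/0"],
    "none": [],
}

ALLOW_QUERY = ["localhost", "dmz", "intra"]
ALLOW_RECURSION = ["localhost", "dmz", "intra"]


def match_list(elements, addr, acls=ACLS):
    """Return True (positive match), False (negated match) or None (no match)."""
    ip = ipaddress.ip_address(addr)
    for element in elements:
        negate = element.startswith("!")
        if negate:
            element = element[1:].strip()
        if element in acls:
            # nested ACL: its own verdict decides, a leading '!' inverts it
            verdict = match_list(acls[element], str(ip), acls)
            if verdict is None:
                continue
            return (not verdict) if negate else verdict
        network = ipaddress.ip_network(element, strict=False)
        if ip in network:          # False when address families differ
            return not negate
    return None


def is_allowed(elements, addr, acls=ACLS):
    """A list that is exhausted without any match denies the client."""
    return match_list(elements, addr, acls) is True


def public_clients_with_recursion(clients, recursion_list=ALLOW_RECURSION, acls=ACLS):
    """Clients outside private/loopback space that would be granted recursion.

    A non-empty result means the configuration behaves as an open resolver
    towards those clients, which is what DNS amplification abuse relies on.
    """
    return [c for c in clients
            if ipaddress.ip_address(c).is_global and is_allowed(recursion_list, c, acls)]


if __name__ == "__main__":
    for client in ["127.0.0.1", "10.0.0.55", "10.0.10.63", "10.0.10.64", "8.8.8.8"]:
        print(client, "query:", is_allowed(ALLOW_QUERY, client),
              "recursion:", is_allowed(ALLOW_RECURSION, client))
    # the same check against a careless "allow-recursion { any; };"
    print("open resolver towards:", public_clients_with_recursion(["8.8.8.8"], ["any"]))
```

Note that 10.0.10.63 is the last address inside 10.0.10.0/26 while 10.0.10.64 is already outside it, so the script also serves as a quick check that the intra ACL really covers the hosts you expect.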
We place the individual zone files in the directory /var/named/dynamic/.
- dmz-forward
- dmz-reverse
- intra-forward
- intra-reverse
- domain-forward
- domain-reverse
dmz-forward
For forward resolution of the DMZ subnet we create a configuration file following this pattern.
- /var/named/dynamic/dmz-forward
$ORIGIN dmz.nausch.org.
$TTL 86400
@               IN      SOA     vml000020.dmz.nausch.org. root.nausch.org. (
                                2011100501      ; serial
                                3H              ; refresh
                                15M             ; retry
                                1W              ; expiry
                                1D )            ; minimum
;
                IN      NS      vml000020.dmz.nausch.org.
;
fwe             IN      CNAME   vml000010
fwi             IN      CNAME   vml000020
time            IN      CNAME   vml000020
dns             IN      CNAME   vml000020
dhcp            IN      CNAME   vml000020
;
localhost       IN      A       127.0.0.1
;
vml000010       IN      A       10.0.0.10
vml000020       IN      A       10.0.0.20
vml000030       IN      A       10.0.0.30
dmz-reverse
For reverse resolution of the DMZ subnet we create a configuration file following this pattern.
- /var/named/dynamic/dmz-reverse
$ORIGIN 0.0.10.in-addr.arpa.
$TTL 86400
@               IN      SOA     vml000020.dmz.nausch.org. root.nss.nausch.org. (
                                2011100501      ; serial
                                3H              ; refresh
                                1H              ; retry
                                1W              ; expiry
                                1D )            ; minimum
;
@               IN      NS      vml000020.dmz.nausch.org.
;
10              IN      PTR     vml000010.dmz.nausch.org.
20              IN      PTR     vml000020.dmz.nausch.org.
30              IN      PTR     vml000030.dmz.nausch.org.
intra-forward
For forward resolution of the intra subnet we create a configuration file following this pattern.
- /var/named/dynamic/intra-forward
$ORIGIN intra.nausch.org.
$TTL 86400
@               IN      SOA     vml000020.dmz.nausch.org. root.nausch.org. (
                                2011100501      ; serial
                                3H              ; refresh
                                15M             ; retry
                                1W              ; expiry
                                1D )            ; minimum
;
                IN      NS      vml000020.dmz.nausch.org.
;
proton          IN      CNAME   pml010051
;
pml010001       IN      A       10.0.10.1
pml010051       IN      A       10.0.10.51
intra-reverse
For reverse resolution of the intra subnet we create a configuration file following this pattern.
- /var/named/dynamic/intra-reverse
$ORIGIN 10.0.10.in-addr.arpa.
$TTL 86400
@               IN      SOA     vml000020.dmz.nausch.org. root.nss.nausch.org. (
                                2011100501      ; serial
                                3H              ; refresh
                                1H              ; retry
                                1W              ; expiry
                                1D )            ; minimum
;
@               IN      NS      pml010001.intra.nausch.org.
;
1               IN      PTR     pml010001.intra.nausch.org.
51              IN      PTR     pml010051.intra.nausch.org.
domain-forward
For forward resolution of our own domain nausch.org we create a configuration file following this pattern.
- /var/named/dynamic/domain-forward
$ORIGIN nausch.org.
$TTL 86400
@                       IN      SOA     ns1.dmz.nausch.org. root.nausch.org. (
                                        2011100501      ; serial
                                        3H              ; refresh
                                        15M             ; retry
                                        1W              ; expiry
                                        1D )            ; minimum
;
                        IN      NS      ns1.dmz.nausch.org.
;
; absolute name (trailing dot); without it the name would be relative to $ORIGIN
ns1.dmz.nausch.org.     IN      A       88.217.187.21
;
nausch.org.             IN      A       88.217.187.21
*.nausch.org.           IN      A       88.217.187.21
domain-reverse
For reverse resolution of our own domain nausch.org we create a configuration file following this pattern.
- /var/named/dynamic/domain-reverse
$ORIGIN 187.217.88.in-addr.arpa.
$TTL 86400
@               IN      SOA     vml000020.dmz.nausch.org. root.nss.nausch.org. (
                                2011100501      ; serial
                                3H              ; refresh
                                1H              ; retry
                                1W              ; expiry
                                1D )            ; minimum
;
@               IN      NS      ns1.dmz.nausch.org.
;
21              IN      PTR     mx1.nausch.org.
Utilities around the bind nameserver
Checking the configuration
To check the configuration (file) of your bind nameserver, use the command named-checkconf.
# named-checkconf
With the option -p, the configuration file named.conf is printed to the console without comments, provided it contains no errors.
# named-checkconf -p
options {
	bindkeys-file "/etc/named.iscdlv.key";
	directory "/var/named";
	dump-file "/var/named/data/cache_dump.db";
	listen-on port 53 {
		127.0.0.1/32;
		10.0.0.20/32;
		10.0.10.1/32;
	};
	memstatistics-file "/var/named/data/named_mem_stats.txt";
	statistics-file "/var/named/data/named_stats.txt";
	allow-recursion {
		"localhost";
		"dmz";
		"intra";
	};
	auth-nxdomain no;
	check-names master warn;
	dnssec-enable yes;
	dnssec-lookaside "auto" ;
	dnssec-validation yes;
	query-source address 0.0.0.0 port 0;
	recursion yes;
	allow-query {
		"localhost";
		"dmz";
		"intra";
	};
};
acl "dmz" {
	10.0.0.0/24;
};
acl "intra" {
	10.0.10.0/26;
};
logging {
	channel "default_debug" {
		file "data/named.run";
		severity dynamic;
	};
};
zone "." IN {
	type hint;
	file "named.ca";
};
zone "localhost.localdomain" IN {
	type master;
	file "named.localhost";
	allow-update {
		"none";
	};
};
zone "localhost" IN {
	type master;
	file "named.localhost";
	allow-update {
		"none";
	};
};
zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
	type master;
	file "named.loopback";
	allow-update {
		"none";
	};
};
zone "1.0.0.127.in-addr.arpa" IN {
	type master;
	file "named.loopback";
	allow-update {
		"none";
	};
};
zone "0.in-addr.arpa" IN {
	type master;
	file "named.empty";
	allow-update {
		"none";
	};
};
zone "dmz.nausch.org" IN {
	type master;
	file "dynamic/dmz-forward";
	allow-update {
		"none";
	};
};
zone "0.0.10.in-addr.arpa" IN {
	type master;
	file "dynamic/dmz-reverse";
	allow-update {
		"none";
	};
};
zone "intra.nausch.org" IN {
	type master;
	file "dynamic/intra-forward";
	allow-update {
		"none";
	};
};
zone "10.0.10.in-addr.arpa" IN {
	type master;
	file "dynamic/intra-reverse";
	allow-update {
		"none";
	};
};
zone "nausch.org" IN {
	type master;
	file "dynamic/domain-forward";
	allow-update {
		"none";
	};
};
zone "187.217.88.in-addr.arpa" IN {
	type master;
	file "dynamic/domain-reverse";
	allow-update {
		"none";
	};
};
Version query
To query the version of a nameserver, use the following command. The string returned can be replaced with a fixed text via the version option in the options block of named.conf.
# dig txt chaos version.bind
; <<>> DiG 9.7.0-P2-RedHat-9.7.0-5.P2.el6_0.1 <<>> txt chaos version.bind
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18905
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;version.bind.                  CH      TXT

;; ANSWER SECTION:
version.bind.           0       CH      TXT     "9.7.0-P2-RedHat-9.7.0-5.P2.el6_0.1"

;; AUTHORITY SECTION:
version.bind.           0       CH      NS      version.bind.

;; Query time: 1 msec
;; SERVER: 10.0.0.20#53(10.0.0.20)
;; WHEN: Thu Oct 6 14:50:47 2011
;; MSG SIZE  rcvd: 91
Checking zone files
To check a zone file and/or print the serial number in use, use the command named-checkzone.
# named-checkzone dmz.nausch.org /var/named/dynamic/dmz-forward
zone dmz.nausch.org/IN: loaded serial 2011100601
OK
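named-checkzone validates one zone file at a time, so it cannot tell whether the A records in dmz-forward and the PTR records in dmz-reverse above still agree after an edit. The following Python script is an added example (not from this page and not a BIND tool) that parses the subset of master-file syntax used in the zone files above ($ORIGIN, $TTL, `;` comments, the parenthesised multi-line SOA, relative and absolute names, an omitted owner name), reports A/PTR mismatches between a forward and a reverse zone, and bumps a YYYYMMDDnn serial the way the serials above are formatted. The two sample zones are constructed inline from the page's dmz-forward and dmz-reverse so that the check runs offline; the broken variant is constructed too.

```python
"""Cross-check a forward zone against its reverse zone and bump the serial.

Added example, not from the page and not a BIND tool: it parses the subset of
master-file syntax used in the zone files above and reports A/PTR mismatches
that named-checkzone, which validates one file at a time, cannot see.
"""
import ipaddress

# sample zones constructed from the page's dmz-forward / dmz-reverse files
DMZ_FORWARD = """\
$ORIGIN dmz.nausch.org.
$TTL 86400
@       IN SOA vml000020.dmz.nausch.org. root.nausch.org. (
                2011100501 ; serial
                3H  ; refresh
                15M ; retry
                1W  ; expiry
                1D ) ; minimum
        IN NS  vml000020.dmz.nausch.org.
localhost IN A 127.0.0.1
vml000010 IN A 10.0.0.10
vml000020 IN A 10.0.0.20
vml000030 IN A 10.0.0.30
"""
DMZ_REVERSE = """\
$ORIGIN 0.0.10.in-addr.arpa.
$TTL 86400
@   IN SOA vml000020.dmz.nausch.org. root.nss.nausch.org. (
        2011100501 ; serial
        3H ; refresh
        1H ; retry
        1W ; expiry
        1D ) ; minimum
@   IN NS  vml000020.dmz.nausch.org.
10  IN PTR vml000010.dmz.nausch.org.
20  IN PTR vml000020.dmz.nausch.org.
30  IN PTR vml000030.dmz.nausch.org.
"""
# constructed inconsistent variant: host 30 lost its PTR, a stale PTR for 40 remains
BROKEN_REVERSE = DMZ_REVERSE.replace("30  IN PTR vml000030", "40  IN PTR vml000040")
RR_TYPES = {"SOA", "NS", "A", "AAAA", "CNAME", "PTR", "MX", "TXT"}


def _logical_lines(text):
    """Yield (tokens, owner_omitted): comments stripped, ( ... ) joined."""
    buf, depth, first = [], 0, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]               # ';' starts a comment
        if first is None:
            if not line.strip():
                continue
            first = raw
        depth += line.count("(") - line.count(")")
        buf.append(line.replace("(", " ").replace(")", " "))
        if depth <= 0:
            yield " ".join(buf).split(), first[:1].isspace()
            buf, depth, first = [], 0, None


def _absolute(name, origin):
    """'@' is the origin; a name without a trailing dot is relative to it."""
    return origin if name == "@" else (name if name.endswith(".") else name + "." + origin)


def parse_zone(text):
    """Return (origin, soa_serial, [(owner, rrtype, rdata_tokens), ...])."""
    origin, serial, records, owner = ".", None, [], None
    for tokens, owner_omitted in _logical_lines(text):
        if tokens[0] == "$ORIGIN":
            origin = tokens[1]
        if tokens[0].startswith("$"):             # $ORIGIN, $TTL, ...
            continue
        if not owner_omitted:                     # blank owner repeats the last one
            owner = _absolute(tokens.pop(0), origin)
        while tokens and tokens[0] not in RR_TYPES:   # skip optional TTL / class
            tokens.pop(0)
        if tokens:
            if tokens[0] == "SOA":
                serial = int(tokens[3])           # SOA mname rname serial ...
            records.append((owner, tokens[0], tokens[1:]))
    return origin, serial, records


def reverse_name(ip):
    return ipaddress.ip_address(ip).reverse_pointer + "."


def check_forward_reverse(forward_text, reverse_text):
    """List A/PTR mismatches between the zones; an empty list means consistent."""
    _, _, fwd = parse_zone(forward_text)
    rev_origin, _, rev = parse_zone(reverse_text)
    # only addresses whose reverse name falls inside the reverse zone are checked
    expected = {reverse_name(r[0]): o for o, t, r in fwd
                if t == "A" and reverse_name(r[0]).endswith("." + rev_origin)}
    ptrs = {o: r[0] for o, t, r in rev if t == "PTR"}
    problems = ["missing PTR %s for %s" % (n, h) for n, h in expected.items() if n not in ptrs]
    problems += ["PTR %s is %s but A record belongs to %s" % (n, ptrs[n], h)
                 for n, h in expected.items() if n in ptrs and ptrs[n] != h]
    problems += ["stale PTR %s -> %s without A record" % (n, h)
                 for n, h in ptrs.items() if n not in expected]
    return sorted(problems)


def bump_serial(serial, today):
    """YYYYMMDDnn convention: restart the counter on a new day, else increment."""
    base = int(today) * 100
    return base + 1 if serial < base else serial + 1
```

Running `check_forward_reverse(DMZ_FORWARD, DMZ_REVERSE)` returns an empty list, while the constructed BROKEN_REVERSE yields one "missing PTR" and one "stale PTR" finding; `bump_serial(2011100501, "20111006")` gives 2011100601, the serial shown in the named-checkzone output above. One A record per address is assumed (round-robin sets are not handled), and the localhost A record is skipped automatically because its reverse name lies outside 0.0.10.in-addr.arpa.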
Reloading zone files
Reloading the zone configuration files of a DNS server without having to restart the server is done with:
# rndc reload
dnssec-tools
# yum install dnssec-tools
# rpm -qil dnssec-tools
Name : dnssec-tools Relocations: (not relocatable)
Version : 1.13 Vendor: Fedora Project
Release : 12.el6 Build Date: Fri 24 May 2013 01:05:40 AM CEST
Install Date: Sat 24 May 2014 08:44:32 PM CEST Build Host: buildvm-24.phx2.fedoraproject.org
Group : System Environment/Base Source RPM: dnssec-tools-1.13-12.el6.src.rpm
Size : 2004766 License: BSD
Signature : RSA/8, Fri 24 May 2013 06:56:53 PM CEST, Key ID 3b49df2a0608b895
Packager : Fedora Project
URL : http://www.dnssec-tools.org/
Summary : A suite of tools for managing dnssec aware DNS usage
Description :
The goal of the DNSSEC-Tools project is to create a set of tools,
patches, applications, wrappers, extensions, and plugins that will
help ease the deployment of DNSSEC-related technologies.
/etc/dnssec-tools
/etc/dnssec-tools/dnssec-tools.conf
/usr/bin/blinkenlights
/usr/bin/bubbles
/usr/bin/buildrealms
/usr/bin/check-zone-expiration
/usr/bin/cleanarch
/usr/bin/cleankrf
/usr/bin/convertar
/usr/bin/dnspktflow
/usr/bin/donuts
/usr/bin/donutsd
/usr/bin/drawvalmap
/usr/bin/dt-getaddr
/usr/bin/dt-gethost
/usr/bin/dt-getname
/usr/bin/dt-getquery
/usr/bin/dt-getrrset
/usr/bin/dt-validate
/usr/bin/dtck
/usr/bin/dtconf
/usr/bin/dtconfchk
/usr/bin/dtdefs
/usr/bin/dtinitconf
/usr/bin/dtrealms
/usr/bin/expchk
/usr/bin/fixkrf
/usr/bin/genkrf
/usr/bin/getdnskeys
/usr/bin/getds
/usr/bin/grandvizier
/usr/bin/keyarch
/usr/bin/keymod
/usr/bin/krfcheck
/usr/bin/libval_check_conf
/usr/bin/lights
/usr/bin/lsdnssec
/usr/bin/lskrf
/usr/bin/lsrealm
/usr/bin/lsroll
/usr/bin/maketestzone
/usr/bin/mapper
/usr/bin/realmchk
/usr/bin/realmctl
/usr/bin/realminit
/usr/bin/realmset
/usr/bin/rollchk
/usr/bin/rollctl
/usr/bin/rollerd
/usr/bin/rollinit
/usr/bin/rolllog
/usr/bin/rollrec-editor
/usr/bin/rollset
/usr/bin/signset-editor
/usr/bin/tachk
/usr/bin/timetrans
/usr/bin/trustman
/usr/bin/zonesigner
/usr/share/dnssec-tools
/usr/share/dnssec-tools/donuts
/usr/share/dnssec-tools/donuts/rules
/usr/share/dnssec-tools/donuts/rules/check_nameservers.txt
/usr/share/dnssec-tools/donuts/rules/dns.errors.txt
/usr/share/dnssec-tools/donuts/rules/dnssec.rules.txt
/usr/share/dnssec-tools/donuts/rules/nsec_check.rules.txt
/usr/share/dnssec-tools/donuts/rules/parent_child.rules.txt
/usr/share/dnssec-tools/donuts/rules/recommendations.rules.txt
/usr/share/dnssec-tools/validator-testcases
/usr/share/doc/dnssec-tools-1.13
/usr/share/doc/dnssec-tools-1.13/COPYING
/usr/share/doc/dnssec-tools-1.13/INSTALL
/usr/share/doc/dnssec-tools-1.13/README
/usr/share/man/man1/blinkenlights.1.gz
/usr/share/man/man1/bubbles.1.gz
/usr/share/man/man1/buildrealms.1.gz
/usr/share/man/man1/check-zone-expiration.1.gz
/usr/share/man/man1/cleanarch.1.gz
/usr/share/man/man1/cleankrf.1.gz
/usr/share/man/man1/convertar.1.gz
/usr/share/man/man1/dnspktflow.1.gz
/usr/share/man/man1/dnssec-tools.1.gz
/usr/share/man/man1/donuts.1.gz
/usr/share/man/man1/donutsd.1.gz
/usr/share/man/man1/drawvalmap.1.gz
/usr/share/man/man1/dt-getaddr.1.gz
/usr/share/man/man1/dt-gethost.1.gz
/usr/share/man/man1/dt-getname.1.gz
/usr/share/man/man1/dt-getquery.1.gz
/usr/share/man/man1/dt-getrrset.1.gz
/usr/share/man/man1/dt-libval_check_conf.1.gz
/usr/share/man/man1/dt-validate.1.gz
/usr/share/man/man1/dtck.1.gz
/usr/share/man/man1/dtconf.1.gz
/usr/share/man/man1/dtconfchk.1.gz
/usr/share/man/man1/dtdefs.1.gz
/usr/share/man/man1/dtinitconf.1.gz
/usr/share/man/man1/dtrealms.1.gz
/usr/share/man/man1/expchk.1.gz
/usr/share/man/man1/fixkrf.1.gz
/usr/share/man/man1/genkrf.1.gz
/usr/share/man/man1/getdnskeys.1.gz
/usr/share/man/man1/getds.1.gz
/usr/share/man/man1/grandvizier.1.gz
/usr/share/man/man1/keyarch.1.gz
/usr/share/man/man1/keymod.1.gz
/usr/share/man/man1/krfcheck.1.gz
/usr/share/man/man1/lights.1.gz
/usr/share/man/man1/lsdnssec.1.gz
/usr/share/man/man1/lskrf.1.gz
/usr/share/man/man1/lsrealm.1.gz
/usr/share/man/man1/lsroll.1.gz
/usr/share/man/man1/maketestzone.1.gz
/usr/share/man/man1/mapper.1.gz
/usr/share/man/man1/realmchk.1.gz
/usr/share/man/man1/realmctl.1.gz
/usr/share/man/man1/realminit.1.gz
/usr/share/man/man1/realmset.1.gz
/usr/share/man/man1/rollchk.1.gz
/usr/share/man/man1/rollctl.1.gz
/usr/share/man/man1/rollerd.1.gz
/usr/share/man/man1/rollinit.1.gz
/usr/share/man/man1/rolllog.1.gz
/usr/share/man/man1/rollrec-editor.1.gz
/usr/share/man/man1/rollset.1.gz
/usr/share/man/man1/signset-editor.1.gz
/usr/share/man/man1/tachk.1.gz
/usr/share/man/man1/timetrans.1.gz
/usr/share/man/man1/trustman.1.gz
/usr/share/man/man1/zonesigner.1.gz
/usr/share/man/man3/Net::DNS::SEC::Tools::realm.3pm.gz
/usr/share/man/man3/Net::DNS::SEC::Tools::realmmgr.3pm.gz
/usr/share/man/man3/p_ac_status.3.gz
/usr/share/man/man3/p_val_status.3.gz
zone-check
# yum install zonecheck -y
# rpm -qil zonecheck
Name : zonecheck Relocations: (not relocatable)
Version : 2.0.4 Vendor: Dag Apt Repository, http://dag.wieers.com/apt/
Release : 1.2.el6.rf Build Date: Fri 12 Nov 2010 10:58:44 AM CET
Install Date: Sat 24 May 2014 11:00:03 PM CEST Build Host: lisse.hasselt.wieers.com
Group : Applications/Internet Source RPM: zonecheck-2.0.4-1.2.el6.rf.src.rpm
Size : 792719 License: GPL
Signature : DSA/SHA1, Sat 13 Nov 2010 12:05:24 AM CET, Key ID a20e52146b8d79e6
Packager : Dag Wieers <dag@wieers.com>
URL : http://www.zonecheck.fr/
Summary : Perform consistency checks on DNS zones
Description :
ZoneCheck is intended to help solve DNS misconfigurations or inconsistencies
that are usually revealed by an increase in the latency of the application.
The DNS is a critical resource for every network application, so it is quite
important to ensure that a zone or domain name is correctly configured in the DNS.
/etc/zonecheck
/etc/zonecheck/afnic.profile
/etc/zonecheck/de.profile
/etc/zonecheck/default.profile
/etc/zonecheck/reverse.profile
/etc/zonecheck/rootservers
/etc/zonecheck/zc.conf
/usr/bin/zonecheck
/usr/lib/zonecheck
/usr/lib/zonecheck/cgi-bin
/usr/lib/zonecheck/cgi-bin/zc.cgi
/usr/lib/zonecheck/lib
/usr/lib/zonecheck/lib/address
/usr/lib/zonecheck/lib/address.rb
/usr/lib/zonecheck/lib/address/common.rb
/usr/lib/zonecheck/lib/address/ipv4.rb
/usr/lib/zonecheck/lib/address/ipv6.rb
/usr/lib/zonecheck/lib/nresolv
/usr/lib/zonecheck/lib/nresolv.rb
/usr/lib/zonecheck/lib/nresolv/compatibility.rb
/usr/lib/zonecheck/lib/nresolv/config.rb
/usr/lib/zonecheck/lib/nresolv/constants.rb
/usr/lib/zonecheck/lib/nresolv/dbg.rb
/usr/lib/zonecheck/lib/nresolv/dig_output.rb
/usr/lib/zonecheck/lib/nresolv/dns.rb
/usr/lib/zonecheck/lib/nresolv/dns_message.rb
/usr/lib/zonecheck/lib/nresolv/dns_name.rb
/usr/lib/zonecheck/lib/nresolv/dns_resource.rb
/usr/lib/zonecheck/lib/nresolv/host.rb
/usr/lib/zonecheck/lib/nresolv/resolver.rb
/usr/lib/zonecheck/lib/nresolv/transport.rb
/usr/lib/zonecheck/lib/nresolv/wire.rb
/usr/lib/zonecheck/lib/textfmt.rb
/usr/lib/zonecheck/lib/whois.rb
/usr/lib/zonecheck/locale
/usr/lib/zonecheck/locale/cgi.en
/usr/lib/zonecheck/locale/cgi.fr
/usr/lib/zonecheck/locale/cli.en
/usr/lib/zonecheck/locale/cli.fr
/usr/lib/zonecheck/locale/gtk.en
/usr/lib/zonecheck/locale/gtk.fr
/usr/lib/zonecheck/locale/inetd.en
/usr/lib/zonecheck/locale/inetd.fr
/usr/lib/zonecheck/locale/test
/usr/lib/zonecheck/locale/test/axfr.en
/usr/lib/zonecheck/locale/test/axfr.fr
/usr/lib/zonecheck/locale/test/connectivity.en
/usr/lib/zonecheck/locale/test/connectivity.fr
/usr/lib/zonecheck/locale/test/generic.en
/usr/lib/zonecheck/locale/test/generic.fr
/usr/lib/zonecheck/locale/test/interop.en
/usr/lib/zonecheck/locale/test/interop.fr
/usr/lib/zonecheck/locale/test/loopback.en
/usr/lib/zonecheck/locale/test/loopback.fr
/usr/lib/zonecheck/locale/test/mail.en
/usr/lib/zonecheck/locale/test/mail.fr
/usr/lib/zonecheck/locale/test/misc.en
/usr/lib/zonecheck/locale/test/misc.fr
/usr/lib/zonecheck/locale/test/mx.en
/usr/lib/zonecheck/locale/test/mx.fr
/usr/lib/zonecheck/locale/test/nameserver.en
/usr/lib/zonecheck/locale/test/nameserver.fr
/usr/lib/zonecheck/locale/test/ns.en
/usr/lib/zonecheck/locale/test/ns.fr
/usr/lib/zonecheck/locale/test/rootserver.en
/usr/lib/zonecheck/locale/test/rootserver.fr
/usr/lib/zonecheck/locale/test/soa.en
/usr/lib/zonecheck/locale/test/soa.fr
/usr/lib/zonecheck/locale/zc.en
/usr/lib/zonecheck/locale/zc.fr
/usr/lib/zonecheck/test
/usr/lib/zonecheck/test/axfr.rb
/usr/lib/zonecheck/test/connectivity.rb
/usr/lib/zonecheck/test/generic.rb
/usr/lib/zonecheck/test/interop.rb
/usr/lib/zonecheck/test/loopback.rb
/usr/lib/zonecheck/test/mail.rb
/usr/lib/zonecheck/test/misc.rb
/usr/lib/zonecheck/test/mx.rb
/usr/lib/zonecheck/test/nameserver.rb
/usr/lib/zonecheck/test/ns.rb
/usr/lib/zonecheck/test/rootserver.rb
/usr/lib/zonecheck/test/soa.rb
/usr/lib/zonecheck/www
/usr/lib/zonecheck/www/html
/usr/lib/zonecheck/www/html/batch.html.en
/usr/lib/zonecheck/www/html/batch.html.fr
/usr/lib/zonecheck/www/html/form.html.en
/usr/lib/zonecheck/www/html/form.html.fr
/usr/lib/zonecheck/www/img
/usr/lib/zonecheck/www/img/details.png
/usr/lib/zonecheck/www/img/element.png
/usr/lib/zonecheck/www/img/fatal.png
/usr/lib/zonecheck/www/img/gear.png
/usr/lib/zonecheck/www/img/info.png
/usr/lib/zonecheck/www/img/light.png
/usr/lib/zonecheck/www/img/logo.png
/usr/lib/zonecheck/www/img/loupe.png
/usr/lib/zonecheck/www/img/notepad.png
/usr/lib/zonecheck/www/img/ok.png
/usr/lib/zonecheck/www/img/primary.png
/usr/lib/zonecheck/www/img/ref.png
/usr/lib/zonecheck/www/img/secondary.png
/usr/lib/zonecheck/www/img/warning.png
/usr/lib/zonecheck/www/img/zc-fav.png
/usr/lib/zonecheck/www/img/zone.png
/usr/lib/zonecheck/www/js
/usr/lib/zonecheck/www/js/formvalidation.js
/usr/lib/zonecheck/www/js/popupmenu.js
/usr/lib/zonecheck/www/js/progress.js
/usr/lib/zonecheck/www/style
/usr/lib/zonecheck/www/style/zc.css
/usr/lib/zonecheck/www/zonecheck.conf.in
/usr/lib/zonecheck/zc
/usr/lib/zonecheck/zc/cache.rb
/usr/lib/zonecheck/zc/cachemanager.rb
/usr/lib/zonecheck/zc/config.rb
/usr/lib/zonecheck/zc/console.rb
/usr/lib/zonecheck/zc/data
/usr/lib/zonecheck/zc/data/catalog.xml
/usr/lib/zonecheck/zc/data/config.dtd
/usr/lib/zonecheck/zc/data/logo.rb
/usr/lib/zonecheck/zc/data/msgcat.dtd
/usr/lib/zonecheck/zc/data/xpm.rb
/usr/lib/zonecheck/zc/data/zonecheck.dtd
/usr/lib/zonecheck/zc/dbg.rb
/usr/lib/zonecheck/zc/ext
/usr/lib/zonecheck/zc/ext/array.rb
/usr/lib/zonecheck/zc/ext/file.rb
/usr/lib/zonecheck/zc/ext/gtk.rb
/usr/lib/zonecheck/zc/ext/myxml.rb
/usr/lib/zonecheck/zc/framework.rb
/usr/lib/zonecheck/zc/input
/usr/lib/zonecheck/zc/input/cgi.rb
/usr/lib/zonecheck/zc/input/cli.rb
/usr/lib/zonecheck/zc/input/gtk.rb
/usr/lib/zonecheck/zc/input/inetd.rb
/usr/lib/zonecheck/zc/instructions.rb
/usr/lib/zonecheck/zc/locale.rb
/usr/lib/zonecheck/zc/mail.rb
/usr/lib/zonecheck/zc/msgcat.rb
/usr/lib/zonecheck/zc/param.rb
/usr/lib/zonecheck/zc/publisher
/usr/lib/zonecheck/zc/publisher.rb
/usr/lib/zonecheck/zc/publisher/gtk.rb
/usr/lib/zonecheck/zc/publisher/html.rb
/usr/lib/zonecheck/zc/publisher/text.rb
/usr/lib/zonecheck/zc/publisher/xml.rb
/usr/lib/zonecheck/zc/report
/usr/lib/zonecheck/zc/report.rb
/usr/lib/zonecheck/zc/report/byhost.rb
/usr/lib/zonecheck/zc/report/byseverity.rb
/usr/lib/zonecheck/zc/testmanager.rb
/usr/lib/zonecheck/zc/zc.rb
/usr/lib/zonecheck/zc/zonecheck.rb
/usr/share/doc/zonecheck-2.0.4
/usr/share/doc/zonecheck-2.0.4/BUGS
/usr/share/doc/zonecheck-2.0.4/COPYING
/usr/share/doc/zonecheck-2.0.4/CREDITS
/usr/share/doc/zonecheck-2.0.4/ChangeLog
/usr/share/doc/zonecheck-2.0.4/GPL
/usr/share/doc/zonecheck-2.0.4/HISTORY
/usr/share/doc/zonecheck-2.0.4/README
/usr/share/doc/zonecheck-2.0.4/TODO
/usr/share/doc/zonecheck-2.0.4/html
/usr/share/doc/zonecheck-2.0.4/html/FAQ.html
/usr/share/doc/zonecheck-2.0.4/html/apa.html
/usr/share/doc/zonecheck-2.0.4/html/ch01.html
/usr/share/doc/zonecheck-2.0.4/html/ch01s02.html
/usr/share/doc/zonecheck-2.0.4/html/ch01s03.html
/usr/share/doc/zonecheck-2.0.4/html/ch01s04.html
/usr/share/doc/zonecheck-2.0.4/html/ch02.html
/usr/share/doc/zonecheck-2.0.4/html/ch02s02.html
/usr/share/doc/zonecheck-2.0.4/html/ch02s03.html
/usr/share/doc/zonecheck-2.0.4/html/ch03.html
/usr/share/doc/zonecheck-2.0.4/html/ch04.html
/usr/share/doc/zonecheck-2.0.4/html/ch05.html
/usr/share/doc/zonecheck-2.0.4/html/ch05s02.html
/usr/share/doc/zonecheck-2.0.4/html/ch06.html
/usr/share/doc/zonecheck-2.0.4/html/ch07.html
/usr/share/doc/zonecheck-2.0.4/html/ch07s02.html
/usr/share/doc/zonecheck-2.0.4/html/ch07s03.html
/usr/share/doc/zonecheck-2.0.4/html/ch08.html
/usr/share/doc/zonecheck-2.0.4/html/ch08s02.html
/usr/share/doc/zonecheck-2.0.4/html/index-toc.html
/usr/share/doc/zonecheck-2.0.4/html/index.html
/usr/share/man/man1/zonecheck.1.gz