[Prev] Thread [Next]  |  [Prev] Date [Next]

Re: [blfs-dev] BIND, Part 2 Qrux Fri Feb 17 16:01:06 2012

On Feb 17, 2012, at 1:28 AM, Qrux wrote:

> The version of BIND included with BLFS doesn't work.  Googled:
>       named initializing DST: openssl failure
> ...My gut says the chroot environment is somehow incomplete...


After /srv/named has been setup, do this for BIND-9.8 + chroot-jail:

sudo mkdir -p /srv/named/usr/lib
sudo /bin/cp -avf /usr/lib/engines /srv/named/usr/lib
sudo chown -vR named.named /srv/named

cd /srv/named
sudo ln -sfv lib lib64
cd /srv/named/usr
sudo ln -sfv lib lib64

The gist is, add /usr/lib/engines to the chroot-jail (which contains the shared 
libs for the engines that BIND can't seem to find).  Then--and this is the 
important part--add the /lib64 and /usr/lib64 symlinks in the jail.  This 
allows BIND-9.8 to run in a jail like a charm (odd image).  I'm sure someone 
can pretty this up for the book, but I've been able to get a server up and 
running with this.

* * *

On a related note...I quite like config files in /etc, so I was a fan of 
/etc/namedb to start.  But, I also am a fan of considering /etc to be 
"mostly-static".  Two things about BIND make that unpleasant:

1) /etc/namedb/named.run is written there, and it's a log file!  It can reach 
epic proportions if you enable any amount of debugging, especially if you run 
your own zones.

2) /etc/namedb/slave is maintained there, which is the zone-transfer slave 
dump.  This doesn't get huge (unless you're managing something like Stanford 
University's network), but it's also...more of a run-time thing.  This isn't a 
huge deal (I suppose it's no different, than, say, adding a identical number of 
users and seeing the impact against /etc/{passwd,shadow}).

I would suggest setting BIND up with something like this:

mkdir -p /srv/named/var/lib/named/slave
ln -s /srv/named/var/lib/named /srv/named/etc/namedb/var
sed -i 's^file\ \"named.run\";^file\ \"var/named.run\";^' 
ln -s /srv/named/var/lib/named/slave /srv/named/etc/namedb/slave

Gist: try to capture all the "run-time" stuff in <jail>/var/lib/named, and do a 
symlink in <jail>/etc/namedb/var.  In named.conf, just repath the log file.


FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the above information page