On Apr 15, 2011, at 9:29 AM, hugo hugoo wrote:

I do not use the version provided by Debian because I am migrating from bind8 to Bind9 and I want to have both versions available on the same server.
So, I want to have Bind9 totally separated from Bind8.

I use Debian, version 5 and the last ESV bind9.

- I have seen that in the debian distribution, bind9 is started via "named -u bind" ==> is it dangerous to run bind9 as root?

It is dangerous to run anything as root, "named", "httpd", etc. This includes running anything you do on the console as root, unless it is absolutely necessary.

This is why software that requires root access to start up, such as BIND, is written such that it is easy to run as a non-privileged user. Information about using this is included in the ARM, basically making sure that the necessary files/directories are readable (and maybe writable) by the identified user. Easy enough that doing anything else is simply foolish.

- The following script is provided in the distribution to start/stop bind9.
  But I hesitate to copy it to use it with a source installation.

lennydnstest01:~# cat /etc/init.d/bind9
#!/bin/sh
### BEGIN INIT INFO
# Provides:          bind9
# Required-Start:    $remote_fs
# Required-Stop:     $remote_fs
# Should-Start:      $network $syslog
# Should-Stop:       $network $syslog
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Start and stop bind9
# Description:       bind9 is a Domain Name Server (DNS)
#        which translates ip addresses to and from internet names
### END INIT INFO
PATH=/sbin:/bin:/usr/sbin:/usr/bin
# for a chrooted server: "-u bind -t /var/lib/named"
# Don't modify this line, change or create /etc/default/bind9.
OPTIONS=""
RESOLVCONF=no
test -f /etc/default/bind9 && . /etc/default/bind9
test -x /usr/sbin/rndc || exit 0
. /lib/lsb/init-functions
DISTRO=$(lsb_release -is 2>/dev/null || echo Debian)
PIDFILE=/var/run/bind/run/named.pid
check_network() {
    if [ -x /usr/bin/uname ] && [ "X$(/usr/bin/uname -o)" = XSolaris ]; then
        IFCONFIG_OPTS="-au"
    else
        IFCONFIG_OPTS=""
    fi
    if [ -z "$(/sbin/ifconfig $IFCONFIG_OPTS)" ]; then
       #log_action_msg "No networks configured."
       return 1
    fi
    return 0
}
case "$1" in
    start)
        log_daemon_msg "Starting domain name service..." "bind9"
        modprobe capability >/dev/null 2>&1 || true
        # dirs under /var/run can go away on reboots.
        mkdir -p /var/run/bind/run
        chmod 775 /var/run/bind/run
        chown root:bind /var/run/bind/run >/dev/null 2>&1 || true
        if [ ! -x /usr/sbin/named ]; then
            log_action_msg "named binary missing - not starting"
            log_end_msg 1
            exit 1
        fi
        if ! check_network; then
            log_end_msg 1
            exit 1
        fi
        echo $OPTIONS;
        if start-stop-daemon --start --oknodo --quiet --exec /usr/sbin/named \
                --pidfile ${PIDFILE} -- $OPTIONS; then
            if [ "X$RESOLVCONF" != "Xno" ] && [ -x /sbin/resolvconf ] ; then
                echo "nameserver 127.0.0.1" | /sbin/resolvconf -a lo.named
            fi
            log_end_msg 0
        else
            log_end_msg 1
        fi
    ;;
    stop)
        log_daemon_msg "Stopping domain name service..." "bind9"
        if ! check_network; then
            log_end_msg 1
            exit 1
        fi
        if [ "X$RESOLVCONF" != "Xno" ] && [ -x /sbin/resolvconf ] ; then
            /sbin/resolvconf -d lo.named
        fi
        pid=$(/usr/sbin/rndc stop -p | awk '/^pid:/ {print $2}')
        if [ -n "$pid" ]; then
          while kill -0 $pid 2>/dev/null; do
            log_progress_msg "waiting for pid $pid to die"
            sleep 1
          done
        fi
        log_end_msg $?
    ;;
    reload|force-reload)
        log_daemon_msg "Reloading domain name service..." "bind9"
        if ! check_network; then
            log_end_msg 1
            exit 1
        fi
        /usr/sbin/rndc reload >/dev/null
        log_end_msg $?
    ;;
    restart)
        if ! check_network; then
            exit 1
        fi
        $0 stop
        $0 start
    ;;

    status)
        ret=0
        status_of_proc -p ${PIDFILE} /usr/sbin/named bind9 2>/dev/null || ret=$?
        ;;
    *)
        log_action_msg "Usage: /etc/init.d/bind9 {start|stop|reload|restart|force-reload|status}"
        exit 1
    ;;
esac
exit 0

Wow, this does a lot of stuff, everything but putting out the cat at night! So much that it makes me a little leery of it. I like to know exactly what is occurring when running something, but this is a difference in administration styles.

This is the Debian supplied "bind9" etc script. Why not copy and rename this to something else such that it doesn't conflict with the Debian startup scripts. Then you can configure it how you want and need and not worry about getting clobbered with updates from Debian.

Bill Larson
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
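As an added example (not hugo's, not Bill's, and not Debian's script), here is a stripped-down init script that follows the advice in the thread: it is named so it cannot collide with Debian's /etc/init.d/bind9, and it refuses to start named unless the daemon will drop to an unprivileged user with -u. The /usr/local install paths, the "bind" account, the /var/run/named-local run directory and the optional chroot directory are all assumptions for this example, not values from the thread. Beyond the plain "-u bind" case discussed above, it also checks that named.conf is not world-writable and that the run directory is owned by the unprivileged user before named is started.

```shell
#!/bin/sh
# /etc/init.d/bind9-local: init script for a BIND 9 built from source and
# installed under /usr/local, deliberately named so it cannot collide with
# Debian's /etc/init.d/bind9. All paths and the "bind" account below are
# assumptions for this example.
### BEGIN INIT INFO
# Provides:          bind9-local
# Required-Start:    $remote_fs $syslog
# Required-Stop:     $remote_fs $syslog
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Start and stop a source-installed BIND 9 as user "bind"
### END INIT INFO

PATH=/usr/local/sbin:/sbin:/bin:/usr/sbin:/usr/bin
NAMED=${NAMED:-/usr/local/sbin/named}
RNDC=${RNDC:-/usr/local/sbin/rndc}
NAMED_USER=${NAMED_USER:-bind}            # unprivileged account named switches to
NAMED_CONF=${NAMED_CONF:-/usr/local/etc/named.conf}
CHROOT=${CHROOT:-}                        # optional "-t" directory; empty = no chroot
RUNDIR=${RUNDIR:-/var/run/named-local}    # kept apart from Debian's /var/run/bind
PIDFILE=$RUNDIR/named.pid

# Arguments named is started with. "-u" is always present so named binds
# port 53 as root and then drops to $NAMED_USER. With "-t", the "-c" path
# is interpreted inside the chroot.
named_args() {
    args="-u $NAMED_USER -c $NAMED_CONF"
    [ -n "$CHROOT" ] && args="$args -t $CHROOT"
    echo "$args"
}

# Succeeds only if the argument string names a non-root user after "-u".
drops_privileges() {
    case " $1 " in
        *" -u root "* | *" -u 0 "*) return 1 ;;
        *" -u "*)                   return 0 ;;
        *)                          return 1 ;;
    esac
}

# The config must be readable at start-up and must not be world-writable:
# anyone able to edit it controls what the server answers.
check_config_perms() {
    f=$1
    [ -r "$f" ] || { echo "$f: not readable" >&2; return 1; }
    if [ -n "$(find "$f" -perm -002)" ]; then
        echo "$f: world-writable, refusing to start" >&2
        return 1
    fi
    return 0
}

# named writes its pid file after dropping privileges, so the run directory
# must belong to $NAMED_USER; 0755 keeps other accounts from writing there.
prepare_rundir() {
    dir=$1
    user=$2
    mkdir -p "$dir" && chown "$user" "$dir" && chmod 0755 "$dir"
}

do_start() {
    [ -x "$NAMED" ] || { echo "$NAMED: missing or not executable" >&2; return 1; }
    args=$(named_args)
    drops_privileges "$args" || { echo "refusing to run named as root" >&2; return 1; }
    check_config_perms "$NAMED_CONF" || return 1
    prepare_rundir "$RUNDIR" "$NAMED_USER" || return 1
    start-stop-daemon --start --oknodo --quiet --exec "$NAMED" \
        --pidfile "$PIDFILE" -- $args
}

do_stop() {
    "$RNDC" stop || return 1
    # rndc returns before named has exited; wait so "restart" does not race it.
    if [ -f "$PIDFILE" ]; then
        pid=$(cat "$PIDFILE")
        while [ -n "$pid" ] && kill -0 "$pid" 2>/dev/null; do sleep 1; done
    fi
}

do_status() {
    [ -f "$PIDFILE" ] && kill -0 "$(cat "$PIDFILE")" 2>/dev/null
}

case "${1:-}" in
    start)   do_start ;;
    stop)    do_stop ;;
    restart) do_stop; do_start ;;
    reload)  "$RNDC" reload ;;
    status)  if do_status; then echo "named is running"; else echo "named is not running"; exit 3; fi ;;
    "")      ;;   # no action: only define the functions (sourced or run bare)
    *)       echo "Usage: $0 {start|stop|restart|reload|status}" >&2; exit 1 ;;
esac
```

Install it as /etc/init.d/bind9-local (mode 755) and register it with `update-rc.d bind9-local defaults`; because the name, the run directory and the binaries all differ from the packaged ones, a later Debian update of the bind9 package will not overwrite it, and the source-built server and the packaged one can be managed independently.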
