On Feb 17, 2012, at 1:28 AM, Qrux wrote:
> The version of BIND included with BLFS doesn't work. Googled:
>
> named initializing DST: openssl failure
>
> ...My gut says the chroot environment is somehow incomplete...
Fixed!
After /srv/named has been setup, do this for BIND-9.8 + chroot-jail:
==
sudo mkdir -p /srv/named/usr/lib
# the OpenSSL engine shared objects named needs when it initializes DST
sudo /bin/cp -avf /usr/lib/engines /srv/named/usr/lib
sudo chown -vR named.named /srv/named
# lib64 -> lib symlinks so the 64-bit loader paths resolve inside the jail
cd /srv/named
sudo ln -sfv lib lib64
cd /srv/named/usr
sudo ln -sfv lib lib64
==
The gist is, add /usr/lib/engines to the chroot-jail (which contains the shared
libs for the engines that BIND can't seem to find). Then--and this is the
important part--add the /lib64 and /usr/lib64 symlinks in the jail. This
allows BIND-9.8 to run in a jail like a charm (odd image). I'm sure someone
can pretty this up for the book, but I've been able to get a server up and
running with this.
* * *
On a related note...I quite like config files in /etc, so I was a fan of
/etc/namedb to start. But, I also am a fan of considering /etc to be
"mostly-static". Two things about BIND make that unpleasant:
1) /etc/namedb/named.run is written there, and it's a log file! It can reach
epic proportions if you enable any amount of debugging, especially if you run
your own zones.
2) /etc/namedb/slave is maintained there, which is the zone-transfer slave
dump. This doesn't get huge (unless you're managing something like Stanford
University's network), but it's also...more of a run-time thing. This isn't a
huge deal (I suppose it's no different than, say, adding an identical number of
users and seeing the impact against /etc/{passwd,shadow}).
I would suggest setting BIND up with something like this:
==
mkdir -p /srv/named/var/lib/named/slave
# relative link targets: an absolute /srv/named/... target would point outside
# the jail once named has chrooted to /srv/named, so the link would dangle
ln -s ../../var/lib/named /srv/named/etc/namedb/var
ln -s ../../var/lib/named/slave /srv/named/etc/namedb/slave
sed -i 's|file "named.run";|file "var/named.run";|' /srv/named/etc/named.conf
==
Gist: try to capture all the "run-time" stuff in <jail>/var/lib/named, and do a
symlink in <jail>/etc/namedb/var. In named.conf, just repath the log file.
Q
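As an added check (not part of the original message or of the BLFS book), a small POSIX sh audit that lists the symlinks inside a jail whose target, read the way a chrooted named reads it, is dangling or resolves outside the jail; make_demo_jail builds a constructed throwaway jail, with the link layout from the message plus two faulty links, so the audit can be tried without a real /srv/named.

```shell
# Audit helper (added example, not from the original message): list symlinks
# inside a chroot jail whose target, read the way a chrooted process reads it,
# is dangling or resolves outside the jail.  An absolute target is resolved
# against the jail root, because that is "/" once named has chrooted.
jail_escaping_links() {
    jail=$(readlink -f "$1") || return 2
    find "$jail" -type l | while IFS= read -r link; do
        target=$(readlink "$link")
        case $target in
            /*) seen="$jail$target" ;;                # absolute: from the jail root
            *)  seen="$(dirname "$link")/$target" ;;  # relative: from the link itself
        esac
        # Only the first hop is re-rooted; later hops are canonicalised host-side.
        canon=$(readlink -f "$seen" 2>/dev/null) || canon=""
        if [ ! -e "$seen" ]; then
            printf '%s -> %s (dangling inside jail)\n' "$link" "$target"
        elif [ "$canon" != "$jail" ] && [ "${canon#"$jail"/}" = "$canon" ]; then
            printf '%s -> %s (escapes jail)\n' "$link" "$target"
        fi
    done
}

# Constructed throwaway jail for demonstration: two sound links (a relative
# namedb/var and lib64 -> lib, as in the message) and two faulty ones (a
# host-absolute target, and a ../ chain that climbs out of the jail).
make_demo_jail() {
    j=$(mktemp -d) || return 2
    mkdir -p "$j/var/lib/named" "$j/etc/namedb" "$j/lib"
    ln -s ../../var/lib/named "$j/etc/namedb/var"
    ln -s lib "$j/lib64"
    ln -s "$j/var/lib/named" "$j/etc/namedb/bad"   # host-absolute target
    ln -s ../../../../../../../.. "$j/etc/up"      # climbs to the host "/"
    printf '%s\n' "$j"
}

# Usage on a real jail: jail_escaping_links /srv/named
```

Silence means every link resolves to something inside the jail; each reported line names the link, its raw target and why it was flagged.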
--
http://linuxfromscratch.org/mailman/listinfo/blfs-dev
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the above information page