# Additional information for DNS setup using BIND
#
# If you are running a capable version of BIND and you wish to support secure
# GSS-TSIG updates, you must make the following configuration changes:
#
# - Insert the following lines into the options {} section of your named.conf
#   file:
tkey-gssapi-credential "DNS/${DNSDOMAIN}";
tkey-domain "${REALM}";
#   tkey-gssapi-credential names the Kerberos principal BIND authenticates as
#   (it must exist in the keytab), and tkey-domain is the Kerberos realm. BIND
#   9.8 and later also accept a tkey-gssapi-keytab option that points named
#   directly at the keytab file; on such versions that option can replace the
#   environment-variable workaround described below.
#
# - Modify BIND init scripts to pass the location of the generated keytab file.
#   Fedora 8 and later provide a variable named KEYTAB_FILE in
#   /etc/sysconfig/named for this purpose:
KEYTAB_FILE="${DNS_KEYTAB_ABS}"
#   Note that the Fedora scripts translate KEYTAB_FILE behind the scenes into a
#   variable named KRB5_KTNAME, which is ultimately passed to the BIND daemon.
#   If your distribution does not provide a variable like KEYTAB_FILE to pass a
#   keytab file to the BIND daemon, a workaround is to place the following line
#   in BIND's sysconfig file or in the init script for BIND:
export KRB5_KTNAME="${DNS_KEYTAB_ABS}"
#
# - Set appropriate ownership and permissions on the ${DNS_KEYTAB} file. Note
#   that most distributions have BIND configured to run under a non-root user
#   account. For example, Fedora 9 runs BIND as the user "named" once the daemon
#   relinquishes its privileges. Therefore, the file ${DNS_KEYTAB} must be
#   readable by the user that BIND runs as. If BIND is running as a non-root
#   user, the permissions on "${DNS_KEYTAB}" must be altered to allow the
#   daemon to read it. Under Fedora 9, execute the following commands:
chgrp named ${DNS_KEYTAB_ABS}
chmod g+r ${DNS_KEYTAB_ABS}
#   The keytab holds the long-term key of the DNS service principal; do not
#   make it world-readable (verify that the "other" bits stay clear, e.g. mode
#   0640), or any local user could read the key and impersonate the DNS
#   service.
#
# - Ensure the BIND zone file(s) that will be dynamically updated are in a
#   directory where the BIND daemon can write. When BIND performs dynamic
#   updates, it not only needs to update the zone file itself but it must also
#   create a journal (.jnl) file to track the dynamic updates as they occur.
#   Under Fedora 9, the /var/named directory cannot be written to by the
#   "named" user; the /var/named/dynamic directory, however, is writable by
#   that user. Therefore the zone files were placed under the
#   /var/named/dynamic directory. The file directives in both example zone
#   statements at the beginning of this file were changed by prepending the
#   directory "dynamic/".
#
# - If SELinux is enabled, ensure that all files have the appropriate SELinux
#   file contexts. The ${DNS_KEYTAB} file must be accessible by the BIND daemon
#   and should have the SELinux type named_conf_t. This can be set with the
#   following command:
chcon -t named_conf_t ${DNS_KEYTAB_ABS}
#   A context set with chcon does not survive a filesystem relabel; to make it
#   persistent, record it with "semanage fcontext -a -t named_conf_t
#   ${DNS_KEYTAB_ABS}" and apply it with "restorecon -v ${DNS_KEYTAB_ABS}".
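The steps above, collected into one script as an added example (this is not part of the original file, nor Samba's or BIND's own tooling): it writes the KRB5_KTNAME line into a sysconfig file without leaving a stale KEYTAB_FILE definition behind, restricts the keytab to root and the BIND group (mode 0640, tighter than the plain g+r above), labels it named_conf_t only when SELinux is actually enabled, and then checks readability of the keytab and writability of the zone directory as the service user rather than as root. The group name "named", the paths, and all function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original file: apply the keytab, sysconfig and
# zone-directory steps for GSS-TSIG updates and verify the result.
# Assumptions: BIND runs as user/group "named" (Fedora); paths are passed in.
set -eu

# Write 'export KRB5_KTNAME="..."' into a sysconfig file, dropping any older
# KEYTAB_FILE or KRB5_KTNAME line so exactly one definition remains.
set_keytab_env() {
  sysconfig=$1
  keytab=$2
  tmp=$(mktemp)
  if [ -f "$sysconfig" ]; then
    # grep -v exits 1 when every line was filtered out; that is not an error.
    grep -v -E '^(export )?(KRB5_KTNAME|KEYTAB_FILE)=' "$sysconfig" >"$tmp" || true
  fi
  printf 'export KRB5_KTNAME="%s"\n' "$keytab" >>"$tmp"
  cat "$tmp" >"$sysconfig"   # cat, not mv, keeps the sysconfig file's mode
  rm -f "$tmp"
}

# Print the keytab path a sysconfig file exports (used for verification).
keytab_env_value() {
  sed -n 's/^export KRB5_KTNAME="\(.*\)"$/\1/p' "$1"
}

# root:GROUP 0640: readable by the BIND group, never by "other". The keytab is
# a long-term secret, so clearing the other bits is the hardening step on top
# of the g+r the text above uses.
secure_keytab() {
  keytab=$1
  group=${2:-named}
  chgrp "$group" "$keytab"
  chmod u=rw,g=r,o= "$keytab"
  # chcon fails on filesystems without SELinux, so label only when it is on.
  if command -v selinuxenabled >/dev/null 2>&1 && selinuxenabled 2>/dev/null; then
    chcon -t named_conf_t "$keytab"
  fi
}

# Succeed only if the keytab is exactly mode 0640 (POSIX find -perm without a
# leading - or / matches the exact mode).
keytab_mode_ok() {
  [ -n "$(find "$1" -perm 640)" ]
}

# Evaluate "test FLAG PATH" as USER. Checking as root is meaningless, since
# -r/-w are always true for root; when USER differs from the caller, su is
# used to run the test under that account.
path_ok_as() {
  user=$1
  flag=$2
  path=$3
  if [ "$user" = "$(id -un)" ]; then
    test "$flag" "$path"
  else
    su -s /bin/sh "$user" -c "test $flag '$path'"
  fi
}

# Usage: script SYSCONFIG KEYTAB ZONEFILE [USER] [GROUP]
if [ $# -ge 3 ]; then
  set_keytab_env "$1" "$2"
  secure_keytab "$2" "${5:-named}"
  keytab_mode_ok "$2" || { echo "keytab $2 is not mode 0640" >&2; exit 1; }
  path_ok_as "${4:-named}" -r "$2" || { echo "$2 unreadable by ${4:-named}" >&2; exit 1; }
  # named must create the .jnl journal beside the zone, so the directory itself
  # has to be writable, not just the zone file.
  path_ok_as "${4:-named}" -w "$(dirname "$3")" || { echo "$(dirname "$3") not writable by ${4:-named}" >&2; exit 1; }
  echo "GSS-TSIG keytab and zone directory checks passed"
fi
```

Run it as root, e.g. `sh gss-tsig-setup.sh /etc/sysconfig/named /etc/dns.keytab /var/named/dynamic/example.zone named named`; the su-based checks are what catch the common mistake of verifying permissions from a root shell where everything looks readable.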