BIND Configuration Requirements

On each server that you prepared, install and configure BIND 9 so that the following requirements are met:

Note: To learn how to install and configure BIND 9, please refer to its documentation.

  1. The service is installed and configured to start automatically. For example:

    yum install bind
    systemctl enable named.service
  2. The service uses an IP address that is accessible from the Internet. For example:

    /etc/named.conf:
    
    options {
    	...
    	listen-on port 53 { 10.10.10.10; };
    	...
    };
    
  3. Ordinary DNS queries are allowed. For example:

    /etc/named.conf:
    
    options {
    	...
    	allow-query { any; };
    	...
    };
    
  4. Recursive DNS queries are prohibited. For example:

    /etc/named.conf:
    
    options {
    	...
    	recursion no;
    	...
    };
    
  5. Zone transfers from the primary DNS server to its secondary DNS servers are allowed (allow-transfer lists the secondary servers' addresses). For example:

    /etc/named.conf:
    
    options {
    	...
    	allow-transfer { 10.10.10.20; };
    	...
    };
    
  6. The dedicated user that will be used by the system to perform provisioning operations is created and configured as described:

    1. The dedicated user is created and its password is set. For example:

      adduser binduser
      passwd binduser
    2. The dedicated user can log in to the server from the Pods of the OSS component through SSH. For example:

      ssh binduser@PRIVATE_IP_ADDRESS_OF_SERVER
    3. The dedicated user can execute commands as the named user without specifying its password. For example:

      /etc/sudoers:
      
      binduser ALL=(named) NOPASSWD: ALL
    4. On the server, SSH key-based authentication is configured for the dedicated user. For example:

      ssh binduser@PRIVATE_IP_ADDRESS_OF_SERVER
      ssh-keygen -t rsa -f ./ssh.rsa.key    # writes ssh.rsa.key (private) and ssh.rsa.key.pub (public)
      mkdir -p ~/.ssh                       # -p: do not fail if the directory already exists
      chmod 700 ~/.ssh
      cat ssh.rsa.key.pub >> ~/.ssh/authorized_keys
      chmod 644 ~/.ssh/authorized_keys

      Important: If you specified a passphrase for the private SSH key of the dedicated user, write down this passphrase.

      Warning: After configuring SSH key-based authentication for the dedicated user, save its private SSH key in a safe place and remove the private SSH key from the server.
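      The script below is an added example for step 6 and is not part of this documentation: it installs the public key and writes the sudo rule with the permissions the steps above call for, and adds the check that sshd itself applies. Both directories are parameters so the script can run in a temporary directory; the public key line is constructed, not output of ssh-keygen, and the sudoers drop-in file under a sudoers.d directory is an assumption (the page edits /etc/sudoers directly).

      ```shell
      #!/bin/sh
      # Added example (not from the CloudBlue documentation): provisions the
      # dedicated user's SSH key and sudo rule from step 6 with explicit checks.

      # Append a public key to the user's authorized_keys, creating ~/.ssh with
      # the permissions used on the page (700 for the directory, 644 for the file).
      install_authorized_key() {  # $1 = home directory, $2 = public key file
          mkdir -p "$1/.ssh" && chmod 700 "$1/.ssh" || return 1
          cat "$2" >> "$1/.ssh/authorized_keys" && chmod 644 "$1/.ssh/authorized_keys"
      }

      # sshd with StrictModes (the default) ignores authorized_keys when the file
      # or ~/.ssh is group- or world-writable, so key-based login then fails with
      # no obvious error. Mirror that check: columns 6 and 9 of "ls -ld" output
      # are the group and other write bits.
      authorized_keys_usable() {  # $1 = home directory
          for p in "$1/.ssh" "$1/.ssh/authorized_keys"; do
              [ -e "$p" ] || return 1
              [ "$(ls -ld "$p" | cut -c6,9)" = "--" ] || return 1
          done
      }

      # Write the NOPASSWD rule from step 6.3 as a drop-in file (assumption: a
      # sudoers.d directory is in use). Mode 440 matches /etc/sudoers itself;
      # validate a real drop-in with "visudo -cf <file>" before relying on it.
      write_sudoers_dropin() {  # $1 = sudoers.d directory, $2 = dedicated user, $3 = target user
          printf '%s ALL=(%s) NOPASSWD: ALL\n' "$2" "$3" > "$1/$2" && chmod 440 "$1/$2"
      }

      # Demo in a temporary directory with a constructed public key (not a real key).
      demo_dir=$(mktemp -d)
      printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5CONSTRUCTEDKEY binduser@example\n' > "$demo_dir/key.pub"
      install_authorized_key "$demo_dir/home" "$demo_dir/key.pub"
      authorized_keys_usable "$demo_dir/home" && echo "authorized_keys passes the StrictModes permission check"
      mkdir "$demo_dir/sudoers.d" && write_sudoers_dropin "$demo_dir/sudoers.d" binduser named
      cat "$demo_dir/sudoers.d/binduser"
      rm -rf "$demo_dir"
      ```

      On a real server the first argument is the dedicated user's home directory and the key file is the .pub file produced by ssh-keygen; the private key is copied off the server and deleted there, as the warning above requires, and only the public half stays in authorized_keys.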

  7. The following files and directories are created and configured for DNS zones that will be managed by the system:

    File or Directory                                                                                             | Ownership and Permissions | Example
    <the directory for files of forward DNS zones>                                                                | named.named 755           | /var/named
    <the directory for files of forward DNS zones>/<the directory for files of reverse DNS zones>                 | named.named 755           | /var/named/cbc_reverse_zones
    <the directory for files of forward DNS zones>/<the directory for files of secondary DNS zones>               | named.named 755           | /var/named/cbc_secondary_zones
    <the directory for files of forward DNS zones>/<the file that forward DNS zone files will be included into>   | named.named 644           | /var/named/cbc_forward_zone_list
    <the directory for files of forward DNS zones>/<the file that reverse DNS zone files will be included into>   | named.named 644           | /var/named/cbc_reverse_zone_list

    For example:

    mkdir /var/named/cbc_reverse_zones /var/named/cbc_secondary_zones
    touch /var/named/cbc_forward_zone_list /var/named/cbc_reverse_zone_list
    chown -R named:named /var/named/cbc_reverse_zones /var/named/cbc_secondary_zones /var/named/cbc_forward_zone_list /var/named/cbc_reverse_zone_list
    chmod 755 /var/named/cbc_reverse_zones /var/named/cbc_secondary_zones
    chmod 644 /var/named/cbc_forward_zone_list /var/named/cbc_reverse_zone_list

    Note: In this example, the /var/named directory is used as the directory for files of forward DNS zones. It is automatically created and configured during the installation of the BIND service.

    The following files must be included in /etc/named.conf:

    • The file that forward DNS zone files will be included into

    • The file that reverse DNS zone files will be included into

    For example:

    /etc/named.conf:
    
    include "cbc_forward_zone_list";
    include "cbc_reverse_zone_list";
  8. The service is started. For example:

    systemctl start named.service
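The named.conf settings from steps 2 to 5 and the include lines from step 7 can be verified together once the service is configured. The script below is an added example, not part of this documentation or of BIND: it runs POSIX shell checks against a constructed sample configuration embedded in the script (the addresses 10.10.10.10 and 10.10.10.20 are the ones used in the examples above) and against a second, deliberately weak one. The function names are the example's own. To check a real server, replace the embedded text with the contents of /etc/named.conf and run named-checkconf first for syntax; the checks read single-line options in the global options block only and do not follow view blocks or multi-line address lists.

```shell
#!/bin/sh
# Added example (not from the CloudBlue documentation or BIND): checks for
# the named.conf settings required in steps 2-5 and 7.

# Constructed sample that satisfies every requirement.
GOOD_CONF='options {
    directory "/var/named";
    listen-on port 53 { 10.10.10.10; };
    allow-query { any; };
    recursion no;
    allow-transfer { 10.10.10.20; };
};
include "cbc_forward_zone_list";
include "cbc_reverse_zone_list";
'

# Constructed sample that violates steps 2, 4 and 5 and omits the includes.
WEAK_CONF='options {
    listen-on port 53 { 127.0.0.1; };
    allow-query { any; };
    recursion yes;
    allow-transfer { any; };
};
'

# Print the value of a single-line option ("name value;" or "name { list };")
# from the config text in $1; prints nothing when option $2 is absent.
conf_value() {
    printf '%s\n' "$1" | sed 's|//.*||; s|#.*||' |
        grep -E "^[[:space:]]*$2[[:space:]]" | head -n 1 |
        sed -E "s/^[[:space:]]*$2[[:space:]]+//; s/;[[:space:]]*\$//"
}

# Step 2: listen-on must name at least one non-loopback address.
check_listen_public() {
    v=$(conf_value "$1" listen-on)
    [ -n "$v" ] || return 1
    for a in $(printf '%s\n' "$v" | sed -E 's/.*\{(.*)\}.*/\1/; s/;/ /g'); do
        case "$a" in 127.*|::1|localhost|none) ;; *) return 0 ;; esac
    done
    return 1
}

# Step 3: ordinary queries are allowed from any client.
check_queries_allowed() {
    case "$(conf_value "$1" allow-query)" in *any*) return 0 ;; esac
    return 1
}

# Step 4: recursion is off; a recursing authoritative server is an open resolver.
check_recursion_disabled() {
    [ "$(conf_value "$1" recursion)" = "no" ]
}

# Step 5: transfers are allowed, but only to listed secondaries, never to "any".
check_transfer_restricted() {
    v=$(conf_value "$1" allow-transfer)
    [ -n "$v" ] || return 1
    case "$v" in *any*|*none*) return 1 ;; esac
    return 0
}

# Step 7: both zone-list files are included.
check_includes_present() {
    for f in cbc_forward_zone_list cbc_reverse_zone_list; do
        printf '%s\n' "$1" | grep -qE "^[[:space:]]*include[[:space:]]+\"[^\"]*$f\"" || return 1
    done
}

# Run every check on the config text in $1; succeeds only when all pass.
check_named_conf() {
    rc=0
    for c in check_listen_public check_queries_allowed check_recursion_disabled \
             check_transfer_restricted check_includes_present; do
        if "$c" "$1"; then echo "PASS $c"; else echo "FAIL $c"; rc=1; fi
    done
    return "$rc"
}

echo "== good config =="; check_named_conf "$GOOD_CONF"
echo "== weak config ==";  check_named_conf "$WEAK_CONF" || echo "weak config rejected"
```

Running the script prints PASS for all five checks on the first sample and FAIL for listen-on, recursion, allow-transfer and the includes on the second; on a real server, `check_named_conf "$(cat /etc/named.conf)"` gives the same report.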