On each server that you prepared, install and configure BIND 9 so that the following requirements are met:
Note: To learn how to install and configure BIND 9, please refer to its documentation.
-
The service is installed and configured to start automatically. For example:
yum install bind systemctl enable named.service
-
The service uses an IP address that is accessible from the Internet. For example:
/etc/named.conf: options { ... listen-on port 53 { 10.10.10.10; }; ... }; -
Ordinary DNS queries are allowed. For example:
/etc/named.conf: options { ... allow-query { any; }; ... }; -
Recursive DNS queries are prohibited. For example:
/etc/named.conf: options { ... recursion no; ... }; -
Zone transfers from primary to secondary DNS servers are allowed. For example:
/etc/named.conf: options { ... allow-transfer { 10.10.10.20; }; ... }; -
The dedicated user that will be used by the system to perform provisioning operations is created and configured as described:
-
The dedicated user is created and its password is set. For example:
adduser binduser passwd binduser
-
The dedicated user can log in to the server from the Pods of the OSS component through SSH. For example:
ssh binduser@PRIVATE_IP_ADDRESS_OF_SERVER
-
The dedicated user can execute commands as the named user without specifying its password. For example:
/etc/sudoers: binduser ALL=(named) NOPASSWD: ALL
-
On the server, SSH key-based authentication is configured for the dedicated user. For example:
ssh binduser@PRIVATE_IP_ADDRESS_OF_SERVER ssh-keygen -t rsa -f ./ssh.rsa.key mkdir ~/.ssh chmod 700 ~/.ssh cat ssh.rsa.key.pub >> ~/.ssh/authorized_keys chmod 644 ~/.ssh/authorized_keys
Important: If you specified a passphrase for the private SSH key of the dedicated user, write down this passphrase.
Warning: After configuring SSH key-based authentication for the dedicated user, save its private SSH key in a safe place and remove the private SSH key from the server.
-
-
The following files and directories are created and configured for DNS zones that will be managed by the system:
File or Directory Ownership and Permissions Example <the directory for files of forward DNS zones> named.named 755 /var/named <the directory for files of forward DNS zones>/<the directory for files of reverse DNS zones> named.named 755 /var/named/cbc_reverse_zones <the directory for files of forward DNS zones>/<the directory for files of secondary DNS zones> named.named 755 /var/named/cbc_secondary_zones <the directory for files of forward DNS zones>/<the file that forward DNS zone files will be included into> named.named 644 /var/named/cbc_forward_zone_list <the directory for files of forward DNS zones>/<the file that reverse DNS zone files will be included into> named.named 644 /var/named/cbc_reverse_zone_list For example:
mkdir /var/named/cbc_reverse_zones /var/named/cbc_secondary_zones touch /var/named/cbc_forward_zone_list /var/named/cbc_reverse_zone_list chown -R named:named /var/named/cbc_reverse_zones /var/named/cbc_secondary_zones /var/named/cbc_forward_zone_list /var/named/cbc_reverse_zone_list chmod 755 /var/named/cbc_reverse_zones /var/named/cbc_secondary_zones chmod 644 /var/named/cbc_forward_zone_list /var/named/cbc_reverse_zone_list
Note: In this example, the
/var/nameddirectory is used as the directory for files of forward DNS zones. It is automatically created and configured during the installation of the BIND service.The following files must be included in
/etc/named.conf:-
The file that forward DNS zone files will be included into
-
The file that reverse DNS zone files will be included into
For example:
/etc/named.conf: include "cbc_forward_zone_list"; include "cbc_reverse_zone_list";
-
-
The service is started. For example:
systemctl start named.service