Add a section covering BIND9, more work is needed here.

svn path=/head/; revision=22566

en_US.ISO8859-1/books/handbook/network-servers/chapter.sgml

@@ -4010,6 +4010,188 @@ zone "10.168.192.in-addr.arpa" in {
     </sect2>
   </sect1>
 
+  <sect1 id="network-bind9">
+    <sect1info>
+      <authorgroup>
+	<author>
+	  <firstname>Tom</firstname>
+	  <surname>Rhodes</surname>
+	  <contrib>Written by </contrib>
+	</author>
+      </authorgroup>
+    </sect1info>
+    <title><acronym>BIND</acronym>9 and &os;</title>
+
+<!-- This section is here to get users up with BIND9 configurations!  It
+  does not cover the terminology, theoretical discussion (why run a name
+  server) or the further reading which is still in the previous section.
+  I did things this way to avoid repetition of content and obviously we
+  cannot just remove the previous section since other supported releases
+  use it.  When the previous section is removed then those comments
+  should be moved here.  // Tom Rhodes -->
+
+    <indexterm><primary>bind9</primary>
+      <secondary>setting up</secondary></indexterm>
+
+    <para>The release of &os;&nbsp;5.3 brought the
+      <acronym>BIND</acronym>9 <acronym>DNS</acronym> server software
+      into the distribution.  New security features, a new file system
+      layout and automated &man.chroot.8; configuration came with the
+      import.  This section has been written in two parts, the first
+      will discuss new features and their configuration; the latter
+      will cover upgrades to aid in move to &os;&nbsp;5.3.  From this
+      moment on, the server will be referred to simply as
+      &man.named.8; in place of <acronym>BIND</acronym>.  This section
+      skips over the terminology described in the previous section as
+      well as some of the theoretical discussions; thus, it is
+      recommended that the previous section be consulted before reading
+      any further here.</para>
+
+    <para>Configuration files for <command>named</command> currently
+      reside in
+      <filename role="directory">/var/named/etc/namedb/</filename> and
+      will need modification before use.  This is where most of the
+      configuration will be performed.</para>
+
+    <sect2>
+      <title>Configuration of a Master Zone</title>
+
+      <para>To configure a master zone visit
+	<filename role="directory">/var/named/etc/namedb/</filename>
+	and run the following command:</para>
+
+      <screen>&prompt.root; <userinput>sh make-localhost</userinput></screen>
+
+      <para>If all went well a new file should exist in the
+	<filename role="directory">master</filename> directory.  The
+	filenames should be <filename>localhost.rev</filename> for
+	the local domain name and <filename>localhost-v6.rev</filename>
+	for <acronym>IPv6</acronym> configurations.  As the default
+	configuration file, configuration for its use will already
+	be present in the <filename>named.conf</filename> file.</para>
+    </sect2>
+
+    <sect2>
+      <title>Configuration of a Slave Zone</title>
+
+      <para>Configuration for extra domains or sub domains may be
+	done properly by setting them as a slave zone.  In most cases,
+	the <filename>master/localhost.rev</filename> could just be
+	copied over into the <filename role="directory">slave</filename>
+	directory and modified.  Once completed, the files need
+	to be properly added in <filename>named.conf</filename> such
+	as in the following configuration for
+	<hostid role="fqdn">example.com</hostid>:</para>
+
+      <programlisting>zone "example.com" {
+        type slave;
+        file "slave/example.com";
+        masters {
+                10.0.0.1;
+        };
+};
+
+zone "0.168.192.in-addr.arpa" {
+        type slave;
+        file "slave/0.168.192.in-addr.arpa";
+        masters {
+                10.0.0.1;
+        };
+};</programlisting>
+
+      <para>Note well that in this example, the master
+	<acronym>IP</acronym> address is the primary domain server
+	from which the zones are transferred; it does not necessary serve
+	as <acronym>DNS</acronym> server itself.</para>
+    </sect2>
+
+    <sect2>
+      <title>System Initialization Configuration</title>
+
+      <para>In order for the <command>named</command> daemon to start
+	when the system is booted, the following option must be present
+	in the <filename>rc.conf</filename> file:</para>
+
+      <programlisting>named_enable="YES"</programlisting>
+
+      <para>While other options exist, this is the bare minimal
+	requirement.  Consult the &man.rc.conf.5; manual page for
+	a list of the other options.  If nothing is entered in the
+	<filename>rc.conf</filename> file then <command>named</command>
+	may be started on the command line by invoking:</para>
+
+      <screen>&prompt.root; <userinput>/etc/rc.d/named start</userinput></screen>
+    </sect2>
+
+    <sect2>
+      <title><acronym>BIND</acronym>9 Security</title>
+
+      <para>While &os automatically drops <command>named</command>
+	into a &man.chroot.8; environment; there are several other
+	security mechanisms in place which could help to lure off
+	possible <acronym>DNS</acronym> service attacks.
+
+      <sect3>
+	<title>Query Access Control Lists</title>
+
+	<para>A query access control list can be used to restrict
+	  queries against the zones.  The configuration works by
+	  defining the network inside of the <literal>acl</literal>
+	  token and then listing <acronym>IP</acronym> addresses in
+	  the zone configuration.  To permit domains to query the
+	  example host, just define it like this:</para>
+
+	<programlisting>acl "example.com" {
+        192.168.0.0/24;
+};
+
+zone "example.com" {
+        type slave;
+        file "slave/example.com";
+        masters {
+                10.0.0.1;
+        };
+	allow-query { example.com; };
+};
+
+zone "0.168.192.in-addr.arpa" {
+        type slave;
+        file "slave/0.168.192.in-addr.arpa";
+        masters {
+                10.0.0.1;
+        };
+	allow-query { example.com; };
+};</programlisting>
+      </sect3>
+
+      <sect3>
+	<title>Restrict Version</title>
+
+	<para>Permitting version lookups on the <acronym>DNS</acronym>
+	  server could be opening the doors for an attacker.  A
+	  malicious user may use this information to hunt up known
+	  exploits or bugs to utilize against the host.  A false version
+	  string can be placed the <literal>options</literal> section of
+	  <filename>named.conf</filename>:</para>
+
+	<programlisting>options {
+        directory       "/etc/namedb";
+        pid-file        "/var/run/named/pid";
+        dump-file       "/var/dump/named_dump.db";
+        statistics-file "/var/stats/named.stats";
+	version		"None of your business";</programlisting>
+      </sect3>
+<!-- Here is where I stopped for now
+      <sect3>
+        <title>Authentication</title>
+
+	<para> ... </para>
+
+-->
+    </sect2>
+  </sect1>
+
+
   <sect1 id="network-apache">
     <sect1info>
       <authorgroup>