rpms/bind/F-10 bind.spec,1.285,1.286 named.conf.sample,1.4,1.5
Adam Tkac
atkac at fedoraproject.org
Mon Dec 1 15:56:53 UTC 2008
Author: atkac
Update of /cvs/pkgs/rpms/bind/F-10
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv14651
Modified Files:
bind.spec named.conf.sample
Log Message:
- improved sample config file (#473586)
Index: bind.spec
===================================================================
RCS file: /cvs/pkgs/rpms/bind/F-10/bind.spec,v
retrieving revision 1.285
retrieving revision 1.286
diff -u -r1.285 -r1.286
--- bind.spec 11 Nov 2008 14:21:44 -0000 1.285
+++ bind.spec 1 Dec 2008 15:56:22 -0000 1.286
@@ -19,7 +19,7 @@
Name: bind
License: ISC
Version: 9.5.1
-Release: 0.9.%{PREVER}%{?dist}
+Release: 0.9.1.%{PREVER}%{?dist}
Epoch: 32
Url: http://www.isc.org/products/BIND/
Buildroot:%{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -636,6 +636,9 @@
%{_sbindir}/bind-chroot-admin
%changelog
+* Mon Dec 01 2008 Adam Tkac <atkac redhat com> 32:9.5.1-0.9.1.b3
+- improved sample config file (#473586)
+
* Tue Nov 11 2008 Adam Tkac <atkac redhat com> 32:9.5.1-0.9.b3
- 9.5.1b3 release
- don't mount /proc in chroot, it is no longer needed
Index: named.conf.sample
===================================================================
RCS file: /cvs/pkgs/rpms/bind/F-10/named.conf.sample,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -r1.4 -r1.5
--- named.conf.sample 2 Jun 2008 12:12:39 -0000 1.4
+++ named.conf.sample 1 Dec 2008 15:56:22 -0000 1.5
@@ -1,21 +1,64 @@
-//
-// Sample named.conf BIND DNS server 'named' configuration file
-// for the Red Hat BIND distribution.
-//
-// See the BIND Administrator's Reference Manual (ARM) for details, in:
-// file:///usr/share/doc/bind-*/arm/Bv9ARM.html
-// Also see the BIND Configuration GUI : /usr/bin/system-config-bind and
-// its manual.
-//
+/*
+ Sample named.conf BIND DNS server 'named' configuration file
+ for the Red Hat BIND distribution.
+
+ See the BIND Administrator's Reference Manual (ARM) for details, in:
+ file:///usr/share/doc/bind-{version}/arm/Bv9ARM.html
+ Also see the BIND Configuration GUI : /usr/bin/system-config-bind and
+ its manual.
+*/
+
options
{
// Put files that named is allowed to write in the data/ directory:
- directory "/var/named"; // the default
+ directory "/var/named"; // "Working" directory
dump-file "data/cache_dump.db";
statistics-file "data/named_stats.txt";
memstatistics-file "data/named_mem_stats.txt";
+
+ /*
+ Specify listenning interfaces. You can use list of addresses (';' is
+ delimiter) or keywords "any"/"none"
+ */
+ //listen-on port 53 { any; };
+ listen-on port 53 { 127.0.0.1; };
+
+ //listen-on-v6 port 53 { any; };
+ listen-on-v6 port 53 { ::1; };
+
+ /*
+ Access restrictions
+
+ There are two important options:
+ allow-query { argument; };
+ - allow queries for authoritative data
+
+ allow-query-cache { argument; };
+ - allow queries for non-authoritative data (mostly cached data)
+
+ You can use address, network address or keywords "any"/"localhost"/"none" as argument
+ Examples:
+ allow-query { localhost; 10.0.0.1; 192.168.1.0/8; };
+ allow-query-cache { ::1; fe80::5c63:a8ff:fe2f:4526; 10.0.0.1; };
+ */
+
+ allow-query { localhost; };
+ allow-query-cache { localhost; };
+
+ // Enable/disable recursion - recursion yes/no;
+ recursion yes;
+
+ /* DNSSEC related options. See information about keys ("Trusted keys", bellow) */
+
+ /* Enable serving of DNSSEC related data - enable on both authoritative
+ and recursive servers DNSSEC aware servers */
+ dnssec-enable yes;
+
+ /* Enable DNSSEC validation on recursive servers */
+ dnssec-validation yes;
};
+
logging
{
/* If you want to enable debugging, eg. using the 'rndc trace' command,
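Review bot: The ACL example `192.168.1.0/8` in the access-restrictions comment pairs a /24-style network address with an 8-bit prefix; the address has host bits set for that length, and a reader who "fixes" it by trimming the address would admit all of 192.0.0.0/8. It presumably should read `allow-query { localhost; 10.0.0.1; 192.168.1.0/24; };`. Separately, `dnssec-validation yes;` is turned on while the only `trusted-keys` statement in the file is commented out and described as holding no valid key, so the comment should say that nothing is validated until a trust anchor is configured, e.g. `/* Enable DNSSEC validation on recursive servers; has no effect until a valid key is listed in trusted-keys */`. The `logging` block continues outside the hunk.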
@@ -28,18 +71,19 @@
severity dynamic;
};
};
-//
-// All BIND 9 zones are in a "view", which allow different zones to be served
-// to different types of client addresses, and for options to be set for groups
-// of zones.
-//
-// By default, if named.conf contains no "view" clauses, all zones are in the
-// "default" view, which matches all clients.
-//
-// If named.conf contains any "view" clause, then all zones MUST be in a view;
-// so it is recommended to start off using views to avoid having to restructure
-// your configuration files in the future.
-//
+
+/*
+ Views let a name server answer a DNS query differently depending on who is asking.
+
+ By default, if named.conf contains no "view" clauses, all zones are in the
+ "default" view, which matches all clients.
+
+ Views are processed sequentially. The first match is used so the last view should
+ match "any" - it's fallback and the most restricted view.
+
+ If named.conf contains any "view" clause, then all zones MUST be in a view.
+*/
+
view "localhost_resolver"
{
/* This view sets up named to be a localhost resolver ( caching only nameserver ).
@@ -47,8 +91,12 @@
*/
match-clients { localhost; };
recursion yes;
+
# all views must contain the root hints zone:
- include "/etc/named.root.hints";
+ zone "." IN {
+ type hint;
+ file "/var/named/named.ca";
+ };
/* these are zones that contain definitions for all the localhost
* names and addresses, as recommended in RFC1912 - these names should
@@ -63,9 +111,11 @@
*/
match-clients { localnets; };
recursion yes;
- // all views must contain the root hints zone:
- include "named.ca";
+ zone "." IN {
+ type hint;
+ file "/var/named/named.ca";
+ };
/* these are zones that contain definitions for all the localhost
* names and addresses, as recommended in RFC1912 - these names should
@@ -76,6 +126,19 @@
// These are your "authoritative" internal zones, and would probably
// also be included in the "localhost_resolver" view above :
+ /*
+ NOTE for dynamic DNS zones and secondary zones:
+
+ DO NOT USE SAME FILES IN MULTIPLE VIEWS!
+
+ If you are using views and DDNS/secondary zones it is strongly
+ recommended to read FAQ on ISC site (www.isc.org), section
+ "Configuration and Setup Questions", questions
+ "How do I share a dynamic zone between multiple views?" and
+ "How can I make a server a slave for both an internal and an external
+ view at the same time?"
+ */
+
zone "my.internal.zone" {
type master;
file "my.internal.zone.db";
@@ -89,29 +152,33 @@
zone "my.ddns.internal.zone" {
type master;
allow-update { key ddns_key; };
- file "slaves/my.ddns.internal.zone.db";
+ file "dynamic/my.ddns.internal.zone.db";
// put dynamically updateable zones in the slaves/ directory so named can update them
};
};
+
key ddns_key
{
algorithm hmac-md5;
secret "use /usr/sbin/dnssec-keygen to generate TSIG keys";
};
-view "external"
+
+view "external"
{
/* This view will contain zones you want to serve only to "external" clients
* that have addresses that are not match any above view:
*/
match-clients { any; };
+ zone "." IN {
+ type hint;
+ file "/var/named/named.ca";
+ };
+
recursion no;
// you'd probably want to deny recursion to external clients, so you don't
// end up providing free DNS service to all takers
- // all views must contain the root hints zone:
- include "named.ca";
-
// These are your "authoritative" external zones, and would probably
// contain entries for just your web and mail servers:
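Review bot: The zone file moves to `dynamic/my.ddns.internal.zone.db`, but the comment on the following line still tells the reader to put dynamically updateable zones in the slaves/ directory; it should read `// put dynamically updateable zones in the dynamic/ directory so named can update them`. The "external" view also appears to inherit the new global `allow-query { localhost; };` from `options`, so clients matched by `match-clients { any; };` would likely be refused unless the view sets its own `allow-query` for its authoritative zones; a comment in the view saying so would save the reader from a silently unreachable zone. The internal view starts, and the external view ends, outside this hunk.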
@@ -120,3 +187,43 @@
file "my.external.zone.db";
};
};
+
+/* Trusted keys
+
+ This statement contains DNSSEC keys. If you want DNSSEC aware resolver you
+ have to configure at least one trusted key.
+
+ Note that no key written below is valid. Especially root key because root zone
+ is not signed yet.
+*/
+/*
+trusted-keys {
+// Root Key
+"." 257 3 3 "BNY4wrWM1nCfJ+CXd0rVXyYmobt7sEEfK3clRbGaTwSJxrGkxJWoZu6I7PzJu/
+ E9gx4UC1zGAHlXKdE4zYIpRhaBKnvcC2U9mZhkdUpd1Vso/HAdjNe8LmMlnzY3
+ zy2Xy4klWOADTPzSv9eamj8V18PHGjBLaVtYvk/ln5ZApjYghf+6fElrmLkdaz
+ MQ2OCnACR817DF4BBa7UR/beDHyp5iWTXWSi6XmoJLbG9Scqc7l70KDqlvXR3M
+ /lUUVRbkeg1IPJSidmK3ZyCllh4XSKbje/45SKucHgnwU5jefMtq66gKodQj+M
+ iA21AfUVe7u99WzTLzY3qlxDhxYQQ20FQ97S+LKUTpQcq27R7AT3/V5hRQxScI
+ Nqwcz4jYqZD2fQdgxbcDTClU0CRBdiieyLMNzXG3";
+
+// Key for forward zone
+example.com. 257 3 5 "AwEAAaxPMcR2x0HbQV4WeZB6oEDX+r0QM65KbhTjrW1ZaARmPhEZZe
+ 3Y9ifgEuq7vZ/zGZUdEGNWy+JZzus0lUptwgjGwhUS1558Hb4JKUbb
+ OTcM8pwXlj0EiX3oDFVmjHO444gLkBO UKUf/mC7HvfwYH/Be22GnC
+ lrinKJp1Og4ywzO9WglMk7jbfW33gUKvirTHr25GL7STQUzBb5Usxt
+ 8lgnyTUHs1t3JwCY5hKZ6CqFxmAVZP20igTixin/1LcrgX/KMEGd/b
+ iuvF4qJCyduieHukuY3H4XMAcR+xia2 nIUPvm/oyWR8BW/hWdzOvn
+ SCThlHf3xiYleDbt/o1OTQ09A0=";
+
+// Key for reverse zone.
+2.0.192.IN-ADDRPA.NET. 257 3 5 "AQOnS4xn/IgOUpBPJ3bogzwcxOdNax071L18QqZnQQQA
+ VVr+iLhGTnNGp3HoWQLUIzKrJVZ3zggy3WwNT6kZo6c0
+ tszYqbtvchmgQC8CzKojM/W16i6MG/ea fGU3siaOdS0
+ yOI6BgPsw+YZdzlYMaIJGf4M4dyoKIhzdZyQ2bYQrjyQ
+ 4LB0lC7aOnsMyYKHHYeRv PxjIQXmdqgOJGq+vsevG06
+ zW+1xgYJh9rCIfnm1GX/KMgxLPG2vXTD/RnLX+D3T3UL
+ 7HJYHJhAZD5L59VvjSPsZJHeDCUyWYrvPZesZDIRvhDD
+ 52SKvbheeTJUm6EhkzytNN2SN96QRk8j/iI8ib";
+};
+*/
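Review bot: The reverse-zone example is keyed to `2.0.192.IN-ADDRPA.NET.`, which is not a reverse-lookup domain; a reader who uncomments the block and substitutes real key material would configure a trust anchor for a name that never matches, leaving the reverse zone unvalidated with nothing pointing at the typo. It should be `2.0.192.IN-ADDR.ARPA.`. The key strings for example.com and the reverse zone also contain stray spaces inside the base64 (for instance `gLkBO UKUf`), which look like paste damage and are worth removing so the examples show a well-formed key.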