Today I am going to document the process of installing BIND on Solaris 11. I am using a Solaris 11.1 zone for this task, though nothing here is specific to zones, and it should work on previous versions of Solaris 11. I have done this quite a few times and it is not a very intuitive process. As of the time of this writing the version of BIND in IPS is 9.6.3.7.2 (9.6-ESV-R7-P2).
Install BIND
Using IPS we can install the BIND package.
# pkg install pkg://solaris/network/dns/bind
Create Required Directories
We will need a few directories to have a functional name server.
# mkdir -p /var/named/master
Create Group to Run BIND
We don’t want to run the service as root, so we will need to create a group. Disregard the warning; it is only because the gid is below 100.
# groupadd -g 98 named
UX: groupadd: WARNING: gid 98 is reserved.
Create User to Run BIND
We will also create a dedicated user to run the software. Disregard the warning; it is only because the uid is below 100.
# useradd -g named -d /var/named -u 98 named
UX: useradd: WARNING: uid 98 is reserved.
Set Directory Ownership
Ownership of the directory tree must also be changed to the new user and group so that named can read and write it.
# chown -R named:named /var/named
Modify Start User
Here we are going to set the dns/server service (full FMRI: svc:/network/dns/server) to use the named user we created earlier.
# svccfg -s dns/server:default setprop start/user=named
Modify Start Group
Here we are going to set the dns/server service (full FMRI: svc:/network/dns/server) to use the named group we created earlier.
# svccfg -s dns/server:default setprop start/group=named
Build Basic Configuration
Solaris 11 doesn’t come with a sample configuration, so we need to start from scratch. To test our previous steps we will simply set up a caching, forward-only DNS server. Keep in mind that allow-query must list the networks of the clients that will use this server, or their name resolution will fail.
# cat /etc/named.conf
options {
        directory "/var/named";
        version "unknown";
        pid-file "/var/named/named.pid";
        forwarders { 8.8.8.8; 8.8.4.4; };
        forward only;
        allow-transfer { "none"; };
        allow-query { 192.168.1.0/24; 192.168.2.0/24; };
};
zone "localhost" {
        type master;
        file "localhost.db";
        allow-update { none; };
};
zone "0.0.127.in-addr.arpa" {
        type master;
        file "localhost.rev.db";
        allow-update { none; };
};
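To check that a named.conf keeps the hardening choices made above (version string hidden, zone transfers blocked, allow-query restricted to named networks, forwarders present when forward only is set), here is an added Python checker. It is not part of the original post or of BIND; the brace-matching parse of the options block is my own minimal pass, not BIND's parser, and the sample configuration is constructed from the lines above.

```python
import re

# Constructed sample: the security-relevant lines of the options block above.
SAMPLE_CONF = """options {
version "unknown"; forwarders { 8.8.8.8; 8.8.4.4; }; forward only;
allow-transfer { "none"; }; allow-query {192.168.1.0/24; 192.168.2.0/24;};
};"""

def parse_options(conf):
    """Return {statement: normalised value} for the options block, or None."""
    # named.conf allows /* */, // and # comments; drop them before parsing.
    text = re.sub(r"(//|#)[^\n]*", "", re.sub(r"/\*.*?\*/", "", conf, flags=re.S))
    m = re.search(r"\boptions\s*\{", text)
    if not m:
        return None
    opts, depth, cur = {}, 0, ""
    for ch in text[m.end():]:
        if ch == "{":
            depth += 1
        elif ch == "}":
            if depth == 0:  # closing brace of the options block itself
                break
            depth -= 1
        if ch == ";" and depth == 0:  # end of a top-level statement
            stmt = re.match(r"([\w-]+)\s*(.*)", cur.strip(), re.S)
            if stmt:  # '{ 8.8.8.8; 8.8.4.4; }' -> '8.8.8.8;8.8.4.4;'
                opts[stmt.group(1)] = re.sub(r'[{}"\s]', "", stmt.group(2))
            cur = ""
        else:
            cur += ch
    return opts

def audit(conf):
    """Return a list of findings; an empty list means every check passed."""
    opts = parse_options(conf)
    if opts is None:
        return ["no options block found"]
    findings = []
    if "version" not in opts:
        findings.append("version not hidden: named will disclose its real version")
    if opts.get("allow-transfer") != "none;":
        findings.append("allow-transfer is not 'none': zone transfers not blocked")
    acl = opts.get("allow-query", "").split(";")
    if acl == [""] or "any" in acl:
        findings.append("allow-query missing or 'any': queries accepted from anywhere")
    if opts.get("forward") == "only" and not opts.get("forwarders"):
        findings.append("forward only without forwarders: resolution will fail")
    return findings
```

Run audit() on the contents of /etc/named.conf before enabling the service; an empty list means the options block matches the post's configuration on these points.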
Build Localhost Zone
# cat /var/named/localhost.db
$TTL 3h
@       IN SOA  ns01.yourdomain.local. hostmaster.yourdomain.net. (
                2014061201 ; se = serial number
                12h        ; ref = refresh
                15m        ; ret = update retry
                3w         ; ex = expiry
                3h         ; min = minimum )
        IN NS   ns01.yourdomain.local.
        IN NS   ns02.yourdomain.local.
        IN NS   ns03.yourdomain.local.
@       IN A    127.0.0.1  ; address record for localhost
Build Localhost Reverse Zone
# cat /var/named/localhost.rev.db
$TTL 3h
@       IN SOA  ns01.yourdomain.local. hostmaster.yourdomain.net. (
                2014061201 ; se = serial number
                12h        ; ref = refresh
                15m        ; ret = update retry
                3w         ; ex = expiry
                3h         ; min = minimum )
        IN NS   ns01.yourdomain.local.
        IN NS   ns02.yourdomain.local.
        IN NS   ns03.yourdomain.local.
1       IN PTR  localhost.
Add BIND Authorization
This allows the named user to administer the dns/server service.
# usermod -A solaris.smf.manage.bind named
Refresh Service Configuration
This will re-read the service configuration from the SMF repository and pick up the user and group changes we made earlier.
# svcadm refresh dns/server
Start DNS Server
Now we are done and ready to validate. Let's start the service.
# svcadm enable dns/server
Check the Service
If the following command generates no output, the service started properly with no errors.
# svcs -x
To confirm with actual output we can use the following command.
# svcs dns/server
STATE          STIME    FMRI
online         18:58:31 svc:/network/dns/server:default
But let's assume for a second that we have a problem; this is what you will see.
# svcs -x
svc:/network/dns/server:default (BIND DNS server)
 State: maintenance since June 14, 2014 06:57:34 PM CDT
Reason: Start method failed repeatedly, last exited with status 1.
   See: http://support.oracle.com/msg/SMF-8000-KS
   See: named(1M)
   See: /var/svc/log/network-dns-server:default.log
Impact: This service is not running.
Now we have two things to check: the log file of the SMF service, /var/svc/log/network-dns-server:default.log, and /var/adm/messages. Usually tailing the service log and grepping for named in the messages file will reveal the problem. A common problem I have had is forgetting to set ownership properly, or forgetting to refresh the service after the user and group are updated. The latter is visible by checking which user the named process is running as. If you do run into a problem, once it is fixed you can clear the maintenance state with the following.
# svcadm clear dns/server