BIND 9.9.6-P1

コンパイル

IDNライブラリ

Solaris 9/10/11ではidnkitライブラリが/usr/libにありますが、ヘッダーファイルが足りないため、あらかじめidnkitをインストールしておきます。

% cd contrib/idn/idnkit-1.0-src

Solaris 10のgethostbyaddrとgethostbyaddr_rのプロトタイプ宣言が異なるため、/usr/include/netdb.hのプロトタイプ宣言と矛盾が生じます。
よって、とりあえずSolaris 10では--enable-runidnを指定しないようにします。

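#!/bin/sh
#
# Configure-time settings for building idnkit on Solaris.
#
# Sources the shared ../../../../setup-pre.sh (passing the optional ISA
# argument through) and then chooses, from the OS release, where iconv lives
# and whether runidn may be enabled.  The variables iconvpath, iconvlib and
# RUNIDN are left for the configure step, which is not part of this listing.
#
# Written for the Bourne shell on purpose: backticks and [ ] are kept because
# older Solaris /bin/sh does not understand $(...) or [[ ]].

if [ $# -eq 1 ]; then
    # quoted so an empty or space-containing ISA argument is passed intact
    . ../../../../setup-pre.sh "$1"
else
    . ../../../../setup-pre.sh
fi

case `uname -r` in
"5.8"|"5.9"|"5.11")
    # Solaris 8/9/11: iconv is part of libc and runidn builds cleanly.
    iconvpath=/usr
    iconvlib=-lc
    RUNIDN="--enable-runidn"
    CPPFLAGS="-I/usr/include $CPPFLAGS"; export CPPFLAGS
    ;;

"5.10")
    # Solaris 10: runidn stays off because its gethostbyaddr/gethostbyaddr_r
    # prototypes conflict with /usr/include/netdb.h (see the note above).
    iconvpath=/usr
    iconvlib=-lc
    RUNIDN=
    CPPFLAGS="-I/usr/include $CPPFLAGS"; export CPPFLAGS
    ;;

*)
    # Anything else: expect GNU libiconv under /usr/local, no runidn.
    iconvpath=/usr/local
    iconvlib=-liconv
    RUNIDN=
    CPPFLAGS="-I/usr/include $CPPFLAGS"; export CPPFLAGS
    ;;
esac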
% setup.sh [sparcv9|sparcv8plus|i386|amd64]
% gmake
# gmake install

BIND

Solaris 10ではPKCS11 ENGINEを有効にするためにOpenSSLのバージョンチェックを無効にします。

--- lib/dns/openssl_link.c.orig 2009-03-06 17:43:04.418140000 +0900
+++ lib/dns/openssl_link.c      2009-03-06 17:43:41.959606000 +0900
@@ -54,9 +54,9 @@
 #include <openssl/conf.h>
 #include <openssl/crypto.h>

-#if defined(CRYPTO_LOCK_ENGINE) && (OPENSSL_VERSION_NUMBER >= 0x0090707f)
+#if defined(CRYPTO_LOCK_ENGINE) && (OPENSSL_VERSION_NUMBER >= 0x0090704f)
 #define USE_ENGINE 1
 #endif

 #ifdef USE_ENGINE
 #include <openssl/engine.h>
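Review bot: The changed `#if` lowers the USE_ENGINE gate from 0x0090707f to 0x0090704f (0.9.7g down to 0.9.7d) without recording why in the source, so the next upstream merge will either silently drop it or keep it without understanding it. The surrounding text says the purpose is to get the PKCS#11 ENGINE built against Solaris 10's OpenSSL; put that in the code, e.g. `/* Solaris 10: gate lowered from 0x0090707f so the pkcs11 ENGINE builds against the vendor OpenSSL 0.9.7 */` directly above the `#if`. Whether every 0.9.7d–0.9.7f build exposes the ENGINE calls used further down in this file is not shown by the hunk — presumably it was verified by compiling on Solaris 10, and the comment should say so, because the ENGINE_ID/PKCS11_MODULE_PATH defines appended to config.h later on this page rely on this code path being compiled in.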

以下のようなスクリプトを用意して実行します。

普通にconfigureを起動するとSolaris 10のOpenSSLのバージョンのチェックでひっかかってしまうので、Solaris 10ではチェックをしないようにします。

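#!/bin/sh
#
# setup.sh -- configure BIND for Solaris.
#
# Sources ../setup-pre.sh (not part of this listing; presumably it sets ISA,
# LIBISA, CONFDIRS, sslpath, krb5path and OPENSSL_VERSION_CHECK_OPTION, which
# are used below but never assigned here), switches configure to a variant
# that links against $use_openssl/lib/64 on 64-bit ISAs, runs configure with
# the Solaris options, and finally pins the PKCS#11 engine settings into
# config.h.
#
# Kept Bourne-shell compatible (backticks, [ ], no $(...)) because older
# Solaris /bin/sh does not support the newer syntax.

if [ $# -eq 1 ]; then
        # quoted so an empty or space-containing ISA argument is passed intact
        . ../setup-pre.sh "$1"
else
        . ../setup-pre.sh
fi

# Keep a pristine copy of configure; every run below starts from it.
if [ ! -f configure.orig ]; then
        cp -p configure configure.orig || exit 1
fi

#
# for sparcv9 and amd64: a configure variant that links OpenSSL from
# $use_openssl/lib/64 instead of $use_openssl/lib.  Generated once from the
# pristine copy; a failed sed must not leave a half-written file behind, or
# the next run would silently use it.
#
if [ ! -f configure.64 ]; then
        sed 's/DNS_OPENSSL_LIBS=\"-L\$use_openssl\/lib -R\$use_openssl\/lib -lcrypto\"/DNS_OPENSSL_LIBS=\"-L\$use_openssl\/lib\/64 -R\$use_openssl\/lib\/64 -lcrypto\"/' configure.orig > configure.64 || { rm -f configure.64; exit 1; }
        chmod 755 configure.64
fi

if [ "$ISA" = "sparcv9" ] || [ "$ISA" = "amd64" ]; then
        cp -p configure.64 configure || exit 1
else
        cp -p configure.orig configure || exit 1
fi

case `uname -r` in
"5.8"|"5.9"|"5.10"|"5.11")
        # Solaris: iconv is part of libc; idnkit was installed under /usr/local.
        iconvpath=/usr
        iconvlib=-lc
        idnpath=/usr/local
        idnlib="-L/usr/local/lib$LIBISA -R/usr/local/lib$LIBISA -lidnkit"
        CPPFLAGS="-I/usr/local/include $CPPFLAGS"; export CPPFLAGS
        ;;

*)
        # Anything else: GNU libiconv and idnkit both under /usr/local.
        iconvpath=/usr/local
        iconvlib=-liconv
        idnpath=/usr/local
        idnlib="-L/usr/local/lib$LIBISA -R/usr/local/lib$LIBISA -lidnkit"
        #idnlib="-lidnkit"
        CPPFLAGS="-I/usr/local/include $CPPFLAGS"; export CPPFLAGS
        ;;
esac

# $CONFDIRS and $OPENSSL_VERSION_CHECK_OPTION are deliberately unquoted: they
# may expand to several options.  Stop if configure fails so that a stale
# config.h from an earlier run is not patched below.
./configure $CONFDIRS \
        --sysconfdir=/etc \
        --localstatedir=/var \
        --enable-threads \
        --enable-largefile \
        --enable-fixed-rrset \
        --with-export-libdir=/usr/local/lib/bind9$LIBISA \
        --with-pkcs11 \
        --with-openssl=$sslpath $OPENSSL_VERSION_CHECK_OPTION \
        --with-gssapi=$krb5path \
        --with-idn=$idnpath \
        --with-idnlib="$idnlib" \
        --with-libiconv=$iconvpath \
        --with-iconv=$iconvlib || exit 1

# Point BIND's PKCS#11 support at the system libpkcs11 matching this ISA.
if [ -f "config.h" ]; then
        echo '#define ENGINE_ID "pkcs11"' >> config.h
        if [ "$ISA" = "sparcv9" ] || [ "$ISA" = "amd64" ]; then
                echo '#define PKCS11_MODULE_PATH "/usr/lib/64/libpkcs11.so"' >> config.h
        else
                echo '#define PKCS11_MODULE_PATH "/usr/lib/libpkcs11.so"' >> config.h
        fi
fi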
% setup.sh [sparcv9|sparcv8plus|i386|amd64]
% gmake
# gmake install

ISA自動起動リンクを作るために、以下のスクリプトを実行します。

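#!/bin/sh
#
# Replace each installed BIND program under /usr/local/sbin and /usr/local/bin
# with a hard link to /usr/lib/isaexec, so that the ISA-specific copy is
# selected at run time.  Each program name is echoed as it is relinked.
#
# Bourne-shell compatible on purpose (no local, no [[ ]]), as older Solaris
# /bin/sh lacks them.
#
SBINPROG="pkcs11-destroy pkcs11-list pkcs11-keygen ddns-confgen rndc-confgen named-compilezone named-checkzone named-checkconf isc-hmac-fixup genrandom nsec3hash named-journalprint arpaname dnssec-settime dnssec-revoke dnssec-dsfromkey dnssec-keyfromlabel dnssec-signzone dnssec-keygen rndc lwresd named"
BINPROG="nsupdate dig host nslookup idnconv"

# link_isaexec DIR PROG...
#   Enter DIR and relink every PROG to /usr/lib/isaexec.  The script aborts
#   if DIR cannot be entered: otherwise rm/ln would run in whatever the
#   current directory happens to be.  A failed ln also aborts, because the
#   program has already been removed at that point (NOTE(review): a hard link
#   cannot cross filesystems, so /usr/local must be on the same one as
#   /usr/lib — confirm on the target host).
link_isaexec() {
  dir=$1
  shift
  cd "$dir" || exit 1
  for prog in "$@"
  do
    rm -f "$prog"
    ln /usr/lib/isaexec "$prog" || exit 1
    echo "$prog"
  done
}

if [ "${SBINPROG}" != "" ]; then
  # ${SBINPROG} is unquoted on purpose: one word per program
  link_isaexec /usr/local/sbin ${SBINPROG}
fi

if [ "${BINPROG}" != "" ]; then
  # ${BINPROG} is unquoted on purpose: one word per program
  link_isaexec /usr/local/bin ${BINPROG}
fi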

起動

設定ファイルを用意します。

/etc/named.conf

include "/var/namedb/rndc.key";

// rndc control channel: listens on loopback only (IPv4 and IPv6), and every
// client must sign with the "rndc" key brought in by the include above.
controls {
        inet 127.0.0.1 port 953
                allow { 127.0.0.1; } keys { "rndc"; };
        inet ::1 port 953
                allow { ::1; } keys { "rndc"; };
};

/etc/rndc.conf

include "/var/namedb/rndc.key";

// Client-side defaults so a plain "rndc <command>" reaches the local named on
// the control port above, signed with the same "rndc" key.
options {
        default-key "rndc";
        default-server 127.0.0.1;
        default-port 953;
};

mkdnsseckey.sh

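#!/bin/sh
#
# mkdnsseckey.sh
#
# Generate a fresh HMAC-SHA512 TSIG key with dnssec-keygen and print it on
# stdout as a named.conf "key" statement; the temporary K<name>.* files are
# removed afterwards.  The caller redirects stdout into the key file, so that
# file's mode comes from the caller's umask — tighten it (chmod 600) before
# use, since it holds the shared secret.
#
# Bourne-shell compatible on purpose (backticks, [ ]): older Solaris /bin/sh
# lacks $(...) and [[ ]].
#
if [ $# -lt 1 ]; then
        # usage goes to stderr so it never lands in a redirected key file
        echo "Usage:" 1>&2
        echo "    $0 key-name" 1>&2
        echo "Example:" 1>&2
        echo "    $0 key-name > key-name.key" 1>&2
        exit 1
fi

keyname=$1

# dnssec-keygen prints the generated key's base name (K<name>.+<alg>+<id>) on
# stdout; keep it so that only this key's files are read and deleted, not any
# other K<name>.* key already in the directory.  Stop if generation fails.
keyfile=`dnssec-keygen -a HMAC-SHA512 -b 512 -n USER "$keyname"` || exit 1
if [ ! -f "$keyfile.private" ]; then
        echo "$0: $keyfile.private was not created" 1>&2
        exit 1
fi

# The private file holds a "Key: <base64>" line; emit it as the secret.
awk -v keyname="$keyname" 'BEGIN{
        printf("key %s {\n", keyname);
        printf("\talgorithm HMAC-SHA512;\n");
}
{
        if (match(substr($1, 1, 4), "Key:"))
                printf("\tsecret \"%s\";\n", $2);
}
END {
        printf("};\n");
}' "$keyfile.private"
rm -f "$keyfile.key" "$keyfile.private"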

/var/namedb/rndc.key

# ./mkdnsseckey.sh rndc > rndc.key

起動バイナリパスをインストールしたnamedに変更します。

# svccfg -s svc:/network/dns/server:default setprop options/server=/usr/local/sbin/named

サービスを有効化します。

# svcadm enable svc:/network/dns/server

Dynamic DNS

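#!/bin/sh
#
# Print a reverse (in-addr.arpa) zone file skeleton for the /24 segment given
# as the only argument, e.g. "192.168.1" -> $ORIGIN 1.168.192.IN-ADDR.ARPA.
# Output goes to stdout; the SOA serial is today's date followed by "00".
#
# Bourne-shell compatible on purpose (backticks, [ ], case): older Solaris
# /bin/sh lacks $(...) and [[ ]].
#
# Prefer a POSIX awk when one is installed.
AWK=awk
if [ -x /usr/local/bin/awk ]; then
        AWK=/usr/local/bin/awk
elif [ -x /usr/xpg4/bin/awk ]; then
        AWK=/usr/xpg4/bin/awk
fi

host="ns.next-hop.net."
hostmaster="hostmaster.next-hop.net."
nameserver1="ns.next-hop.net."
nameserver2="ns2.next-hop.net."

# usage
#   Print a one-line usage message to stderr; returns 1 for the caller.
usage() {
        echo "Usage: $0 a.b.c" 1>&2
        return 1
}

# is_segment STRING
#   True when STRING is three non-empty dot-separated parts ("a.b.c").
#   It does not check that the parts are numeric.
is_segment() {
        case "$1" in
        *.*.*.*|.*|*.|*..*|"") return 1 ;;
        *.*.*) return 0 ;;
        *) return 1 ;;
        esac
}

# gen_reverse_zone SEGMENT
#   Write the zone file for SEGMENT to stdout.  Returns awk's exit status.
#   NOTE(review): the SOA and NS owner is written as "." rather than "@";
#   confirm that named loads this as intended.
gen_reverse_zone() {
        seg=$1
        today=`date +%Y%m%d`
        "$AWK" -v segment="$seg" -v date="$today" -v host="$host" \
                -v hostmaster="$hostmaster" \
                -v nameserver1="$nameserver1" -v nameserver2="$nameserver2" '
BEGIN {
        split(segment, octet, ".");
        printf("$ORIGIN %s.%s.%s.IN-ADDR.ARPA.\n", octet[3], octet[2], octet[1]);
        printf("$TTL 86400\n");

        printf(".\t\t\tIN SOA\t%s %s (\n", host, hostmaster);
        printf("\t\t\t\t%s00 ; serial\n", date);
        printf("\t\t\t\t3600       ; refresh (1 hour)\n");
        printf("\t\t\t\t900        ; retry (15 minutes)\n");
        printf("\t\t\t\t604800     ; expire (1 week)\n");
        printf("\t\t\t\t3600       ; minimum (1 hour)\n");
        printf("\t\t\t\t)\n");

        printf("\t\t\tNS\t%s\n", nameserver1);
        printf("\t\t\tNS\t%s\n", nameserver2);

        printf("0\t\t\tA\t255.255.255.0\n");
}'
}

# Refuse to emit a zone for a missing or malformed segment instead of
# printing one with an empty $ORIGIN.
if [ $# -eq 1 ] && is_segment "$1"; then
        gen_reverse_zone "$1"
else
        usage
fi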
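#!/bin/sh
#
# Print a named.conf "zone" clause for the dynamically updated reverse zone
# of the /24 segment given as the only argument, e.g. "192.168.1" ->
# zone "1.168.192.in-addr.arpa".  Output goes to stdout.
#
# Bourne-shell compatible on purpose ([ ], case): older Solaris /bin/sh lacks
# $(...) and [[ ]].
#
# Prefer a POSIX awk when one is installed.
AWK=awk
if [ -x /usr/local/bin/awk ]; then
        AWK=/usr/local/bin/awk
elif [ -x /usr/xpg4/bin/awk ]; then
        AWK=/usr/xpg4/bin/awk
fi

# usage
#   Print a one-line usage message to stderr; returns 1 for the caller.
usage() {
        echo "Usage: $0 a.b.c" 1>&2
        return 1
}

# is_segment STRING
#   True when STRING is three non-empty dot-separated parts ("a.b.c").
#   It does not check that the parts are numeric.
is_segment() {
        case "$1" in
        *.*.*.*|.*|*.|*..*|"") return 1 ;;
        *.*.*) return 0 ;;
        *) return 1 ;;
        esac
}

# gen_zone_clause SEGMENT
#   Write the zone clause for SEGMENT to stdout.  Returns awk's exit status.
#   The clause refers to a key "ddns.key" and an ACL "dns-server" that must
#   be defined elsewhere in named.conf.
gen_zone_clause() {
        seg=$1
        "$AWK" -v segment="$seg" '
BEGIN {
        split(segment, octet, ".");
        printf("zone \"%s.%s.%s.in-addr.arpa\" {\n", octet[3], octet[2], octet[1]);
        printf("\ttype master;\n");
        printf("\tfile \"dynamic/%s.zone\";\n", segment);
        printf("\tallow-update { key ddns.key; };\n");
        printf("\tallow-transfer {\n");
        printf("\t\tdns-server;\n");
        printf("\t};\n");
        printf("};\n");
}'
}

# Refuse to emit a clause for a missing or malformed segment instead of
# printing one with an empty zone name.
if [ $# -eq 1 ] && is_segment "$1"; then
        gen_zone_clause "$1"
else
        usage
fi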

Copyright ©2001-2014 T.Hiraga <hiraga@next-hop.net> All Rights Reserved.
Last modified: $Date: 2014/12/11 04:24:56 $