BIND package configuration
--------------------------

Documentation and packaging structure
-------------------------------------

The main named daemon binary is in the bind main package.
The BIND documentation is in the sub package bind-doc.
All shared libraries and the DNS utilities are in the bind-utils package.
As all the bind (shared) libraries are for bind-internal use only, no
development package is provided.


The BIND prep script
--------------------

The prep script, /usr/libexec/bind/named.prep, checks that all configuration
files are present.  If /etc/rndc.key does not exist, the script creates it.


rndc access
-----------

The additional configuration file /etc/named.d/rndc-access.conf is provided to
limit rndc access to and from localhost only.  Look at this file also for a
less restrictive example.

You have to activate this by un-commenting the appropriate "include"
directive in /etc/named.conf using your editor of choice.
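As an added illustration (this is not the content of the package's
rndc-access.conf, which you should read yourself), the following controls
statement is how BIND restricts rndc to localhost: named listens for rndc only
on the loopback address, accepts connections only from it, and requires the
shared key from /etc/rndc.key.  The key name "rndc-key" is the default that
rndc-confgen generates; adjust it if your /etc/rndc.key uses another name.

```conf
// Added example, not the package's own rndc-access.conf.
include "/etc/rndc.key";

controls {
    // Listen on IPv4 loopback only; the allow list is also loopback only.
    inet 127.0.0.1 port 953
        allow { 127.0.0.1; }
        keys { "rndc-key"; };
    // Same for IPv6 loopback.
    inet ::1 port 953
        allow { ::1; }
        keys { "rndc-key"; };
};
```

Because the key is required, a process on localhost that cannot read
/etc/rndc.key still cannot control the server; this is why the key file's
permissions matter as much as the allow list.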


File permissions
----------------

File access permissions and restrictions are defined by the appropriate
directives in the "named.service" systemd unit files.

The BIND package uses by default /var__NSD__/named/ to store its zone files.

For security reasons, 'named' runs as user 'named', while the name server
directory itself is owned by user and group root.  Slave zone files can
therefore only be stored in /var__NSD__/named/slave/, because this directory is
owned by user 'named'.

The same applies to dynamically updated zones: the zone and journal files must
be owned by 'named' so that the 'named' process can write them.  From time to
time, as an intermediate step, 'named' dumps the current content of the journal
to a newly created temporary file.

If you use dynamically updated zones, change the file definition of the
affected zone to use the subdirectory /var__NSD__/named/dyn/, as in the
following example.

zone "example.net" IN {
    type master;
    file "dyn/example.net.zone";
    # [ other unlisted options ]
};

By default, /etc/named.conf is owned by root:named with permissions 0640.  Thus
only root can change the file, the user 'named' (and hence the 'named' process)
can read it, and others cannot access it at all.  This is indispensable if the
configuration file contains shared secrets for zone updates.  Ensure that all
'named' configuration files are readable by either the user or the group
'named'.
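The following shell script is an added example (not part of the bind package)
that audits the ownership and permission layout described in this section:
/etc/named.conf as root:named 0640, the name server directory owned by root,
the slave/ and dyn/ subdirectories owned by user 'named', and every file in
/etc/named.d readable by user or group 'named'.  It assumes GNU stat (Linux);
the name server directory (the /var__NSD__/named/ path above) is passed in by
the caller because its exact location depends on the distribution.

```shell
#!/bin/sh
# Added example, not part of the bind package: audit the file layout this
# README describes. Assumes GNU coreutils stat.

# check_owner_mode FILE OWNER GROUP MODE
# Returns 0 if FILE is owned by OWNER:GROUP with octal MODE (e.g. 640).
check_owner_mode() {
    actual=$(stat -c '%U:%G:%a' "$1" 2>/dev/null) || return 1
    [ "$actual" = "$2:$3:$4" ]
}

# readable_by FILE USER GROUP
# Returns 0 if USER (as owner), GROUP (as group) or everybody has the read
# bit on FILE. Mirrors the rule that every named configuration file must be
# readable by either user or group 'named'.
readable_by() {
    user=$2 group=$3
    info=$(stat -c '%U %G %a' "$1" 2>/dev/null) || return 1
    set -- $info                      # $1=owner $2=group $3=octal mode
    perm=$(printf '%04d' "$3")        # pad so that 40 becomes 0040
    ubit=$(printf '%s' "$perm" | cut -c2)
    gbit=$(printf '%s' "$perm" | cut -c3)
    obit=$(printf '%s' "$perm" | cut -c4)
    case "$1:$ubit" in "$user:"[4-7]) return 0 ;; esac
    case "$2:$gbit" in "$group:"[4-7]) return 0 ;; esac
    case "$obit" in [4-7]) return 0 ;; esac
    return 1
}

# audit_named_layout NAMED_DIR CONF ROOT_USER NAMED_USER NAMED_GROUP
# Checks the README's rules and prints one line per violation:
#   - CONF is ROOT_USER:NAMED_GROUP with mode 0640
#   - NAMED_DIR itself is owned by ROOT_USER:ROOT_USER (named cannot write it)
#   - NAMED_DIR/slave and NAMED_DIR/dyn are owned by user NAMED_USER
#   - every file in the named.d directory next to CONF is readable by named
# Returns 0 if everything matches, 1 otherwise.
audit_named_layout() {
    dir=$1 conf=$2 root=$3 nuser=$4 ngroup=$5 rc=0
    check_owner_mode "$conf" "$root" "$ngroup" 640 ||
        { echo "FAIL: $conf must be $root:$ngroup mode 0640"; rc=1; }
    [ "$(stat -c '%U:%G' "$dir" 2>/dev/null)" = "$root:$root" ] ||
        { echo "FAIL: $dir must be owned by $root:$root"; rc=1; }
    for sub in slave dyn; do
        [ "$(stat -c '%U' "$dir/$sub" 2>/dev/null)" = "$nuser" ] ||
            { echo "FAIL: $dir/$sub must be owned by user $nuser"; rc=1; }
    done
    for f in "$(dirname "$conf")"/named.d/*; do
        [ -f "$f" ] || continue       # also skips an unmatched glob
        readable_by "$f" "$nuser" "$ngroup" ||
            { echo "FAIL: $f is not readable by $nuser or $ngroup"; rc=1; }
    done
    return $rc
}

# Stand-alone use: sh audit-named.sh <named-directory>
if [ $# -eq 1 ]; then
    audit_named_layout "$1" /etc/named.conf root named named
fi
```

A non-zero exit status means at least one rule is violated; the printed lines
name the file and the expected owner or mode, so the script can be run from a
post-install check or a monitoring job.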
