| Author |
Message |
24/07/2008 09:51:52
|
Carsten Strotmann
Men & Mice Staff
Joined: 26/07/2007 13:08:39
Messages: 220
Location: Germany
Offline
|
Please find below a step-by-step tutorial on installing BIND 9.4.2-P1 on MacOS X 10.4 or 10.5 from Source.
Compiling and installing BIND from source is for experienced admins.
Requirements:
* MacOS X XCode Development tools installed
* MacOS X 10.4 or 10.5 (Intel or PPC)
* older BIND 9.4.x already installed
Security note: XCode developer tools should not be installed on a DNS Server (or any other machine) exposed to the internet. The developer tools can be used by an attacker to build more tools to attack other systems! Either remove the Developer tools after compiling BIND on the machine, or compile BIND on a dedicated development machine and copy the created file to the production DNS Server.
preparing the environment
open Terminal App
create a directory for compiling programs from source
change into that directory
download the BIND 9.4.2-P1 source code
check that the MD5 checksum is identical with the one in this tutorial
uncompress the source
compiling BIND
change into the created directory
call the 'configure' script. The configure script tests your operating system environment to make sure everything needed for compiling is available. Here we are configuring BIND without IPv6 and without DNSSEC support.
if the configure script is working without error messages, we use the 'make' command to compile the new BIND DNS Server and all tools
if the 'make' command finishes without errors, we issue 'sudo make install' to install the new BIND DNS Server
if BIND is installed successfully, a request of the version number should now show "9.4.2-P1"
make sure that your BIND configuration does not include a "query-source" statement (file /var/named/conf/options)
enable the new BIND DNS Server
next we reboot the machine to make sure that the new BIND is used when rebooting the server
test the Server
after successful reboot, we check that our DNS Server is working fine with the 'rndc status' command
next we check if we now have a secure DNS Server, if the UDP Port randomization is working
the result should be similar to this:
This message was edited 8 times. Last update was at 24/07/2008 15:26:42
|
----
Men & Mice Support Team
support@menandmice.com |
|
|
 |
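The configuration check from the tutorial above, as an added example that is not part of the original post: a shell function that reports every active "query-source" statement in an options file and marks the ones that pin a fixed port, since a fixed port keeps all outgoing queries on one source port regardless of the new randomization. The function name, its exit codes and the sample file are assumptions made for this example.

```sh
#!/bin/sh
# Added example: find active query-source statements in a BIND options file.
# Limits: strips //, # and single-line /* */ comments only; multi-line
# block comments are not handled.
# Exit status: 0 = no statement, 1 = statement without fixed port, 2 = fixed port.
check_query_source() {
    conf=$1
    # sed keeps the line count, so grep -n reports the original line numbers.
    hits=$(sed -e 's|/\*.*\*/||g' -e 's|//.*$||' -e 's|#.*$||' "$conf" |
           grep -n -E '(^|[[:space:];{])query-source(-v6)?[[:space:]]' || true)
    [ -z "$hits" ] && return 0
    status=1
    while IFS= read -r hit; do
        if printf '%s\n' "$hit" | grep -q -E 'port[[:space:]]+[0-9]+'; then
            printf 'PINNED  %s:%s\n' "$conf" "$hit"
            status=2
        else
            printf 'PRESENT %s:%s\n' "$conf" "$hit"
        fi
    done <<EOF
$hits
EOF
    return $status
}

# Constructed sample, not a real server's configuration.
sample=$(mktemp)
cat > "$sample" <<'EOF'
options {
    directory "/var/named";
    // query-source address * port 53;
    query-source address * port 53;
    query-source-v6 address *;
};
EOF
check_query_source "$sample" || echo "exit status $? (1 = present, 2 = fixed port)"
rm -f "$sample"
```

On the server, run it against the file named in the tutorial: check_query_source /var/named/conf/options.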
24/07/2008 14:42:24
|
maurice.inzirillo
User
Joined: 01/08/2007 16:59:31
Messages: 4
Offline
|
What about Mac OS X 10.3.9 Server ?
It's running BIND 9.3.4-P1
Could I use your tutorial to update it ?
I'm using MM 4.6.1.1
|
|
|
 |
24/07/2008 14:52:05
|
Carsten Strotmann
Men & Mice Staff
Joined: 26/07/2007 13:08:39
Messages: 220
Location: Germany
Offline
|
maurice.inzirillo wrote:
What about Mac OS X 10.3.9 Server ?
It's running BIND 9.3.4-P1
Could I use your tutorial to update it ?
I'm using MM 4.6.1.1
It should also work on 10.3.x, but we haven't tested it. Make sure to read the BIND release notes about any configuration changes between 9.3.x and 9.4.x.
If you want to stay safe on the configuration side, update to BIND 9.3.5-P1:
ftp://ftp.isc.org:21/isc/bind9/9.3.5-P1/bind-9.3.5-P1.tar.gz
This message was edited 3 times. Last update was at 25/07/2008 05:28:21
|
----
Men & Mice Support Team
support@menandmice.com |
|
|
 |
24/07/2008 15:31:56
|
Chris Buxton
User
Joined: 26/07/2007 20:07:16
Messages: 151
Location: California
Offline
|
If you want to build on a separate host, but you want the full install to happen on the server, you can. It just takes more steps. The following requires that the server have ssh (Remote Login in System Preferences) turned on.
Replace the 'make install' step above with the following, replacing "user" and "server" with your user account name and the server's hostname or IP address.
You have now installed into a temporary directory, packaged it up, copied it to the server, and unpacked the installation there. You should now proceed with restarting the server to make sure it comes up correctly.
Note: I have modified the instructions above to tar up just DEST/usr rather than DEST/*, because DEST/* includes 'etc' and 'var'. Untarring a tarball containing these on a Mac OS X system will damage the system. To fix such damage, execute:
This message was edited 3 times. Last update was at 03/09/2008 16:39:04
|
|
|
 |
24/07/2008 15:35:26
|
maurice.inzirillo
User
Joined: 01/08/2007 16:59:31
Messages: 4
Offline
|
I tried.
make command finishes without errors
I installed the new BIND DNS Server with sudo make install
BIND is installed successfully, a request of the version number shows "9.4.2-P1"
named -v
BIND 9.4.2-P1
I reboot
When I check if the DNS Server is working fine with the 'rndc status' command I get this error:
[ns01:/Developer/source/bind-9.4.2-P1] maurice% sudo rdnc status
sudo: rdnc: command not found
if I try :
[ns01:~] maurice% dig +short porttest.dns-oarc.net txt @127.0.0.1
I get no answer
If I launch QuickDNS I get this message "Unable to connect to the server "ns01.xxx.com"
Could you help ?
|
|
|
 |
24/07/2008 16:56:08
|
Carsten Strotmann
Men & Mice Staff
Joined: 26/07/2007 13:08:39
Messages: 220
Location: Germany
Offline
|
maurice.inzirillo wrote:
When I check if the DNS Server is working fine with the 'rndc status' command I get this error:
[ns01:/Developer/source/bind-9.4.2-P1] maurice% sudo rdnc status
sudo: rdnc: command not found
if I try :
[ns01:~] maurice% dig +short porttest.dns-oarc.net txt @127.0.0.1
I get no answer
If I launch QuickDNS I get this message "Unable to connect to the server "ns01.xxx.com"
Could you help ?
The command is 'rndc' (Remote Name Daemon Control). It does not need 'sudo' and should work from a normal, non-'administrator' account.
Please send us the output of the command
That will start BIND in the foreground and will send all messages to the screen. There we will see if there is an error in the configuration somewhere.
You can also send it to 'support@menandmice.com' if you do not want the data to appear in this forum.
This message was edited 1 time. Last update was at 24/07/2008 16:56:51
|
----
Men & Mice Support Team
support@menandmice.com |
|
|
 |
24/07/2008 16:56:53
|
billc108
User
Joined: 22/08/2007 16:53:20
Messages: 11
Offline
|
Carsten Strotmann wrote:
Requirements:
* older BIND 9.4.x already installed
And if 9.4.x is NOT already installed.... what other steps are necessary?
I'm on 9.2.2
thanks.
|
|
|
 |
24/07/2008 17:07:39
|
Carsten Strotmann
Men & Mice Staff
Joined: 26/07/2007 13:08:39
Messages: 220
Location: Germany
Offline
|
billc108 wrote:
Carsten Strotmann wrote:
Requirements:
* older BIND 9.4.x already installed
And if 9.4.x is NOT already installed.... what other steps are necessary?
I'm on 9.2.2
thanks.
Please read forum post
http://support.menandmice.com/jforum/posts/list/2.page
and
http://support.menandmice.com/jforum/posts/list/36.page
and run the 9.4.1 fix in the 2nd post.
|
----
Men & Mice Support Team
support@menandmice.com |
|
|
 |
28/07/2008 18:25:16
|
RightMinds
User
Joined: 24/07/2008 20:53:04
Messages: 6
Offline
|
How can I compile this on an Intel machine for a PPC machine?
I've successfully compiled 9.3.5-P1 on Intel for Intel.
|
|
|
 |
28/07/2008 18:56:12
|
Chris Buxton
User
Joined: 26/07/2007 20:07:16
Messages: 151
Location: California
Offline
|
The following should work for cross-compiling between architectures.
We have not yet tested it thoroughly, but it's similar to the process for building a universal binary.
When cross-compiling on Mac OS X, it is necessary to disable atomic operations due to the selection of incorrect assembler code. To do this, add the following to your ./configure line:
--disable-atomic
For example:
./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var --disable-threads --enable-largefile --with-openssl --with-pic --disable-atomic
Then replace the 'make' step with this:
make CFLAGS="-isysroot /Developer/SDKs/MacOSX10.4u.sdk -arch ppc"
If you want to make a universal binary:
make CFLAGS="-isysroot /Developer/SDKs/MacOSX10.4u.sdk -arch ppc -arch i386"
This will* build a 32-bit binary for PowerPC and Intel architectures suitable for use on Tiger. If you want a 64-bit binary, you either have to compile for Leopard or disable openssl - Apple's openssl install for Tiger does not have 64-bit versions of the libraries.
To use Leopard, change the SDK from MacOSX10.4u to MacOSX10.5. Then, for 64-bit support, add some arch's:
make CFLAGS="-isysroot /Developer/SDKs/MacOSX10.5.sdk -arch ppc -arch ppc64 -arch i386 -arch x86_64"
* Footnote: When using the 10.4u SDK on 10.5, we have found that there is a missing symlink. We have not tested this on Tiger itself to see if the error existed there, but if you get an error about a missing library (-lcrt1.10.5.o), execute these commands:
cd /Developer/SDKs/MacOSX10.4u.sdk/usr/lib
ln -vs crt1.o crt1.10.5.o
This message was edited 3 times. Last update was at 29/07/2008 16:40:52
|
|
|
 |
29/07/2008 16:18:45
|
jmay
User
Joined: 01/08/2007 14:57:09
Messages: 28
Offline
|
How does one archive their existing BIND install, and revert back to it if necessary?
Also, do these build instructions work on PPC?
Thanks!
- John
|
|
|
 |
29/07/2008 16:33:04
|
Chris Buxton
User
Joined: 26/07/2007 20:07:16
Messages: 151
Location: California
Offline
|
To archive your existing BIND version... Hmm... That depends on what you end up installing.
Try backing up any binaries you care about. For example, you might use this bash script:
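for binary in /usr/bin/{host,dig,nslookup,nsupdate} /usr/sbin/{named*,rndc*,dnssec*} ; do
    [ -e "$binary" ] || continue    # skip names and patterns that match nothing
    cp "$binary" "$binary.bak"      # keep a .bak copy next to the original
done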
However, there are a large number of things this doesn't back up. If you prefer to be as safe as possible, use this to "install" the new version:
mkdir ../DEST
make DESTDIR=$(pwd)/../DEST install
This will create a folder named DEST in the same location as the BIND source code folder (i.e. outside of the folder where you execute ./configure and make). Then look through the resulting file.
You do not need:
etc/
var/
usr/lib/
usr/include/
You do need the contents of:
usr/bin/
usr/sbin/
Except you most likely don't need:
usr/bin/isc-config.sh
You may want:
usr/share/man/
Whatever you end up copying out of this DEST directory will probably replace something already installed. So back those up first.
|
|
|
 |
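The backup step described in the post above, as an added example that is not part of the original thread: before anything is copied out of the DEST staging directory, save each installed file under usr/bin and usr/sbin that a staged file of the same name would replace. The function name and its three arguments (staging directory, install root, backup directory) are assumptions made for this example.

```sh
#!/bin/sh
# Added example: back up the installed files that a staged BIND install
# (make DESTDIR=.../DEST install) would overwrite. Only usr/bin and usr/sbin
# are considered; etc/, var/, usr/lib/ and usr/include/ are never touched.
# Usage: backup_replaced DEST ROOT BACKUP   (ROOT is / on a real server)
backup_replaced() {
    dest=$1 root=$2 backup=$3
    count=0
    for dir in usr/bin usr/sbin; do
        [ -d "$dest/$dir" ] || continue
        for staged in "$dest/$dir"/*; do
            [ -f "$staged" ] || continue
            name=${staged##*/}
            # The post lists isc-config.sh as most likely not needed.
            [ "$name" = "isc-config.sh" ] && continue
            if [ -f "$root/$dir/$name" ]; then
                mkdir -p "$backup/$dir"
                cp -p "$root/$dir/$name" "$backup/$dir/$name"
                printf 'backed up %s/%s\n' "$dir" "$name"
                count=$((count + 1))
            else
                printf 'new file  %s/%s\n' "$dir" "$name"
            fi
        done
    done
    printf '%s file(s) saved under %s\n' "$count" "$backup"
    return 0
}

# Constructed demo tree of empty placeholder files, so the real system is not touched.
work=$(mktemp -d)
mkdir -p "$work/DEST/usr/bin" "$work/DEST/usr/sbin" \
         "$work/root/usr/bin" "$work/root/usr/sbin"
touch "$work/DEST/usr/bin/dig" "$work/DEST/usr/bin/isc-config.sh" \
      "$work/DEST/usr/sbin/named" "$work/DEST/usr/sbin/rndc"
touch "$work/root/usr/bin/dig" "$work/root/usr/sbin/named"
backup_replaced "$work/DEST" "$work/root" "$work/backup"
rm -rf "$work"
```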
29/07/2008 16:38:05
|
Chris Buxton
User
Joined: 26/07/2007 20:07:16
Messages: 151
Location: California
Offline
|
jmay wrote:
Also, do these build instructions work on PPC?
Yes, if you have the necessary SDKs. Worst case is you get an error - it won't cause any lasting harm to try it out.
|
|
|
 |
29/07/2008 20:56:21
|
jmay
User
Joined: 01/08/2007 14:57:09
Messages: 28
Offline
|
One last question - will this new build work OK with QuickDNS 5.1.3?
- John
|
|
|
 |
29/07/2008 21:03:54
|
Chris Buxton
User
Joined: 26/07/2007 20:07:16
Messages: 151
Location: California
Offline
|
Yes it will. Building and installing your own copy of BIND from source code will not interfere with Men & Mice Suite.
|
|
|
 |
|
|