
Ubuntu 12.10 (Quantal Quetzal) Install Notes

Introduction and System Description

This page describes a setup of bind10-1.0.0 on Ubuntu 12.10.

These notes are quite dated. Keep in mind that many things have changed since they were created. In particular, Kea does not require python3 or SQLite. It can also use either OpenSSL or Botan, so Botan is no longer a strict dependency.


The starting point is a text-based installation of Ubuntu Server 64-bit with no additional software packages added. I am running a virtualized environment on VMware vSphere 5.1 with the VMware Tools installed on each virtual machine.

Insofar as practical, I built the BIND 10 prerequisites from downloaded source using the development tools provided by Ubuntu. The source downloads were the current versions as of March 6, 2013.

The bash samples below were run as the root user (sudo -i). For the most part they could be run under a nonprivileged account except that sudo apt-get and sudo make install would be required. Root privileges would also be required for the commands in the Notes on Running section.

Setup of Packaged Prerequisites

The first step is to install a basic Ubuntu development environment.

# apt-get install build-essential autoconf libtool pkg-config

Note that pkg-config is specified as a prerequisite for BIND 10, and autoconf is required to run autoreconf if BIND 10 patches are applied.

The packages zlib1g, libssl, and libexpat1 are part of the standard Ubuntu installation. The development versions of these packages are required to build Python 3 with the cryptographic and XML support required by BIND 10. libreadline6 is optional but very convenient. It enables the Python readline module that provides for command history and command line editing in the bindctl administration tool. For the sake of simplicity and error avoidance, I installed these with the Ubuntu package manager.

# apt-get install zlib1g-dev libssl-dev libexpat1-dev libreadline6-dev

Setup of Other Prerequisites

I installed the remaining BIND 10 prerequisites from downloaded source. The installation order is important only in that Python 3 must be built last so that it can incorporate the packages above and Sqlite 3 as Python modules. The use of --prefix=/usr below is typical of Ubuntu package installations, but this choice is arbitrary. If omitted, the default is /usr/local.

Boost

Boost C++ Libraries version 1.35 or greater is required. Version 1.53.0 is current.

# wget http://downloads.sourceforge.net/project/boost/boost/1.53.0/boost_1_53_0.tar.bz2 
# tar xjf boost_1_53_0.tar.bz2
# cd boost_1_53_0
# ./bootstrap.sh --prefix=/usr --with-libraries=thread
# ./b2 install
# cd ..

The Boost thread library is optional, but likely to be required in the future. Threading for BIND 10 is just beginning to be developed. The other Boost libraries requiring separate compilation are not needed. To install Boost without the thread library, substitute ./b2 install-headers above. In this case leave the bootstrap parameter --with-libraries=thread as is. Without this, all the libraries are compiled, and that takes a long time. Apparently there is no simple way to make Boost not compile any libraries at all.

Also be aware that as of this writing, a patch is required for BIND 10 1.0.0 to successfully build with Boost 1.53.0. Workarounds are to apply the patch to BIND 10 1.0.0 described in ticket:2764, which is now closed, or to use the previous version of Boost 1.52.0, or to use the latest BIND 10 code from the Git source tree with Boost 1.53.0.

Botan

Botan version 1.8 or greater is required. Version 1.10.4 is current.

# wget http://botan.randombit.net/files/Botan-1.10.4.tbz
# tar xjf Botan-1.10.4.tbz
# cd Botan-1.10.4
# ./configure.py --prefix=/usr
# make
# make check
# make install
# ./check --validate
# cd ..

None of the Botan modules requiring external libraries is required. Note that the Botan configuration script configure.py requires Python 2, which is a standard component of Ubuntu. It will not run with Python 3 without taking extra steps, and Python 3 is not installed at this point anyway.

Log4cplus

Log4cplus version 1.0.3 or greater is required. Version 1.0.4.3 is current.

# wget http://downloads.sourceforge.net/project/log4cplus/log4cplus-stable/1.0.4/log4cplus-1.0.4.3.tar.bz2
# tar xjf log4cplus-1.0.4.3.tar.bz2
# cd log4cplus-1.0.4.3
# ./configure --prefix=/usr
# make
# make install
# cd ..

SQLite

Sqlite version 3.3.9 or greater is required. Version 3.7.15.2 is current.

# wget http://www.sqlite.org/sqlite-autoconf-3071502.tar.gz
# tar xzf sqlite-autoconf-3071502.tar.gz
# cd sqlite-autoconf-3071502
# ./configure --prefix=/usr
# make
# make install
# cd ..

Python 3

Python version 3.1 or greater is required. Version 3.3.0 is current.

# wget http://www.python.org/ftp/python/3.3.0/Python-3.3.0.tar.xz
# tar xJf Python-3.3.0.tar.xz
# cd Python-3.3.0
# ./configure --prefix=/usr
# make
# make test
# make install
# cd ..

Note that with Python make test, certain module tests will fail since the software packages that they require have not been installed. In general those modules are not required for BIND 10’s use of Python 3, so the failures can be ignored. Do pay attention to any failure of the _hashlib or _ssl module. These are required by BIND 10. Be sure that the zlib1g-dev and libssl-dev packages have been installed as described above.

Python 3 setproctitle Module

Installing setproctitle is optional, but it provides for more readable process titles, for example in the output of the ps command. Without setproctitle the BIND 10 message queue process is titled /usr/bin/python3 /usr/libexec/bind10/b10-msgq. With setproctitle it is just b10-msgq, and so on for the other BIND 10 processes. setproctitle version 1.1 or greater is required to work with Python 3. Version 1.1.7 is current.

# wget https://pypi.python.org/packages/source/s/setproctitle/setproctitle-1.1.7.tar.gz
# tar xzf setproctitle-1.1.7.tar.gz
# cd setproctitle-1.1.7
# python3 setup.py install
# cd ..

Using Ubuntu Packages Instead of Compiling Prerequisites

Note that if you have followed the steps above to build all the prerequisites from source, then you do not need to do this step. All of the BIND 10 prerequisites can, however, be installed using the Ubuntu package manager instead of building them from downloaded source. Using Ubuntu packages, you won't get the very latest versions, but installation will be quicker and easier, and perhaps the software will be more stable. Always use the development versions of the BIND 10 prerequisite packages. Detailed information about all Ubuntu 12.10 packages is available here.

# apt-get install libboost-all-dev libbotan1.10-dev liblog4cplus-dev libsqlite3-dev python3-dev

Be aware that the Python setproctitle module has not been packaged for Python 3. You will need to download the source distribution as shown above.

Building and Installing

Start by downloading and extracting the source code for the released version 1.0.0 of BIND 10:

# wget http://ftp.isc.org/isc/bind10/devel-20120517/bind10-1.0.0.tar.gz
# tar xzf bind10-1.0.0.tar.gz
# cd bind10-1.0.0

Instead of using the released version 1.0.0 of BIND 10, you may decide to use the latest code from the Git source tree.

# git clone --quiet git://git.bind10.isc.org/bind10 bind10-1.0.0-git
# cd bind10-1.0.0-git
# autoreconf --install

If you are using the released version 1.0.0 of BIND 10 along with Boost 1.53.0, before proceeding with the build process, recall that a patch is required for a successful build. The patch file base_n.diff is attached to ticket:2764. Install the patch as follows (be sure that the current directory is bind10-1.0.0). The patch is not required if you are using Boost 1.52.0 or earlier or if you are using BIND 10 code from the Git source tree.

# wget http://bind10.isc.org/attachment/ticket/2764/base_n.diff
# patch -p1 -i base_n.diff
# autoreconf --install

In the configuration of any of the BIND 10 prerequisites, if you set --prefix to anything other than /usr, including omitting this option, which makes it default to /usr/local, you must execute ldconfig prior to building BIND 10, i.e. immediately prior to executing configure below. Otherwise certain BIND 10 compilation steps will fail because various library files cannot be found.

# ldconfig

The BIND 10 configure parameter --disable-silent-rules can be a useful troubleshooting tool when there are build problems. It causes make to echo every g++ command that it issues, as opposed to the default behavior, which is to output a summary message listing only the file being built.

Now continue with the build of BIND 10.

# ./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var --disable-silent-rules
# make
# make install
# cd ..

Notes on Running

BIND 10 can be made to run as non-root user bind with the following additional configuration.

# addgroup --system bind
# adduser --system --home /var/bind10 --no-create-home --disabled-password --ingroup bind bind
# chown -R bind:bind /etc/bind10
# chmod -R g+w /etc/bind10
# chown -R bind:bind /var/bind10
# chmod -R g+w /var/bind10

BIND 10 can be made to start and stop automatically using Ubuntu Upstart, which is a standard Ubuntu component.

First create the file bind10.conf as follows:

# bind10 - BIND 10 job file
description "BIND 10 Domain Name Server"

start on runlevel [2345]                                
stop on runlevel [!2345]         

exec /usr/sbin/bind10 --user=bind

Then install this file into the Upstart configuration directory, and finally start the bind10 service.

# install --mode=644 bind10.conf /etc/init
# start bind10

Verify that the BIND 10 processes are running.

# ps -aef | grep b10 
bind     20742     1  0 21:21 ?        00:00:00 b10-init                                                   
root     20743 20742  0 21:21 ?        00:00:00 b10-sockcreator
bind     20744 20742  0 21:21 ?        00:00:00 b10-msgq                                       
bind     20746 20742  0 21:21 ?        00:00:00 b10-cfgmgr                                       
bind     20748 20742  0 21:21 ?        00:00:00 b10-cmdctl                                       
bind     20749 20742  0 21:21 ?        00:00:01 b10-stats                                       
root     20780  2366  0 22:06 pts/0    00:00:00 grep --color=auto b10

The bindctl administrative utility no longer uses the default user name and password root and bind10. You must create one or more administrative accounts using the BIND 10 user manager. You will do this with the b10-cmdctl-usermgr utility running with the current directory set to /etc/bind10. It will create the file cmdctl-accounts.csv containing the user name you specify and your password hashed and salted.

# cd /etc/bind10
# b10-cmdctl-usermgr
Desired Login Name:admin
Choose a password:<type your secret password here>
Re-enter password:<type it again>

 create new account successfully! 

continue to create new account by input 'y' or 'Y':n
# chown bind:bind cmdctl-accounts.csv 
# chmod 660 cmdctl-accounts.csv 

With the cmdctl-accounts.csv file in place you can now use the bindctl administrative tool to configure your BIND 10 server. To log into bindctl, provide the user name and password you just created. Unlike some earlier development releases, BIND 10 1.0.0 no longer automatically starts its authoritative DNS service by default. You can use bindctl to start this service for testing purposes.

# bindctl
No stored password file found, please see sections "Configuration specification for b10-cmdctl" and "bindctl command-line options" of the BIND 10 guide.
Username: admin
Password: <type your secret password here>
["login success "]
> execute init_authoritative_server
adding Authoritative server component
adding Xfrin component
adding Xfrout component
adding Zone Manager component
Components added. Please enter "config commit" to
finalize initial setup and run the components.
> config commit
> quit

Exit from bindctl

Another check of running processes will show that the b10-zonemgr, b10-xfrin, b10-xfrout, and b10-auth modules are now in operation.

Be aware from a security standpoint that after a successful login, bindctl creates the file .bind10/default_user.csv in the user’s home directory. This file contains in clear text the user name and password used to authenticate with bindctl. Subsequent logins to bindctl use these cached credentials rather than prompting. You can delete default_user.csv if you wish, but on its next execution bindctl will issue an error message that there is no such file. It will then prompt for credentials again and recreate default_user.csv.
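Because the cached file holds the bindctl password in clear text, it is worth checking that no other account can read it. The following is an added example, not part of the original notes; the function name audit_bindctl_cache and its --fix option are assumptions, and it relies on GNU stat as shipped with Ubuntu.

```shell
#!/bin/sh
# Added example: audit bindctl's cached-credential file in each home
# directory given and report any copy readable by group or others.

# audit_bindctl_cache [--fix] HOME_DIR...   (hypothetical helper)
# Prints every HOME_DIR/.bind10/default_user.csv whose mode grants any
# group/other permission bit. With --fix the file is tightened to 0600.
# Returns 1 if at least one loose file was found, 0 otherwise.
audit_bindctl_cache() {
    fix=no found=0
    if [ "${1:-}" = "--fix" ]; then fix=yes; shift; fi
    for home in "$@"; do
        f=$home/.bind10/default_user.csv
        [ -f "$f" ] || continue            # no cached login for this user
        mode=$(stat -c %a "$f")            # octal mode, e.g. 644
        if [ $(( 0$mode & 077 )) -ne 0 ]; then
            echo "$f: mode $mode lets other accounts read the bindctl password"
            found=1
            if [ "$fix" = yes ]; then chmod 600 "$f"; fi
        fi
    done
    return $found
}

# Typical call on the system described here (run as root):
#   audit_bindctl_cache --fix /root /home/*
```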

Now submit a sample query to your BIND 10 authoritative server.

# dig @localhost ch txt authors.bind

The dig utility will return the names of the BIND 10 developers.

See the Bind10 Guide to reconfigure your server to meet your specific needs.

Cryptographic Verification of Source Files

Since BIND 10 is a cryptographic application in the sense that it supports DNSSEC, it is a good idea to verify that the source files from which you are installing are authentic. The BIND 10 source distribution and some of the prerequisites are digitally signed. Other prerequisites have published message digests. Following are some basic verification procedures using gpg, sha1sum, and md5sum. Your own standards for establishing trust may lead you to do more to verify the authenticity of any public keys on which you will rely. To learn more, see the GnuPG User Guides page.

Boost

SHA1 message digests for Boost downloads are published here. Click the gray circular information icon to see the digests related to the file you are downloading. MD5 message digests are given as well but are now deprecated.

# sha1sum boost_1_53_0.tar.bz2 
e6dd1b62ceed0a51add3dda6f3fc3ce0f636a7f3  boost_1_53_0.tar.bz2

Botan

Botan downloads are digitally signed with detached signatures located here. Botan’s public key is located here along with its serial number and fingerprint. You will need to place the ASCII-armored public key into a file and import it into your gpg public key ring. Check the key serial number on import and the key fingerprint on verification.

# wget http://botan.randombit.net/pgpkey.html
# awk '{ if( $0 ~ /^-+BEGIN PGP/ ) { print $0; while( $0 !~ /^-+END PGP/ && getline ) { print $0 } } }' pgpkey.html > BotanKey.asc
# gpg --import BotanKey.asc 
gpg: key EFBADFBC: public key "Botan Distribution Key" imported
# wget http://botan.randombit.net/files/Botan-1.10.4.tbz.asc
# gpg --verify Botan-1.10.4.tbz.asc Botan-1.10.4.tbz
gpg: Signature made Mon 07 Jan 2013 06:13:29 PM EST using RSA key ID EFBADFBC
gpg: Good signature from "Botan Distribution Key"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 621D AF64 11E1 851C 4CF9  A2E1 6211 EBF1 EFBA DFBC

Log4cplus

SHA1 message digests for Log4cplus downloads are published here. Click the gray circular information icon to see the digests related to the file you are downloading. MD5 message digests are given as well but are now deprecated.

# sha1sum log4cplus-1.0.4.3.tar.bz2 
917d244f7f3d58a5fff35e3eef7fff9c74e9409b  log4cplus-1.0.4.3.tar.bz2

SQLite

SHA1 message digests for SQLite downloads are published here in the body of the web page.

# sha1sum sqlite-autoconf-3071502.tar.gz 
075732562183d560cd46a0d8d08b50bc44e34eac  sqlite-autoconf-3071502.tar.gz

Python 3

Python 3 downloads are digitally signed with detached signatures located here. The text of the web page indicates which key has been used to sign which file, and the serial number and fingerprint are given. MD5 message digests are also listed on the web page but are now deprecated. Python’s public keys are located here along with serial numbers. The ASCII armored key files are directly downloadable. Check the key serial number on import and the key fingerprint on verification.

# wget http://www.python.org/~gbrandl/gbrandlpub.asc
# gpg --import gbrandlpub.asc
gpg: key 36580288: public key "Georg Brandl (Python release signing key) <georg@python.org>" imported
# wget http://www.python.org/ftp/python/3.3.0/Python-3.3.0.tar.xz.asc
# gpg --verify Python-3.3.0.tar.xz.asc Python-3.3.0.tar.xz
gpg: Signature made Sat 29 Sep 2012 04:28:17 AM EDT using DSA key ID 36580288
gpg: Good signature from "Georg Brandl (Python release signing key) <georg@python.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 26DE A9D4 6133 91EF 3E25  C9FF 0A5B 1018 3658 0288

Python 3 setproctitle Module

MD5 message digests for setproctitle downloads are published here in the download section as clickable links next to the associated file names.

# md5sum  setproctitle-1.1.7.tar.gz
b6a46974133016e16f4b8571d6c2afdb  setproctitle-1.1.7.tar.gz
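The digest checks for Boost, Log4cplus, SQLite and setproctitle can be run as one fail-closed step instead of comparing hex strings by eye. This is an added example, not part of the original notes; the helper names digest_of and verify_manifest are assumptions, and the manifest holds the digests shown in the transcripts above.

```shell
#!/bin/sh
# Added example: verify every downloaded tarball against a digest manifest
# and return failure if any file is missing or differs.

# Columns: algorithm, expected digest, file name (values from this page).
MANIFEST='sha1 e6dd1b62ceed0a51add3dda6f3fc3ce0f636a7f3 boost_1_53_0.tar.bz2
sha1 917d244f7f3d58a5fff35e3eef7fff9c74e9409b log4cplus-1.0.4.3.tar.bz2
sha1 075732562183d560cd46a0d8d08b50bc44e34eac sqlite-autoconf-3071502.tar.gz
md5 b6a46974133016e16f4b8571d6c2afdb setproctitle-1.1.7.tar.gz'

# digest_of ALGO FILE: print the hex digest; fail on unknown algorithm.
digest_of() {
    case "$1" in
        sha1) out=$(sha1sum -- "$2") || return 1 ;;
        md5)  out=$(md5sum -- "$2") || return 1 ;;
        *)    return 2 ;;
    esac
    printf '%s\n' "${out%% *}"
}

# verify_manifest DIR [MANIFEST_TEXT]
# Returns 0 only if every listed file exists in DIR and matches its digest.
verify_manifest() {
    dir=$1 manifest=${2:-$MANIFEST} rc=0
    while read -r algo want name; do
        [ -n "$algo" ] || continue
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING  $name" >&2; rc=1; continue
        fi
        got=$(digest_of "$algo" "$dir/$name") || got=
        if [ -n "$got" ] && [ "$got" = "$want" ]; then
            echo "OK       $name"
        else
            echo "MISMATCH $name (got ${got:-none})" >&2; rc=1
        fi
    done <<EOF
$manifest
EOF
    return $rc
}

# Typical call from the download directory, before any tar or make step:
#   verify_manifest . || exit 1
```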

BIND 10

BIND 10 is digitally signed with detached signatures located here. ISC’s public key is located here along with its serial number. From the link pgpkey2013.txt you will need to place the ASCII-armored key into a file to import it into your gpg public key ring. Check the key serial number on import. The key fingerprint is not given on the ISC web page.

# wget -O pgpkey2013.html https://www.isc.org/pgpkey2013
# awk '{ if( $0 ~ /-+BEGIN PGP/ ) { print $0; while( $0 !~ /-+END PGP/ && getline ) { print $0 } } }' pgpkey2013.html | sed 's/<\/p>/\n/' | sed 's/ *<\/\?[a-z][^>]*>//g' > ISCKey.asc
# gpg --import ISCKey.asc
gpg: key 189CDBC5: public key "Internet Systems Consortium, Inc. (Signing key, 2013) <codesign@isc.org>" imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)
# wget http://ftp.isc.org/isc/bind10/1.0.0/bind10-1.0.0.tar.gz.sha512.asc
# gpg --verify bind10-1.0.0.tar.gz.sha512.asc bind10-1.0.0.tar.gz
gpg: Signature made Thu 21 Feb 2013 12:52:30 PM EST using RSA key ID 189CDBC5
gpg: Good signature from "Internet Systems Consortium, Inc. (Signing key, 2013) <codesign@isc.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 2B48 A38A E1CF 9886 435F  89EE 45AC 7857 189C DBC5
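The fingerprint check recommended for Botan, Python 3 and BIND 10 can be enforced by a script that reads gpg's machine-readable status lines rather than its terminal output. This is an added example, not part of the original notes; the helper names are assumptions, the pinned fingerprints are the ones printed in the transcripts above, and the sample status lines are constructed.

```shell
#!/bin/sh
# Added example: pin the signer's fingerprint instead of reading gpg's
# human-oriented output. Fingerprints are the ones printed in the
# transcripts on this page, with spaces removed.
BOTAN_FPR=621DAF6411E1851C4CF9A2E16211EBF1EFBADFBC
PYTHON_FPR=26DEA9D4613391EF3E25C9FF0A5B101836580288
ISC_FPR=2B48A38AE1CF9886435F89EE45AC7857189CDBC5

# check_pinned_sig PINNED_FPR   (hypothetical helper name)
# Reads gpg status lines on stdin. Succeeds only if a VALIDSIG line names
# the pinned primary-key fingerprint and no failure status is present.
check_pinned_sig() {
    pinned=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    awk -v want="$pinned" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" {
            # Field 12 is the primary-key fingerprint when gpg reports it;
            # otherwise fall back to the signing-key fingerprint in field 3.
            fpr = (NF >= 12) ? $12 : $3
            if (toupper(fpr) == want) ok = 1
        }
        $1 == "[GNUPG:]" && ($2 == "BADSIG" || $2 == "ERRSIG" ||
                             $2 == "EXPKEYSIG" || $2 == "REVKEYSIG") {
            bad = 1
        }
        END { exit !(ok && !bad) }
    '
}

# verify_download SIG FILE PINNED_FPR: run gpg and apply the pin.
verify_download() {
    gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null |
        check_pinned_sig "$3"
}

# Constructed status lines for a good Botan signature (not captured output).
sample_good_status() {
    cat <<EOF
[GNUPG:] GOODSIG 6211EBF1EFBADFBC Botan Distribution Key
[GNUPG:] VALIDSIG $BOTAN_FPR 2013-01-07 1357600409 0 4 0 1 2 00 $BOTAN_FPR
EOF
}

# Intended use, once the tarball and signature are downloaded:
#   verify_download Botan-1.10.4.tbz.asc Botan-1.10.4.tbz "$BOTAN_FPR"
```

A pin is only as good as its source, so confirm each fingerprint through a channel other than the download site before relying on it.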
Last modified on Dec 3, 2014, 6:04:07 PM