DNSSEC validation turned on by default as of BIND 9.8.1
-------------------------------------------------------

As of version 9.8.1.dfsg-1, BIND ships with DNSSEC validation turned on by
default. Because the keys change over time, a fresh install of BIND will
require the admin to manually update bind.keys to account for the change
before BIND can resolve hosts in DNSSEC-validated zones.

Configuration Schema:
--------------------

The Debian BIND package ships with a config that will work for the majority of
leaf servers with no user input required.

The named configuration file, named.conf, is located in /etc/bind, so that all
static configuration files relating to bind are in one place. If you really
don't want named.conf in /etc/bind, the best way to handle it is probably to
replace /etc/bind/named.conf with a symlink to the location you want to use.
You could also pass an option to named in the init.d script, but that only
works for named, not for things like ndc.

Zone data files for the root servers and the forward and reverse localhost
zones are also provided in /etc/bind.

The working directory for named is now /var/cache/bind. Thus, any transient
files generated by named, such as database files for zones the daemon is
secondary for, will be written to the /var filesystem, where they belong. To
make this work, the provided named.conf uses explicit fully-qualified pathnames
to reference the files in /etc/bind.

Unlike previous BIND packages for Debian, the named.conf and provided db.*
files are tagged as conffiles. Thus, if you just want a "caching mostly"
server configuration for a server that does not need to be authoritative for
anything else, you can run the provided configuration as-is. If you want to
hack on named.conf, or even the init.d fragment, feel free to. Future package
upgrades will treat your configuration changes sanely, as all Debian packages
should.
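The DNSSEC section above describes the failure mode of a fresh install with an out-of-date bind.keys: the resolver validates, validation fails, and lookups in signed zones return SERVFAIL. The following shell script is an added example, not part of the bind9 package, that tells that case apart from the others a resolver can be in, by comparing the output of a plain dig run with one using +cd (checking disabled). The sample dig output, zone names and query ids are constructed; against a live resolver you would feed it real output as shown in the comment near the end.

```shell
#!/bin/sh
# Added example, not part of the bind9 package: classify what a validating
# resolver did with a query, from the output of two dig runs, one plain and one
# with +cd (checking disabled). A SERVFAIL that turns into NOERROR under +cd is
# the symptom this README describes for a stale bind.keys: the answer exists,
# but validation of it failed. (A badly wrong system clock produces the same
# symptom, since signatures carry validity periods.)
#
# Prints one of: validated | not-validating | validation-failure | lookup-failed

# Extract the RCODE from a dig header line such as
# ";; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1234"
dig_status() {
    printf '%s\n' "$1" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# True when the flags line carries the AD (authenticated data) bit.
dig_has_ad() {
    printf '%s\n' "$1" | grep -q '^;; flags:.*[ :]ad[ ;]'
}

classify_dnssec_result() {
    plain="$1"   # output of: dig @resolver +dnssec NAME TYPE
    cd_out="$2"  # output of: dig @resolver +dnssec +cd NAME TYPE
    plain_status=$(dig_status "$plain")
    cd_status=$(dig_status "$cd_out")
    if [ "$plain_status" = NOERROR ] && dig_has_ad "$plain"; then
        echo validated
    elif [ "$plain_status" = NOERROR ]; then
        # Answer came back but was not validated: the zone is unsigned, or
        # dnssec-validation is off on this resolver.
        echo not-validating
    elif [ "$plain_status" = SERVFAIL ] && [ "$cd_status" = NOERROR ]; then
        echo validation-failure
    else
        echo lookup-failed
    fi
}

# Constructed sample dig output (hypothetical zone and ids), trimmed to the
# header lines the functions above read.
sample_validated() {
    cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
EOF
}
sample_servfail() {
    cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
EOF
}
sample_cd_noerror() {
    cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4244
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
EOF
}

# Against a live resolver you would feed it real output instead, e.g.
#   classify_dnssec_result "$(dig @127.0.0.1 +dnssec example.test SOA)" \
#                          "$(dig @127.0.0.1 +dnssec +cd example.test SOA)"
classify_dnssec_result "$(sample_validated)" "$(sample_validated)"   # validated
classify_dnssec_result "$(sample_servfail)"  "$(sample_cd_noerror)"  # validation-failure
```

The "validation-failure" verdict is the one to look for after a fresh install: the data is reachable, the resolver refuses to hand it out because it cannot build a chain of trust, and updating bind.keys (or fixing the clock) is the remedy. "not-validating" on a zone you know to be signed means validation is not actually enabled, which is worth noticing on a resolver you expect to protect its clients.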
While you are free to craft whatever structure you wish for servers that need
to be authoritative for additional zones, we suggest that you put the db files
for any zones you are master for in /etc/bind (perhaps in a subdirectory
structure, depending on complexity), using full pathnames in named.conf. Any
zones you are secondary for should be configured in named.conf with simple
filenames (relative to /var/cache/bind), so the data files are stored in
BIND's working directory (which defaults to /var/cache/bind). Zones subject to
automatic updates (such as via DHCP and/or nsupdate) should be stored in
/var/lib/bind and specified with full pathnames.

AppArmor Profile
----------------

If your system uses AppArmor, please note that the shipped enforcing profile
works with the default installation, and changes to your configuration may
require changes to the installed AppArmor profile. Please see
https://wiki.ubuntu.com/DebuggingApparmor before filing a bug against this
software.

 -- Ondřej Surý, Thu, 18 Jan 2018 14:02:44 +0000
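The zone layout recommended in the Configuration Schema section (master zones
under /etc/bind with full pathnames, secondary zones as bare filenames so they
land in /var/cache/bind, dynamically updated zones under /var/lib/bind) is
also what the shipped AppArmor profile expects to be read-only or writable.
The script below is an added example, not part of the bind9 package, that
audits the zone statements in a named.conf fragment against that layout. The
sample configuration, zone names, key name and address are constructed; the
parser only understands the one-directive-per-line style the sample uses.

```shell
#!/bin/sh
# Added example, not part of the bind9 package: audit the zone statements in a
# named.conf fragment against the layout this README recommends:
#   master zones  -> full pathname under /etc/bind
#   slave zones   -> bare filename, so named writes them under /var/cache/bind
#   dynamic zones -> full pathname under /var/lib/bind
# Only the one-directive-per-line style used in the sample is understood; a
# zone is treated as dynamic when it carries an allow-update directive.

# Constructed sample configuration; zone names, key name and address are
# hypothetical. The second zone deliberately breaks the convention.
sample_conf() {
    cat <<'EOF'
zone "example.test" {
    type master;
    file "/etc/bind/db.example.test";
};
zone "sub.example.test" {
    type master;
    file "db.sub.example.test";
};
zone "partner.test" {
    type slave;
    masters { 192.0.2.1; };
    file "db.partner.test";
};
zone "dyn.example.test" {
    type master;
    allow-update { key "dhcp-update"; };
    file "/var/lib/bind/db.dyn.example.test";
};
EOF
}

# audit_zone_layout: reads named.conf text on stdin and prints one line per
# zone: "<name> <type> <file> <verdict>", where verdict is "ok" or a reason.
audit_zone_layout() {
    awk '
    /^[[:space:]]*zone[[:space:]]+"/ { name = $2; gsub(/"/, "", name); type = ""; file = ""; dyn = 0 }
    /^[[:space:]]*type[[:space:]]/    { type = $2; sub(/;$/, "", type) }
    /^[[:space:]]*file[[:space:]]/    { file = $2; gsub(/[";]/, "", file) }
    /^[[:space:]]*allow-update/       { dyn = 1 }
    /^[[:space:]]*};/ && name != "" {
        verdict = "ok"
        if (dyn) {
            if (file !~ /^\/var\/lib\/bind\//)
                verdict = "dynamic zone: use a full pathname under /var/lib/bind"
        } else if (type == "master") {
            if (file !~ /^\/etc\/bind\//)
                verdict = "master zone: use a full pathname under /etc/bind"
        } else if (type == "slave") {
            if (file ~ /^\//)
                verdict = "slave zone: use a bare filename so it lands in /var/cache/bind"
        }
        print name, type, file, verdict
        name = ""
    }'
}

# check_zone_layout: same report, but exits 1 if any zone breaks the
# convention, so it can gate a configuration deploy.
check_zone_layout() {
    audit_zone_layout | awk '{ print } $4 != "ok" { bad = 1 } END { exit bad }'
}

sample_conf | audit_zone_layout
```

On a real server run it as `check_zone_layout < /etc/bind/named.conf.local`. A master zone that ends up in /var/cache/bind is the case worth catching: the authoritative data then lives in the directory named writes to, rather than among the conffiles under /etc/bind that package upgrades preserve.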