Copying an existing jail to try bind918

bind916 will be EOL in a few months (April 2024). In this post, I’m going to copy an existing jail (running bind916) and configure it to run the new bind. If all goes well, the new jail will replace the old jail. This has an added benefit of effectively renaming the old jail (toiler) to dns2 (my other dns server at home is called dns1). Given the jail runs both dhcpd and named, perhaps it needs a different name, but that is out of scope for today.

In this post:

  • FreeBSD 14.0
  • named 9.16 (source)
  • named 9.18 (destination)

Copy the jail

I don’t have to, but I like to stop the jail when copying it over.

[15:10 r730-03 dvl ~] % zfs list | grep toiler
data01/jails/toiler                           15.7G  14.0T  10.6G  /jails/toiler
[15:10 r730-03 dvl ~] % sudo service jail stop toiler
Stopping jails: toiler.
INFO: Sending oldest full snapshot data01/jails/toiler@syncoid_r730-01.int.unixathome.org_2023-02-27:22:18:26-GMT00:00 (~ 10.0 GB) to new target filesystem:
10.3GiB 0:01:48 [97.9MiB/s] [=====================================================================] 103%            
INFO: Updating new target filesystem with incremental data01/jails/toiler@syncoid_r730-01.int.unixathome.org_2023-02-27:22:18:26-GMT00:00 ... syncoid_r730-03.int.unixathome.org_2024-02-27:15:10:47-GMT00:00 (~ 6.1 GB):
6.30GiB 0:01:22 [78.3MiB/s] [=====================================================================] 102%            

Configuring the new jail

I copied the old jail.conf settings to a new clause and modified the IP addresses so they were unique.

I also disabled dhcpd within the rc.conf file before starting the jail.

After starting the jail

Now that the new jail is running, let’s stop named and install the new version:

[15:20 dns2 root /] # service named stop
Stopping named.
Waiting for PIDS: 95629.
[15:20 dns2 root /] # pkg install bind918
Updating local repository catalogue...
[dns2.int.unixathome.org] Fetching meta.conf: 100%    163 B   0.2kB/s    00:01    
[dns2.int.unixathome.org] Fetching packagesite.pkg: 100%  310 KiB 317.3kB/s    00:01    
Processing entries: 100%
local repository update completed. 1238 packages processed.
All repositories are up to date.
The following 1 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
	bind918: 9.18.24

Number of packages to be installed: 1

The process will require 17 MiB more space.
7 MiB to be downloaded.

Proceed with this action? [y/N]: y
[dns2.int.unixathome.org] [1/1] Fetching bind918-9.18.24.pkg: 100%    7 MiB   7.0MB/s    00:01    
Checking integrity... done (1 conflicting)
  - bind918-9.18.24 conflicts with bind916-9.16.48 on /usr/local/bin/dnstap-read
Checking integrity... done (0 conflicting)
Conflicts with the existing packages have been found.
One more solver iteration is needed to resolve them.
The following 3 package(s) will be affected (of 0 checked):

Installed packages to be REMOVED:
	bind916: 9.16.48

New packages to be INSTALLED:
	bind918: 9.18.24

Installed packages to be REINSTALLED:
	pkg-1.20.9_1

Number of packages to be removed: 1
Number of packages to be installed: 1
Number of packages to be reinstalled: 1

The operation will free 14 MiB.

Proceed with this action? [y/N]: y
[dns2.int.unixathome.org] [1/3] Deinstalling bind916-9.16.48...
[dns2.int.unixathome.org] [1/3] Deleting files for bind916-9.16.48: 100%
[dns2.int.unixathome.org] [2/3] Installing bind918-9.18.24...
[dns2.int.unixathome.org] [2/3] Extracting bind918-9.18.24: 100%
[dns2.int.unixathome.org] [3/3] Reinstalling pkg-1.20.9_1...
[dns2.int.unixathome.org] [3/3] Extracting pkg-1.20.9_1: 100%
You may need to manually remove /usr/local/etc/namedb/named.conf if it is no longer needed.
=====
Message from bind918-9.18.24:

--
BIND requires configuration of rndc, including a "secret"
key.  The easiest, and most secure way to configure rndc is
to run 'rndc-confgen -a' to generate the proper conf file,
with a new random key, and appropriate file permissions.

The /usr/local/etc/rc.d/named script will do that for you.

If using syslog to log the BIND9 activity, and using a
chroot'ed installation, you will need to tell syslog to install
a log socket in the BIND9 chroot by running:

  # sysrc altlog_proglist+=named

And then restarting syslogd with: service syslogd restart

Checking the logs, this seems fine:

Feb 27 15:21:06 dns2 pkg[97212]: bind916-9.16.48 deinstalled
Feb 27 15:21:07 dns2 pkg[97212]: bind918-9.18.24 installed
Feb 27 15:21:07 dns2 pkg[97212]: pkg reinstalled: 1.20.9_1 -> 1.20.9_1 
Feb 27 15:22:03 dns2 named[97322]: starting BIND 9.18.24 (Extended Support Version) 
Feb 27 15:22:03 dns2 named[97322]: running on FreeBSD amd64 14.0-RELEASE-p5 FreeBSD 14.0-RELEASE-p5 #0: Tue Feb 13 23:37:36 UTC 2024     root@amd64-builder.daemonology.net:/usr/obj/usr/src/amd64.amd64/sys/GENERIC
Feb 27 15:22:03 dns2 named[97322]: built with  '--disable-linux-caps' '--localstatedir=/var' '--sysconfdir=/usr/local/etc/namedb' '--with-dlopen=yes' '--with-libxml2' '--with-openssl=/usr' '--enable-dnsrps' '--with-readline=libedit' '--enable-dnstap' '--disable-fixed-rrset' '--disable-geoip' '--without-maxminddb' '--without-gssapi' '--with-libidn2=/usr/local' '--with-json-c' '--disable-largefile' '--with-lmdb=/usr/local' '--disable-querytrace' '--enable-tcp-fastopen' '--prefix=/usr/local' '--mandir=/usr/local/share/man' '--disable-silent-rules' '--infodir=/usr/local/share/info/' '--build=amd64-portbld-freebsd14.0' 'build_alias=amd64-portbld-freebsd14.0' 'CC=cc' 'CFLAGS=-O2 -pipe  -DLIBICONV_PLUG -fstack-protector-strong -isystem /usr/local/include -fno-strict-aliasing ' 'LDFLAGS= -L/usr/local/lib -ljson-c  -fstack-protector-strong ' 'LIBS=-L/usr/local/lib' 'CPPFLAGS=-DLIBICONV_PLUG -isystem /usr/local/include' 'CPP=cpp' 'PKG_CONFIG=pkgconf' 'PKG_CONFIG_LIBDIR=/wrkdirs/usr/ports/dns/bind918/work/.pkgconfig:/usr/local/libdata/pkgconfig:/usr/local/share/pkgconfig:/usr/libdata/pkgconfig' 'PYTHON=/usr/local/bin/python3.9' 'READLINE_CFLAGS=-L/usr/local/lib'
Feb 27 15:22:03 dns2 named[97322]: running as: named -u bind -c /usr/local/etc/namedb/named.conf
Feb 27 15:22:03 dns2 named[97322]: compiled by CLANG FreeBSD Clang 16.0.6 (https://github.com/llvm/llvm-project.git llvmorg-16.0.6-0-g7cbf1a259152)
Feb 27 15:22:03 dns2 named[97322]: compiled with OpenSSL version: OpenSSL 3.0.12 24 Oct 2023
Feb 27 15:22:03 dns2 named[97322]: linked to OpenSSL version: OpenSSL 3.0.12 24 Oct 2023
Feb 27 15:22:03 dns2 named[97322]: compiled with libuv version: 1.48.0
Feb 27 15:22:03 dns2 named[97322]: linked to libuv version: 1.48.0
Feb 27 15:22:03 dns2 named[97322]: compiled with libxml2 version: 2.11.7
Feb 27 15:22:03 dns2 named[97322]: linked to libxml2 version: 21106
Feb 27 15:22:03 dns2 named[97322]: compiled with json-c version: 0.17
Feb 27 15:22:03 dns2 named[97322]: linked to json-c version: 0.17
Feb 27 15:22:03 dns2 named[97322]: compiled with zlib version: 1.3
Feb 27 15:22:03 dns2 named[97322]: linked to zlib version: 1.3
Feb 27 15:22:03 dns2 named[97322]: ----------------------------------------------------
Feb 27 15:22:03 dns2 named[97322]: BIND 9 is maintained by Internet Systems Consortium,
Feb 27 15:22:03 dns2 named[97322]: Inc. (ISC), a non-profit 501(c)(3) public-benefit 
Feb 27 15:22:03 dns2 named[97322]: corporation.  Support and training for BIND 9 are 
Feb 27 15:22:03 dns2 named[97322]: available at https://www.isc.org/support
Feb 27 15:22:03 dns2 named[97322]: ----------------------------------------------------
Feb 27 15:22:04 dns2 named[97322]: DNSSEC algorithms: RSASHA1 NSEC3RSASHA1 RSASHA256 RSASHA512 ECDSAP256SHA256 ECDSAP384SHA384 ED25519 ED448
Feb 27 15:22:04 dns2 named[97322]: DS algorithms: SHA-1 SHA-256 SHA-384
Feb 27 15:22:04 dns2 named[97322]: HMAC algorithms: HMAC-MD5 HMAC-SHA1 HMAC-SHA224 HMAC-SHA256 HMAC-SHA384 HMAC-SHA512
Feb 27 15:22:04 dns2 named[97322]: TKEY mode 2 support (Diffie-Hellman): yes
Feb 27 15:22:04 dns2 named[97322]: TKEY mode 3 support (GSS-API): no
Feb 27 15:22:04 dns2 named[97322]: command channel listening on 127.0.0.1#953
Feb 27 15:22:04 dns2 named[97322]: command channel listening on ::1#953
[15:22 dns2 root /] # 

Well, that seems OK.

Oh wait, I need to modify the listen addresses to match the jail.conf IP addresses.

After restarting, I see things to change.

Things to change

Looking in the logs, which may be in a different location for you, I see this:

*** /var/log/named/default.log ***
27-Feb-2024 16:04:25.577 managed-keys-zone: loaded serial 2948
27-Feb-2024 16:04:25.578 zone 0.in-addr.arpa/IN: loading from master file /usr/local/etc/namedb/master/empty.db failed: file not found
27-Feb-2024 16:04:25.578 zone 0.in-addr.arpa/IN: not loaded due to errors.
27-Feb-2024 16:04:25.578 zone 118.100.in-addr.arpa/IN: loading from master file /usr/local/etc/namedb/master/empty.db failed: file not found
27-Feb-2024 16:04:25.578 zone 118.100.in-addr.arpa/IN: not loaded due to errors.
27-Feb-2024 16:04:25.578 zone 0.219.10.in-addr.arpa/IN: loaded serial 2018020100

Ahh, this is the move to primary/secondary, away from master/slave. Got it.

I modified /usr/local/etc/namedb/named.conf and changed:

  • master -> primary
  • slave -> secondary

And restarted named. All good now. Very straightforward.
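As an added example (not from the post, and not part of the bind918 port), here is a small sh pre-flight helper for that named.conf change: it rewrites the master/slave vocabulary into a copy of the config and then lists every zone file the config points at that does not exist, which is exactly the "file not found" failure in default.log above, caught before named is restarted. The sample config, the zone names and the scratch directory are constructed for the demo.

```shell
#!/bin/sh
# Added pre-flight helper for the bind916 -> bind918 named.conf change (not from
# the post): rewrite master/slave vocabulary into a copy of named.conf, then list
# every referenced zone file that is missing, the "file not found" case above.
# Assumes sed -E (GNU and BSD); all file and zone names below are constructed.

# Write a bind916-style named.conf plus two zone files under $1.
# empty.db is deliberately absent, mirroring the post's failing zones.
make_sample_conf() {
    mkdir -p "$1/master"
    : > "$1/master/example.db"
    : > "$1/master/sec.db"
    cat > "$1/named.conf" <<EOF
options { directory "$1"; listen-on { 127.0.0.1; }; };
zone "example.test" { type master; file "master/example.db"; };
zone "0.in-addr.arpa" { type master; file "$1/master/empty.db"; };
zone "sec.test" { type slave; masters { 192.0.2.1; }; file "master/sec.db"; };
EOF
}

# Rewrite deprecated keywords from $1 into $2; $1 is left untouched so the
# old config is still there if the new jail has to be rolled back.
migrate_named_conf() {
    sed -E \
        -e 's/type[[:space:]]+master;/type primary;/' \
        -e 's/type[[:space:]]+slave;/type secondary;/' \
        -e 's/masters[[:space:]]*[{]/primaries {/' \
        -e 's#/master/#/primary/#g' \
        -e 's#file "master/#file "primary/#' \
        "$1" > "$2"
}

# Print zone files referenced by $1 that do not exist; relative paths resolve against $2.
missing_zone_files() {
    sed -nE 's/.*file[[:space:]]+"([^"]+)".*/\1/p' "$1" | while read -r f; do
        case "$f" in /*) p="$f" ;; *) p="$2/$f" ;; esac
        [ -f "$p" ] || printf '%s\n' "$p"
    done
}

# Demo in a scratch directory (run as: sh preflight.sh demo); /usr/local is untouched.
demo() {
    d=$(mktemp -d) && make_sample_conf "$d"
    migrate_named_conf "$d/named.conf" "$d/named.conf.new"
    echo "missing before renaming master/ to primary/:"; missing_zone_files "$d/named.conf.new" "$d"
    mv "$d/master" "$d/primary"   # the port renamed its directory the same way
    echo "missing after the rename (only empty.db):"; missing_zone_files "$d/named.conf.new" "$d"
    rm -rf "$d"
}
case "${1:-}" in demo) demo ;; esac
```

The demo shows why the keyword rewrite alone is not enough: until the master/ directory is renamed (or the paths are pointed at the new primary/ directory), every zone file shows up as missing, and afterwards only the genuinely absent empty.db remains, as in the post's log.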

Conclusions

This went well. It’s ready for prime time.

What I did next:

  1. shutdown the old jail
  2. commented out the old jail in jail.conf
  3. shutdown the new jail
  4. adjusted the IP addresses to take over from the old jail
  5. started the new jail
  6. realized I also have to change the listen addresses in named.conf
  7. restart named
  8. profit

I’ll run this jail for a week or two, then update the dns1 jail to bind918.

EDIT: As of 2024-03-02 14:22 UTC, all my name servers were running on bind918.
