JRDN
Jason Roysdon dot Net

Building BIND 9.6 on RHEL5 / CentOS5 for DNSSEC NSEC3 support

October 16th 2009 in Linux, Networking, Security

For those of us with the need for DNSSEC NSEC3 support (required for .GOV, .ORG and others) on RHEL5 / CentOS5, official support isn't coming until RHEL6 (RH BugID 504052). For now, though, we can use the source RPM from Fedora 11 (now Fedora 12) to compile it ourselves.

Install rpmbuild and other dependencies:

yum -y install make gcc rpm-build libtool autoconf openssl-devel libcap-devel libidn-devel libxml2-devel openldap-devel postgresql-devel sqlite-devel mysql-devel krb5-devel xmlto

Download the latest F11 bind and dnssec-conf src.rpm:

cd /usr/src/redhat/SRPMS
wget -c ftp://mirrors.kernel.org/pub/fedora/updates/11/SRPMS/bind-9.6.*.src.rpm
wget -c ftp://mirrors.kernel.org/pub/fedora/updates/11/SRPMS/dnssec-conf-*.src.rpm

Update: F12 has been released with the latest bind and dnssec-conf src.rpm:

cd /usr/src/redhat/SRPMS
wget -c ftp://mirrors.kernel.org/pub/fedora/updates/12/SRPMS/bind-9.6.*.src.rpm
wget -c ftp://mirrors.kernel.org/pub/fedora/releases/12/Fedora/source/SRPMS/dnssec-conf-*.src.rpm

Now install the SRPMs (the trick here is --nomd5 to stop signature verification which will fail due to Fedora's new sha1sum version in RPM):

rpm -ivh --nomd5 bind-9.6.*.src.rpm dnssec-conf-*.src.rpm
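Because --nomd5 turns off rpm's per-file digest check while the SRPM is unpacked, the downloaded file can be checked another way before it is installed. The following is an added example, not part of the original post: it pins each SRPM to a SHA-256 hash and only then runs the install command above. The manifest name pins.sha256 and the functions verify_srpm and install_verified are hypothetical; the manifest is assumed to be one you build yourself from a trusted source, in sha256sum format.

```shell
#!/bin/bash
# Added example (not from the original post): refuse to install any SRPM
# whose SHA-256 is not pinned in a manifest you control.
# Assumption: the manifest uses sha256sum format, "<hex hash>  <filename>".

# verify_srpm FILE MANIFEST
# Returns 0 if FILE matches its pinned hash, 1 on mismatch, 2 if unpinned.
verify_srpm() {
    local file="$1" manifest="$2" name want got
    name=$(basename "$file")
    # Exact filename comparison (no regex), tolerating sha256sum's
    # binary-mode "*" prefix on the filename field.
    want=$(awk -v n="$name" \
        '{ f = $2; sub(/^\*/, "", f) } f == n { print $1; exit }' "$manifest")
    if [ -z "$want" ]; then
        echo "REFUSE $name: no pinned hash" >&2
        return 2
    fi
    got=$(sha256sum "$file" | awk '{ print $1 }')
    if [ "$got" != "$want" ]; then
        echo "REFUSE $name: hash mismatch" >&2
        return 1
    fi
    echo "OK $name"
}

# install_verified MANIFEST FILE...
# Installs the SRPMs with --nomd5 only if every one of them verifies.
install_verified() {
    local manifest="$1" f
    shift
    for f in "$@"; do
        verify_srpm "$f" "$manifest" || return 1
    done
    rpm -ivh --nomd5 "$@"
}

# Usage, with the paths used in this post:
#   cd /usr/src/redhat/SRPMS
#   install_verified pins.sha256 bind-9.6.*.src.rpm dnssec-conf-*.src.rpm
```

A single unpinned or mismatching file stops the whole install, so a partially verified set is never unpacked into /usr/src/redhat.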

Build the RPMs:

cd /usr/src/redhat/SPECS
rpmbuild -ba ./bind.spec

The built bind RPM is now in /usr/src/redhat/RPMS/i386/ or /usr/src/redhat/RPMS/x86_64/ depending on your Arch.

rpmbuild -ba ./dnssec-conf.spec

The built dnssec-conf RPM is now in /usr/src/redhat/RPMS/noarch/

To install bind and dnssec-conf, you need curl and python-dns (requires EPEL):

yum -y install curl python-dns

Then:

cd /usr/src/redhat/RPMS/*86*
rpm -Uvh bind-9.6.*.rpm bind-chroot-9.6.*.rpm bind-utils-9.6.*.rpm bind-libs-9.6.*.rpm ../noarch/dnssec-conf-1.21-*.noarch.rpm

A newer dnssec-conf is available via EPEL that is more up to date (ITAR, etc.) than the current F11 SRPM (F12 is current), so update it from there if this is allowed by your policy:

yum -y update dnssec-conf

Now you need to subscribe to Fedora bind updates so you can repeat as bug fixes are released. (I've written a detailed post describing how to do this).

--
Update Jun 1, 2010: RedHat has published a BIND 9.7 tech preview for RHEL5.6 per my request:
http://people.redhat.com/atkac/bind/5.6-test/.


7 comments to...
“Building BIND 9.6 on RHEL5 / CentOS5 for DNSSEC NSEC3 support”
vlader

That's not needed:

> rpm -ivh --nomd5 bind-9.6.*.src.rpm dnssec-conf-*.src.rpm
> cd /usr/src/redhat/SPECS
> rpmbuild -ba ./bind.spec
> rpmbuild -ba ./dnssec-conf.spec

Just do:

rpmbuild --rebuild package_name.src.rpm

I downloaded dnssec-conf.src.rpm with correct MD5 sum from here:

http://centos.alt.ru/pub/dnssec-conf/RHEL/SRPMS/dnssec-conf-1.21-2.el5.src.rpm


Jason

@vlader: This does not work as the MD5 sum will fail as RPM changed in Fedora:
rpmbuild --rebuild bind-9.6.1-6.P1.fc11.src.rpm
Installing bind-9.6.1-6.P1.fc11.src.rpm
warning: InstallSourcePackage: Header V3 RSA/SHA256 signature: NOKEY, key ID d22e77f2
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
error: unpacking of archive failed on file /usr/src/redhat/SOURCES/Copyright.caching-nameserver;4b0c31f4: cpio: MD5 sum mismatch
error: bind-9.6.1-6.P1.fc11.src.rpm cannot be installed


Ville Kummu

This didn't work for me. I have a CentOS 5.3 x86_64 and I copy-pasted the instructions to my box and it fails during BIND rpm compilation. Any ideas?

...
/bin/sh /usr/src/redhat/BUILD/bind-9.6.1-P1/libtool --mode=compile gcc -I/usr/src/redhat/BUILD/bind-9.6.1-P1 -I./include -I./../pthreads/include -I../include -I./../include -I./.. -D_REENTRANT -DDIG_SIGCHASE -D_GNU_SOURCE -O2 -g -m64 -mtune=generic -I/usr/include/libxml2 -W -Wall -Wmissing-prototypes -Wcast-qual -Wwrite-strings -Wformat -Wpointer-arith -fno-strict-aliasing -c stdio.c
gcc -I/usr/src/redhat/BUILD/bind-9.6.1-P1 -I./include -I./../pthreads/include -I../include -I./../include -I./.. -D_REENTRANT -DDIG_SIGCHASE -D_GNU_SOURCE -O2 -g -m64 -mtune=generic -I/usr/include/libxml2 -W -Wall -Wmissing-prototypes -Wcast-qual -Wwrite-strings -Wformat -Wpointer-arith -fno-strict-aliasing -c stdio.c -fPIC -DPIC -o .libs/stdio.o
stdio.c: In function 'isc_stdio_fgetc':
stdio.c:126: warning: passing argument 1 of 'fgets' from incompatible pointer type
stdio.c:126: error: too few arguments to function 'fgets'
make[3]: *** [stdio.lo] Error 1
make[3]: Leaving directory `/usr/src/redhat/BUILD/bind-9.6.1-P1/lib/isc/unix'
make[2]: *** [subdirs] Error 1
make[2]: Leaving directory `/usr/src/redhat/BUILD/bind-9.6.1-P1/lib/isc'
make[1]: *** [subdirs] Error 1
make[1]: Leaving directory `/usr/src/redhat/BUILD/bind-9.6.1-P1/lib'
make: *** [subdirs] Error 1
error: Bad exit status from /var/tmp/rpm-tmp.24891 (%build)

RPM build errors:
Bad exit status from /var/tmp/rpm-tmp.24891 (%build)


Jason

@Ville Kummu: Tested this via a fresh VirtualBox CentOS 5.4 x86_64 install using bind-9.6.1-6.P1.fc11.src.rpm. No problems. I suggest doing a 'yum update' (to bring you up to CentOS5.4) and trying again.


Ville Kummu

Hi Jason! I updated to CentOS 5.4 and rebooted, tried again but with the same result. I also tested the new fc12 sources by removing the old ones and starting from scratch. No help. I will try on another host tomorrow.


[...] middle-ground is to use Fedora SRPMs on CentOS. I’ve already detailed how to do that in the last link, but now I’m going to detail how [...]


P Hess

As a followup to Ville Kummu:
Check your config.log output for clues as to what went wrong during the configure stage. In my case, it was unable to find libxml2.so due to a missing "-devel" RPM. I found that because there were warnings when the configure script was checking for "getc_unlocked" and "flockfile". As a matter of fact, the error showed up during most, or all?, of the checks for functionality.



