7.3.2. Configuring BIND and DNS

Most of the instructions in this guide reference the domain name that is used to configure the sample OpenShift Enterprise installation. Configure the $domain environment variable to simplify the process with the following command, replacing example.com with the domain name to suit your environment:
# domain=example.com
Configure the $keyfile environment variable so that it contains the file name for a new DNSSEC key for your domain, which is created in the subsequent step:
# keyfile=/var/named/$domain.key
Use the dnssec-keygen tool to generate the new DNSSEC key for the domain. Run the following commands to delete any old keys and generate a new key:
# rm -vf /var/named/K$domain*
# pushd /var/named
# dnssec-keygen -a HMAC-SHA256 -b 256 -n USER -r /dev/urandom $domain
# KEY="$(grep Key: K$domain*.private | cut -d ' ' -f 2)"
# popd


The $KEY environment variable has been set to hold the newly-generated key. This key is used in a later step.
Enabling Communication Between the Broker and BIND

Ensure that a key exists so that the broker can communicate with BIND. Use the rndc-confgen command to generate the appropriate configuration files for rndc, which is the tool that the broker uses to perform this communication:

# rndc-confgen -a -r /dev/urandom
Configuring Ownership, Permissions, and SELinux Context

Ensure that the ownership, permissions, and SELinux context are set appropriately for this new key:

# restorecon -v /etc/rndc.* /etc/named.*
# chown -v root:named /etc/rndc.key
# chmod -v 640 /etc/rndc.key Configuring Sub-Domain Host Name Resolution

Configure BIND to resolve host names under the domain used for your OpenShift Enterprise installation. To achieve this, create a database for the domain. The dns-nsupdate plug-in includes an example database, used in this example as a template.

Procedure 7.4. To Configure Sub-Domain Host Name Resolution:

  1. Delete and create the /var/named/dynamic directory:
    # rm -rvf /var/named/dynamic
    # mkdir -vp /var/named/dynamic
  2. Create an initial named database in a new file called /var/named/dynamic/$domain.db, replacing domain with your chosen domain. If the shell syntax is unfamiliar, see the BASH documentation at http://www.gnu.org/software/bash/manual/bashref.html#Here-Documents.
    # cat <<EOF > /var/named/dynamic/${domain}.db
    \$ORIGIN .
    \$TTL 1	; 1 seconds (for testing only)
    ${domain}               IN SOA  ns1.${domain}. hostmaster.${domain}. (
                                    2011112904 ; serial
                                    60         ; refresh (1 minute)
                                    15         ; retry (15 seconds)
                                    1800       ; expire (30 minutes)
                                    10         ; minimum (10 seconds)
                            NS      ns1.${domain}.
                            MX      10 mail.${domain}.
    \$ORIGIN ${domain}.
    ns1                     A

Procedure 7.5. To Install the DNSSEC Key for a Domain:

  1. Create the file /var/named/$domain.key, where domain is your chosen domain:
    # cat <<EOF > /var/named/$domain.key
    key $domain {
      algorithm HMAC-SHA256;
      secret "${KEY}";
  2. Set the permissions and SELinux context to the correct values:
    # chgrp named -R /var/named
    # chown named -R /var/named/dynamic
    # restorecon -rv /var/named
This configuration also requires a new /etc/named.conf file.

Procedure 7.6. To Configure a New /etc/named.conf File:

  1. Create the required file:
    # cat <<EOF > /etc/named.conf
    // named.conf
    // Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
    // server as a caching only nameserver (as a localhost DNS resolver only).
    // See /usr/share/doc/bind*/sample/ for example named configuration files.
    options {
      listen-on port 53 { any; };
      directory 	"/var/named";
      dump-file 	"/var/named/data/cache_dump.db";
            statistics-file "/var/named/data/named_stats.txt";
            memstatistics-file "/var/named/data/named_mem_stats.txt";
      allow-query     { any; };
      recursion no;
      /* Path to ISC DLV key */
      bindkeys-file "/etc/named.iscdlv.key";
    logging {
            channel default_debug {
                    file "data/named.run";
                    severity dynamic;
    // use the default rndc key
    include "/etc/rndc.key";
    controls {
      inet port 953
      allow {; } keys { "rndc-key"; };
    include "/etc/named.rfc1912.zones";
    include "$domain.key";
    zone "$domain" IN {
      type master;
      file "dynamic/$domain.db";
      allow-update { key $domain ; } ;
  2. Set the permissions and SELinux context to the correct values:
    # chown -v root:named /etc/named.conf
    # restorecon /etc/named.conf