Freeware BIND/iX for HP e3000 MPE

1. What's New
2. Welcome
3. System Requirements
4. What is BIND and why should I care?
5. How to Obtain BIND/iX
6. The New bixby.org Freeware Distribution Architecture
7. Distribution Highlights
8. How to Compile BIND
9. How to Run BIND
10. MPE/iX Implementation Considerations
11. Known Bugs Under Investigation
12. To-Do List
13. Change History

---

What's New

• June 9, 2001
• Upgraded to the official 8.2.4 production release which compiles straight out of the box on MPE. This release includes various minor bug fixes and portability improvements.
• This release also includes fixes to the MPE-specific portion that are relevant if you are running the NAMED daemon and hosting slave zones. This bug was detected by using similar code in another port -- MPE BIND testing and real-life MPE BIND usage never uncovered this bug.
• February 4, 2001
• Upgraded to the official 8.2.3 production release which plugs a number of security holes (//cert.org/advisories/CA-2001-02.html). While these security holes are quite serious on Unix platforms, they are less serious on MPE and most likely will only result in denial-of-service attacks against the NAMED server daemon if the daemon is exposed to the Internet.
• The minor modifications required to get 8.2.3 running on MPE will be submitted back to the official BIND developers for inclusion into a subsequent release of BIND.
• For improved MPE security, freeware BIND/iX JNAMED runs as the non-PM user SERVER.BINDFW.
• A new bixby.org freeware distribution architecture makes its debut with BIND/iX 8.2.3. Even if you don't care about BIND, you should still read the details on this web page because this new architecture will be used for future distributions of other bixby.org software and perhaps also for HP CSY Internet & Interoperability products.
• This release now installs into the BINDFW account in order to not conflict with the HP-supplied software in the BIND account.
• November 15, 1999
• Upgraded to the official 8.2.2-P5 production release which compiles "straight out of the box" on MPE. This version addresses the following issues:
• Bug in named-xfer (from patchlevel 4).
• Portability to IPv6 versions of FreeBSD, OpenBSD, NetBSD.
• Portability improvements (A/UX, AIX, IRIX, NetBSD, SCO, MPE/IX, NT).
• "also-notify" option could cause memory allocation errors.
• IXFR improvements (though client-side is still disabled).
• Contributed software upgraded (including TIS's "dns_signer").
• Several latent denial-of-service bugs fixed (from audits, not abuse).
• New "make noesw" top-level target for removing encumbered components.
• November 11, 1999
• Upgraded to the official 8.2.2p3 production release (plus Patch 4) which compiles "straight out of the box" on MPE. This version fixes the vulnerabilities documented in CERT Advisory CA-99-14.
• The sample configuration files in /BIND/PUB/etc have all been renamed to xxx-sample in order to avoid stomping on existing files if you're upgrading from a previous release of BIND/iX.
• Man pages are now supplied in /BIND/PUB/man. You'll need to add /BIND/PUB/man to the MANPATH environment variable if you want the man command to be able to find the BIND/iX man pages.
• The INSTALL script has been enhanced to work around a number of tar bugs that could complicate upgrading a previous version of BIND/iX..

---

Welcome

I did this port because it is the foundation for other important packages such as sendmail.

Please send your comments, questions, and bug reports directly to me, Mark Bixby, by e-mailing to mark@bixby.org. Or just post them to HP3000-L.

The platform I'm using to do this port is an HP 3000 957RX running MPE/iX 6.0 and using the GNU gcc C compiler.

I would like to extend my sincere thanks to HP CSY for providing me with the resources and encouragement to do this port.

Please note that HP now bundles BIND/iX with MPE/iX 6.0 or later. The version of BIND/iX currently shipping with MPE/iX 6.0 is 8.1.1. HP provides official support for the bundled version of BIND/iX only and will properly disavow any knowledge of the unsupported freeware version you're reading about on this web page.

---

System Requirements

• Requires MPE/iX 5.5 or later.
• Requires Syslog/iX (or the Syslog/iX that comes bundled with MPE/iX 6.0 or later).

---

What is BIND and why should I care?

Prior to BIND/iX, an HP e3000 shop had to rely on some other machine to host their organization DNS information. Now you can host it locally on your HP e3000.

BIND/iX was intially ported from BIND 8.1 released in May 1997.

---

How to Obtain BIND/iX

1. Obtain and install Syslog/iX if you haven't already done so, or use the Syslog/iX that comes bundled with MPE/iX 6.0 or later..
2. Download BIND using either FTP.ARPA.SYS or some other client
3. Extract the installation script
4. Edit the installation script
5. Run the installation script

Download BIND using FTP.ARPA.SYS from your HP e3000 (the preferred method).....

:HELLO MANAGER.SYS
:XEQ FTP.ARPA.SYS
open ftp.bixby.org
anonymous
your@email.address
bytestream
cd /pub/mpe
get bind-8.2.3-mpe.tar.Z /tmp/bind.tar.Z
exit

.....Or download using some other generic web or ftp client (the alternate method)

• BIND from bind-8.2.3-mpe.tar.Z or bind-8.2.4-mpe.tar.Z

• /tmp/bind.tar.Z

Then extract the installation script (after both download methods)

:CHDIR /tmp
:XEQ TAR.HPBIN.SYS 'xvfopz /tmp/bind.tar.Z INSTALL'

Edit the installation script

:XEQ VI.HPBIN.SYS /tmp/INSTALL

Run the installation script

:XEQ SH.HPBIN.SYS /tmp/INSTALL

---

The New bixby.org Freeware Distribution Architecture

The Old Scheme

Users would need to customize various files such as job streams and configuration files residing in the same directories as unmodified bixby.org files. Segregating your own local modifications was sometimes difficult.

New releases would overlay the files from previous releases. If you had a problem and wanted to revert back to the previous version of the software, you would have to restore the entire account.

The New Scheme

The installation script will create a current version symlink named CURRENT that points to the active version-specific group, i.e.:

   cd /ACCOUNT
   ln -s Vvvuuffp CURRENT

   cd /ACCOUNT/PUB
   ln -s ../CURRENT/bin bin

The installation script is conservative when creating symlinks. If the intended name already exists as a symlink, the old symlink is removed, and the new symlink is created. If the intended name already exists as a non-symlink, the old object is renamed with a .bak extension, and the new symlink is created.

Finally, the installation script will create various files and directories below the PUB group that are intended for user customization. You should only modify or add files below the PUB group, and NEVER below the version-specific group! The version-specific group is intended to contain only unmodified files and directories as distributed by bixby.org. The PUB group is the proper place for user-customizations.

If you are performing an upgrade, the previous version-specific group IS NOT PURGED. If you encounter problems with the new version and want to backdate, simply purge the CURRENT symlink and recreate it so that it points to the previous version-specific group. If you are satisified with the new version, you will want to manually do a :PURGEGROUP on the previous version-specific group to remove it from your machine.

Key Benefits of the New Scheme

• Multiple versions can exist on the same machine in the same account, allowing for worry-free upgrading and backdating.
• User-customized data is kept segregated in the PUB group away from the bixby.org data in the version-specific group.

---

Distribution Highlights

/BINDFW/

The MPE account for the freeware version of BIND/iX.

CURRENT/

Symlink pointing to the V0802040/ version-specific group.

PUB/

MPE group containing user-customizable stuff.

NAMED

Symlink to ../CURRENT/NAMED.

bin/

Symlink to ../CURRENT/bin/.

etc/

Directory to contain your customized configuration and zone files.

include/

Symlink to ../CURRENT/include/.

lib/

Symlink to ../CURRENT/lib/.

man/

Symlink to ../CURRENT/man/.

public_html/

Symlink to ../CURRENT/doc/html/. If you have Apache running and configured to allow user directories and symlinks, you can access this documentation by browsing to //your.host.name/~MGR.BINDFW/.

sbin/

Symlink to ../CURRENT/sbin/.

V0802040/

V0802030/

MPE group containing files and directories distributed by bixby.org. DO NOT MODIFY ANYTHING IN THIS DIRECTORY TREE!

INSTALL

the one-time installation script you ran above

JNAMED.sample

Sample job stream for starting the NAMED server daemon.

NAMED

The server binary linked with CAP=PM.

README

what you're reading now

bin/

User clients such as nslookup, etc.

contrib/

Contributed odds and ends. Completely untried on MPE.

doc/

Massive quantities of documentation. Some current, some outdated.

html/

Current documentation about the new config file format.

man/

Current man page source files.

etc/

Sample configuration and zone files. You must copy these to /BINDFW/PUB/etc and perform various customizations.

named.conf-sample

The main configuration file. You *MUST* copy this to /BINDFW/PUB/etc/named.conf and then edit before running the server.

zone.*-sample

Various zone files. You *MUST* copy these files to /BINDFW/PUB/etc and then edit before running the server.

include/

Compile-time header files required if you're calling the BIND resolver library. Specify -I/BINDFW/PUB/include on your compiles.

lib/

The BIND resolver library. Specify -L/BINDFW/PUB/lib -lbind on your compiles.

man/

Man page documentation, suitable for adding to your MANPATH environment variable via /BINDFW/PUB/man.

mpebin/

Various scripts used to build BIND/iX from source on MPE.

sbin/

"System" binaries. Ignore the named that lives here. The named-xfer that lives here is the right one.

src-mpe/

Source tree.

---

How to Compile BIND

1. :HELLO MGR.BINDFW,V0802030
2. :XEQ SH.HPBIN.SYS -L
3. cd /BINDFW/CURRENT/src-mpe
4. make depend
5. take a short coffee break
6. make
7. take a long coffee break
8. make install
9. Execute /BINDFW/CURRENT/mpebin/relink to move /BINDFW/CURRENT/sbin/named to /BINDFW/CURRENT/NAMED and relink with CAP=PM.

---

How to Run BIND

1. :STREAM JSYSLOGD.PUB.SYSLOG
2. Copy /BINDFW/CURRENT/etc/*-sample to /BINDFW/PUB/etc and customize for your own environment.
3. Copy /BINDFW/CURRENT/JNAMED.sample to /BINDFW/PUB/JNAMED and customize for your own environment.
4. Add your server's IP address as the first nameserver entry in /etc/resolv.conf for all MPE and HPUX hosts that you wish to use this server for resolution queries. On MPE hosts, make sure that /etc/resolv.conf is actually a symlink pointing to the real data at RESLVCNF.NET.SYS. Also modify any PC and/or Mac DNS configurations.
5. :STREAM JNAMED.PUB.BINDFW
6. Stop BIND either by :ABORTJOB or "/BINDFW/PUB/sbin/ndc -p /BINDFW/PUB/etc/named.pid stop".

---

MPE/iX Implementation Considerations

• BIND/UX must be run as root to bind to ports 53. BIND/iX must call GETPRIVMODE() to bind to port 53, and thus requires PM capability on NAMED.
• The IRS library functions to manipulate /etc/passwd and /etc/group are unavailable because MPE lacks /etc/passwd and /etc/group.
• The NAMED -u and -g options to change the user and group identity that NAMED runs as are not supported on MPE. Edit JNAMED and alter the JOB statement instead.
• The NAMED -t option is not functional on MPE because MPE lacks chroot().

---

Known Bugs Under Investigation

• None.

---

To-Do List

• Port BIND9 to MPE.

---

Change History

• November 11, 1999
• Upgraded to the official 8.2.2p3 production release (plus Patch 4) which compiles "straight out of the box" on MPE. This version fixes the vulnerabilities documented in CERT Advisory CA-99-14.
• The sample configuration files in /BIND/PUB/etc have all been renamed to xxx-sample in order to avoid stomping on existing files if you're upgrading from a previous release of BIND/iX.
• Man pages are now supplied in /BIND/PUB/man. You'll need to add /BIND/PUB/man to the MANPATH environment variable if you want the man command to be able to find the BIND/iX man pages.
• The INSTALL script has been enhanced to work around a number of tar bugs that could complicate upgrading a previous version of BIND/iX.
• September 17, 1999
• Migrated from cccd.edu to bixby.org.
• July 1, 1999
• Upgraded to the official 8.2.1 production release which compiles "straight out of the box" on MPE. Please note that I never released the 8.2 version due to a number of serious non-MPE bugs. A summary of the changes since 8.1.2 from src/README:
• SECURITY NOTE:
• Solaris and other pre-4.4BSD kernels do not respect ownership or protections on UNIX-domain sockets. This means that the default path for the NDC control socket (/BIND/PUB/etc/ndc) is such that any user (root or other) on such systems can issue any NDC command except "start" and "restart". The short term fix for this is to override the default path and put such control sockets into root- owned directories which do not permit non-root to r/w/x through them. The medium term fix is for BIND to enforce this requirement internally. The long term fix is for all kernels to upgrade to 4.4BSD semantics.
• BIND 8.2.1 Highlights
• Bug fixes, especially to DNSSEC, TSIG, IXFR, and selective forwarding.
• Portability improvements and lint removal.
• Use best SOA rather than first-better when selecting an AXFR master.
• $TTL now accepts symbolic time values (such as "$TTL 1h30m").
• "ndc reload" now accepts a zone argument, for single-zone reloads.
• ndc is better behaved; is verbose or quiet when appropriate.
• event and error reporting improvements.
• BIND 8.2 Highlights
• RFC 2308 (Negative Caching)
• RFC 2181 (DNS Clarifications)
• RFC 2065 (DNS Security)
• TSIG (Transaction SIGnatures)
• support for multiple virtual name servers
• NDC uses a "control channel" now (no more signals)
• "Split DNS" via zone type "forward".
• Many bug fixes
• Documentation improvements
• Performance enhancements
• Tar is now used instead of MOVER to package the BIND/iX distribution. DEATH TO MOVER IN ALL OF ITS EVIL INCARNATIONS!!!
• May 14, 1998
• Upgraded to the official 8.1.2 production release which includes the MPE port and thus will compile "straight out of the box" on MPE.
• April 9, 1998
• Upgraded to 8.1.2-T3B. While this is technically a beta release, it is a production candidate, and I've been running 8.1.2 internally for a couple of months now without any problems. This release fixes a number of security bugs, so if you're running something earlier, you want to install 8.1.2-T3B (or else wait a week or two for the production release of 8.1.2).
• The MPE port has finally been incorporated into the official BIND source distribution. 8.1.2-T3B will compile "straight out of the box" on MPE.
• March 23, 1998
• Minor web page typo corrected for /etc/resolv.conf.
• March 12, 1998
• Fixed a bug in the INSTALL script where it was unconditionally using /TELESUP/PRVXL/MOVER to extract the archive. Now INSTALL will first try to use /tmp/mover55, and if that doesn't exist as an executable, then /TELESUP/PRVXL/MOVER will be used.
• HP announces support for BIND DNS/iX; beta testers wanted. See below.
• March 8, 1998
• Repackaged the distribution using my new standard installer script.
• January 8, 1998
• The previous release accidently contained an older version of BIND. This new fixer release contains the latest & greatest BIND 8.1.1.
• December 31, 1997
• Cleaned up various files in port/mpe/include to reflect compiling with a newer, cleaner GNU environment.
• Now compiled with -O instead of -g, resulting in much smaller binaries.
• Added files to /BIND/PUB/include to permit compiling external programs such as sendmail against -I/BIND/PUB/include and then linking with -L/BIND/PUB/lib -lbind.
• October 3, 1997
• Updated the BIND/iX home page gcc compiler link to point to the Interex Freeware tape. Added the System Requirements section.
• June 27, 1997
• Updated to the 8.1.1-REL production release which includes various fixes and enhancements. A particularly evil security bug has been fixed which will prevent malicious sites from corrupting your cache with bogus entries.
• An MPE-only workaround has been implemented in res_send() so that connect()-ing to a datagram socket (which is not supported by MPE) is no longer attempted.
• Dynamic Update has been tested and works if an external machine is trying to update BIND/iX; see Known Bugs.
• MPE's recvfrom() still returns 127.0.0.1 for packets received from the local host; see the Known Bugs section below for a long explanation of the ramifications. Despite this issue, BIND/iX should be usable in a production environment as long as you follow good DNS practices by always mirroring your data to one or more secondary name servers.
• June 12, 1997
• Updated to the 8.1.1-T2B public beta release which includes various fixes and enhancements. No new MPE-only changes.
• The MPE diffs have been submitted to the BIND developers, but there wasn't time to include them in the official T2B source distribution.
• June 6, 1997
• Updated to 8.1.1-T1A (a set of patches only made available to official bind-workers and applied on top of the 8.1 general public release). For details see src-mpe/CHANGES. Includes a fixed bin/dnsquery, new configuration options, bin/ndc relocated to sbin/ndc, and various bug fixes.
• Compiles with no integer pointer cast warnings.
• May 28, 1997
• Internal "#ifdef MPE" source cleanup.
• Wrote an mpe_bind() stub that zeros out the IP address and calls GETPRIVMODE()/GETUSERMODE() if the port is less than 1024.
• Fixed a problem in the lib/irs routines (i.e. gethostbyname() etc.) that prevented fall-back to flat files (/etc/hosts etc.) if DNS is unable to locate the requested information. The MPE port code was doing a global "#define fcntl sfcntl" because sockets require sfcntl(). The stuff in lib/irs needs to fcntl() against flat files, so I had to "#undef fcntl" for lib/irs only. DIE, sfcntl(), DIE!
• May 23, 1997
• Initial public release. Use at your own risk!
• April 1997
• Porting begins.