Re: Bind 9.3 rndc?

From: Doug Barton <DougB_at_FreeBSD.org>
Date: Sat, 22 Jan 2005 17:43:28 -0800 (PST)
On Wed, 19 Jan 2005 nikolay.nenchev_at_rbb-sofia.raiffeisen.at wrote:

> Hi,
> have installed FreeBSD 5.3 with Bind integrated in it. named is running in
> chroot, with user bind, so every file in /etc/namedb is owned by
> bind:wheel, exept rndc.key. (i have also rndc.conf with owner bind)

With the new structure for BIND in FreeBSD 5.3 and later, you don't need 
rndc.conf, and in fact, you probably shouldn't have one unless you have 
a super-compelling need. The rndc.key file is all you need for basic 
operation, and the rc.d/named file will create it for you.

> and it is impossible to start make rndc reload. if i change owner on
> rndc.key it is working but is it a security issue, user who is running
> named (bind) to have acceess to rndc.key.

Someone else already pointed out that it's necessary to have the 
rndc.key file owned by the same user as named, and it's not really a 
security threat.

> A another thing, if i make " sudo named stop/start" the own of my master
> folder is change to root:wheel (before bind:wheel)?

That's because the rc.d script runs mtree to make sure that the 
permissions are correct on the files in /var/named. This is actualy one 
area where the security issues are relevant, in the sense that if an 
attacker compromises the named user you don't want them to be able to 
alter your master zone files.

Hope this helps,

Doug

-- 

     This .signature sanitized for your protection
Received on Sun Jan 23 2005 - 00:43:30 UTC

This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:38:26 UTC