Re: New BIND 9 chroot directories

From: Charles Swiger <cswiger_at_mac.com>
Date: Tue, 5 Oct 2004 02:31:11 -0400
On Oct 5, 2004, at 1:53 AM, Doug Barton wrote:
> On Mon, 4 Oct 2004, Charles Swiger wrote:
[ ... ]
> Please also keep in mind that I actually USED this configuration in 
> production on hundreds of name servers on a production enterprise 
> network for years with a variety of different kinds of name servers, 
> including authoritative, caching, forwarding, etc.

You bet.  It's worth noting that you've got a config that's heavily 
used in production.  That makes it a good candidate for FreeBSD's 
default values, as well as making you a good candidate to maintain 
named for FreeBSD.

> All that said, the defaults are just the defaults. The thing that 
> people really need to keep in mind is that if you want to change it, 
> you can.

Yes.

>> named_enable="YES"
>> named_flags="-u bind -g bind -c /etc/named.conf"
>>
>> ...in /etc/rc.conf and then do whatever you like under /var/named.
>
> Um, no. First off, the -g option never did what people thought it did, 
> and now does something entirely different in BIND 9.

The options I use now work fine under BIND 8, so it's unfortunate that 
somebody changed the meaning of that option, but the issue is probably 
moot now.

[ FWIW, I thought the -g flag controlled the group of the zone files 
created by a slave xfer, which is probably not significant in terms of 
security.  On the other hand, I always have a group associated with any 
user (that seems BSD convention now), and I don't see any harm in the 
notion. ]

> Also, if your config file is /etc/namedb/named.conf, it's pointless to 
> specify it in named_flags, as that is the compiled in default.

True.  /etc/named.conf is the location mentioned in the O'Reilly DNS & 
BIND books, and is a commonly used default location on other current 
systems today when not running chroot()ed, but I am quite happy to 
leave the layout of the chroot()ed config location of named.conf up to 
your judgement.  :-)

>> I suppose the situation could be improved by having some shell script 
>> which converts pre-chrooted named configs (at least the prior default 
>> config from 4.x) into the new layout, perhaps by creating symlinks 
>> from the current locations into the chroot tree under /var/named.
>
> If anyone wants to come up with something like that, I'm all ears, 
> however my guess is that the variety of input is so varied that such 
> an undertaking would be pointless.

You may be right.  One could turn the set of instructions in the 
20040928 UPDATING entry into a shell script, but it's probably safer to 
perform a manual series in order to note any errors or changes in path 
locations made by per-user customizations anyway.

-- 
-Chuck
Received on Tue Oct 05 2004 - 04:31:14 UTC

This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:38:15 UTC