Alex Goncharov wrote: > There is no question about it: I think I've done adequate reading and > will likely take a look at the Guide again, to see if this situation > and your resolution are described there. By my recollection, it is > not (BIND FAQ discusses permissions for `sl' -- the slave directory, > but this is not the same as "master".) Do you think it is? Forget the FAQ. You should read the ARM (Administrator Reference Manual), especially the section on dynamic updates. Of course bind must be able to write to the "slave" and "dynamic" directory, so it is able to store slave zones and dynamic updates. There is no reason that bind needs write access to static master zone files, because, well, they're static. > Now, how does the argument that master zones should not be dynamically > updatable, and `bind' must not have write permissions over the > directory keeping the master zone files -- how does this live with > your resolution to my problem? I am quite happy to accept it (if down > the road nothing is going to "chown root dynamic") but I don't see > much sense in doing this trick -- my master zone files are as > vulnerable now as if they lived under `master' and the conceptual > structure of the system seems worse to me: after all, what now lives > under `dynamic' is a "master" zone (marked as such in `named.conf'). Yes, of course, there are static master zones and dynamic master zones. They all are really master zones, the only difference is that the dynamic ones have been enabled for dynamic updates. This is often used for dynamic clients in internal networks or VPNs. The static zones live in the "master" directory, and the dynamic ones live in the "dynamic" directory. Some people advise against serving both static (public) and dynamic (internal) master zones from the same server. That's precisely for the security reason you mentioned: If an external attacker could gain access to your named via an exploit, he could manipulate your dynamic zones (though not your static ones if permissions are configured correctly). Therefore it might be a good idea to serve static and dynamic zones from different named instances in separate jails that are bound to appropriate (public vs. internal) IP addresses. Best regards Oliver -- Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing b. M. Handelsregister: Registergericht Muenchen, HRA 74606, Geschäftsfuehrung: secnetix Verwaltungsgesellsch. mbH, Handelsregister: Registergericht Mün- chen, HRB 125758, Geschäftsführer: Maik Bachmann, Olaf Erb, Ralf Gebhart FreeBSD-Dienstleistungen, -Produkte und mehr: http://www.secnetix.de/bsd "Whatever happened to the days when hacking started at the cerebral cortex, and not at the keyboard?" -- Sid on userfriendly.org by Illiad, 2007-06-20Received on Mon Sep 01 2008 - 15:17:34 UTC
This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:39:34 UTC