Alex Goncharov wrote:

> Now, how does the argument that master zones should not be dynamically
> updatable, and `bind' must not have write permissions over the
> directory keeping the master zone files -- how does this live with
> your resolution to my problem?

The distinction between namedb/master and namedb/dynamic is somewhat artificial, and if I had it to do over from the beginning I would rename "master" to "static." However the master directory has been there since basically day 1, and I added the dynamic directory after severely tightening down the permissions in the etc/namedb directory when moving to the chroot defaults.

Thus the confusion you are experiencing is related to the fact that zones which are dynamically updated are "master" zones, but because the bind user needs to write to them in our directory structure they need to live in etc/namedb/dynamic.

As someone else pointed out drawing this distinction is a good thing, since you want the bind user to have write access to as little as possible for security reasons.

> my master zone files are as vulnerable now as if they lived under `master'

Yes, because you were previously chowning the master directory. If you have an environment where you have a mixture of static master zones and dynamic master zones the distinction is meaningful.

hope this helps,

Doug

--
This .signature sanitized for your protection

Received on Mon Sep 01 2008 - 17:49:56 UTC
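An added example, not part of the original message: a small audit that reads a named.conf and flags master zones whose file location does not match the static/dynamic split described above. The zone names, key name and sample configuration are constructed, file paths are assumed to be relative to etc/namedb, and the parser assumes no braces inside comments or strings.

```python
import re

# Constructed sample named.conf fragment (not from the original post).
SAMPLE_CONF = '''
options { directory "/etc/namedb"; };
zone "static.example" { type master; file "master/static.example.db"; };
zone "dyn.example" {
    type master;
    file "dynamic/dyn.example.db";
    allow-update { key "ddns-key"; };
};
zone "misplaced.example" {
    type master;
    file "master/misplaced.example.db";
    update-policy { grant ddns-key zonesub ANY; };
};
zone "open.example" { type master; file "dynamic/open.example.db"; allow-update { none; }; };
'''

def zone_blocks(conf):
    """Yield (zone name, body) for each zone statement, matching nested braces."""
    for m in re.finditer(r'\bzone\s+"([^"]+)"[^{;]*\{', conf):
        depth, i = 1, m.end()
        while depth and i < len(conf):
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield m.group(1), conf[m.end():i - 1]

def audit(conf):
    """Return (zone, file, finding) for master zones stored in the wrong directory."""
    findings = []
    for name, body in zone_blocks(conf):
        if not re.search(r'\btype\s+(master|primary)\s*;', body):
            continue  # only master zones are covered by the master/dynamic split
        f = re.search(r'\bfile\s+"([^"]+)"', body)
        if not f:
            continue
        path = f.group(1)
        upd = re.search(r'\ballow-update\s*\{([^}]*)\}', body)
        # A zone is dynamic if it has update-policy or an allow-update other than "none".
        dynamic = bool(re.search(r'\bupdate-policy\b', body)) or (
            upd is not None and upd.group(1).strip(" ;\n\t") != "none")
        if dynamic and path.startswith("master/"):
            findings.append((name, path, "dynamic zone in master/: bind would need write access there"))
        elif not dynamic and path.startswith("dynamic/"):
            findings.append((name, path, "static zone in dynamic/: writable by bind without need"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print(*finding, sep=" | ")
```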
This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:39:34 UTC