From owner-freebsd-security Fri Jun 5 00:42:54 1998
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id AAA28442 for freebsd-security-outgoing; Fri, 5 Jun 1998 00:42:54 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from verdi.nethelp.no (verdi.nethelp.no [158.36.41.162]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id AAA28434 for ; Fri, 5 Jun 1998 00:42:40 -0700 (PDT) (envelope-from sthaug@nethelp.no)
From: sthaug@nethelp.no
Received: (qmail 23829 invoked by uid 1001); 5 Jun 1998 07:42:38 +0000 (GMT)
To: roberto@keltia.freenix.fr
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: /usr/sbin/named
In-Reply-To: Your message of "Mon, 1 Jun 1998 11:51:12 +0200"
References: <19980601115112.A10806@keltia.freenix.fr>
X-Mailer: Mew version 1.05+ on Emacs 19.34.2
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Date: Fri, 05 Jun 1998 09:42:37 +0200
Message-ID: <23827.897032557@verdi.nethelp.no>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> > Also... Is there any reason for this daemon to run as root, other than
> > binding to port 53? Would it be possible and reasonable to patch it to
> > give up root after binding to the port?
>
> Zone transfers are done by connecting tcp(53) to tcp(53). Name resolution
> between servers is using 53 too, so you'll need to bind several times on
> that port.

Name resolution between servers (i.e. a server sends a query to another
server) is done using port 53 in BIND-4.9.x (i.e. the standard FreeBSD
setup). In BIND-8.1.x, queries from the server itself are *not* sent from
port 53 unless you specifically tell named to do so.

Steinar Haug, Nethelp consulting, sthaug@nethelp.no

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe security" in the body of the message
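One way to check which of the two behaviours a given name server actually shows, as an added example that is not part of this thread: the script below parses constructed tcpdump-style lines (all addresses, ports and names are made up) and labels each server that sends queries to port 53 as using a fixed source port 53 (the BIND-4.9.x behaviour, which is why named must keep the privileged port) or unprivileged ephemeral ports (the BIND-8.1.x default).

```python
import re
from collections import defaultdict

# Constructed sample in tcpdump style (not real traffic): 192.0.2.10 queries
# other servers from port 53, 192.0.2.20 from ephemeral ports, and
# 203.0.113.5 is an ordinary client asking 192.0.2.10.
SAMPLE_TRACE = """\
09:42:01.000001 IP 192.0.2.10.53 > 198.51.100.1.53: 4711+ A? example.org. (29)
09:42:01.000002 IP 192.0.2.10.53 > 198.51.100.2.53: 4712+ MX? example.org. (29)
09:42:01.000003 IP 192.0.2.10.53 > 198.51.100.3.53: 4713+ NS? example.org. (29)
09:42:02.000001 IP 192.0.2.20.1025 > 198.51.100.1.53: 21+ A? example.net. (29)
09:42:02.000002 IP 192.0.2.20.1026 > 198.51.100.2.53: 22+ A? example.net. (29)
09:42:02.000003 IP 192.0.2.20.1027 > 198.51.100.3.53: 23+ A? example.net. (29)
09:42:03.000001 IP 203.0.113.5.40000 > 192.0.2.10.53: 99+ A? example.com. (29)
"""

# "IP <src>.<sport> > <dst>.<dport>:" as printed by tcpdump for UDP/TCP.
LINE_RE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+):")


def query_source_ports(trace):
    """Map each host to the set of source ports it used for packets to port 53."""
    ports = defaultdict(set)
    for line in trace.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src, sport, _dst, dport = m.groups()
        if int(dport) != 53:
            continue  # not a DNS query
        ports[src].add(int(sport))
    return dict(ports)


def classify(ports):
    """Label one host's query source-port behaviour."""
    if ports == {53}:
        return "fixed-53"   # BIND-4 style; needs the privileged port for every query
    if all(p >= 1024 for p in ports):
        return "ephemeral"  # BIND-8 default; no privileged port needed for queries
    return "mixed"


def audit(trace, servers=None):
    """Classify the name servers of interest (all querying hosts if servers is None)."""
    return {host: classify(p) for host, p in query_source_ports(trace).items()
            if servers is None or host in servers}
```

Run against a real capture, only the hosts you know to be name servers should be passed in `servers`, since stub clients always show up as "ephemeral".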