From owner-freebsd-net@FreeBSD.ORG Mon Aug 4 22:59:17 2008
From: Doug Barton <dougb@FreeBSD.org>
Organization: http://www.FreeBSD.org/
Date: Mon, 04 Aug 2008 15:59:13 -0700
To: Adrian Penisoara
Cc: freebsd-net@freebsd.org, Ian Smith
Subject: Re: permissions on /etc/namedb
Message-ID: <489789C1.1040509@FreeBSD.org>
References: <4896A416.80602@FreeBSD.org> <78cb3d3f0808040630o7ad311a5r6da8f821d2bfe63a@mail.gmail.com>
In-Reply-To: <78cb3d3f0808040630o7ad311a5r6da8f821d2bfe63a@mail.gmail.com>
List-Id: Networking and TCP/IP with FreeBSD

Adrian Penisoara wrote:
> Hi,
>
> On Mon, Aug 4, 2008 at 12:57 PM, Ian Smith wrote:
>
>> With the notable exception of making standard functions rndc trace and
>> querylog work, writing to the default file named.run, which named wants
>> to write in 'the working directory'.
>> You'll have seen my solution to that, touching named.run in case it
>> doesn't exist then chown'ing it to bind:wheel in /etc/rc.d/named, which
>> I don't think endangers security.

I think that is a reasonable solution for your situation, although I
don't think it's appropriate to enable that by default. The default
configuration is supposed to be a simple local resolver setup. Users who
need more advanced features should be reading the docs.

>> I've not been able to find another solution, and there's no equivalent
>> of dump-file and statistics-file for the trace/querylog file (that I

Query logging has its own log category, so you would do something like
this:

logging {
        channel queries_log {
                file "/var/log/queries.log";
                severity debug;
                print-time yes;
        };
        category queries { queries_log; };
};

The problem is that if you put that in your named.conf file it will log
all queries when you start named. If there is interest I can add that to
the default named.conf and add a knob to rc.conf to turn query logging
on and off by default, but I'm hesitant to add that much complexity to
something that is supposed to be simple but is already too complex.
OTOH, one could argue that even for a local resolver there would be a
non-trivial number of users who would want to enable logging of
queries ...

As for the equivalent functionality for the debug aspect of named.run,
you're right, there is no equivalent. (FYI, the fact that queries are
recorded in named.run when you bump the debug level is a side effect of
the fact that queries are logged to the resolver category at debug
level 1.) The problem is that the default_debug channel has a special
property (only receives input when debug level is > 0) that cannot be
reproduced with configuration options, and you cannot redefine the
default logging channels.
(but see below)

> Quoting from a default distributed /etc/namedb/named.conf:
>
> options {
>         // Relative to the chroot directory, if any
>         directory       "/etc/namedb";
>         pid-file        "/var/run/named/pid";
>         dump-file       "/var/dump/named_dump.db";
>         statistics-file "/var/stats/named.stats";
>
> You have to take into account that "directory" is used for any
> non-absolute pathname specified in named.conf, including the "file"
> clauses for master/slave zones. If you were to change it now then you
> would break a lot of setups.

Agreed.

> I believe that the "working directory" and "root config directory"
> concepts should have been dissociated.

Also agreed. :)

I plan to send some feature requests to the bind-users list based on
the discussions in this thread. If you're interested in this topic I'd
suggest that you follow the discussion on that list.

I have an (unreviewed) patch to add a debug-only option at
http://dougbarton.us/bind-debug-only-channel.diff if anyone wants to
experiment with this. Using that patch I was able to do this:

logging {
        channel our_debug {
                file "/var/log/named.run";
                severity dynamic;
                print-time yes;
                debug-only yes;
        };
        category default { default_syslog; our_debug; };
        category unmatched { null; };
};

Which duplicates the default logging configuration except that you can
now specify the location for the named.run file (or give it another
file name, etc.).

> Another idea would be to add a final "options { directory
> "/var/run/named"; }; " statement at the end of the file -- from the
> BIND sources it appears that there is a callback function which may
> pick up this final statement in order to make it the current working
> directory for the named process.

The problem is that when you do a reconfig or a reload named won't be
able to see its configuration file.
> Oh, and in the idea that we should keep the default configuration as
> simple as possible for the average user and for whatever scenario,
> here is my proposal:
>
>         dump-file       "/var/run/named/named_dump.db";
>         statistics-file "/var/run/named/named.stats";

This idea is not without merit, but I actually have them separated for
a reason. The reason is sort of an "intermediate" level thing, but if
you want to dump the db or the stats more than once and keep more than
one version around it's more convenient to do this in a separate
directory. Also the assumption is that /var/run is supposed to be
cleaned out at each boot, and I wouldn't want to lose those files.

> I'm not sure what happens when the user toggles tracing / query
> logging (with rndc) -- where would these files go by default ?

That depends on how you have syslog configured. If you have no other
logging configured and you do 'rndc querylog' to toggle it on it will
go to syslog with daemon.info. Unfortunately, FreeBSD's default
configuration doesn't log that by default. One could argue that it
should, but I really don't want to open that can of worms. If you want
to give that a try you could change *.notice in syslog.conf for the
/var/log/messages file to *.info, then /etc/rc.d/syslogd restart. (Or
uncomment the all.log option, etc.)

hth,

Doug

-- 

        This .signature sanitized for your protection
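An added shell example, not from this thread and not FreeBSD's own
/etc/rc.d/named script, of the rc.d step Ian describes at the top of the
message: create named.run in named's working directory if it is missing and
hand the file to the user named runs as, so 'rndc trace' and
'rndc querylog' have a writable target without the working directory itself
being writable by that user. The function name prepare_named_run, its
argument list and the 0644 mode are my assumptions; the owner and group are
passed in rather than hard-coded to bind:wheel so the function can be
exercised as an unprivileged user against a scratch directory.

```shell
#!/bin/sh
# Added example (not the FreeBSD rc.d/named script): make sure named.run
# exists in named's working directory and is owned by the named user.
#
# Usage: prepare_named_run DIR OWNER GROUP
#   DIR    working directory of named ("directory" in named.conf,
#          relative to the chroot if any)
#   OWNER  user named runs as (bind on FreeBSD)
#   GROUP  group for the file (wheel in the setup described in the thread)
# The function name, its argument list and the 0644 mode are assumptions.
prepare_named_run() {
    dir=$1
    owner=$2
    group=$3
    f="$dir/named.run"

    if [ ! -d "$dir" ]; then
        echo "prepare_named_run: $dir is not a directory" >&2
        return 1
    fi

    # Refuse to touch a symlink: chown/chmod through a link would change
    # whatever the link points at instead of the log file.
    if [ -L "$f" ]; then
        echo "prepare_named_run: $f is a symbolic link, refusing" >&2
        return 1
    fi

    # Create the file only if it is absent; an existing file keeps its
    # contents (no truncation of a log that is already being written).
    if [ ! -e "$f" ]; then
        : > "$f" || return 1
    fi

    if [ ! -f "$f" ]; then
        echo "prepare_named_run: $f is not a regular file" >&2
        return 1
    fi

    # Fixed mode rather than whatever umask produced: owner writes,
    # everyone else may only read the trace output.
    chmod 0644 "$f" && chown "$owner:$group" "$f"
}

# Stand-alone demonstration against a scratch directory as the current
# user; set PREPARE_NAMED_RUN_DEMO=1 in the environment to run it.
if [ "${PREPARE_NAMED_RUN_DEMO:-}" = 1 ]; then
    demo=$(mktemp -d) \
        && prepare_named_run "$demo" "$(id -u)" "$(id -g)" \
        && ls -l "$demo/named.run"
fi
```

In an rc.d script this would be called with the chroot-adjusted working
directory and bind:wheel; the symlink and regular-file checks are what keep
a chown that runs as root at boot from being redirected to some other file,
and the explicit mode keeps the file readable but not writable by anyone
other than named.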