Date:      Mon, 01 Sep 2008 12:21:52 -0700
From:      Doug Barton <dougb@FreeBSD.org>
To:        Alex Goncharov <alex-goncharov@comcast.net>
Cc:        freebsd-current@freebsd.org
Subject:   Re: named mystery -- error: dumping master file: master/tmp-wTjhUzoix6
Message-ID:  <48BC40D0.6070107@FreeBSD.org>
In-Reply-To: <E1KaB6h-0006LK-Hu@daland.home>
References:  <200809011331.m81DV7pq094904@lurza.secnetix.de> <E1Ka9v7-0007oh-Re@daland.home> <597586F2-3D3E-4B16-8E20-C3D2B69D25BD@lassitu.de> <E1KaB6h-0006LK-Hu@daland.home>

Alex Goncharov wrote:
> Now, how does the argument that master zones should not be dynamically
> updatable, and `bind' must not have write permissions over the
> directory keeping the master zone files -- how does this live with
> your resolution to my problem?

The distinction between namedb/master and namedb/dynamic is somewhat
artificial, and if I had it to do over from the beginning I would
rename "master" to "static." However the master directory has been
there since basically day 1, and I added the dynamic directory after
severely tightening down the permissions in the etc/namedb directory
when moving to the chroot defaults.

Thus the confusion you are experiencing is related to the fact that
zones which are dynamically updated are "master" zones, but because
the bind user needs to write to them in our directory structure they
need to live in etc/namedb/dynamic.

As someone else pointed out drawing this distinction is a good thing,
since you want the bind user to have write access to as little as
possible for security reasons.

> my master zone files are as vulnerable now as if they lived under `master'

Yes, because you were previously chowning the master directory. If you
have an environment where you have a mixture of static master zones
and dynamic master zones the distinction is meaningful.


hope this helps,

Doug

-- 

    This .signature sanitized for your protection
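The point of the reply above is a least-privilege split: zone files that named only reads (the "master" directory) should not be writable by the bind user, while zones that are dynamically updated have to live where bind can write, because named writes its temp dump files and journals next to the zone file. The following is an added example, not code from the message or from FreeBSD; it audits a chroot layout against exactly that rule. It assumes the FreeBSD-style layout of etc/namedb/master and etc/namedb/dynamic relative to the chroot root, and it takes the bind uid/gid as parameters (FreeBSD's bind user is uid/gid 53, but the demo simply treats the current user as "bind" on a constructed temp tree so it runs unprivileged). The tree and file names in the demo are constructed.

```python
"""Audit a named chroot layout for the master/dynamic write-permission split.

Policy checked (from the discussion, not a named feature):
  * nothing under the static zone directory may be writable by bind;
  * everything under the dynamic zone directory must be writable by bind,
    otherwise dynamic updates (and the zone dump that follows) fail.
The check is purely owner/group/mode based, so it runs on any tree.
"""
import os
import stat
import tempfile
from dataclasses import dataclass

STATIC_DIR = "etc/namedb/master"    # assumed layout, relative to the chroot
DYNAMIC_DIR = "etc/namedb/dynamic"  # assumed layout, relative to the chroot


@dataclass(frozen=True)
class Entry:
    path: str   # relative to the chroot root
    uid: int
    gid: int
    mode: int   # permission bits only (stat.S_IMODE)


def bind_can_write(entry, bind_uid, bind_gid):
    """True if a process running as bind_uid/bind_gid could write this entry."""
    if entry.uid == bind_uid and entry.mode & stat.S_IWUSR:
        return True
    if entry.gid == bind_gid and entry.mode & stat.S_IWGRP:
        return True
    return bool(entry.mode & stat.S_IWOTH)


def _under(rel, top):
    return rel == top or rel.startswith(top + "/")


def audit(entries, bind_uid, bind_gid, static_dir=STATIC_DIR, dynamic_dir=DYNAMIC_DIR):
    """Return (path, problem) pairs for entries that violate the policy, in input order."""
    problems = []
    for e in entries:
        if _under(e.path, static_dir) and bind_can_write(e, bind_uid, bind_gid):
            problems.append((e.path, "writable by bind but under the static master directory"))
        elif _under(e.path, dynamic_dir) and not bind_can_write(e, bind_uid, bind_gid):
            problems.append((e.path, "not writable by bind; dynamic updates and dumps will fail"))
    return problems


def scan_tree(root):
    """Walk a real chroot and build Entry objects with paths relative to root."""
    entries = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            entries.append(Entry(os.path.relpath(full, root), st.st_uid, st.st_gid,
                                 stat.S_IMODE(st.st_mode)))
    return entries


# Constructed sample: uid/gid 53 stands in for bind; 0 is root.
SAMPLE = [
    Entry("etc/namedb/master", 0, 0, 0o755),
    Entry("etc/namedb/master/example.com.db", 0, 0, 0o644),   # fine: root-owned, read-only to bind
    Entry("etc/namedb/dynamic", 53, 53, 0o755),                # fine: bind owns its dynamic dir
    Entry("etc/namedb/dynamic/dyn.example.db", 53, 53, 0o644), # fine
    Entry("etc/namedb/master/bad.db", 53, 53, 0o644),          # violation: chowned to bind
    Entry("etc/namedb/dynamic/ro.db", 0, 0, 0o644),            # violation: bind cannot write it
]


def demo_on_tempdir():
    """Reproduce the poster's situation on a constructed tree, then fix it.

    The current user plays the role of bind. Returns (problems_before, problems_after).
    """
    me, mygrp = os.getuid(), os.getgid()
    with tempfile.TemporaryDirectory() as root:
        master = os.path.join(root, STATIC_DIR)
        dynamic = os.path.join(root, DYNAMIC_DIR)
        os.makedirs(master)
        os.makedirs(dynamic)
        static_zone = os.path.join(master, "example.com.db")
        dyn_zone = os.path.join(dynamic, "dyn.example.com.db")
        for p in (static_zone, dyn_zone):
            with open(p, "w") as f:
                f.write("; constructed placeholder zone file\n")
        # Before: the whole master directory has been chowned to bind with default modes.
        for p in (master, dynamic):
            os.chmod(p, 0o755)
        for p in (static_zone, dyn_zone):
            os.chmod(p, 0o644)
        before = audit(scan_tree(root), me, mygrp)
        # After: strip bind's write bits from the static tree; leave the dynamic tree writable.
        os.chmod(master, 0o555)
        os.chmod(static_zone, 0o444)
        after = audit(scan_tree(root), me, mygrp)
    return before, after


if __name__ == "__main__":
    for path, problem in audit(SAMPLE, 53, 53):
        print(f"{path}: {problem}")
    before, after = demo_on_tempdir()
    print("temp tree before fix:", [p for p, _ in before])
    print("temp tree after fix: ", [p for p, _ in after])
```

On a real host you would run `audit(scan_tree("/var/named"), 53, 53)` (adjusting the chroot path and ids to your system); an empty result means the static zones are read-only to bind and the dynamic zones are writable, which is the split the message recommends.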