From: Vivek Khera
Date: Thu, 1 Feb 2001 12:03:11 -0500
To: FreeBSD Stable
Subject: DNS security
Message-ID: <14969.38607.142726.115583@onceler.kciLink.com>

Given the recent insecurities in DNS, we decided to implement the authentication features of bind. In doing this, and also running bind in a chroot environment (as user bind, group bind), we ran into a couple of snags.

1) The named.conf file needs to be non-world-readable. The simple fix is to make it group bind instead of wheel so that named can read it on a reload. This seems like a good thing to do in any case.

2) bind tries to write temporary files into the CWD. Unfortunately, /etc/namedb is root:wheel and not writable by the bind process owner. There doesn't seem to be a parameter to bind to tell it where to write those files, but there is an environment variable, DSTKEYPATH, that can be used.

The problem I have is how to make FreeBSD 4.2-STABLE pass that environment variable to bind during boot. There doesn't seem to be a good way to do that with the stock startup scripts. For now, I'm just going to start bind in /etc/rc.local and turn it off from rc.conf.

Does it seem like a good idea to be able to set the BIND environment variables from the stock rc scripts? If so, could someone add this?

Thanks.

-- 
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Vivek Khera, Ph.D.                Khera Communications, Inc.
Internet: khera@kciLink.com       Rockville, MD       +1-240-453-8497
AIM: vivekkhera  Y!: vivek_khera  http://www.khera.org/~vivek/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message
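The two snags in the message above (a named.conf that must stay readable by the bind group but not by the world, and a separate writable directory handed to named through DSTKEYPATH) can be scripted so that a boot-time wrapper does the right thing every time. The following is an added example, not the poster's script and not part of FreeBSD's rc framework. It assumes the user and group are both called bind, that a key directory such as /etc/namedb/keys is acceptable, that named understands the -u, -g, -t and -c flags (as BIND 8.x on FreeBSD 4.x does), and that the DSTKEYPATH value must name the directory as named sees it after the chroot; these are assumptions, not facts taken from the message. Ownership changes are only attempted when the script runs as root, so the permission checks can be exercised as an unprivileged user too.

```sh
#!/bin/sh
# Added example: prepare a chrooted BIND tree for the DNS key code and build
# the command line that starts named with DSTKEYPATH set. Names below
# (bind user/group, key directory) are assumptions for illustration.

NAMED_USER="${NAMED_USER:-bind}"
NAMED_GROUP="${NAMED_GROUP:-bind}"

# Return 0 if "other" may read the path. ls -l is parsed because stat(1)
# takes different flags on BSD and GNU; column 8 is the other-read bit.
is_world_readable() {
    [ "$(ls -ld "$1" | cut -c8)" = "r" ]
}

# Snag 1: once named.conf carries key material it must not be world-
# readable, yet named (running as the bind user) still needs it on reload.
# Hand it to the bind group with mode 0640 and verify the result.
fix_named_conf() {
    f="$1"
    [ -f "$f" ] || return 1
    if [ "$(id -u)" -eq 0 ]; then
        chown "root:${NAMED_GROUP}" "$f" || return 1
    fi
    chmod 0640 "$f" || return 1
    is_world_readable "$f" && return 1
    return 0
}

# Snag 2: named writes temporary key files into its CWD, and /etc/namedb is
# root:wheel. Give it a dedicated directory owned by the bind user instead
# and point DSTKEYPATH at it. 0750 keeps the key material private.
setup_key_dir() {
    d="$1"
    mkdir -p "$d" || return 1
    if [ "$(id -u)" -eq 0 ]; then
        chown "${NAMED_USER}:${NAMED_GROUP}" "$d" || return 1
    fi
    chmod 0750 "$d"
}

# Build the start-up command as a string so a wrapper can exec it and an
# operator can inspect it. -u/-g drop privileges, -t chroots, -c names the
# config file as seen inside the chroot (assumed BIND 8.x flag set).
named_cmdline() {
    chroot_dir="$1"; key_dir="$2"; conf="$3"
    printf 'env DSTKEYPATH=%s /usr/sbin/named -u %s -g %s -t %s -c %s\n' \
        "$key_dir" "$NAMED_USER" "$NAMED_GROUP" "$chroot_dir" "$conf"
}

# Typical use from a wrapper started by rc.local (all paths are assumptions):
#   fix_named_conf /etc/namedb/named.conf
#   setup_key_dir /etc/namedb/keys
#   eval "$(named_cmdline /etc/namedb /keys /named.conf)"
```

The printed command is deliberately an `env ... named ...` invocation rather than an exported variable, so the same wrapper works whether it is launched from /etc/rc.local or, on rc.conf versions that expose a `named_program` knob, is named as the program to run; the point is that DSTKEYPATH is set in the environment of the named process itself and nowhere else.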