From owner-freebsd-current@FreeBSD.ORG Wed Jan 19 20:39:22 2005
Date: Wed, 19 Jan 2005 21:39:10 +0100
From: Jeremie Le Hen
To: nikolay.nenchev@rbb-sofia.raiffeisen.at
cc: freebsd-current@freebsd.org
Subject: Re: Bind 9.3 rndc?
Message-ID: <20050119203910.GD36629@obiwan.tataz.chchile.org>
User-Agent: Mutt/1.5.6i
List-Id: Discussions about the use of FreeBSD-current

You should use freebsd-net@ for this kind of question, I think.

> I have installed FreeBSD 5.3 with Bind integrated in it. named is running in
> chroot, with user bind, so every file in /etc/namedb is owned by
> bind:wheel, except rndc.key. (I have also rndc.conf with owner bind)
> and it is impossible to start make rndc reload. If I change owner on
> rndc.key it is working but is it a security issue, user who is running
> named (bind) to have access to rndc.key.
How could named(8) know that the secret provided by rndc(8) is the correct one if it does not have access to it? This is a shared secret. Both the user running named(8) and the one running rndc(8) must have access to the secret.

Let's say you have named(8) running under user "bind" and the rndc user running under user "rndc", and both belong to group "bind". Make rndc.key owned by "root:bind" and use the mode 0640. Therefore only root will be able to modify the key, whereas named(8) and rndc(8) will be able to read it.

Anyway, if your bind(8) is compromised, whether the attacker can read your shared secret or not is pointless: you will have to change it anyway.

Best regards,
-- 
Jeremie Le Hen
jeremie@le-hen.org
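An added example, not part of the thread: a small POSIX sh audit of the permission scheme described above (key owned by root, group shared by named and rndc, mode 0640). The path, owner and group are parameters, and the demo at the bottom runs on a constructed temporary file with the current user and group, since chown to root:bind needs root.

```shell
#!/bin/sh
# Audit a shared-secret file (e.g. /etc/namedb/rndc.key) against the scheme
# in the reply: owner root, group shared by named and rndc, mode 0640.
# Path, owner and group are parameters so the demo can run unprivileged.

# Print "mode owner group"; GNU stat first, then BSD stat (FreeBSD).
file_ident() {
    stat -c '%a %U %G' "$1" 2>/dev/null || stat -f '%Lp %Su %Sg' "$1"
}

# check_secret_perms FILE OWNER GROUP
# Returns 0 when FILE is a regular file owned by OWNER:GROUP with mode 0640:
# writable only by its owner, readable by the shared group, invisible to
# everyone else. Any other owner, group or mode bit is reported as a finding.
check_secret_perms() {
    file="$1"; want_owner="$2"; want_group="$3"
    [ -f "$file" ] || { echo "$file: missing or not a regular file"; return 1; }
    set -- $(file_ident "$file")
    mode="$1"; owner="$2"; group="$3"
    rc=0
    [ "$owner" = "$want_owner" ] || { echo "$file: owner $owner, want $want_owner"; rc=1; }
    [ "$group" = "$want_group" ] || { echo "$file: group $group, want $want_group"; rc=1; }
    case "$mode" in
        640|0640) ;;
        *) echo "$file: mode $mode, want 0640 (other-readable or group-writable bits leak or expose the secret)"; rc=1 ;;
    esac
    return $rc
}

# Demo on a constructed temporary "rndc.key" (not a real key file). On BSD a
# new file inherits the directory's group, so set the group explicitly.
demo_key=$(mktemp)
printf 'key "rndc-key" { algorithm hmac-md5; secret "CONSTRUCTED=="; };\n' > "$demo_key"
chgrp "$(id -gn)" "$demo_key"
chmod 640 "$demo_key"
check_secret_perms "$demo_key" "$(id -un)" "$(id -gn)" && echo "ok: $demo_key is 0640"
chmod 644 "$demo_key"
check_secret_perms "$demo_key" "$(id -un)" "$(id -gn)" || echo "finding: world-readable key"
rm -f "$demo_key"
```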