From owner-freebsd-questions  Tue Nov  5  8:49:17 2002
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 8C9A937B404
	for <freebsd-questions@freebsd.org>; Tue,  5 Nov 2002 08:49:16 -0800 (PST)
Received: from yertle.kciLink.com (yertle.kcilink.com [216.194.193.105])
	by mx1.FreeBSD.org (Postfix) with ESMTP id A274743E75
	for <freebsd-questions@freebsd.org>; Tue,  5 Nov 2002 08:49:15 -0800 (PST)
	(envelope-from khera@kciLink.com)
Received: from onceler.kciLink.com (onceler.kciLink.com [216.194.193.106])
	by yertle.kciLink.com (Postfix) with ESMTP id 05E942178C
	for <freebsd-questions@freebsd.org>; Tue,  5 Nov 2002 11:49:05 -0500 (EST)
Received: by onceler.kciLink.com (Postfix, from userid 100)
	id C7AD43D16; Tue,  5 Nov 2002 11:49:04 -0500 (EST)
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
From: Vivek Khera <khera@kcilink.com>
To: freebsd-questions@freebsd.org
Subject: Re: TSIG with BIND requires chmod+chgrp /etc/namedb
Newsgroups: ml.freebsd.questions
References: <3DC26134.27868.57480335@localhost>
X-Trace: lorax.kciLink.com 1036511676 83756 216.194.193.106 (5 Nov 2002 15:54:36 GMT)
X-Complaints-To: daemon@kciLink.com
X-Virus-Scanned: by amavisd-new amavisd-new-20020630 (@kci)
X-Razor-id: 9b72d64bb5a445345bb3ec7221268533eddee946
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-questions.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-questions>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-questions>
X-Loop: FreeBSD.ORG

>>>>> "DL" == Dan Langille <dan@langille.org> writes:

DL> It appears that using TSIG with BIND for secondary domains requires a 
DL> chmod and chgrp of /etc/namedb.
 [ ... ]
DL> I don't really liked having to change the permission of /etc/namedb 
DL> especially as that will be necessary for people runnning secondary 
DL> DNS for me.

This looks like a re-run of a posting you made a while back, but what
I do is just tell named.conf that /etc/namedb/secondaries is my main
directory, and that directory has write permissions for bind already.
I then use "../master/foo.com" as the directory for any master zones I
host.

What this accomplishes is that the TSIG temp files are written in the
secondaries subdirectory, and no other directories can be written to
by bind, preserving the sandbox.

-- 
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Vivek Khera, Ph.D.                Khera Communications, Inc.
Internet: khera@kciLink.com       Rockville, MD       +1-240-453-8497
AIM: vivekkhera Y!: vivek_khera   http://www.khera.org/~vivek/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message