Date: Tue, 5 Oct 2004 02:31:11 -0400 From: Charles Swiger <cswiger@mac.com> To: Doug Barton <DougB@FreeBSD.org> Cc: freebsd-current@FreeBSD.org Subject: Re: New BIND 9 chroot directories Message-ID: <2610D786-1698-11D9-B1D0-003065A20588@mac.com> In-Reply-To: <20041004223818.I85445@ync.qbhto.arg> References: <200410041734.53316.freebsd@redesjm.local> <200410042343.19211.freebsd@redesjm.local> <20041004181933.H96420@bo.vpnaa.bet> <20041005114834Y.matusita@jp.FreeBSD.org> <2EC1F982-1680-11D9-B1D0-003065A20588@mac.com> <20041004223818.I85445@ync.qbhto.arg>
next in thread | previous in thread | raw e-mail | index | archive | help
On Oct 5, 2004, at 1:53 AM, Doug Barton wrote: > On Mon, 4 Oct 2004, Charles Swiger wrote: [ ... ] > Please also keep in mind that I actually USED this configuration in > production on hundreds of name servers on a production enterprise > network for years with a variety of different kinds of name servers, > including authoritative, caching, forwarding, etc. You bet. It's worth noting that you've got a config that's heavily used in production. That makes it a good candidate for FreeBSD's default values, as well as making you a good candidate to maintain named for FreeBSD. > All that said, the defaults are just the defaults. The thing that > people really need to keep in mind is that if you want to change it, > you can. Yes. >> named_enable="YES" >> named_flags="-u bind -g bind -c /etc/named.conf" >> >> ...in /etc/rc.conf and then do whatever you like under /var/named. > > Um, no. First off, the -g option never did what people thought it did, > and now does something entirely different in BIND 9. The options I use now work fine under BIND 8, so it's unfortunate that somebody changed the meaning of that option, but the issue is probably moot now. [ FWIW, I thought the -g flag controlled the group of the zone files created by a slave xfer, which is probably not significant in terms of security. On the other hand, I always have a group associated with any user (that seems BSD convention now), and I don't see any harm in the notion. ] > Also, if your config file is /etc/namedb/named.conf, it's pointless to > specify it in named_flags, as that is the compiled in default. True. /etc/named.conf is the location mentioned in the O'Reilly DNS & BIND books, and is a commonly used default location on other current systems today when not running chroot()ed, but I am quite happy to leave the layout of the chroot()ed config location of named.conf up to your judgement. :-) >> I suppose the situation could be improved by having some shell script >> which converts pre-chrooted named configs (at least the prior default >> config from 4.x) into the new layout, perhaps by creating symlinks >> from the current locations into the chroot tree under /var/named. > > If anyone wants to come up with something like that, I'm all ears, > however my guess is that the variety of input is so varied that such > an undertaking would be pointless. You may be right. One could turn the set of instructions in the 20040928 UPDATING entry into a shell script, but it's probably safer to perform a manual series in order to note any errors or changes in path locations made by per-user customizations anyway. -- -Chuck
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?2610D786-1698-11D9-B1D0-003065A20588>