Date: Thu, 1 Feb 2001 12:03:11 -0500
From: Vivek Khera <khera@kciLink.com>
To: FreeBSD Stable <stable@freebsd.org>
Subject: DNS security
Message-ID: <14969.38607.142726.115583@onceler.kciLink.com>
Given the recent insecurities in DNS, we decided to implement the authentication features of bind. With doing this, and also running bind in a chroot environment (as user bind, group bind), we ran into a couple of snags.

1) The named.conf file needs to be non-world readable. Simple fix is to make it group bind instead of wheel so that named can read it on a reload. This seems like a good thing to do in any case.

2) bind tries to write temporary files into the CWD. Unfortunately, /etc/namedb is root:wheel and not writable by the bind process owner. There doesn't seem to be a parameter to bind to tell it where to write those files, but there is an environment variable, DSTKEYPATH, that can be used.

The problem I have is how to make FreeBSD 4.2-STABLE pass that environment variable to bind during boot. There doesn't seem to be a good way to do that with the stock startup scripts. For now, I'm just going to start bind in /etc/rc.local and turn it off from rc.conf.

Does it seem like a good idea to be able to set the BIND environment variables from the stock rc scripts? If so, could someone add this?

Thanks.

-- 
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Vivek Khera, Ph.D.                Khera Communications, Inc.
Internet: khera@kciLink.com       Rockville, MD       +1-240-453-8497
AIM: vivekkhera  Y!: vivek_khera  http://www.khera.org/~vivek/

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-stable" in the body of the message
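An rc.local fragment of the kind the message describes, added here as an illustration and not part of the original mail or of FreeBSD's rc scripts: it makes named.conf group-readable but not world-readable, gives named a directory it may write to, and launches named with DSTKEYPATH set. The chroot path, the key directory, the "bind" user and group, and the BIND 8 style `-u`/`-g`/`-t` flags are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original message): start a chrooted named
# from /etc/rc.local with DSTKEYPATH pointing at a writable directory.
# Paths, user/group names and named flags below are assumptions.

CHROOT=${CHROOT:-/var/named}               # chroot directory (assumed)
CONF_IN_CHROOT=/etc/namedb/named.conf      # config path as named sees it
KEYDIR_IN_CHROOT=/etc/namedb/keys          # directory for DST temp files
NAMED_USER=${NAMED_USER:-bind}
NAMED_GROUP=${NAMED_GROUP:-bind}

# Succeeds when FILE is not world-readable: column 8 of `ls -l` (the
# "other" read bit) is '-' rather than 'r'. Portable across ls variants.
not_world_readable() {
    [ "$(ls -ld "$1" | cut -c8)" = "-" ]
}

# Snag 1: named.conf must stay unreadable to the world, yet readable by
# the group named runs as, because a reload re-reads it after the
# privilege drop. Usage: restrict_conf FILE GROUP
restrict_conf() {
    chgrp "$2" "$1" && chmod 0640 "$1" && not_world_readable "$1"
}

# Snag 2: named writes temporary key files into the CWD; /etc/namedb is
# root:wheel, so give it its own directory. Usage: prepare_keydir DIR USER GROUP
prepare_keydir() {
    mkdir -p "$1" && chown "$2:$3" "$1" && chmod 0750 "$1"
}

# Print the command rc.local runs. DSTKEYPATH is given relative to the
# chroot, on the assumption that named resolves it after chrooting.
named_start_cmd() {
    printf 'env DSTKEYPATH=%s named -u %s -g %s -t %s -c %s\n' \
        "$KEYDIR_IN_CHROOT" "$NAMED_USER" "$NAMED_GROUP" \
        "$CHROOT" "$CONF_IN_CHROOT"
}

# Full sequence for rc.local: fix permissions, then start the daemon.
start_named() {
    restrict_conf "$CHROOT$CONF_IN_CHROOT" "$NAMED_GROUP" || return 1
    prepare_keydir "$CHROOT$KEYDIR_IN_CHROOT" "$NAMED_USER" "$NAMED_GROUP" || return 1
    eval "$(named_start_cmd)"
}
```

With named_enable="NO" in rc.conf, a single `start_named` line in /etc/rc.local replaces the stock startup until the rc scripts can pass the variable themselves.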