On 10.05.2016 18:57, Александр Кириллов wrote:
this seems to be relevant in chroot environments;
as I noticed when configuring the DDNS-feature, that this is a little bit weired, when running in a chroot environment; I saw the recommendation not to use a chroot in the man-page and removed bind-chroot and then the zone updates worked perfekt;
so this file /etc/named.root.key isn't really used; or am I missing something?
These files are included in both my /etc/named.conf and /usr/share/doc/bind-x.x.x/named.conf.default which I probably used as a template years ago. I'm no dns expert but you'd probably need these files when accessing root servers directly without use of forwarders.
I'm also using ddns and have my zone files in /var/named/chroot/var/named/dynamic.
are you using DDNS in DualStack (IPv4 and IPv6 together) or do you have only DHCP or DHCPv6 and not both?
Selinux is enabled and I don't see any additional bind-related rules in my local policy or /etc/selinux/targeted/contexts/files/file_contexts.local.
the manpage shows this:
"NOTES Red Hat SELinux BIND Security Profile:
By default, Red Hat ships BIND with the most secure SELinux policy that will not prevent normal BIND operation and will prevent exploitation of all known BIND security vulnerabilities . See the selinux(8) man page for information about SElinux.
It is not necessary to run named in a chroot environment if the Red Hat SELinux policy for named is enabled. When enabled, this policy is far more secure than a chroot environment. Users are recommended to enable SELinux and remove the bind-chroot package.
With this extra security comes some restrictions:
By default, the SELinux policy does not allow named to write any master zone database files. Only the root user may create files in the $ROOTDIR/var/named zone database file directory (the options { "directory" } option), where $ROOTDIR is set in /etc/sysconfig/named.
The "named" group must be granted read privelege to these files in order for named to be enabled to read them.
Any file created in the zone database file directory is automatically assigned the SELinux file context named_zone_t .
By default, SELinux prevents any role from modifying named_zone_t files; this means that files in the zone database directory cannot be modified by dynamic DNS (DDNS) updates or zone transfers.
The Red Hat BIND distribution and SELinux policy creates three directories where named is allowed to create and modify files: /var/named/slaves, /var/named/dynamic /var/named/data. By placing files you want named to modify, such as slave or DDNS updateable zone files and database / statistics dump files in these directories, named will work normally and no further operator action is required. Files in these directories are automatically assigned the ’named_cache_t’ file context, which SELinux allows named to write."