Walter H. wrote:
On 10.05.2016 18:57, Александр Кириллов wrote:
this seems to be relevant in chroot environments;
As I noticed when configuring the DDNS feature, this is a little bit weird when running in a chroot environment; I saw the recommendation in the man page not to use a chroot, removed bind-chroot, and then the zone updates worked perfectly;
so this file /etc/named.root.key isn't really used; or am I missing something?
These files are included in both my /etc/named.conf and /usr/share/doc/bind-x.x.x/named.conf.default which I probably used as a template years ago. I'm no DNS expert but you'd probably need these files when accessing root servers directly without use of forwarders.
I'm also using ddns and have my zone files in /var/named/chroot/var/named/dynamic.
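A quick way to settle the "is /etc/named.root.key actually used?" question from the posts above is to list the files named.conf pulls in via `include` and check whether each one exists at the path BIND will really open, i.e. under the chroot prefix when bind-chroot is in use. The shell function below is an added example, not code from this thread or from the BIND project; the sample named.conf and chroot directory it builds under a temp dir are constructed for the demo, and the path /var/named/chroot is only the conventional prefix mentioned in the thread, not something the function assumes.

```bash
#!/bin/sh
# Added example (not from the thread): list every file pulled in by
# `include` statements in a named.conf and report whether each one exists,
# resolving the path against an optional chroot prefix so that a file that
# is present outside the chroot but missing inside it shows up as MISSING.
# Usage: named_includes CONF [CHROOT_PREFIX]
named_includes() {
    conf="$1"
    prefix="${2:-}"
    # Keep only real include statements (commented-out ones start with // or #),
    # then pull the quoted path out of each of them.
    grep -E '^[[:space:]]*include[[:space:]]+"' "$conf" \
      | sed -E 's/^[[:space:]]*include[[:space:]]+"([^"]+)".*/\1/' \
      | while IFS= read -r inc; do
            if [ -e "${prefix}${inc}" ]; then
                echo "present ${prefix}${inc}"
            else
                echo "MISSING ${prefix}${inc}"
            fi
        done
}

# Constructed demo: a minimal named.conf plus a chroot tree that only carries
# one of the two included files, mimicking a chroot that was not kept in sync.
demo=$(mktemp -d)
mkdir -p "$demo/chroot/etc"
cat > "$demo/named.conf" <<'EOF'
options { directory "/var/named"; };
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
// include "/etc/not-used.conf";
EOF
touch "$demo/chroot/etc/named.rfc1912.zones"

# Without a prefix the paths are checked on the host; with the prefix they are
# checked where a chrooted named would actually look for them.
named_includes "$demo/named.conf"
named_includes "$demo/named.conf" "$demo/chroot"
rm -rf "$demo"
```

On a real CentOS host you would run it as `named_includes /etc/named.conf /var/named/chroot` (or with whatever prefix your bind-chroot setup uses); a line marked MISSING under the prefix but present without it is the classic symptom of a file that was edited outside the chroot and never made it inside.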
are you using DDNS in DualStack (IPv4 and IPv6 together) or do you have only DHCP or DHCPv6 and not both?
SELinux is enabled and I don't see any additional bind-related rules in my local policy or /etc/selinux/targeted/contexts/files/file_contexts.local.
the manpage shows this:
"NOTES Red Hat SELinux BIND Security Profile:
By default, Red Hat ships BIND with the most secure SELinux policy that will not prevent normal BIND operation and will prevent exploitation of all known BIND security vulnerabilities. See the
<snip> Which assumes that setting selinux to enforcing doesn't break your websites, or the locally-created root directories that have been created before an actual sysadmin came onboard, or....
mark