[CentOS] CentOS 6 as DNS-Server

Tue May 10 18:55:52 UTC 2016
Walter H. <Walter.H at mathemainzel.info>

On 10.05.2016 18:57, Александр Кириллов wrote:
>> this seems to be relevant in chroot environments;
>>
>> as I noticed when configuring the DDNS-feature, that this is a little
>> bit weird, when running in a chroot environment; I saw the
>> recommendation not to use a chroot in the man-page and removed
>> bind-chroot and then the zone updates worked perfectly;
>>
>> so this file /etc/named.root.key isn't really used; or am I missing
>> something?
>
> These files are included in both my /etc/named.conf and 
> /usr/share/doc/bind-x.x.x/named.conf.default which I probably used as 
> a template years ago. I'm no dns expert but you'd probably need these 
> files when accessing root servers directly without use of forwarders.
>
> I'm also using ddns and have my zone files in 
> /var/named/chroot/var/named/dynamic.

are you using DDNS in DualStack (IPv4 and IPv6 together) or do you have 
only DHCP or DHCPv6 and not both?

> Selinux is enabled and I don't see any additional bind-related rules 
> in my local policy or 
> /etc/selinux/targeted/contexts/files/file_contexts.local.
>

the manpage shows this:

"NOTES
        Red Hat SELinux BIND Security Profile:

        By default, Red Hat ships BIND with the most secure SELinux policy
        that will not prevent normal BIND operation and will prevent
        exploitation of all known BIND security vulnerabilities. See the
        selinux(8) man page for information about SELinux.

        It is not necessary to run named in a chroot environment if the
        Red Hat SELinux policy for named is enabled. When enabled, this
        policy is far more secure than a chroot environment. Users are
        recommended to enable SELinux and remove the bind-chroot package.

        With this extra security comes some restrictions:

        By default, the SELinux policy does not allow named to write any
        master zone database files. Only the root user may create files in
        the $ROOTDIR/var/named zone database file directory (the options {
        "directory" } option), where $ROOTDIR is set in
        /etc/sysconfig/named.

        The "named" group must be granted read privilege to these files in
        order for named to be enabled to read them.

        Any file created in the zone database file directory is
        automatically assigned the SELinux file context named_zone_t.

        By default, SELinux prevents any role from modifying named_zone_t
        files; this means that files in the zone database directory cannot
        be modified by dynamic DNS (DDNS) updates or zone transfers.

        The Red Hat BIND distribution and SELinux policy create three
        directories where named is allowed to create and modify files:
        /var/named/slaves, /var/named/dynamic, /var/named/data. By placing
        files you want named to modify, such as slave or DDNS updateable
        zone files and database / statistics dump files, in these
        directories, named will work normally and no further operator
        action is required. Files in these directories are automatically
        assigned the 'named_cache_t' file context, which SELinux allows
        named to write."
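As an added illustration of the last two paragraphs of that NOTES section (this is not code from the man page or from anyone in this thread), the following Python script scans a named.conf for zones that named must be able to write (DDNS-updateable or slave zones) and reports any whose zone file resolves outside /var/named/slaves, /var/named/dynamic or /var/named/data, i.e. would carry named_zone_t instead of named_cache_t and so fail exactly the way the man page describes. The sample configuration is constructed, and the fallback zone directory /var/named is an assumption.

```python
import posixpath, re

# Dirs the Red Hat SELinux policy labels named_cache_t (writable by named).
WRITABLE_DIRS = ("/var/named/slaves", "/var/named/dynamic", "/var/named/data")

# Constructed sample configuration, not a real named.conf.
SAMPLE_CONF = """
options { directory "/var/named"; };
zone "example.test" IN {
    type master; file "dynamic/example.test.zone";
    allow-update { key "ddns-key"; };
};
zone "broken.test" IN {
    type master; file "broken.test.zone";  # DDNS target outside named_cache_t
    allow-update { key "ddns-key"; };
};
zone "secondary.test" IN { type slave; file "slaves/secondary.test.zone";
    masters { 192.0.2.1; }; };
"""

def _blocks(text, pattern):
    """Yield (header, body) per `pattern ... { body }`, matching nested braces."""
    pat = re.compile(pattern)
    m = pat.search(text)
    while m:
        start, depth = text.index("{", m.end()), 0
        for end in range(start, len(text)):
            depth += {"{": 1, "}": -1}.get(text[end], 0)
            if depth == 0:
                break
        yield text[m.end():start].strip(), text[start + 1:end]
        m = pat.search(text, end)

def check_named_conf(conf):
    """Zones named must write (DDNS/slave) whose file is outside WRITABLE_DIRS."""
    text = re.sub(r"(//|#)[^\n]*|/\*.*?\*/", "", conf, flags=re.S)  # drop comments
    directory = "/var/named"  # assumed default when options{} sets none
    for _, body in _blocks(text, r"\boptions\s*(?=\{)"):
        m = re.search(r'\bdirectory\s+"([^"]+)"', body)
        directory = m.group(1) if m else directory
    findings = []
    for header, body in _blocks(text, r'\bzone\s+(?=")'):
        fm = re.search(r'\bfile\s+"([^"]+)"', body)
        writable = re.search(r"\b(allow-update|update-policy)\b|\btype\s+slave\b", body)
        if not fm or not writable:
            continue
        path = posixpath.normpath(posixpath.join(directory, fm.group(1)))
        if not any(path == d or path.startswith(d + "/") for d in WRITABLE_DIRS):
            findings.append((re.match(r'"([^"]+)"', header).group(1), path))
    return findings
```

Run against the sample it flags only broken.test; a real check would additionally compare `ls -Z` output against the expected named_cache_t label, since a relabelled file in the right directory can still be wrong.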