Walter H. wrote:
> On 10.05.2016 18:57, Александр Кириллов wrote:
>>> this seems to be relevant in chroot environments;
>>>
>>> as I noticed when configuring the DDNS feature, this is a little
>>> bit weird when running in a chroot environment; I saw the
>>> recommendation not to use a chroot in the man page, removed
>>> bind-chroot, and then the zone updates worked perfectly;
>>>
>>> so this file /etc/named.root.key isn't really used; or am I missing
>>> something?
>>
>> These files are included in both my /etc/named.conf and
>> /usr/share/doc/bind-x.x.x/named.conf.default, which I probably used as
>> a template years ago. I'm no DNS expert, but you'd probably need these
>> files when accessing root servers directly without the use of forwarders.
>>
>> I'm also using DDNS and have my zone files in
>> /var/named/chroot/var/named/dynamic.
> are you using DDNS in dual stack (IPv4 and IPv6 together), or do you have
> only DHCP or DHCPv6 and not both?
>> SELinux is enabled and I don't see any additional bind-related rules
>> in my local policy or
>> /etc/selinux/targeted/contexts/files/file_contexts.local.
>>
>
> the man page shows this:
>
> "NOTES
>     Red Hat SELinux BIND Security Profile:
>
>     By default, Red Hat ships BIND with the most secure SELinux
>     policy that will not prevent normal BIND operation and will prevent
>     exploitation of all known BIND security vulnerabilities. See the
<snip>

Which assumes that setting SELinux to enforcing doesn't break your
websites, or the locally-created root directories that were created
before an actual sysadmin came onboard, or....

mark
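The thread turns on whether the zone files under /var/named (chrooted or not) carry the SELinux type the targeted policy expects, since a DDNS journal write into a wrongly labelled directory is exactly what enforcing mode denies. The script below is an added example, not code from any of the posters or from the bind package: it models the policy's file contexts in a simplified form (named_cache_t for the writable dynamic/, slaves/ and data/ directories, named_zone_t for everything else under /var/named, with the /var/named/chroot prefix stripped so both layouts are checked the same way), reads "context path" lines of the shape `stat -c '%C %n'` prints, and reports each mismatch together with the restorecon command that fixes it. The three sample lines are constructed for the example; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread above.
# Offline check that BIND zone files carry the SELinux type the targeted
# policy expects, so DDNS journal writes are not silently denied in
# enforcing mode. The type rules are a simplified model of the policy's
# bind file contexts; the lines in SAMPLE are constructed for this example.

# expected_type PATH: print the type a zone file at PATH should carry.
# The bind-chroot prefix is stripped so chrooted and plain layouts compare
# the same way (the policy labels both trees identically).
expected_type() {
    p="${1#/var/named/chroot}"
    case "$p" in
        /var/named/dynamic/*|/var/named/slaves/*|/var/named/data/*) echo named_cache_t ;;
        /var/named/*) echo named_zone_t ;;
        *) echo unknown ;;
    esac
}

# check_labels reads "user:role:type:level path" lines on stdin (the shape
# of `stat -c '%C %n' FILE...`). For each wrongly labelled file it prints a
# MISMATCH line with the restorecon command that relabels it; at the end it
# prints "OK n" with the count of files that matched. Exit status is the
# number of mismatches, so it can gate a deploy step.
check_labels() {
    bad=0 ok=0
    while read -r ctx path; do
        [ -n "$path" ] || continue
        have=$(printf '%s' "$ctx" | cut -d: -f3)
        want=$(expected_type "$path")
        if [ "$have" = "$want" ]; then
            ok=$((ok + 1))
        else
            bad=$((bad + 1))
            echo "MISMATCH $path has $have, want $want -> restorecon -v $path"
        fi
    done
    echo "OK $ok"
    return "$bad"
}

# Constructed sample: a chrooted dynamic zone labelled correctly, a
# non-chrooted dynamic zone that was copied in with cp and kept the label
# of its source in an admin's home directory, and a static master zone.
SAMPLE='system_u:object_r:named_cache_t:s0 /var/named/chroot/var/named/dynamic/example.net.zone
unconfined_u:object_r:admin_home_t:s0 /var/named/dynamic/example.org.zone
system_u:object_r:named_zone_t:s0 /var/named/example.com.zone'

# On a live host run:  stat -c '%C %n' /var/named/dynamic/* | check_labels
# Here the constructed sample is checked instead.
if printf '%s\n' "$SAMPLE" | check_labels; then
    echo "all zone files carry the expected type"
else
    echo "relabel with the restorecon lines above, then retry the DDNS update"
fi
```

A zone that stays in /var/named proper (named_zone_t) cannot be updated by named at all under the default policy; it has to live in dynamic/ or the named_write_master_zones boolean has to be turned on, which is the trade-off the man page's "most secure policy" wording is about.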