[CentOS] CentOS 6 as DNS-Server

Tue May 10 18:55:52 UTC 2016
Walter H. <Walter.H at mathemainzel.info>

On 10.05.2016 18:57, Александр Кириллов wrote:
>> this seems to be relevant in chroot environments;
>> as I noticed when configuring the DDNS-feature, that this is a little 
>> bit
>> weired, when running in a chroot environment; I saw the 
>> recommendation not
>> to use a chroot in the man-page and removed bind-chroot and then the 
>> zone
>> updates worked perfekt;
>> so this file /etc/named.root.key isn't really used; or am I missing
>> something?
> These files are included in both my /etc/named.conf and 
> /usr/share/doc/bind-x.x.x/named.conf.default which I probably used as 
> a template years ago. I'm no dns expert but you'd probably need these 
> files when accessing root servers directly without use of forwarders.
> I'm also using ddns and have my zone files in 
> /var/named/chroot/var/named/dynamic.
are you using DDNS in DualStack (IPv4 and IPv6 together) or do you have 
only DHCP or DHCPv6 and not both?
> Selinux is enabled and I don't see any additional bind-related rules 
> in my local policy or 
> /etc/selinux/targeted/contexts/files/file_contexts.local.

the manpage shows this:

        Red Hat SELinux BIND Security Profile:

        By default, Red Hat ships BIND with the most secure SELinux 
policy that
        will not prevent normal BIND operation and will prevent 
exploitation of
        all known BIND security vulnerabilities . See the selinux(8) man 
        for information about SElinux.

        It is not necessary to run named in a chroot environment if the 
Red Hat
        SELinux policy for named is enabled. When enabled, this policy 
is far
        more secure than a chroot environment. Users are recommended to 
        SELinux and remove the bind-chroot package.

        With this extra security comes some restrictions:

        By default, the SELinux policy does not allow named to write any 
        zone database files. Only the root user may create files in the
        $ROOTDIR/var/named zone database file directory (the options {
        "directory" } option), where $ROOTDIR is set in 

        The "named" group must be granted read privelege to these files in
        order for named to be enabled to read them.

        Any file created in the zone database file directory is 
        assigned the SELinux file context named_zone_t .

        By default, SELinux prevents any role from modifying named_zone_t
        files; this means that files in the zone database directory 
cannot be
        modified by dynamic DNS (DDNS) updates or zone transfers.

        The Red Hat BIND distribution and SELinux policy creates three
        directories where named is allowed to create and modify files:
        /var/named/slaves, /var/named/dynamic /var/named/data. By 
placing files
        you want named to modify, such as slave or DDNS updateable zone 
        and database / statistics dump files in these directories, named 
        work normally and no further operator action is required. Files in
        these directories are automatically assigned the ’named_cache_t’ 
        context, which SELinux allows named to write."