[CentOS] bind vs. bind-chroot

Thu Apr 13 10:15:57 UTC 2017
Robert Moskowitz <rgm at htt-consult.com>

On 04/13/2017 04:23 AM, Alice Wonder wrote:
> On 04/13/2017 01:05 AM, Nicolas Kovacs wrote:
>> Le 13/04/2017 à 04:27, Robert Moskowitz a écrit :
>>> But make sure to have SELinux enabled if you do not run it chrooted.
>>> I have mine running that way.
>> I bluntly admit not using SELinux, because until now, I mainly used more
>> bone-headed systems that didn't implement it. Maybe this is the right
>> time to get started.
>> I understand there's a wealth of information about SELinux. Any
>> recommendations for a newbie-friendly primer? I don't mind to RTFM, even
>> extensive documentation, but I prefer stuff that's well-written.
>> Cheers,
>> Niki
> I don't use SELinux because it gets in my way far more than it every 
> actually protects me from anything.
> I'm sure there are systems where it absolutely is necessary, but I 
> don't like to have stuff fail because I used mv instead of cp to 
> install a certificate, for example.

I need to do DNSSEC next; got to bother Mark Andrew over at ISC, did not 
get to sit down with him on this at IETF.  So I don't know what certs I 
will need as yet.  For my mailserver, I am using self-signed, and see my 
Apache setup, towards the end, how I create a set of certs:


I had some help on this from the OpenSSL list.

> For authoritative DNS I also do not use chroot but authoritative DNS 
> is all those servers do, and I use zones signed externally via DNSSEC 
> (no private keys on the server)

Something to consider, but I would do it on one of my internal systems.  
Not a third party; why should I trust them?  Unless they are providing a 
full DNS PKI service.