Walter H. wrote:
> On 10.05.2016 18:57, Александр Кириллов wrote:
>>> this seems to be relevant in chroot environments;
>>>
>>> as I noticed when configuring the DDNS-feature, that this is a little
>>> bit weired, when running in a chroot environment; I saw the
>>> recommendation not
>>> to use a chroot in the man-page and removed bind-chroot and then the
>>> zone updates worked perfekt;
>>>
>>> so this file /etc/named.root.key isn't really used; or am I missing
>>> something?
>>
>> These files are included in both my /etc/named.conf and
>> /usr/share/doc/bind-x.x.x/named.conf.default which I probably used as
>> a template years ago. I'm no dns expert but you'd probably need these
>> files when accessing root servers directly without use of forwarders.
>>
>> I'm also using ddns and have my zone files in
>> /var/named/chroot/var/named/dynamic.
> are you using DDNS in DualStack (IPv4 and IPv6 together) or do you have
> only DHCP or DHCPv6 and not both?
>> Selinux is enabled and I don't see any additional bind-related rules
>> in my local policy or
>> /etc/selinux/targeted/contexts/files/file_contexts.local.
>>
>
> the manpage shows this:
>
> "NOTES
> Red Hat SELinux BIND Security Profile:
>
> By default, Red Hat ships BIND with the most secure SELinux
> policy that will not prevent normal BIND operation and will prevent
> exploitation of all known BIND security vulnerabilities . See the
<snip>
Which assumes that setting selinux to enforcing doesn't break your
websites, or the locally-created root directories that have been created
before an actual sysadmin came onboard, or....
mark
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos
