Re: bind vs. bind-chroot




On 04/13/2017 03:15 AM, Robert Moskowitz wrote:


On 04/13/2017 04:23 AM, Alice Wonder wrote:
On 04/13/2017 01:05 AM, Nicolas Kovacs wrote:
On 13/04/2017 at 04:27, Robert Moskowitz wrote:
But make sure to have SELinux enabled if you do not run it chrooted.

I have mine running that way.

I bluntly admit not using SELinux, because until now, I mainly used more
bone-headed systems that didn't implement it. Maybe this is the right
time to get started.

I understand there's a wealth of information about SELinux. Any
recommendations for a newbie-friendly primer? I don't mind to RTFM, even
extensive documentation, but I prefer stuff that's well-written.

Cheers,

Niki


I don't use SELinux because it gets in my way far more than it ever
actually protects me from anything.

I'm sure there are systems where it absolutely is necessary, but I
don't like to have stuff fail because I used mv instead of cp to
install a certificate, for example.

I need to do DNSSEC next; got to bother Mark Andrew over at ISC, did not
get to sit down with him on this at IETF.  So I don't know what certs I
will need as yet.  For my mailserver, I am using self-signed, and see my
Apache setup, towards the end, how I create a set of certs:

http://medon.htt-consult.com/Centos7-mailserver.html#Setting%20up%20Apache

I had some help on this from the OpenSSL list.


For authoritative DNS I also do not use chroot but authoritative DNS
is all those servers do, and I use zones signed externally via DNSSEC
(no private keys on the server)

Something to consider, but I would do it on one of my internal systems.
Not a third party; why should I trust them?  Unless they are providing a
full DNS PKI service.



I meant DNSSEC signing is done externally to the authoritative DNS.

I do the signing myself. Point being if someone hacked my authoritative DNS server, they could not alter my zone files in a way DNSSEC enforcing resolvers would accept because the signing keys are not there.
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos
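The arrangement described in the last message above (signing keys kept on a separate host, only the signed zone copied to the authoritative server) as an added example, not code from the thread or from ISC. It assumes BIND's dnssec-keygen, dnssec-signzone and dnssec-verify are installed on the signing host, uses a constructed example.com zone with illustrative addresses, and simulates the compromised authoritative server by editing an A record in the signed file; the ECDSAP256SHA256 algorithm choice and the file layout are assumptions of the example.

```shell
#!/bin/sh
# Added example: offline DNSSEC signing with BIND tools. Everything here runs
# on the signing host; only db.$ZONE.signed is copied to the auth server.
# Assumed zone name, addresses and key algorithm are illustrative.
set -eu

ZONE=example.com

# True if the BIND DNSSEC utilities are available on this host.
have_tools() {
    command -v dnssec-keygen  >/dev/null 2>&1 &&
    command -v dnssec-signzone >/dev/null 2>&1 &&
    command -v dnssec-verify  >/dev/null 2>&1
}

# Write a constructed minimal zone file to $1/db.$ZONE.
make_zone() {
    cat > "$1/db.$ZONE" <<EOF
\$TTL 3600
\$ORIGIN $ZONE.
@       IN SOA  ns1.$ZONE. hostmaster.$ZONE. ( 2017041301 7200 900 1209600 3600 )
@       IN NS   ns1.$ZONE.
ns1     IN A    192.0.2.1
www     IN A    192.0.2.10
EOF
}

# Generate a KSK and a ZSK into $1/keys. The K*.private files stay here and
# are never copied to the authoritative server.
make_keys() {
    mkdir -p "$1/keys"
    dnssec-keygen -K "$1/keys" -a ECDSAP256SHA256 -f KSK -n ZONE "$ZONE" >/dev/null
    dnssec-keygen -K "$1/keys" -a ECDSAP256SHA256 -n ZONE "$ZONE" >/dev/null
}

# Smart-sign the zone with the keys in $1/keys; the output file
# $1/db.$ZONE.signed is the only artifact the auth server needs.
sign_zone() {
    dnssec-signzone -S -K "$1/keys" -d "$1" -o "$ZONE" -N increment \
        -f "$1/db.$ZONE.signed" "$1/db.$ZONE" >/dev/null
}

# Return 0 only if every RRset in the signed file $1 has a valid RRSIG
# chaining to the zone's DNSKEY RRset.
verify_zone() {
    dnssec-verify -o "$ZONE" "$1" >/dev/null 2>&1
}

# Simulate an attacker with write access to the auth server: change www's
# address in the signed zone $1, writing $2, without being able to re-sign.
tamper_zone() {
    sed 's/192\.0\.2\.10/198.51.100.7/' "$1" > "$2"
}

# Full round trip: the signed zone validates, the tampered copy does not.
run_demo() {
    work=$(mktemp -d)
    make_zone "$work"
    make_keys "$work"
    sign_zone "$work"
    if ! verify_zone "$work/db.$ZONE.signed"; then
        echo "signed zone failed to validate" >&2; return 1
    fi
    echo "signed zone validates"
    tamper_zone "$work/db.$ZONE.signed" "$work/tampered.signed"
    if verify_zone "$work/tampered.signed"; then
        echo "tampered zone validated: something is wrong" >&2; return 1
    fi
    echo "tampered zone rejected (no signing key on the auth server)"
    # Publishing step, not run here: rsync "$work/db.$ZONE.signed" to the
    # authoritative server's zone directory and rndc reload there.
    rm -rf "$work"
}

if have_tools; then
    run_demo
else
    echo "BIND dnssec-keygen/dnssec-signzone/dnssec-verify not installed" >&2
fi
```

Two caveats the thread does not mention: dnssec-signzone gives RRSIGs a limited validity window (30 days by default), so the offline signing run has to be repeated and the result pushed before the signatures expire, and an attacker on the authoritative server can still serve an older but still-valid signed copy of the zone within that window. The keys also have to stay off the auth server in practice, which means not keeping a copy of the signing directory there for convenience.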



