On Thu, Jul 31, 2014 at 01:32:03PM +0200, Reindl Harald wrote:
> i am doing reloads of named with "killall -HUP named" just because
> i disabled rndc completly for security reasons and configurations
> are generated with own software only needs named to reload
Hmm, rndc is securable. You don't have to open it to the Internet;
typically you'd just bind it on 127.0.0.1. Then your rndc key will
further secure it against system users. Your OS can probably give
extra protective layers by firewalling it, such as this Linux
example:
iptables -vA OUTPUT -p tcp --dport 953 -m owner \
\! --gid-owner wheel -j REJECT
(This forces root and other wheel members to "chgrp wheel" before
they can use rndc, as an extra inconvenience.)
Another option is to use a UNIX domain socket, which, of course
avoids the network altogether.[1]
You're losing a lot of new features without rndc. This is a
"throwing out the baby with the bathwater" sort of solution. Sure,
this is what you are familiar with and what works for you, but to
disable rndc isn't good advice for readers of this list. ISC is
moving on.
See Bv9ARM.ch06.html#controls_statement_definition_and_usage and
rndc-confgen(8).
[1] Unfortunately it is not clear to me how to access the socket
with rndc. The one time I tried it, I gave up and stuck with
that with which I am familiar. ISC moved on, but if the
documentation did, I don't see it. :)
--
http://rob0.nodns4.us/
Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
