Am 31.07.2014 um 17:41 schrieb /dev/rob0: > On Thu, Jul 31, 2014 at 01:32:03PM +0200, Reindl Harald wrote: >> i am doing reloads of named with "killall -HUP named" just because >> i disabled rndc completly for security reasons and configurations >> are generated with own software only needs named to reload > > Hmm, rndc is securable. You don't have to open it to the Internet; > typically you'd just bind it on 127.0.0.1. Then your rndc key will > further secure it against system users. Your OS can probably give > extra protective layers by firewalling it, such as this Linux > example: > > iptables -vA OUTPUT -p tcp --dport 953 -m owner \ > \! --gid-owner wheel -j REJECT > > (This forces root and other wheel members to "chgrp wheel" before > they can use rndc, as an extra inconvenience.) > > Another option is to use a UNIX domain socket, which, of course > avoids the network altogether.[1] > > You're losing a lot of new features without rndc. This is a > "throwing out the baby with the bathwater" sort of solution. Sure, > this is what you are familiar with and what works for you, but to > disable rndc isn't good advice for readers of this list. ISC is > moving on
don't get me wrong but if someone creates *any* bind configuration and zone-files with self developed software there are no features rndc could provide and so disable something you don't use is the way to go instead make is secure with other switches
signature.asc
Description: OpenPGP digital signature
_______________________________________________ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users