On 7/31/2014 11:56 AM, Reindl Harald wrote:
Am 31.07.2014 um 17:41 schrieb /dev/rob0:
On Thu, Jul 31, 2014 at 01:32:03PM +0200, Reindl Harald wrote:
i am doing reloads of named with "killall -HUP named" just because
i disabled rndc completly for security reasons and configurations
are generated with own software only needs named to reload
Hmm, rndc is securable. You don't have to open it to the Internet;
typically you'd just bind it on 127.0.0.1. Then your rndc key will
further secure it against system users. Your OS can probably give
extra protective layers by firewalling it, such as this Linux
example:
iptables -vA OUTPUT -p tcp --dport 953 -m owner \
\! --gid-owner wheel -j REJECT
(This forces root and other wheel members to "chgrp wheel" before
they can use rndc, as an extra inconvenience.)
Another option is to use a UNIX domain socket, which, of course
avoids the network altogether.[1]
You're losing a lot of new features without rndc. This is a
"throwing out the baby with the bathwater" sort of solution. Sure,
this is what you are familiar with and what works for you, but to
disable rndc isn't good advice for readers of this list. ISC is
moving on
don't get me wrong but if someone creates *any* bind configuration
and zone-files with self developed software there are no features
rndc could provide and so disable something you don't use is the
way to go instead make is secure with other switches
This thread started with "I need a way to force named to re-scan for
interfaces". Since that *is* a "feature[] that rndc could provide" it
seems like enabling rndc in a secure way is a good fit for the
requirement that was raised.
kill -HUP is way more disruptive than necessary for a mere interface
scan. It's overkill.
- Kevin
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users