First, thank you a lot everybody, I didn't expect to get several detailed e-mails like that. I now need to merge all of your ideas and propose a new version of the config file.

However, I answer first to Tony, because I have a remark below:

2018-01-15 19:15 GMT+01:00 Tony Finch <d...@dotat.at>:
> Ludovic Gasc <gml...@gmail.com> wrote:
> >
> > 1. The list of minimal capabilities needed for bind to run correctly:
> > http://man7.org/linux/man-pages/man7/capabilities.7.html
>
> named already drops capabilities - have a look at the code around here:
> https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=blob;f=bin/named/unix/os.c;hb=v9_11_2#l234
>
> Note that it's a bit clever - the privileges are dropped in two stages,
> right at the start, and after the server has been configured.

One of the motivations behind systemd is to have all daemonization features (start as root and drop rights to run as a normal user, chroot, background processes...) outside the daemon itself, to reduce the security risk, share the same code for daemonization and reduce the complexity of each daemon.
In the specific case of bind, it already has these features, and bind runs on OSes where you don't have systemd. As you said, I don't think it hurts if it's done two times; I don't know yet, I will experiment.

> Tony.
> --
> f.anthony.n.finch <d...@dotat.at> http://dotat.at/ - I xn--zr8h punycode
> Southeast Iceland: Westerly 6 to gale 8, veering northwesterly 4 or 5 later,
> occasionally severe gale 9 at first in south. Very rough in north, otherwise
> high, occasionally very high in far south. Snow showers. Good occasionally
> poor.
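As an added illustration of the systemd-side approach discussed in this message (not the poster's config and not an ISC file), a unit fragment that moves the privilege drop and filesystem confinement into the service manager, so the daemon is started directly as an unprivileged account and only receives the capabilities it needs. The binary path, the `named` user and group, the config and data paths and the exact capability set are assumptions chosen for the example.

```ini
# Added example: hardened systemd unit for a DNS daemon, illustrating
# "daemonization outside the daemon". Not the original poster's config.
# Paths, user/group and capability set are assumptions for illustration.
[Unit]
Description=BIND DNS server (illustrative hardened unit)
After=network.target

[Service]
Type=simple
# Start directly as the unprivileged service account, so no in-daemon setuid is needed.
User=named
Group=named
# -f keeps named in the foreground so systemd, not named, handles backgrounding.
ExecStart=/usr/sbin/named -f -c /etc/named.conf
# Only the capability needed to bind port 53 survives in the bounding set.
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
# Ambient capabilities let a process that is not root actually use it.
AmbientCapabilities=CAP_NET_BIND_SERVICE
# Block privilege gain through setuid binaries or file capabilities.
NoNewPrivileges=yes
# Filesystem confinement: read-only system, private /tmp, writable zone dir only.
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
PrivateDevices=yes
ReadWritePaths=/var/named
# /run/named for the PID file, created and owned for the service user by systemd.
RuntimeDirectory=named
# Kernel attack-surface reduction.
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes
RestrictNamespaces=yes
LockPersonality=yes
SystemCallArchitectures=native
# AF_NETLINK is kept because interface enumeration (getifaddrs) uses it on Linux.
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX AF_NETLINK

[Install]
WantedBy=multi-user.target
```

Because named is never root here, its own two-stage capability drop in os.c runs in a different starting state than under a classic root launch; `systemd-analyze security named.service` reports the exposure the unit achieves, and the interaction of the two layers is what has to be tested before adopting such a unit.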