On 6/26/19 10:46 AM, Lefteris Tsintjelis via bind-users wrote:
> Yes, exactly this. That is the reason I changed the actual zone disk file permissions to root, thinking that the files would not be modifiable, but bind surprised me there. I did not expect it to change the file ownership from root to bind!

I'm surprised at the ownership change too.

It may be dependent on your OS init scripts, perhaps they are changing them.

The only way that I see that BIND, running as something other than root, could change them is if the user it's running as has write on the directory and deletes & recreates new zone files as itself. But that would surprise me too.

> The problem started with ACME actually, as it always messes up my disk zone files and I always have to restore them.

Is the ACME client modifying the zone file(s) directly? Or is it using dynamic DNS (possibly via nsupdate) to request that BIND update the zone(s)?

> I would still like to use something like that in small DDNS zones also, serving just a few IPs only. Non-disk-writable/modifiable zones could perhaps add a small layer of extra security as well.

I'd be surprised if BIND supported a zone that was not persistent somewhere. Maybe it can have an in-memory copy of something it gets via zone transfer. But I have my doubts about that.

I also question the value of such a zone. What is the use of it?



--
Grant. . . .
unix || die
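Grant's explanation above, that a daemon running as a non-root user can still replace a root-owned zone file when it has write permission on the directory and creates a new file as itself, is demonstrated below. This is an added example, not code from the thread and not BIND's own code. It uses the write-to-temp-and-rename pattern; that this matches exactly what named does when it rewrites a zone file is an assumption, although unlink-and-recreate has the same effect. The zone content, directory modes and file names are constructed. Because it runs as a single user it shows the replacement (the file is a new inode) rather than the ownership change itself; when the creating process runs as a different uid, the new inode is owned by that uid, which is the root-to-bind change Lefteris saw.

```shell
#!/bin/sh
# Added example, not code from the thread or from BIND: demonstrates the
# mechanism Grant describes (a process with write permission on the zone
# directory replacing a root-owned, read-only zone file by creating a new
# file as itself), plus a check for a directory that is group/other writable.
# Everything runs in a throwaway temp directory; the zone content is made up.
set -eu

# ls -ld mode string, e.g. "drwxrwxr-x" (portable across GNU and BSD ls).
mode_of() {
    ls -ld "$1" | awk '{print $1}'
}

# True (exit 0) when the directory grants write to group or other.
# Unlink, create and rename need write+search on the DIRECTORY; the target
# file's owner and mode are irrelevant, so a root-owned 0444 file in such a
# directory can still be replaced by any process matching those bits.
# (Ownership of the directory by the daemon user, and POSIX ACLs, are not
# checked here; inspect those separately.)
dir_writable_by_group_or_other() {
    m=$(mode_of "$1")
    g=$(printf '%s' "$m" | cut -c6)
    o=$(printf '%s' "$m" | cut -c9)
    [ "$g" = "w" ] || [ "$o" = "w" ]
}

# Inode number of a path ("ls -di" prints "<inode> <name>").
inode_of() {
    ls -di "$1" | awk '{print $1}'
}

# Replace a zone file the way atomic rewrites are usually done: write a new
# file beside it, then rename over the original. The original inode is never
# written to; the new inode is owned by the euid of this process, which is
# how a root-owned file ends up owned by the daemon user. (Unlink followed by
# recreate has the same effect.) Assumed, not verified, to mirror named.
replace_zone_file() {
    f=$1
    tmp="$f.tmp-$$"
    printf '%s\n' '$ORIGIN example.test.' \
        '@ IN SOA ns1 hostmaster 2 3600 900 604800 300' > "$tmp"
    mv -f "$tmp" "$f"
}

# Demo: a 0444 zone file in a group-writable directory (constructed, standing
# in for a deployment where named runs as a non-root user sharing the group).
# Returns 0 if the file was replaced (new inode), 1 if the file survived.
demo_replace_in_writable_dir() {
    d=$(mktemp -d)
    chmod 775 "$d"
    f="$d/example.test.zone"
    printf '%s\n' '; original zone, "protected" only by mode 0444' > "$f"
    chmod 444 "$f"
    before=$(inode_of "$f")
    replace_zone_file "$f"
    after=$(inode_of "$f")
    rm -rf "$d"
    [ "$before" != "$after" ]
}

# Usage when run directly:
if demo_replace_in_writable_dir; then
    echo "read-only zone file was replaced; the directory permissions decide"
fi
```

The practical check on a real server is `ls -ld` on the zone directory compared against the user named runs as (the `-u` option of named, or whatever the init script passes). If that user owns the directory, or matches a group or other write bit, a root-owned file inside it protects nothing. Zones that named must rewrite (dynamically updated zones and their journals) need a writable directory by design; zones that should only ever change by hand are better kept in a separate directory that the named user can read but not write.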



bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
