On Thu, 2 Jan 2003, Ed Wilts wrote:

> On Thu, Jan 02, 2003 at 01:28:24PM -0600, Gary wrote:
> > On Thu, Jan 02, 2003 at 11:52:08AM -0700 or thereabouts, Craig Cameron wrote:
> > > Hi all, my machine is a Pentium 2/400 running Redhat Linux 7.2, with minimal
> > > install (networking and DNS & Bind).  I've got the DNS configured and it
> > > starts and runs perfectly, but after a certain number of hours (sometimes 2
> > > hours, sometimes 8) it shuts down.  In the log file there is the following
> > > error:
> > 
> > I can only offer dumping BIND, and using djbdns. It runs under
> > daemontools, not xinet.d and is not subject to going down. It *never* goes
> > down by the way it is designed. If you lose power, etc... it just restarts
> > automatically when you are running again.  Djbdns is also easier to
> > config, more secure, etc.. 
> 
> What makes you think bind runs under xinetd?  It does not.  Properly
> configured, bind does not crash.  Restarting after power-loss has
> nothing to do with djbdns or bind - all servers should start when the
> system starts.  As for security, I have yet to see any evidence that
> bind9 is any more or less secure than djbdns.  
> 
>         .../Ed

I think what he meant was that Dan Bernstein does not have the history of
security issues that the ISC does.  Then again, this might partially be a
result of the age of the ISC and the larger number of people inspecting
the ISC software for security holes.

What bothers me is that the RH default hasn't chosen to take advantage of
all the security features that ISC has added to BIND9.  While RH has taken
the time to libcap their NTP daemon and chroot'ing postfix into
/var/spool/postfix, they still leave BIND running with little more than
demoting to a normal user as the only sandboxing.  To run BIND9 the way it
should be run, you should see:

http://www.linuxsecurity.com/docs/LDP/Chroot-BIND-HOWTO.html

Sections 3.0-4.1 (inclusive) can be skipped by changing the Init script
references to /usr/sbin/named instead of /usr/local/sbin/named.


Btw, what is the "Community Ambassador Program" in your sig??



-- 
redhat-list mailing list
unsubscribe mailto:[EMAIL PROTECTED]?subject=unsubscribe
https://listman.redhat.com/mailman/listinfo/redhat-list
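As an added example, not from the HOWTO or from anyone in the thread, here is a POSIX shell script that lays out the chroot jail the HOWTO describes and prints the init-script command line the reply suggests (the stock /usr/sbin/named binary started with -u and -t). The jail path /chroot/named, the unprivileged user "named" and the hint-zone file name are assumptions.

```shell
#!/bin/sh
# Added example: build a chroot skeleton for BIND9 in the spirit of the
# Chroot-BIND HOWTO. The jail path, user name and zone file are assumptions.
set -eu

# Create the directory layout named needs inside the jail.
make_named_jail() {
    jail="$1"
    for d in etc var/named var/run dev; do
        mkdir -p "$jail/$d"
    done
    # named chroots (-t) before reading its config, so every path in
    # named.conf is relative to the jail, not to the real root.
    cat > "$jail/etc/named.conf" <<'EOF'
options {
    directory "/var/named";
    pid-file "/var/run/named.pid";
};
zone "." IN { type hint; file "named.ca"; };
EOF
    cp /etc/localtime "$jail/etc/localtime" 2>/dev/null || true
    # Device nodes and ownership changes need root; only try them as root.
    if [ "$(id -u)" -eq 0 ]; then
        [ -c "$jail/dev/null" ] || mknod -m 666 "$jail/dev/null" c 1 3 \
            || echo "warning: could not create $jail/dev/null" >&2
        [ -c "$jail/dev/random" ] || mknod -m 644 "$jail/dev/random" c 1 8 \
            || echo "warning: could not create $jail/dev/random" >&2
        # Only the directories named must write to belong to the named user.
        chown -R named:named "$jail/var/named" "$jail/var/run" 2>/dev/null || true
    fi
    # Everything else stays root-owned and read-only for the named user.
    chmod 755 "$jail" "$jail/etc" "$jail/var"
    chmod 644 "$jail/etc/named.conf"
}

# The init-script change the reply mentions: start the RH binary
# /usr/sbin/named as the unprivileged user, jailed with -t.
named_start_cmd() {
    jail="$1"
    echo "/usr/sbin/named -u named -t $jail -c /etc/named.conf"
}

# Quick check that the jail holds what named needs before switching to it.
check_named_jail() {
    jail="$1"
    [ -f "$jail/etc/named.conf" ] && [ -d "$jail/var/named" ] && [ -d "$jail/var/run" ]
}
```

The HOWTO additionally has syslogd listen on a socket inside the jail (syslogd -a /chroot/named/dev/log) so named can still log after chrooting.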
