Restarting bind remotely

Dickon Newman dnewman at skylan.net
Thu Nov 6 13:49:07 UTC 2003


Damn....you're right.  I stopped named completely, and then restarted, and
now ndc is owned as root again!  The mod looks like 600 so only root can use
it?  I'm sure this has security benefits, but it doesn't appear to help me
in this situation.  Arg...

Is there some way to control the access rights on ndc when named starts?

Dickon...

----- Original Message ----- 
From: "Dave Spenceley" <ds at dspen.com>
To: "Dickon Newman" <dnewman at skylan.net>
Sent: Thursday, November 06, 2003 8:43 AM
Subject: Re: Restarting bind remotely


> /var/run/ndc is created whenever named is started.....
>
> Check that restarting named doesn't break your strategy....
>
> Better to ensure named is started as named user/group & add
> your ssh user to named group.
>
> HTH, Dave
>
> On Thursday 06 November 2003 1:38 pm, Dickon Newman wrote:
> > I thank you all for your input.  The solution has been
> > found.  I had already set an ssh tunnel (of sorts) from
> > the one name server to the other three before redoing
> > this sync setup.
> >
> > All I did was change it from a stop/start approach to
> > using the ndc reload. It is much nicer.
> >
> > The only thing I had to do was change the ownership for
> > /var/run/ndc so that my non-root user could use it.
> >
> > Dickon...
> >
> > ----- Original Message -----
> > From: "Kevin Darcy" <kcd at daimlerchrysler.com>
> > To: <bind-users at isc.org>
> > Sent: Wednesday, November 05, 2003 5:45 PM
> > Subject: Re: Restarting bind remotely
> >
> > > Mark_Andrews at isc.org wrote:
> > > >>BIND 8's "ndc" command supports "reload" and "reload
> > > >> <zone>". Unlike "rndc", you can't run it directly
> > > >> from another box, but there's always ssh...
> > > >
> > > > Actually you can run ndc remotely.  It is just not
> > > > the default configuration.
> > >
> > > True, but I've never even considered that option, since
> > > source-address-based authentication is pretty weak. I
> > > suppose if you're using IPSEC or whatever...
> > >
> > >
> > >                                              - Kevin
> > >
> > > >>Or, as I suggested before, just use a standard
> > > >> master/slave arrangement (optionally supplemented
> > > >> with "also-notify" if you need faster propagation of
> > > >> changes).
> > > >>
> > > >>
> > > >>                                             - Kevin
> > > >>
> > > >>Dickon Newman wrote:
> > > >>>What's the best solution if we assume that I am
> > > >>> restricted to using BIND version 8.3.6?
> > > >>>
> > > >>>Dickon...
> > > >>>
> > > >>>----- Original Message -----
> > > >>>From: "Kevin Darcy" <kcd at daimlerchrysler.com>
> > > >>>To: <bind-users at isc.org>
> > > >>>Sent: Wednesday, November 05, 2003 2:44 PM
> > > >>>Subject: Re: Restarting bind remotely
> > > >>>
> > > >>>>If you have many zones, then that's an even
> > > >>>> *stronger* reason to avoid full reloads -- do you
> > > >>>> really want your nameserver tied up reloading
> > > >>>> unchanged zones?
> > > >>>>
> > > >>>>I would expect that your master knows which zones
> > > >>>> have changed and which have not, so why not have it
> > > >>>> issue the "rndc reload <zone>"s right after the rsync?
> > > >>>>
> > > >>>>Or, even better, why not just use regular,
> > > >>>> DNS-standards-defined zone transfers? rsync isn't
> > > >>>> necessarily the best solution for  *every*
> > > >>>> data-propagation requirement...
> > > >>>>
> > > >>>>
> > > >>>>                                               - Kevin
> > > >>>>
> > > >>>>Dickon Newman wrote:
> > > >>>>>Well...we host many zones (please forgive my
> > > >>>>> newb-ness)...wouldn't this be a pain to have a
> > > >>>>> script recognize which zone had changed and
> > > >>>>> initiate a zone change for that particular zone?
> > > >>>>>
> > > >>>>>Please keep in mind that I want to make this as
> > > >>>>> simple as possible for my co-workers who make quite
> > > >>>>> a few dns changes each day.
> > > >>>>>
> > > >>>>>Dickon...
> > > >>>>>
> > > >>>>>----- Original Message -----
> > > >>>>>From: "Kevin Darcy" <kcd at daimlerchrysler.com>
> > > >>>>>To: <bind-users at isc.org>
> > > >>>>>Sent: Wednesday, November 05, 2003 2:16 PM
> > > >>>>>Subject: Re: Restarting bind remotely
> > > >>>>>
> > > >>>>>>Dickon Newman wrote:
> > > >>>>>>>Dear List,
> > > >>>>>>>I've tried searching online for a resolution to
> > > >>>>>>> save having to bug you.. However, I haven't had
> > > >>>>>>> much luck.
> > > >>>>>>>
> > > >>>>>>>I have 4 primary DNS servers in various
> > > >>>>>>> locations.  They are FreeBSD based with Bind 8.3.6.
> > > >>>>>>>
> > > >>>>>>>What I want to be able to do is make dns changes
> > > >>>>>>> on one box, then run a script to make the changes
> > > >>>>>>> active on all 4 boxes.
> > > >>>>>>>
> > > >>>>>>>I WAS using rsync to copy these files, which is
> > > >>>>>>> no problem.  But I don't know the best way to
> > > >>>>>>> restart named.  I WAS stopping, and then
> > > >>>>>>> restarting the process.  I don't want to do this
> > > >>>>>>> anymore.
> > > >>>>>>>
> > > >>>>>>>Can anyone please offer some insight on what I
> > > >>>>>>> should do?
> > > >>>>>>
> > > >>>>>>Why do you need to do a full restart? Generally
> > > >>>>>> "reload <zone>" for each changed zone is sufficient.
> > > >>>>>> You can do that remotely by upgrading to BIND 9 and
> > > >>>>>> using the "rndc" utility.
> > > >>>>>>
> > > >>>>>>
> > > >>>>>>                                        - Kevin
> > > >
> > > >--
> > > >Mark Andrews, Internet Software Consortium
> > > >1 Seymour St., Dundas Valley, NSW 2117, Australia
> > > >PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews at isc.org
>
>
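The thread settles on two points: reload only the zones that changed after the rsync, by having the master issue per-zone reloads over ssh (Kevin's suggestion), and let a non-root ssh login use the ndc control channel by running named as the named user/group and putting that login in the named group (Dave's advice) rather than chown-ing /var/run/ndc after every restart. The script below is an added example, not code from the thread or from ISC; it assumes one zone file per zone in `$ZONEDIR` named after the zone, a state file of saved checksums, the hypothetical hostnames `ns2`/`ns3`/`ns4.example.net`, a remote login already in the named group, and `ndc` on the remote PATH. It defaults to a dry run that prints the commands it would send.

```shell
#!/bin/sh
# Added example (not from the bind-users thread): after rsync-ing zone files,
# reload only the zones whose files changed, over ssh, with BIND 8's
# "ndc reload <zone>".  All paths, hostnames and the layout "one file per
# zone, named after the zone" are assumptions of this example.  The remote
# ssh user is assumed to be in the named group so it may open /var/run/ndc.

ZONEDIR=${ZONEDIR:-/etc/namedb/primary}
STATE=${STATE:-/var/db/zone-sums.txt}
SERVERS=${SERVERS:-"ns2.example.net ns3.example.net ns4.example.net"}
DRY_RUN=${DRY_RUN:-1}      # 1 = print the ndc commands instead of running ssh

# zone_sums DIR: print "crc:size zone" for every regular file in DIR, sorted by zone.
zone_sums() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        printf '%s %s\n' "$(cksum "$f" | awk '{print $1 ":" $2}')" "$(basename "$f")"
    done | sort -k2
}

# changed_zones OLD NEW: print the zones whose checksum differs between the two
# listings, plus zones that only appear in NEW.  FILENAME==ARGV[1] rather than
# NR==FNR, so an empty OLD (first run) correctly reports every zone as changed.
# Zones that vanished are not printed: removing a zone needs a named.conf edit
# and a full reload, which "ndc reload <zone>" cannot do.
changed_zones() {
    awk 'FILENAME == ARGV[1] { old[$2] = $1; next }
         !($2 in old) || old[$2] != $1 { print $2 }' "$1" "$2"
}

# reload_zones SERVER ZONE...: one "ndc reload <zone>" per changed zone on SERVER.
reload_zones() {
    server=$1; shift
    for zone in "$@"; do
        if [ "$DRY_RUN" = 1 ]; then
            echo "would run: ssh $server ndc reload $zone"
        else
            ssh "$server" ndc reload "$zone"
        fi
    done
}

# Driver: compare current checksums with the saved ones, push the per-zone
# reloads to every secondary, then save the new checksums for next time.
main() {
    [ -d "$ZONEDIR" ] || { echo "no zone dir $ZONEDIR (nothing to do)"; return 0; }
    new=$(mktemp -t zonesums.XXXXXX); zone_sums "$ZONEDIR" > "$new"
    [ -f "$STATE" ] || : > "$STATE"
    set -- $(changed_zones "$STATE" "$new")
    for s in $SERVERS; do reload_zones "$s" "$@"; done
    mv "$new" "$STATE"
}

# Constructed demo data: two checksum listings where example.net changed and
# example.org is new; prints the zones that would be reloaded.
demo_changed() {
    old=$(mktemp -t zonesums.XXXXXX); new=$(mktemp -t zonesums.XXXXXX)
    printf '1111:50 example.com\n2222:60 example.net\n' > "$old"
    printf '1111:50 example.com\n9999:61 example.net\n3333:40 example.org\n' > "$new"
    echo $(changed_zones "$old" "$new")      # prints: example.net example.org
    rm -f "$old" "$new"
}

if [ "${1:-}" = "--run" ]; then main; fi
```

Run it as `sh reload-changed.sh --run` from the master after the rsync; set `DRY_RUN=0` once the dry-run output looks right. Because the checksum state is kept on the master, the secondaries need nothing beyond the ssh login and group membership, and no file under /var/run changes ownership.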