rndc (was: Re: Reload BIND ...)

/dev/rob0 rob0 at gmx.co.uk
Thu Jul 31 15:41:30 UTC 2014


On Thu, Jul 31, 2014 at 01:32:03PM +0200, Reindl Harald wrote:
> I am doing reloads of named with "killall -HUP named" just because 
> I disabled rndc completely for security reasons and configurations 
> are generated with own software only needs named to reload

Hmm, rndc is securable.  You don't have to open it to the Internet; 
typically you'd just bind it on 127.0.0.1.  Then your rndc key will 
further secure it against system users.  Your OS can probably give 
extra protective layers by firewalling it, such as this Linux 
example:

iptables -vA OUTPUT -p tcp --dport 953 -m owner \
	\! --gid-owner wheel -j REJECT

(This forces root and other wheel members to "chgrp wheel" before 
they can use rndc, as an extra inconvenience.)

Another option is to use a UNIX domain socket, which, of course, 
avoids the network altogether.[1]

You're losing a lot of new features without rndc.  This is a 
"throwing out the baby with the bathwater" sort of solution. Sure, 
this is what you are familiar with and what works for you, but to
disable rndc isn't good advice for readers of this list.  ISC is 
moving on.

See Bv9ARM.ch06.html#controls_statement_definition_and_usage and
rndc-confgen(8).


[1] Unfortunately it is not clear to me how to access the socket
    with rndc.  The one time I tried it, I gave up and stuck with
    that with which I am familiar.  ISC moved on, but if the
    documentation did, I don't see it. :)
-- 
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
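An added example, not part of the post above or of ISC's own code: a constructed named.conf controls statement with the weak settings next to one bound to 127.0.0.1 with an rndc key, plus a small audit function (my own, not a BIND tool) that flags the weak settings. The key secret is a placeholder to be replaced by rndc-confgen output.

```python
import re

# Constructed named.conf "controls" statements (not taken from the post).
# Weak: bound to every interface, any client allowed, no key required.
WEAK_CONTROLS = """
controls {
    inet * port 953 allow { any; };
};
"""
# Hardened: loopback only, loopback clients only, shared rndc key required.
# The secret is a placeholder; generate a real one with "rndc-confgen -a".
HARDENED_CONTROLS = """
key "rndc-key" { algorithm hmac-sha256; secret "PLACEHOLDER-FROM-rndc-confgen"; };
controls {
    inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; };
};
"""
# One "inet <addr> [port N] allow { ... } [keys { ... }];" control channel.
INET_RE = re.compile(
    r"inet\s+(?P<addr>\S+)(?:\s+port\s+\d+)?"
    r"\s+allow\s*\{(?P<allow>[^}]*)\}"
    r"(?:\s*keys\s*\{(?P<keys>[^}]*)\})?\s*;"
)

def controls_block(conf):
    # Text inside controls { ... }, found by matching nested braces.
    start = re.search(r"\bcontrols\s*\{", conf)
    if start is None:
        return None
    depth = 0
    for i in range(start.end() - 1, len(conf)):
        depth += {"{": 1, "}": -1}.get(conf[i], 0)
        if depth == 0:
            return conf[start.end():i]
    return None

def audit_controls(conf):
    # Weaknesses of each inet control channel; an empty list means none found.
    block = controls_block(conf)
    if block is None:
        return ["no controls statement; named falls back to its defaults"]
    findings = []
    for m in INET_RE.finditer(block):
        addr = m.group("addr")
        clients = [t.strip(";") for t in m.group("allow").split()]
        if addr in ("*", "0.0.0.0", "::"):
            findings.append(f"inet {addr}: bound to all interfaces")
        if "any" in clients:
            findings.append(f"inet {addr}: allow list admits any client")
        if not (m.group("keys") or "").strip():
            findings.append(f"inet {addr}: no keys clause, so no authentication")
    return findings
```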


More information about the bind-users mailing list