rndc

Reindl Harald h.reindl at thelounge.net
Thu Jul 31 15:56:08 UTC 2014



On 31.07.2014 at 17:41, /dev/rob0 wrote:
> On Thu, Jul 31, 2014 at 01:32:03PM +0200, Reindl Harald wrote:
>> I am doing reloads of named with "killall -HUP named" just because 
>> I disabled rndc completely for security reasons and configurations 
>> are generated with my own software, which only needs named to reload
> 
> Hmm, rndc is securable. You don't have to open it to the Internet; 
> typically you'd just bind it on 127.0.0.1. Then your rndc key will 
> further secure it against system users.  Your OS can probably give 
> extra protective layers by firewalling it, such as this Linux 
> example:
> 
> iptables -vA OUTPUT -p tcp --dport 953 -m owner \
> 	\! --gid-owner wheel -j REJECT
> 
> (This forces root and other wheel members to "chgrp wheel" before 
> they can use rndc, as an extra inconvenience.)
> 
> Another option is to use a UNIX domain socket, which, of course 
> avoids the network altogether.[1]
> 
> You're losing a lot of new features without rndc. This is a 
> "throwing out the baby with the bathwater" sort of solution. Sure, 
> this is what you are familiar with and what works for you, but to
> disable rndc isn't good advice for readers of this list.  ISC is 
> moving on

Don't get me wrong, but if someone creates *any* bind configuration
and zone files with self-developed software, there are no features
rndc could provide, and so disabling something you don't use is the
way to go instead of making it secure with other switches.
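For readers who do want rndc, here is an added example (not posted by either participant in the thread) of the locked-down setup /dev/rob0 describes: the control channel listens only on the loopback address and every request must be signed with a shared key. The file paths, the key name "rndc-key" and the placeholder secret are assumptions; the real secret should come from `rndc-confgen -a`, which writes the key file for you.

```conf
# /etc/named.conf (assumed path) -- server side.
# The key file is written by "rndc-confgen -a"; including it here makes
# the key named "rndc-key" known to named.
include "/etc/rndc.key";

controls {
    # Listen on loopback only: port 953 is never reachable from the network.
    inet 127.0.0.1 port 953
        # Address ACL: only loopback sources may even open the connection.
        allow { 127.0.0.1; }
        # Every command must be signed with this key, so a local user who
        # cannot read the key file cannot drive named even over loopback.
        keys { "rndc-key"; };
};

# /etc/rndc.conf (assumed path) -- client side, must use the same key.
include "/etc/rndc.key";

options {
    default-key    "rndc-key";
    default-server 127.0.0.1;
    default-port   953;
};

# /etc/rndc.key (assumed path) -- the shared secret itself.
# The secret below is a placeholder, not a real key; use the one
# rndc-confgen generates.  Keep this file readable only by root and the
# named user (e.g. mode 0640, owner root, group named), otherwise the
# key protects nothing against other local users.
key "rndc-key" {
    algorithm hmac-sha256;
    secret    "REPLACE-WITH-THE-SECRET-FROM-rndc-confgen";
};
```

The `allow` ACL alone only restricts by source address, so on a multi-user host any local process could still connect; the `keys` clause is what turns that into "only whoever can read /etc/rndc.key", which is the point made above. The iptables owner-match rule quoted earlier is an additional, independent layer on top of this, not a replacement for the key.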
