rndc

Kevin Darcy kcd at chrysler.com
Thu Jul 31 16:11:40 UTC 2014


On 7/31/2014 11:56 AM, Reindl Harald wrote:
>
> On 31.07.2014 at 17:41, /dev/rob0 wrote:
>> On Thu, Jul 31, 2014 at 01:32:03PM +0200, Reindl Harald wrote:
>>> I am doing reloads of named with "killall -HUP named" just because
>>> I disabled rndc completely for security reasons and configurations
>>> are generated with own software which only needs named to reload
>> Hmm, rndc is securable. You don't have to open it to the Internet;
>> typically you'd just bind it on 127.0.0.1. Then your rndc key will
>> further secure it against system users.  Your OS can probably give
>> extra protective layers by firewalling it, such as this Linux
>> example:
>>
>> iptables -vA OUTPUT -p tcp --dport 953 -m owner \
>> 	\! --gid-owner wheel -j REJECT
>>
>> (This forces root and other wheel members to "chgrp wheel" before
>> they can use rndc, as an extra inconvenience.)
>>
>> Another option is to use a UNIX domain socket, which, of course,
>> avoids the network altogether.[1]
>>
>> You're losing a lot of new features without rndc. This is a
>> "throwing out the baby with the bathwater" sort of solution. Sure,
>> this is what you are familiar with and what works for you, but to
>> disable rndc isn't good advice for readers of this list.  ISC is
>> moving on
> don't get me wrong, but if someone creates *any* bind configuration
> and zone-files with self-developed software there are no features
> rndc could provide, and so disabling something you don't use is the
> way to go instead of making it secure with other switches
This thread started with "I need a way to force named to re-scan for 
interfaces". Since that *is* a "feature[] that rndc could provide" it 
seems like enabling rndc in a secure way is a good fit for the 
requirement that was raised.

kill -HUP is way more disruptive than necessary for a mere interface 
scan. It's overkill.

                                                         - Kevin
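The loopback-bound, key-protected control channel that /dev/rob0 describes, written out as an added named.conf example (not from any poster in the thread); the secret is a constructed placeholder, and the port, allow list and key name are assumptions that match BIND's defaults.

```conf
// named.conf fragment (added example, not from the thread)

// Weak variant, shown commented out: the control channel listens on
// every address and accepts any client, so only the key stands between
// the network and "rndc stop".
// controls {
//     inet * port 953 allow { any; } keys { "rndc-key"; };
// };

// Hardened variant: reachable only from the loopback interface, with an
// explicit allow list and a named key. This is what "bind it on
// 127.0.0.1, then your rndc key further secures it" looks like.
key "rndc-key" {
    algorithm hmac-sha256;
    // Constructed placeholder. Generate a real secret with
    // "rndc-confgen -a" (writes /etc/rndc.key) and paste it here
    // and into the client-side rndc.conf below.
    secret "REPLACE_WITH_rndc-confgen_OUTPUT";
};

controls {
    inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; };
};

// Matching client configuration, /etc/rndc.conf (same placeholder secret):
//
// key "rndc-key" {
//     algorithm hmac-sha256;
//     secret "REPLACE_WITH_rndc-confgen_OUTPUT";
// };
// options {
//     default-key    "rndc-key";
//     default-server 127.0.0.1;
//     default-port   953;
// };
```

With this in place the owner-match iptables rule quoted above adds a third layer, since only the loopback port 953 connection it restricts can ever reach the channel; `rndc reconfig` (or `rndc scan` on versions that have it) then triggers the interface re-scan the original poster asked for without the full zone reload that kill -HUP forces.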
