Enable systemd hardening options for named
dot at dotat.at
Tue Jan 16 10:46:50 UTC 2018
Robert Edmonds <edmonds at mycre.ws> wrote:
> I would guess that retaining CAP_NET_BIND_SERVICE and CAP_SYS_RESOURCE
> during the process runtime permits open-ended reloading of the config at
> runtime (e.g., binding to a new IP address on port 53 without needing to
> restart the daemon).
BIND since 9.10 listens on the routing socket so it can spot network
interfaces coming and going automatically, without needing an explicit
`rndc reconfig` or `rndc scan`. This works very nicely with `keepalived` -
I use it for failover in my production resolver cluster.
(I avoid systemd: journald makes it so difficult to get logs out that I
get angry every time I encounter it, and systemd has a habit of believing
that a service is working when it isn't. I've had enough pain in test
environments that I don't want to use it in production.)
f.anthony.n.finch <dot at dotat.at> http://dotat.at/ - I xn--zr8h punycode
Portland: West 7 to severe gale 9. Rough or very rough, becoming high in
southwest. Squally showers. Good, occasionally moderate.
More information about the bind-users