Enable systemd hardening options for named

Reindl Harald h.reindl at thelounge.net
Tue Jan 16 10:58:39 UTC 2018

Am 16.01.2018 um 11:46 schrieb Tony Finch:
> Robert Edmonds <edmonds at mycre.ws> wrote:
>> I would guess that retaining CAP_NET_BIND_SERVICE and CAP_SYS_RESOURCE
>> during the process runtime permits open-ended reloading of the config at
>> runtime (e.g., binding to a new IP address on port 53 without needing to
>> restart the daemon).
> BIND since 9.10 listens on the routing socket so it can spot network
> interfaces coming and going automatically, without needing an explicit
> `rndc reconfig` or `rndc scan`. This works very nicely with `keepalived` -
> I use it for failover in my production resolver cluster.
> (I avoid systemd: journald makes it so difficult to get logs out that I
> get angry every time I encounter it, and systemd has a habit of believing
> that a service is working when it isn't. I've had enough pain in test
> environments that I don't want to use it in production.)

well, complete infrastructure running from 2011 until now with systemd

especially the journald problem is nonsense - just configure rsyslog as 
all the years before but with less hidden messages because you have 
eraly boot from second one and stdout/stderr of services also relieable 

[root at srv-rhsoft:~]$ cat /etc/systemd/journald.conf

[root at srv-rhsoft:~]$ cat rsyslog.conf
#### MODULES ####
$ModLoad imjournal
$MainMsgQueueSize 100000
$WorkDirectory /var/lib/rsyslog
$IMJournalStateFile imjournal.state

More information about the bind-users mailing list