Allow only temporary zone updates without making them permanent

Grant Taylor gtaylor at tnetconsulting.net
Wed Jun 26 17:25:55 UTC 2019


On 6/26/19 10:46 AM, Lefteris Tsintjelis via bind-users wrote:
> Yes, exactly this. That is the reason I changed the actual zone disk 
> file permissions to root thinking that files would not be modifiable, 
> but bind surprised me there. I did not expect to change the file 
> ownership from root to bind!

I'm surprised at the ownership change too.

It may be dependent on your OS init scripts, perhaps they are changing them.

The only way that I see that BIND, running as something other than root, 
could change them is if the user it's running as has write on the 
directory and deletes & recreates new zone files as itself.  But that 
would surprise me too.

> The problem started with ACME actually as it always messes up my disk 
> zone files and I have to always restore them.

Is the ACME client modifying the zone file(s) directly?  Or is it using 
dynamic DNS (possibly via nsupdate) to request that BIND update the zone(s)?

> I would still like to use something like that in small DDNS zones also, 
> serving just a few IPs only. Non-disk-writable/modifiable zones could 
> perhaps add a small layer of extra security as well.

I'd be surprised if BIND supported a zone that was not persistent 
somewhere.  Maybe it can have an in-memory copy of something it gets via 
zone transfer.  But I have my doubts about that.

I also question the value of such a zone.  What is the use of it?



-- 
Grant. . . .
unix || die
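Added example, not code from the thread or from ISC: the alternative Grant asks about, where the ACME client never touches the zone file on disk but submits its DNS-01 challenge records through dynamic DNS (nsupdate), while BIND's `update-policy` confines the client's TSIG key to TXT records at the challenge name. Assumed names: zone `example.com`, key `acme-key`, key file `/etc/bind/acme.key`, zone file under `/var/cache/bind`.

```shell
#!/bin/sh
# Added example (not from the thread): keep the ACME client out of the zone
# file by giving it a TSIG key that may only add/delete TXT records at
# _acme-challenge.<zone> via nsupdate. Assumed: zone example.com, key
# "acme-key", key file /etc/bind/acme.key, zone file in /var/cache/bind.

ZONE="${ZONE:-example.com}"
KEYNAME="${KEYNAME:-acme-key}"
KEYFILE="${KEYFILE:-/etc/bind/acme.key}"

# named.conf stanza. The zone file sits in named's writable directory so
# named can keep its journal; named.conf and the key file stay root-owned
# and readable by the bind user only. The grant line is the least-privilege
# part: the key may touch TXT at exactly _acme-challenge.<zone>, nothing else.
zone_stanza() {
  cat <<EOF
zone "$ZONE" {
    type master;
    file "/var/cache/bind/db.$ZONE";
    update-policy {
        grant $KEYNAME name _acme-challenge.$ZONE TXT;
    };
};
EOF
}

# nsupdate batch for one challenge: $1 is add or delete, $2 is the token.
# 'update add' needs a TTL; 'update delete' takes none.
nsupdate_batch() {
  case "$1" in
    add)    rr="update add _acme-challenge.$ZONE. 60 IN TXT \"$2\"" ;;
    delete) rr="update delete _acme-challenge.$ZONE. IN TXT \"$2\"" ;;
    *)      echo "usage: nsupdate_batch add|delete token" >&2; return 1 ;;
  esac
  printf 'server 127.0.0.1\nzone %s.\n%s\nsend\n' "$ZONE" "$rr"
}

# Hook for the ACME client: apply_challenge add <token> before validation,
# apply_challenge delete <token> afterwards. Signed with the TSIG key, so
# named accepts it only under the grant above and rewrites the zone itself.
apply_challenge() {
  nsupdate_batch "$1" "$2" | nsupdate -k "$KEYFILE"
}
```

Because named rewrites the zone file from its own in-memory copy on each dynamic update, hand edits to that file are what get lost; keep static records in a separate zone or use `rndc freeze`/`rndc thaw` around any manual edit.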


