Hello,
I (lazily) moved my fc4 config for bind to my fresh fc6 install and.... it doesn't work.... (log message is: /etc:named.conf not found) I have a /etc/named.conf....
Where can I find some bind-fc6 how-to?
Thank you.
François Patte wrote:
> Hello,
> I (lazily) moved my fc4 config for bind to my fresh fc6 install and.... it doesn't work.... (log message is: /etc:named.conf not found) I have a /etc/named.conf....
> Where can I find some bind-fc6 how-to?
your bind nameserver is probably running in a chrooted environment on FC6.
to find out if it is:
1. see if bind-chroot is installed
   # rpm -q bind-chroot
2. also check the content of /etc/sysconfig/named
   if you see ROOTDIR=/var/named/chroot then bind is definitely running in a chroot.
in this case your configs and database files will be looked for relative to the ROOTDIR directory (/var/named/chroot by default) i.e.
/var/named/chroot/etc/named.conf
/var/named/chroot/var/named/example.com.zone (and other zone db files)
/var/named/chroot/...
try copying them there and then restarting the named service
Regards
Stuart
-- 
Stuart Sears RHCA RHCSS RHCX PEBKAC STFU
"Quit worrying about your health. It'll go away." - Robert Orben
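The two checks and the path mapping from the reply above, as a shell sketch added here (not part of any poster's message). The function names are made up for illustration; /etc/sysconfig/named, ROOTDIR and /etc/named.conf come from the thread.

```shell
#!/bin/sh
# Added example: work out where a chrooted named will really look for its files.
# Function names are hypothetical; the sysconfig file and ROOTDIR are from the thread.

# Print the ROOTDIR value set in a sysconfig file (empty if unset or commented out).
named_rootdir() {   # $1 = sysconfig file
    # The last uncommented assignment wins, as it would if the file were sourced.
    sed -n 's/^[[:space:]]*ROOTDIR=//p' "$1" 2>/dev/null | tail -n 1 | tr -d "\"'"
}

# Map a path as named sees it to the real path on the host.
effective_path() {  # $1 = sysconfig file, $2 = path from named's point of view
    root=$(named_rootdir "$1")
    printf '%s%s\n' "${root%/}" "$2"
}

# List the expected files that are missing inside the chroot.
missing_in_chroot() {   # $1 = sysconfig file, remaining args = paths named expects
    cfg=$1; shift
    root=$(named_rootdir "$cfg")
    [ -n "$root" ] || return 0          # no ROOTDIR set: named is not chrooted
    for p in "$@"; do
        [ -e "${root%/}$p" ] || printf '%s\n' "${root%/}$p"
    done
}

# Direct use on a live system: sh thisfile --check
if [ "${1:-}" = "--check" ]; then
    rpm -q bind-chroot                  # first check from the reply
    echo "named.conf is read from: $(effective_path /etc/sysconfig/named /etc/named.conf)"
    missing_in_chroot /etc/sysconfig/named /etc/named.conf
fi
```

Any path printed by `missing_in_chroot` is a file that has to be copied under ROOTDIR before restarting named.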
On Thu 1 February 2007 22:56, Stuart Sears wrote:
> François Patte wrote:
> > Hello,
> > I (lazily) moved my fc4 config for bind to my fresh fc6 install and.... it doesn't work.... (log message is: /etc:named.conf not found) I have a /etc/named.conf....
> > Where can I find some bind-fc6 how-to?
> your bind nameserver is probably running in a chrooted environment on FC6.
> to find out if it is:
> - see if bind-chroot is installed
>   # rpm -q bind-chroot
> - also check the content of /etc/sysconfig/named
>   if you see ROOTDIR=/var/named/chroot then bind is definitely running in a chroot.
> in this case your configs and database files will be looked for relative to the ROOTDIR directory (/var/named/chroot by default) i.e.
> /var/named/chroot/etc/named.conf
> /var/named/chroot/var/named/example.com.zone (and other zone db files)
> /var/named/chroot/...
Thanks a lot! This worked perfectly!
BTW, I am not an expert, what are the advantages to "chroot" bind config? If everybody knows that bind is chrooted and where is the location of the new config files....
-- 
François Patte
Ecole française d'Extrême-Orient
Université Paris 5
http://www.math-info.univ-paris5.fr/~patte
On Fri, 2007-02-02 at 18:10 +0530, François Patte wrote:
> BTW, I am not an expert, what are the advantages to "chroot" bind config? If everybody knows that bind is chrooted and where is the location of the new config files....
The idea is that if someone manages to exploit BIND, it can't mess up the rest of your system, as it's locked in a jail. It's not about protecting BIND from something else.
NB: It's not 100% locked up, people do find ways to break out of chroot jails.
Tim wrote:
> The idea is that if someone manages to exploit BIND, it can't mess up the rest of your system, as it's locked in a jail. It's not about protecting BIND from something else.
> NB: It's not 100% locked up, people do find ways to break out of chroot jails.
True but AFAIK you need root privileges to do this and named drops these as soon as it is chrooted.
The other thing protecting bind by default on FC6 is the SELinux policy. even if an attacker managed to exploit named and break out of the chroot this will constrain what he/she is able to do.
regards
Stuart
-- 
Stuart Sears RHCA RHCSS RHCX PEBKAC STFU
"Quit worrying about your health. It'll go away." - Robert Orben
On Fri, 2007-02-02 at 14:51 +0000, Stuart Sears wrote:
> True but AFAIK you need root privileges to do this and named drops these as soon as it is chrooted.
Why would BIND need root in the first place? It only has to read its own files, it doesn't have to write any system ones.