BIND less restrictive modes and policy

[Andrew Farris]

Enrico Scholz wrote:
> Adam Tkac <atkac at redhat.com> writes:
> 
>> Also complete /var/named/* subtree will be writable by named
> 
> This is bad. Only the slaves/ and data/ (for DDNS) dirs must be writable.
> pz/ and the other parts of the chroot filesystem must be read-only for
> named.

And why exactly is that?  Any reference or reason?  What becomes exploitable if 
that is changed?

-- 
Andrew Farris <lordmorgul at gmail.com> <ajfarris at gmail.com>
  gpg 0xC99B1DF3 fingerprint CDEC 6FAD BA27 40DF 707E A2E0 F0F6 E622 C99B 1DF3
No one now has, and no one will ever again get, the big picture. - Daniel Geer
----                                                                       ----