End of bind-chroot-admin script

Paul Wouters paul at xelerance.com
Fri Nov 7 23:52:10 UTC 2008


On Fri, 7 Nov 2008, David Woodhouse wrote:

> On Fri, 2008-11-07 at 13:09 +0100, Adam Tkac wrote:
>> The bind-chroot-admin script should sync BIND configuration files to
>> the chroot() directory. It was written with good intention but it has
>> never worked correctly in all situations. There is a long history with
>> many broken configurations and urgent severity bugs.
>>
>> I'm going to remove this script from Fedora 11 (it is part of Fedora/RHEL
>> only, no other distro uses it). After removal, a "standard" chroot
>> structure will be created when you install the bind-chroot package. It
>> will contain all needed files for running named in a chroot but the admin
>> shall move needed configuration files to the chroot manually. Do you have
>> any comments?

I'd rather see something replace it. For unbound, another caching resolver
with chroot (which got pushed in the repository a few days ago), the
same problem is solved by copying/linking/mounting files in the
chroot via the init script.

Updating the chroot becomes important for shipping DNSSEC keys via a package.
I am putting in a review request today for a new package 'dnssec-keys'
that allows people to easily enable/disable DNSSEC and preload the proper
keys for active TLDs. Things should get easier once the root is signed.

I was about to look at bind, since the DNSSEC key format for unbound and
bind is the same, so I am using one include file that will work on both
nameservers, once they copy it into their chroot environment.

Have a look at the unbound method, and see if that is something that could
also work for named?

Paul
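
The approach mentioned in the message above, copying files into the chroot from the init script, could look like the following. This is an added example, not part of the original post and not the unbound or bind init script; the function name and all paths are hypothetical.

```shell
#!/bin/sh
# Added example: keep selected files (e.g. a shared DNSSEC key include)
# in sync inside a daemon's chroot, run as root before the daemon starts.
# sync_into_chroot CHROOT_DIR FILE...
# Returns 0 if every file is in sync, 1 if any was refused, 2 on a bad chroot.
sync_into_chroot() {
    chroot_dir=$1; shift
    rc=0
    case $chroot_dir in
        /*) ;;
        *) echo "chroot must be an absolute path: $chroot_dir" >&2; return 2 ;;
    esac
    [ -d "$chroot_dir" ] || { echo "no such chroot: $chroot_dir" >&2; return 2; }
    for src in "$@"; do
        case $src in
            /*) ;;
            *) echo "skipping $src: not an absolute path" >&2; rc=1; continue ;;
        esac
        # Accept only regular files; a symlinked source could pull an
        # unintended file into the jail.
        if [ -L "$src" ] || [ ! -f "$src" ]; then
            echo "skipping $src: not a regular file" >&2; rc=1; continue
        fi
        dst=$chroot_dir$src
        dst_dir=${dst%/*}
        # Refuse to write through a symlinked parent directory inside the
        # chroot (only the immediate parent is checked here).
        if [ -L "$dst_dir" ]; then
            echo "refusing $dst: parent directory is a symlink" >&2; rc=1; continue
        fi
        mkdir -p "$dst_dir" || { rc=1; continue; }
        # Nothing to do when the copy in the chroot is already identical.
        if [ -f "$dst" ] && cmp -s "$src" "$dst"; then continue; fi
        # Copy to a temporary name and rename, so the daemon never reads a
        # half-written file and an existing symlink at $dst is replaced
        # rather than followed.
        tmp=$dst.tmp.$$
        if cp -p "$src" "$tmp" && mv -f "$tmp" "$dst"; then
            echo "updated $dst"
        else
            rm -f "$tmp"; rc=1
        fi
    done
    return $rc
}
# Hypothetical call from an init script's start section:
#   sync_into_chroot /path/to/chroot /etc/example/dnssec-keys.conf
```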
