Re: Proper way to run bind9
From: Doug Barton (DougB_at_FreeBSD.org)
Date: 09/25/04
- Previous message: Hannes Mehnert: "5.3 IPSEC broken"
- In reply to: Sean McNeil: "Re: Proper way to run bind9"
- Next in thread: Sean McNeil: "Re: Proper way to run bind9"
- Reply: Sean McNeil: "Re: Proper way to run bind9"
- Reply: Juha Saarinen: "Re: Proper way to run bind9"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Date: Sat, 25 Sep 2004 00:44:35 +0100 (BST)
To: Sean McNeil <sean@mcneil.com>
On Fri, 24 Sep 2004, Sean McNeil wrote:
> On Fri, 2004-09-24 at 14:27, Doug Barton wrote:
>> On Fri, 24 Sep 2004, Dag-Erling Smørgrav wrote:
>>
>>> Grover Lines <grover@ceribus.net> writes:
>>>> named_pidfile="/var/run/named/pid" # Must set this in named.conf as well
>>> ^^^^^^^^^^^^^^^^^^
>>> should be /var/run/named.pid, fixed in CVS.
>>>
>>> DES
>>>
>>
>> It's actually not named.pid in our structure. As explained in the note
>> behind the variable, we set the pid-file variable in named.conf so that
>> named running with -u bind (but not chrooted) will still be able to
>> drop a pid file in /var/run/named, which is chowned to user bind.
>
> This is currently not correct in some files (i.e.
> /etc/defaults/rc.conf).
DES made an honest mistake in rc.conf. I was waiting for him to back it
out himself, but apparently he's off having a life or something. :) I
went ahead and fixed it a bit ago.
You mentioned "some files," do you know of anywhere else that it is not
correct?
> Also, the /etc/rc.d/named script will do an
>
> ln -fs "${named_chrootdir}${pidfile}" ${pidfile}
>
> if named_symlink_enable is set (which is by default). Please protect
> this with
>
> if [ -n "$named_chrootdir" ]; then
On my system this fails harmlessly, but you're right, it shouldn't be
run if there is no chroot. I'll commit a fix for this in a second.
> for those who do not have a chrootdir. Otherwise we end up with a
> recursive link.
Actually the final result of this situation depends on the configuration
options. But you're right, this bullet should be removed from the
foot-shooting gun.
>> To answer Grover's question, it really depends on what you want to use
>> it for. The system named.conf will run fine for bind 9 as a resolver,
>> now that the /etc/rc.d/named script has been updated to create an
>> rndc.key file if one doesn't exist.
>
> This is broken too. If named_chrootdir isn't set, then confgen_chroot
> doesn't get set and it messes up the invocation of rndc-confgen. I
> think taking the "" off of the ${confgen_chroot} will solve this but I'm
> not sure.
Only broken for the non-chroot case. :) You're right about the fix
though, I committed the wrong version when I was testing it last night.
Thanks for the bug report.
>> If all you want to do is start up named as a resolver,
>> named_enable="yes" is all you need. You don't need to specify the conf
>> file to run the system's version of bind, that path is defined in.
>>
>> I'm currently working on a setup so that named can be started chrooted
>> by default. Not sure if that will get in before 5.3-RELEASE or not, but
>> I'm hoping it will.
>
> It would be nice to have it all working while you make these changes.
That is the goal, yes.
Thanks again,
Doug
--
This .signature sanitized for your protection
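The pidfile symlink step and the `[ -n "$named_chrootdir" ]` guard discussed in the thread, isolated as an added example; this is not the FreeBSD /etc/rc.d/named script nor code from either poster, and the function names and positional arguments are assumptions:

```shell
#!/bin/sh
# Added example, not the FreeBSD /etc/rc.d/named script itself. It isolates
# the pidfile symlink step discussed in the thread and the guard Sean McNeil
# asked for. Function names and the positional arguments are assumed here.

# The unguarded form from the thread: always create the link. With an empty
# chrootdir, source and destination are the same path, so the result is a
# symlink that points at itself (the "recursive link" in the thread).
unguarded_pidfile_link() {
    named_chrootdir="$1"; pidfile="$2"
    ln -fs "${named_chrootdir}${pidfile}" "${pidfile}"
}

# The guarded form: only link when a chroot directory is configured.
# Returns 0 when a link was created, 1 when skipped (nothing to do).
guarded_pidfile_link() {
    named_chrootdir="$1"; pidfile="$2"
    if [ -n "$named_chrootdir" ]; then
        ln -fs "${named_chrootdir}${pidfile}" "${pidfile}"
        return 0
    fi
    return 1
}

# Classify what ended up at a path: "none", "file", "link", or
# "self-loop" for a symlink whose target is the link itself.
pidfile_link_state() {
    path="$1"
    if [ -L "$path" ]; then
        if [ "$(readlink "$path")" = "$path" ]; then echo self-loop; else echo link; fi
    elif [ -e "$path" ]; then
        echo file
    else
        echo none
    fi
}

# Demonstration on a scratch directory (constructed input, removed afterwards).
demo() {
    d=$(mktemp -d)
    unguarded_pidfile_link "" "$d/named.pid"
    echo "unguarded, no chroot: $(pidfile_link_state "$d/named.pid")"
    rm -f "$d/named.pid"
    guarded_pidfile_link "" "$d/named.pid" || echo "guarded, no chroot: skipped"
    guarded_pidfile_link "$d/chroot" "$d/named.pid"
    echo "guarded, chroot: $(pidfile_link_state "$d/named.pid")"
    rm -rf "$d"
}
demo
```

Running it prints "self-loop" for the unguarded case with no chroot, "skipped" for the guarded case with no chroot, and "link" once a chroot directory is supplied.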
_______________________________________________
freebsd-current@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "freebsd-current-unsubscribe@freebsd.org"