Re: chroot bind?
We could harden the default configuration with the following directives:
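options {
	version "Not available";          // hide the real BIND version string
	allow-transfer { none; };         // no zone transfers by default
	allow-recursion { localnets; };   // recurse only for local networks
	allow-query { localnets; };       // answer queries only from local networks
};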
We could allow the configuration of these directives via debconf, which
will ask questions like: "Allow zone-transfers from which hosts?",
"Allow recursive queries from which sources?" and so forth.
A more desirable structure will be exhibited by a script called add-zone,
which will create a zone skeleton. This skeleton will be configured with
security in mind.
Also, the package should generate a key for use with tsig and add the
appropriate statements to /etc/bind/named.conf
I see there are plenty of volunteers for this task, but I am willing to
provide any assistance you may require.
Regards, Yotam Rubin
On Sat, Apr 21, 2001 at 01:16:08PM -0400, Jaldhar H. Vyas wrote:
> On Sat, 21 Apr 2001, Dennis Schoen wrote:
>
> > As said before in this thread I'm also interested in having a
> > chrooted bind in Debian. I just set up 3 chrooted bind Debian boxes
> > so if there's anything where I can help...
> >
>
> Take a look at the package and let Nicholas and me know if anything is
> awry.
>
> > I've also a running init script that copies the needed files at
> > startup into the jail so that it's always up-to-date. Just mail me
> > privately if you want to look at it.
> >
> > Dennis
> >
>
> What exactly would be the point of that? Are the needed files likely to
> change that often? And wouldn't this require keeping a copy of the
> standard bind package around as well?
>
> --
> Jaldhar H. Vyas <jaldhar@debian.org>
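The add-zone skeleton and TSIG key generation proposed in the message above could look like the following. This is an added sketch, not part of the original message or of any Debian package; the function names, the key name, the db.<zone> file layout, the ns1/hostmaster placeholders and the choice of hmac-sha256 are assumptions.

```shell
#!/bin/sh
# Added sketch of an "add-zone" helper. All names below are assumptions.

# Accept only plain DNS names so a zone name cannot inject named.conf syntax.
valid_zone() {
    case "$1" in
        ''|.*|*.|*..*|-*|*[!A-Za-z0-9.-]*) return 1 ;;
    esac
    return 0
}

# Print a TSIG key statement holding 256 random bits from the kernel RNG.
gen_tsig_key() {  # $1 = key name
    secret=$(head -c 32 /dev/urandom | base64)
    printf 'key "%s" {\n    algorithm hmac-sha256;\n    secret "%s";\n};\n' \
        "$1" "$secret"
}

# Print a master-zone stanza: transfers need the TSIG key, no dynamic updates.
zone_stanza() {  # $1 = zone, $2 = key name
    valid_zone "$1" || { echo "add-zone: invalid zone name" >&2; return 1; }
    cat <<EOF
zone "$1" {
    type master;
    file "/etc/bind/db.$1";
    allow-transfer { key "$2"; };
    allow-update { none; };
};
EOF
}

# Print a minimal zone file; ns1 and hostmaster are placeholder names.
zone_file() {  # $1 = zone, $2 = serial
    valid_zone "$1" || return 1
    cat <<EOF
\$TTL 86400
@   IN  SOA ns1.$1. hostmaster.$1. ( $2 3600 900 604800 86400 )
@   IN  NS  ns1.$1.
EOF
}
```

The key statement contains the shared secret, so a package would write it to a file readable only by the named user and include that file from /etc/bind/named.conf.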