> My plan is to have two remote, authoritative name servers
> (master and slave) for my owned domains. I would like to use rndc
> to control them from my local host.
>
> A couple of questions:
Tom, I have a slightly unorthodox view on this which may even offer a bit more security. The answers are listed below inline.

> 1. Does named need to be running on the local host?

No, in fact you don't even need rndc installed locally or a machine necessarily capable of running rndc. You can invoke rndc via ssh using ssh keys, and best of all the rndc control port does not need to be exposed to the world. An example use would be:

    #> ssh user@secrethost rndc reconfig

which would invoke the 'rndc reconfig' command remotely. A point of note is that the rndc *version* would also always be in perfect synchronization with the local version of the server, further lowering the overall LOE (maintenance) for the remote client.

> 2. Can I use rndc from my local host which doesn't have a fixed
> ip address?

With this configuration the source IP would not matter (apart from ssh configuration). I would also highly recommend some type of "role account" to further increase security and minimize the risk of unintentionally allowing elevated privileges.

Most of all, as with any security tool, if you are not at least familiar with ssh and any risks associated with it, please step cautiously and minimally familiarize yourself with it, or avoid it. Better safe than sorry.

Regards,
John

> Thanks.
>
> Best regards,
>
> -Tom

--
THESE ARE THE DROIDS TO WHOM I REFER: This communication is the property of CenturyLink and may contain confidential or privileged information. Unauthorized use of this communication is strictly prohibited and may be unlawful. If you have received this communication in error, please immediately notify the sender by reply e-mail and destroy all copies of the communication and any attachments.
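The following is an added example of the ssh-based setup John describes (a dedicated "role account" on the name server, with the client's key pinned to a forced command that only passes through an allowlist of rndc subcommands). It is not code from either message in the thread; the account name `rndc`, the wrapper path `/usr/local/sbin/rndc-wrapper`, the rndc path `/usr/sbin/rndc`, the hostname `ns1.example.net` and the key material are all placeholders.

```shell
#!/bin/sh
# rndc-wrapper: forced command for the "rndc" role account on the name server.
#
# Install as /usr/local/sbin/rndc-wrapper (assumed path) and pin the client's
# key to it in ~rndc/.ssh/authorized_keys, disabling everything else the key
# could otherwise do (the "restrict" option needs OpenSSH 7.2 or later):
#
#   command="/usr/local/sbin/rndc-wrapper",restrict ssh-ed25519 AAAA...key... tom@laptop
#
# The client then runs, from any source address:
#
#   ssh -i ~/.ssh/rndc_ed25519 rndc@ns1.example.net rndc reload example.com
#
# sshd ignores the requested command and runs this wrapper instead, passing the
# request in SSH_ORIGINAL_COMMAND. Only an allowlist of rndc subcommands is
# passed through, so the key cannot open a shell, run "rndc stop", or be used
# for scp/sftp. Hostnames, paths, account name and key are placeholders.

RNDC=/usr/sbin/rndc   # assumed path; adjust for your install

# Subcommands the remote operator may run without arguments.
allowed_rndc_subcommand() {
    case "$1" in
        reconfig|reload|status|flush) return 0 ;;
        *) return 1 ;;
    esac
}

# Conservative zone-name check: only [A-Za-z0-9.-], no leading dot or dash,
# no empty labels. Anything else (including "/", "*" and shell metacharacters)
# is rejected before it reaches rndc.
is_zone_name() {
    case "$1" in
        ''|*[!A-Za-z0-9.-]*|-*|.*|*..*) return 1 ;;
        *) return 0 ;;
    esac
}

# Validate a raw request string. On success, print the rndc arguments to run
# and return 0; otherwise print nothing and return 1.
# Accepted forms: "rndc <subcommand>" and "rndc reload <zone>".
validate_rndc_request() {
    req=$1
    set -f                 # no globbing while word-splitting the request
    # shellcheck disable=SC2086
    set -- $req
    set +f
    [ "$1" = "rndc" ] || return 1
    case $# in
        2)
            allowed_rndc_subcommand "$2" || return 1
            printf '%s\n' "$2"
            ;;
        3)
            # The only argument-taking form permitted: reload a single zone.
            [ "$2" = "reload" ] || return 1
            is_zone_name "$3" || return 1
            printf '%s %s\n' "$2" "$3"
            ;;
        *)
            return 1
            ;;
    esac
}

main() {
    client=${SSH_CLIENT%% *}   # source address, kept for the audit log only
    args=$(validate_rndc_request "${SSH_ORIGINAL_COMMAND:-}") || {
        logger -t rndc-wrapper "rejected from ${client:-?}: ${SSH_ORIGINAL_COMMAND:-<none>}"
        echo "rndc-wrapper: request not permitted" >&2
        exit 1
    }
    logger -t rndc-wrapper "running 'rndc $args' for ${client:-?}"
    set -f
    # shellcheck disable=SC2086
    exec "$RNDC" $args
}

# Only act as the forced command when executed under the installed name;
# sourcing the file elsewhere just defines the functions.
case "$0" in
    */rndc-wrapper|rndc-wrapper) main ;;
esac
```

With this in place the `controls` statement in named.conf can stay bound to 127.0.0.1 (the default), so port 953 is never reachable from outside; the role account only needs read access to the rndc key file that rndc on the server uses. A request that does not match the allowlist exactly, for example `rndc stop` or `rndc reload example.com; rm -rf /`, is logged and refused before anything is executed.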
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users