On Thu, 3 Dec 2009 15:30:15 -0500, Mark Romer <[email protected]> wrote:
> All, thanks for the responses so far.
>
> I work for the Fed and we have to set up a dns sec bind server on our end. I
> was just reading some of their "advice" on setting up the server...
>
> 2. Mount BIND's chroot filesystem with the noexec,nosuid,nodev options.

Errrr, BIND is chrooted to /var/named. Which is to say, on a standard OpenBSD install with 'reasonable' partitions, you would mount /var noexec,nosuid,nodev - but it defaults to nosuid,nodev, and you'd have to make your own determination as to whether binaries in /var are okay or not (I *think* /var/www/bin is the only thing you'd have to look at, but you can do the digging on that).

--
Matthew Weigel
hacker
unique & idempot . ent
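Added example, not part of the original message: a shell check that finds which mounted filesystem holds BIND's chroot and reports which of noexec, nosuid and nodev it lacks. The function name `missing_opts` and the sample `mount` output (device names included) are constructed for illustration; the parser assumes the `dev on mountpoint type fs (options)` line format printed by mount(8).

```shell
#!/bin/sh
# missing_opts PATH
# Reads `mount` output on stdin, picks the filesystem whose mount point is the
# longest prefix of PATH, and prints the hardening options it is missing
# (comma-separated, empty if none). Exits 2 if no filesystem matches.
missing_opts() {
    awk -v path="$1" -v want="noexec nosuid nodev" '
    $2 == "on" && $4 == "type" {
        mp = $3
        # Match only whole path components: /var covers /var/named,
        # but /variable does not.
        pre = (mp == "/") ? "/" : mp "/"
        if (index(path "/", pre) != 1) next
        if (length(mp) <= best) next
        best = length(mp)
        # Keep just the text inside the parentheses, without spaces.
        opts = $0
        sub(/^[^(]*\(/, "", opts)
        sub(/\).*$/, "", opts)
        gsub(/ /, "", opts)
        have = "," opts ","
    }
    END {
        if (!best) exit 2
        n = split(want, w, " ")
        out = ""
        for (i = 1; i <= n; i++)
            if (index(have, "," w[i] ",") == 0)
                out = out (out == "" ? "" : ",") w[i]
        print out
    }'
}

# Constructed sample: /var carries only the default nosuid,nodev.
SAMPLE='/dev/wd0a on / type ffs (local)
/dev/wd0e on /var type ffs (local, nodev, nosuid)
/dev/wd0d on /usr type ffs (local, nodev)'

# BIND is chrooted to /var/named, which lives on the /var filesystem here.
printf '%s\n' "$SAMPLE" | missing_opts /var/named
```

On a live system, run `mount | missing_opts /var/named` instead of feeding it the sample.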

