Re: chroot/etc/named/ directory?

2013-02-18 Thread Adam Tkac
On Wed, Feb 13, 2013 at 02:18:20PM -0500, Robert Moskowitz wrote:
> 
> On 02/13/2013 01:44 PM, Lightner, Jeff wrote:
> >Haven't done it on RHEL/CentOS 6.x yet but in RHEL5 with the bind-chroot 
> >installed I've always had:
> >/var/named/chroot as the jail for BIND.
> >/var/named/chroot/etc = Location of global config files such as named.conf
> >/var/named/chroot/var/named = Location of the zone files.
> 
> These I am used to and have used them for years.
> 
> >I don't see a /var/named/chroot/etc/named in RHEL5 but then again that is 
> >based on BIND 9.3.  RHEL6 is almost certainly based on a higher upstream 
> >version.   Since CentOS is built from RHEL source it would have that higher 
> >version as well.
> 
> Yes. I am going from Centos (RHEL) 5.5 to 6.3, so the new directory
> just has me wondering. I found it also as /etc/named/ so it is part
> of their base bind rpm, but no documentation on what they expected
> to be placed there. Just here is something new and I want to know why
> so that I am not surprised.

Hi,

the directory is intended for configuration files included by named.conf via
"include" directive. After that the directory is mounted via `mount --bind` into
chroot so you can just put files into /etc/named/, include them into named.conf
and chrooted configuration will work for you out of the box (i.e. you don't have
to create symlinks for files included by named.conf etc...)

Regards, Adam

-- 
Adam Tkac, Red Hat, Inc.
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
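
A check for the layout Adam Tkac's reply describes, as an added example that is not part of the thread: it lists the files named.conf pulls in with "include", verifies each one is visible under the chroot root, and looks for a mount point in /proc/mounts format. The function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): confirm that files pulled into
# named.conf with "include" are also visible under the chroot root.

# Print the quoted path of every include directive in a named.conf-style file.
# Whole-line // and # comments are skipped; /* */ blocks are not handled.
list_includes() {
    sed -n -e '/^[[:space:]]*\/\//d' -e '/^[[:space:]]*#/d' \
        -e 's/^[[:space:]]*include[[:space:]]*"\([^"]*\)"[[:space:]]*;.*/\1/p' "$1"
}

# check_chroot_includes CHROOT CONF
# Prints OK, MISSING or UNCHECKED per include; returns 1 if any is missing.
check_chroot_includes() {
    chroot_dir=$1
    rc=0
    includes=$(list_includes "$2")
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        case $path in
            /*) if [ -e "$chroot_dir$path" ]; then
                    echo "OK $path"
                else
                    echo "MISSING $path"; rc=1
                fi ;;
            *)  echo "UNCHECKED $path" ;;   # relative path, not resolved here
        esac
    done <<EOF
$includes
EOF
    return $rc
}

# is_mounted TARGET [MOUNTS_FILE]
# True when TARGET is a mount point (2nd field) in a /proc/mounts-format file.
is_mounted() {
    awk -v t="$1" '$2 == t { found = 1 } END { exit !found }' "${2:-/proc/mounts}"
}

# Constructed sample: a throwaway tree standing in for the real jail.
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/chroot/etc/named"
    : > "$d/chroot/etc/named/acl.conf"
    cat > "$d/named.conf" <<'EOF'
options { directory "/var/named"; };
include "/etc/named/acl.conf";
// include "/etc/named/disabled.conf";
include "/etc/named/views.conf";
EOF
    check_chroot_includes "$d/chroot" "$d/named.conf"
    status=$?
    rm -rf "$d"
    return $status
}
demo || echo "at least one include is not visible inside the chroot"
```

On a host laid out as in the thread, the calls would be `check_chroot_includes /var/named/chroot /var/named/chroot/etc/named.conf` and `is_mounted /var/named/chroot/etc/named`.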


Re: chroot/etc/named/ directory?

2013-02-13 Thread Carl Byington

On Wed, 2013-02-13 at 14:15 -0500, Robert Moskowitz wrote:
> I am not up to building on my own and the few extra repos I work with
> (EPEL and rpmfusion) do not have a newer version all ready for Centos
> 6.3.

You might try
http://www.five-ten-sg.com/util/bind-9.9.2-0.3.P1.fc18.src.rpm

which builds on centos 6.3 - that is what I am using. It is plain ISC
9.9.2, packaged for fedora/redhat/centos.

EL6:
  rpmbuild --rebuild --define 'dist .el6' \
  bind-9.9.2-0.3.P1.fc18.src.rpm

Or I can provide binary rpms if you don't want to do the build from
source.



Re: chroot/etc/named/ directory?

2013-02-13 Thread Robert Moskowitz


On 02/13/2013 03:40 PM, Mike Hoskins (michoski) wrote:
> -Original Message-
>
> From: Robert Moskowitz
> Date: Wednesday, February 13, 2013 2:15 PM
> To: Mike Hoskins
> Cc: "bind-users@lists.isc.org"
> Subject: Re: chroot/etc/named/ directory?
>
>>> Having said all that, you might search the archives (SRPMS have been
>>> provided by community members) or other sources for a newer BIND while
>>> you're at it...9.8.2 isn't ancient, but also not technically "up to
>>> date" now.
>>
>> I am not up to building on my own and the few extra repos I work with
>> (EPEL and rpmfusion) do not have a newer version all ready for Centos 6.3.
>>
>> How bad is it? :)
>
> That's for you to decide:
>
> https://www.isc.org/software/bind/security/matrix

So not SOOO bad, just Badenough (said the Moose to Rocky).

> Of course RHEL/CentOS make it somewhat hard to know what "9.8.2" means
> without reading change logs.  They tend to select stable software versions
> at release time, then backport fixes with their own version numbering.  So
> "Red Hat's 9.8.2" likely has fixes for a lot of the "ISC 9.8.2"
> issues...but you might want to confirm vs assume that.

There is that. Just a check shows that #49 is fixed in what I have
installed:

https://rhn.redhat.com/errata/RHSA-2012-1268.html

And #50:

https://rhn.redhat.com/errata/RHSA-2012-1363.html

So I would ASSuME that I can work with keeping my install current and
will stay on top of things. At least for a while.

And getting back to the start of this thread, until something shows up,
I will just ignore that ~/etc/named/ directory

thanks

>> I would want to find it already in an rpm. Once on the build it yourself
>> carousel you are set there and I have other things I am supposed to be
>> doing.
>
> Understood.  Happily, running secure DNS infra is one of the things that
> pays my mortgage.  :-)



Re: chroot/etc/named/ directory?

2013-02-13 Thread Mike Hoskins (michoski)
-Original Message-

From: Robert Moskowitz 
Date: Wednesday, February 13, 2013 2:15 PM
To: Mike Hoskins 
Cc: "bind-users@lists.isc.org" 
Subject: Re: chroot/etc/named/ directory?

>> Having said all that, you might search the archives (SRPMS have been
>> provided by community members) or other sources for a newer BIND while
>> you're at it...9.8.2 isn't ancient, but also not technically "up to
>> date" now.
>
>I am not up to building on my own and the few extra repos I work with
>(EPEL and rpmfusion) do not have a newer version all ready for Centos 6.3.
>
>How bad is it? :)

That's for you to decide:

https://www.isc.org/software/bind/security/matrix

Of course RHEL/CentOS make it somewhat hard to know what "9.8.2" means
without reading change logs.  They tend to select stable software versions
at release time, then backport fixes with their own version numbering.  So
"Red Hat's 9.8.2" likely has fixes for a lot of the "ISC 9.8.2"
issues...but you might want to confirm vs assume that.

>I would want to find it already in an rpm. Once on the build it yourself
>carousel you are set there and I have other things I am supposed to be
>doing.

Understood.  Happily, running secure DNS infra is one of the things that
pays my mortgage.  :-)



Re: chroot/etc/named/ directory?

2013-02-13 Thread Robert Moskowitz


On 02/13/2013 01:44 PM, Lightner, Jeff wrote:
> Haven't done it on RHEL/CentOS 6.x yet but in RHEL5 with the bind-chroot
> installed I've always had:
> /var/named/chroot as the jail for BIND.
> /var/named/chroot/etc = Location of global config files such as named.conf
> /var/named/chroot/var/named = Location of the zone files.

These I am used to and have used them for years.

> I don't see a /var/named/chroot/etc/named in RHEL5 but then again that is
> based on BIND 9.3.  RHEL6 is almost certainly based on a higher upstream
> version.  Since CentOS is built from RHEL source it would have that higher
> version as well.

Yes. I am going from Centos (RHEL) 5.5 to 6.3, so the new directory just
has me wondering. I found it also as /etc/named/ so it is part of their
base bind rpm, but no documentation on what they expected to be placed
there. Just here is something new and I want to know why so that I am
not surprised.



> -Original Message-
> From: bind-users-bounces+jlightner=water@lists.isc.org
> [mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of Mike
> Hoskins (michoski)
> Sent: Wednesday, February 13, 2013 12:44 PM
> To: bind-users@lists.isc.org
> Subject: Re: chroot/etc/named/ directory?
>
> -Original Message-
>
> From: Robert Moskowitz
> Date: Wednesday, February 13, 2013 10:53 AM
> To: "bind-users@lists.isc.org"
> Subject: chroot/etc/named/ directory?
>
>> I am upgrading my server from bind-9.3.6 via Centos 5.5 to 9.8.2 in
>> Centos 6.3.
>>
>> I have and will run bind chrooted and on my test setup I noticed a 'new'
>> subdirectory in the chroot tree:
>>
>> /var/named/chroot/etc/named/
>>
>> I cannot find any documentation as what is intended to be placed in
>> this subdirectory.  my includes for named.conf?
>>
>> I am assuming the pki subdirectory is for DNSSEC related files, but I
>> have not found any documentation indicating so.  But then I have not
>> plowed through DNSSEC documentation in depth yet.
>
> If you installed bind*-chroot, it will populate the /var/named/chroot
> hierarchy.  It's not strictly required (though I would suggest it), but if
> you intend to run BIND chrooted "/var/named/chroot" is essentially "/".
> You'll have to place the usual things BIND needs to operate under that
> directory -- configs, zones, etc.  Assuming this came from the chroot RPM,
> you'll already have other essential pieces for chroot such as your
> null/random/zero devices.  Since you mention CentOS, you'll likely also
> want to pay attention to things like ROOTDIR in /etc/sysconfig/named.
>
> Having said all that, you might search the archives (SRPMS have been
> provided by community members) or other sources for a newer BIND while
> you're at it...9.8.2 isn't ancient, but also not technically "up to date"
> now.  I am personally waiting for 9.9.3 to leave beta, but 9.8.4-P1
> probably makes sense for you today.  This won't affect your chroot setup,
> just something worth considering since you're upgrading.



Re: chroot/etc/named/ directory?

2013-02-13 Thread Robert Moskowitz


On 02/13/2013 12:43 PM, Mike Hoskins (michoski) wrote:
> -Original Message-
>
> From: Robert Moskowitz
> Date: Wednesday, February 13, 2013 10:53 AM
> To: "bind-users@lists.isc.org"
> Subject: chroot/etc/named/ directory?
>
>> I am upgrading my server from bind-9.3.6 via Centos 5.5 to 9.8.2 in
>> Centos 6.3.
>>
>> I have and will run bind chrooted and on my test setup I noticed a 'new'
>> subdirectory in the chroot tree:
>>
>> /var/named/chroot/etc/named/
>>
>> I cannot find any documentation as what is intended to be placed in this
>> subdirectory.  my includes for named.conf?
>>
>> I am assuming the pki subdirectory is for DNSSEC related files, but I
>> have not found any documentation indicating so.  But then I have not
>> plowed through DNSSEC documentation in depth yet.
>
> If you installed bind*-chroot, it will populate the /var/named/chroot
> hierarchy.

I have been running chrooted since. Well probably when I switched from
NT to Linux in '98. At first it was Whitehat, then Centos. I installed
bind-chroot and though it built the /var/named/chroot tree, the only
file is ~/etc/localtime, nothing else prepopulated. Well I DO have all
my files from my current server to rsync over (over SSH so I don't have
to actually run rsyncd), so it is no loss, just a question of "where is
everything". I seem to recall this tree in previous attempts to not be
empty. Maybe they learned it is better for someone working here to do it
all themselves...

There are 'standard bind' files under /etc/nam* and /var/named to copy
over if I choose (and find them more current than what I have from 2
years ago).

> It's not strictly required (though I would suggest it), but if
> you intend to run BIND chrooted "/var/named/chroot" is essentially "/".

Learned that some years ago. Familiar with how the tree is mounted.

> You'll have to place the usual things BIND needs to operate under that
> directory -- configs, zones, etc.

Just seems that prior rpms came with a FEW files preset, like
named.rfc1912.zones. But that was years ago and me brain is probably a
little weak in the memory department.

> Assuming this came from the chroot RPM, you'll already have other essential
> pieces for chroot such as your
> null/random/zero devices.

Yes. And there are a few under ~/dev/

> Since you mention CentOS, you'll likely also
> want to pay attention to things like ROOTDIR in /etc/sysconfig/named.

Came preset. I am assuming handled by the bind-chroot rpm.

> Having said all that, you might search the archives (SRPMS have been
> provided by community members) or other sources for a newer BIND while
> you're at it...9.8.2 isn't ancient, but also not technically "up to date"
> now.

I am not up to building on my own and the few extra repos I work with
(EPEL and rpmfusion) do not have a newer version all ready for Centos 6.3.

How bad is it? :)

> I am personally waiting for 9.9.3 to leave beta, but 9.8.4-P1
> probably makes sense for you today.  This won't affect your chroot setup,
> just something worth considering since you're upgrading.

I would want to find it already in an rpm. Once on the build it yourself
carousel you are set there and I have other things I am supposed to be doing.





RE: chroot/etc/named/ directory?

2013-02-13 Thread Lightner, Jeff
Haven't done it on RHEL/CentOS 6.x yet but in RHEL5 with the bind-chroot 
installed I've always had:
/var/named/chroot as the jail for BIND.
/var/named/chroot/etc = Location of global config files such as named.conf
/var/named/chroot/var/named = Location of the zone files.

I don't see a /var/named/chroot/etc/named in RHEL5 but then again that is based 
on BIND 9.3.  RHEL6 is almost certainly based on a higher upstream version.   
Since CentOS is built from RHEL source it would have that higher version as 
well.






-Original Message-
From: bind-users-bounces+jlightner=water@lists.isc.org 
[mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of Mike 
Hoskins (michoski)
Sent: Wednesday, February 13, 2013 12:44 PM
To: bind-users@lists.isc.org
Subject: Re: chroot/etc/named/ directory?

-Original Message-

From: Robert Moskowitz 
Date: Wednesday, February 13, 2013 10:53 AM
To: "bind-users@lists.isc.org" 
Subject: chroot/etc/named/ directory?

>I am upgrading my server from bind-9.3.6 via Centos 5.5 to 9.8.2 in
>Centos 6.3.
>
>I have and will run bind chrooted and on my test setup I noticed a 'new'
>subdirectory in the chroot tree:
>
>/var/named/chroot/etc/named/
>
>I cannot find any documentation as what is intended to be placed in
>this subdirectory.  my includes for named.conf?
>
>I am assuming the pki subdirectory is for DNSSEC related files, but I
>have not found any documentation indicating so.  But then I have not
>plowed through DNSSEC documentation in depth yet.

If you installed bind*-chroot, it will populate the /var/named/chroot 
hierarchy.  It's not strictly required (though I would suggest it), but if you 
intend to run BIND chrooted "/var/named/chroot" is essentially "/".
You'll have to place the usual things BIND needs to operate under that 
directory -- configs, zones, etc.  Assuming this came from the chroot RPM, 
you'll already have other essential pieces for chroot such as your 
null/random/zero devices.  Since you mention CentOS, you'll likely also want to 
pay attention to things like ROOTDIR in /etc/sysconfig/named.

Having said all that, you might search the archives (SRPMS have been provided 
by community members) or other sources for a newer BIND while you're at 
it...9.8.2 isn't ancient, but also not technically "up to date"
now.  I am personally waiting for 9.9.3 to leave beta, but 9.8.4-P1 probably 
makes sense for you today.  This won't affect your chroot setup, just something 
worth considering since you're upgrading.



Re: chroot/etc/named/ directory?

2013-02-13 Thread Mike Hoskins (michoski)
-Original Message-

From: Robert Moskowitz 
Date: Wednesday, February 13, 2013 10:53 AM
To: "bind-users@lists.isc.org" 
Subject: chroot/etc/named/ directory?

>I am upgrading my server from bind-9.3.6 via Centos 5.5 to 9.8.2 in
>Centos 6.3.
>
>I have and will run bind chrooted and on my test setup I noticed a 'new'
>subdirectory in the chroot tree:
>
>/var/named/chroot/etc/named/
>
>I cannot find any documentation as what is intended to be placed in this
>subdirectory.  my includes for named.conf?
>
>I am assuming the pki subdirectory is for DNSSEC related files, but I
>have not found any documentation indicating so.  But then I have not
>plowed through DNSSEC documentation in depth yet.

If you installed bind*-chroot, it will populate the /var/named/chroot
hierarchy.  It's not strictly required (though I would suggest it), but if
you intend to run BIND chrooted "/var/named/chroot" is essentially "/".
You'll have to place the usual things BIND needs to operate under that
directory -- configs, zones, etc.  Assuming this came from the chroot RPM,
you'll already have other essential pieces for chroot such as your
null/random/zero devices.  Since you mention CentOS, you'll likely also
want to pay attention to things like ROOTDIR in /etc/sysconfig/named.

Having said all that, you might search the archives (SRPMS have been
provided by community members) or other sources for a newer BIND while
you're at it...9.8.2 isn't ancient, but also not technically "up to date"
now.  I am personally waiting for 9.9.3 to leave beta, but 9.8.4-P1
probably makes sense for you today.  This won't affect your chroot setup,
just something worth considering since you're upgrading.



chroot/etc/named/ directory?

2013-02-13 Thread Robert Moskowitz
I am upgrading my server from bind-9.3.6 via Centos 5.5 to 9.8.2 in 
Centos 6.3.


I have and will run bind chrooted and on my test setup I noticed a 'new' 
subdirectory in the chroot tree:


/var/named/chroot/etc/named/

I cannot find any documentation as what is intended to be placed in this 
subdirectory.  my includes for named.conf?


I am assuming the pki subdirectory is for DNSSEC related files, but I 
have not found any documentation indicating so.  But then I have not 
plowed through DNSSEC documentation in depth yet.


