On Wed, Aug 25, 2010 at 09:56:03AM +0200, Jakob Schlyter wrote:
> hi,
>
> I'd like some advice on how to set the default configuration for NSD in OpenBSD.
> Some background information:
>
> - NSD stores all zone data in a database, nsd.db. This file is opened
> read-only by nsd(8), while running chrooted in /var/nsd.
> - Incoming zone transfers are written to ixfr.db by nsd(8), then processed
> into the text-based zone files and nsd.db by nsd-patch(8).
> - Local (master) zones are written compiled into nsd.db by nsd-zonec(8).
> - nsd(8) also keeps some internal state in the xfrd.state file, as well as a
> pid-file.
>
> Where do we store these files? And what user should we use to access them?
> Currently, nsd(8) runs as user _nsd, and nsd-{patch,zonec}(8) usually run as
> root. All files are stored in /var/nsd.
>
> I could think of various setups here, like putting all files that nsd(8) needs
> to write to in a separate subdir of /var/nsd. One can run nsd-{patch,zonec}(8)
> as _nsd, root or a separate user.
>
>
> How complex do we want (and need) this to be? What level of separation seems
> like a reasonable default?
>
>
I normally have nsd.pid, nsd.db, ixfr.db and xfrd.state in one directory.
Plus I prefer to store zones in places depending on master and slave.
Maybe it would be better to store the nsd.db in a directory that is not
writeable by user _nsd.
What confuses me is that the config file is outside of the chroot by
default and that when the config changes (e.g. adding new slave zones) you
need to restart nsd (at least that's the way I figured out it works).
But the interaction of update, patch, rebuild, reload, restart is still
unclear to me.
--
:wq Claudio