Re: End of bind-chroot-admin script

On Fri, 7 Nov 2008, David Woodhouse wrote:

On Fri, 2008-11-07 at 13:09 +0100, Adam Tkac wrote:
bind-chroot-admin script should sync BIND configuration files to
chroot() directory. It was written with good intention but it has
never worked correctly in all situations. There is a long history of
many broken configurations and urgent-severity bugs.

I'm going to remove this script from Fedora 11 (it is part of Fedora/RHEL
only, no other distro uses it). After removal, "standard" chroot
structure will be created when you install bind-chroot package. It
will contain all needed files for running named in chroot but admin
shall move needed configuration files to chroot manually. Do you have
any comments?

I'd rather see something replace it. For unbound, another caching resolver
with chroot (which got pushed in the repository a few days ago), the
same problem is solved by copying/linking/mounting files in the
chroot via the init script.

Updating the chroot becomes important for shipping DNSSEC keys via a package.
I am putting in a review request today for a new package 'dnssec-keys'
that allows people to easily enable/disable DNSSEC and preload the proper
keys for active TLDs. Things should get easier once the root is signed.

I was about to look at bind, since the DNSSEC key format for unbound and
bind is the same, so I am using one include file that will work on both
nameservers, once they copy it into their chroot environment.

Have a look at the unbound method, and see if that is something that could
also work for named?
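The copy-into-chroot step the reply describes for unbound's init script, shown as an added shell example that is not unbound's or bind's own script. It syncs a list of host configuration files into a chroot directory, mirroring their paths, refuses to write through a symlink already inside the chroot (a link there could point back outside the jail), and copies only when the content differs so that every restart is idempotent. The function name sync_into_chroot, the chroot path and the file list are assumptions.

```shell
#!/bin/sh
# Added example, not the unbound or bind init script.
# Sync host configuration files into a chroot before starting the daemon.
# Usage: sync_into_chroot CHROOT_DIR /abs/path/one /abs/path/two ...

sync_into_chroot() {
    chroot_dir="$1"; shift
    for src in "$@"; do
        # Mirror the host path under the chroot: /etc/named.conf -> CHROOT/etc/named.conf
        dest="${chroot_dir}${src}"
        if [ ! -f "$src" ]; then
            echo "sync_into_chroot: missing source file $src" >&2
            return 1
        fi
        mkdir -p "$(dirname "$dest")" || return 1
        # Never write through a symlink inside the chroot; it may point outside the jail.
        if [ -L "$dest" ]; then
            echo "sync_into_chroot: $dest is a symlink, refusing to overwrite" >&2
            return 1
        fi
        # Copy only when content changed, preserving mode and timestamps (cp -p).
        if ! cmp -s "$src" "$dest"; then
            cp -p "$src" "$dest" || return 1
        fi
    done
    return 0
}

# Example invocation with an assumed chroot path (commented out so that sourcing
# this file has no side effects):
# sync_into_chroot /var/named/chroot /etc/named.conf /etc/named.dnssec.keys
```

Because the function fails fast on a missing source or a symlinked destination, an init script can run it before exec'ing the daemon and refuse to start named if the chroot could not be brought in sync, which is the failure mode the old bind-chroot-admin script silently got wrong.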
