permissions on /etc/namedb

Doug Barton dougb at FreeBSD.org
Mon Aug 4 22:59:17 UTC 2008


Adrian Penisoara wrote:
> Hi,
> 
> On Mon, Aug 4, 2008 at 12:57 PM, Ian Smith <smithi at nimnet.asn.au> wrote:
>     With the notable exception of making standard functions rndc trace and
>     querylog work, writing to the default file named.run, which named wants
>     to write in 'the working directory'.  You'll have seen my solution to
>     that, touching named.run in case it doesn't exist then chown'ing it to
>     bind:wheel in /etc/rc.d/named, which I don't think endangers security.

I think that is a reasonable solution for your situation, although I 
don't think it's appropriate to enable that by default. The default 
configuration is supposed to be a simple local resolver setup. Users 
who need more advanced features should be reading the docs.

>     I've not been able to find another solution, and there's no equivalent
>     of dump-file and statistics-file for the trace/querylog file (that I

Query logging has its own log category, so you would do something like 
this:

logging {
	channel queries_log {
		file "/var/log/queries.log";
		severity debug; print-time yes;
	};
	category queries        { queries_log; };
};

The problem is that if you put that in your named.conf file it will 
log all queries when you start named. If there is interest I can add 
that to the default named.conf and add a knob to rc.conf to turn query 
logging on and off by default, but I'm hesitant to add that much 
complexity to something that is supposed to be simple but is already 
too complex. OTOH, one could argue that even for a local resolver 
there would be a non-trivial number of users who would want to enable 
logging of queries ...

As for the equivalent functionality for the debug aspect of named.run, 
you're right, there is no equivalent. (FYI, the fact that queries are 
recorded in named.run when you bump the debug level is a side effect 
of the fact that queries are logged to the resolver category at debug 
level 1.) The problem is that the default_debug channel has a special 
property (only receives input when debug level is > 0) that cannot be 
reproduced with configuration options, and you cannot redefine the 
default logging channels. (but see below)

> Quoting from a default distributed /etc/namedb/named.conf:
> 
> options {
>         // Relative to the chroot directory, if any
>         directory       "/etc/namedb";
>         pid-file        "/var/run/named/pid";
>         dump-file       "/var/dump/named_dump.db";
>         statistics-file "/var/stats/named.stats";
> 
>  You have to take into account that "directory" is used for any 
> non-absolute pathname specified in named.conf, including the "file" 
> clauses for master/slave zones. If you were to change it now then you 
> would break a lot of setups.

Agreed.

>   I believe that the "working directory" and "root config directory" 
> concepts should have been dissociated.

Also agreed. :)  I plan to send some feature requests to the 
bind-users list based on the discussions in this thread. If you're 
interested in this topic I'd suggest that you follow the discussion on 
that list.

I have an (unreviewed) patch to add a debug-only option at 
http://dougbarton.us/bind-debug-only-channel.diff if anyone wants to 
experiment with this. Using that patch I was able to do this:

logging {
         channel our_debug {
                 file "/var/log/named.run";
                 severity dynamic;
                 print-time yes;
                 debug-only yes;
         };
         category default { default_syslog; our_debug; };
         category unmatched { null; };
};

Which duplicates the default logging configuration except that you can 
now specify the location for the named.run file (or give it another 
file name, etc.).

>  Another idea would be to add a final "options { directory 
> "/var/run/named"; }; " statement at the end of the file -- from the BIND 
> sources it appears that there is a callback function which may pickup 
> this final statement in order to make it the current working directory 
> for the named process.

The problem is that when you do a reconfig or a reload named won't be 
able to see its configuration file.

>  Oh, and in the idea that we should keep the default configuration as 
> simple as possible for the average user and for whatever scenario, here 
> is my proposal:
> 
>         dump-file       "/var/run/named/named_dump.db";
>         statistics-file "/var/run/named/named.stats";

This idea is not without merit, but I actually have them separated for 
a reason. The reason is sort of an "intermediate" level thing, but if 
you want to dump the db or the stats more than once and keep more than 
one version around it's more convenient to do this in a separate 
directory. Also the assumption is that /var/run is supposed to be 
cleaned out at each boot, and I wouldn't want to lose those files.

>   I'm not sure what happens when the user toggles tracing / query 
> logging (with rndc) -- where would these files go by default ?

That depends on how you have syslog configured. If you have no other 
logging configured and you do 'rndc querylog' to toggle it on it will 
go to syslog with daemon.info. Unfortunately, FreeBSD's default 
configuration doesn't log that by default. One could argue that it 
should, but I really don't want to open that can of worms. If you want 
to give that a try you could change *.notice in syslog.conf for the 
/var/log/messages file to *.info, then /etc/rc.d/syslogd restart. (Or 
uncomment the all.log option, etc.)


hth,

Doug

-- 

     This .signature sanitized for your protection
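An added example, not from this thread or from BIND itself: it resolves the paths in a named.conf the way the thread describes (relative names against "directory", which is itself relative to the chroot), so you can see which host files named will write and set their ownership deliberately. The named.conf text and the chroot path are constructed for illustration.

```python
import posixpath
import re

# Constructed named.conf fragment modelled on the snippets in this thread;
# it is not the FreeBSD default file.  Note the relative "file" names.
SAMPLE_CONF = """
options {
        directory       "/etc/namedb";
        pid-file        "/var/run/named/pid";
        dump-file       "/var/dump/named_dump.db";
        statistics-file "/var/stats/named.stats";
};
logging {
        channel queries_log {
                file "queries.log";
                severity debug; print-time yes;
        };
        category queries { queries_log; };
};
zone "example.test" { type master; file "master/example.test"; };
"""


def _host_path(path: str, directory: str, chroot: str) -> str:
    """Map a named.conf path to where it lands on the host filesystem.

    A non-absolute name is relative to "directory" (named's working
    directory); "directory" itself is relative to the chroot, if any.
    """
    inside = path if path.startswith("/") else posixpath.join(directory, path)
    inside = posixpath.normpath(inside)
    if not chroot:
        return inside
    return posixpath.normpath(posixpath.join(chroot, inside.lstrip("/")))


def resolve_named_paths(conf: str, chroot: str = "") -> dict:
    """Return {label: host path} for every file named will read or write."""
    m = re.search(r'\bdirectory\s+"([^"]+)"\s*;', conf)
    directory = m.group(1) if m else "."
    paths = {}
    for key in ("pid-file", "dump-file", "statistics-file"):
        m = re.search(rf'\b{key}\s+"([^"]+)"\s*;', conf)
        if m:
            paths[key] = _host_path(m.group(1), directory, chroot)
    for name, f in re.findall(r'channel\s+(\S+)\s*\{[^}]*?\bfile\s+"([^"]+)"', conf):
        paths[f"channel {name}"] = _host_path(f, directory, chroot)
    for zone, f in re.findall(r'zone\s+"([^"]+)"\s*\{[^}]*?\bfile\s+"([^"]+)"', conf):
        paths[f"zone {zone}"] = _host_path(f, directory, chroot)
    # The built-in default_debug channel (rndc trace) writes named.run into
    # the working directory; the thread notes it cannot be redirected.
    paths["named.run (default_debug)"] = _host_path("named.run", directory, chroot)
    return paths
```

Run it against your own named.conf with the chroot from rc.conf to get the list of files whose ownership the bind user needs.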
