permissions on /etc/namedb

Adrian Penisoara ady at freebsd.ady.ro
Tue Aug 5 00:22:27 UTC 2008


Hi,

On Tue, Aug 5, 2008 at 12:59 AM, Doug Barton <dougb at freebsd.org> wrote:
>
> Adrian Penisoara wrote:
>>
>> Quoting from a default distributed /etc/namedb/named.conf:
>>
>> options {
>>        // Relative to the chroot directory, if any
>>        directory       "/etc/namedb";
>>        pid-file        "/var/run/named/pid";
>>        dump-file       "/var/dump/named_dump.db";
>>        statistics-file "/var/stats/named.stats";
>>
>>  You have to take into account that "directory" is used for any non-absolute pathname specified in named.conf, including the "file" clauses for master/slave zones. If you were to change it now then you would break a lot of setups.
>
> Agreed.
>
>>  I believe that the "working directory" and "root config directory" concepts should have been dissociated.
>
> Also agreed. :)  I plan to send some feature requests to the bind-users list based on the discussions in this thread. If you're interested in this topic I'd suggest that you follow the discussion on that list.

I will try to :).

>
> I have an (unreviewed) patch to add a debug-only option at http://dougbarton.us/bind-debug-only-channel.diff if anyone wants to experiment with this. Using that patch I was able to do this:
>
> logging {
>        channel our_debug {
>                file "/var/log/named.run";
>                severity dynamic;
>                print-time yes;
>                debug-only yes;
>        };
>        category default { default_syslog; our_debug; };
>        category unmatched { null; };
> };
>
> Which duplicates the default logging configuration except that you can now specify the location for the named.run file (or give it another file name, etc.).
>
>>  Another idea would be to add a final "options { directory "/var/run/named"; }; " statement at the end of the file -- from the BIND sources it appears that there is a callback function which may pick up this final statement in order to make it the current working directory for the named process.
>
> The problem is that when you do a reconfig or a reload named won't be able to see its configuration file.
>
>>  Oh, and in the idea that we should keep the default configuration as simple as possible for the average user and for whatever scenario, here is my proposal:
>>
>>        dump-file       "/var/run/named/named_dump.db";
>>        statistics-file "/var/run/named/named.stats";
>
> This idea is not without merit, but I actually have them separated for a reason. The reason is sort of an "intermediate" level thing, but if you want to dump the db or the stats more than once and keep more than one version around it's more convenient to do this in a separate directory. Also the assumption is that /var/run is supposed to be cleaned out at each boot, and I wouldn't want to lose those files.

Yep, you've got a point here.

>
>>  I'm not sure what happens when the user toggles tracing / query logging (with rndc) -- where would these files go by default ?
>
> That depends on how you have syslog configured. If you have no other logging configured and you do 'rndc querylog' to toggle it on it will go to syslog with daemon.info. Unfortunately, FreeBSD's default configuration doesn't log that by default. One could argue that it should, but I really don't want to open that can of worms. If you want to give that a try you could change *.notice in syslog.conf for the /var/log/messages file to *.info, then /etc/rc.d/syslogd restart. (Or uncomment the all.log option, etc.)

Umm, I'd rather add something along the lines of the following to /etc/syslog.conf
(I usually do it for my nameservers):

   !named
   *.*                                             /var/log/named.log

And of course, one would accompany this with the following line in
/etc/newsyslog.conf:

   /var/log/named.log                      644  7     100 *     J

Regards,
Adrian.
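An added example for the "directory" point made above (it is not code from this thread, from FreeBSD or from BIND): a small Python script that reads the clauses discussed here from a named.conf, applies BIND's rule that any non-absolute path is taken relative to the "directory" option (itself relative to the chroot, if any), and reports which directories the named process must be able to write. The sample named.conf inside it is constructed from the defaults quoted in the thread plus two hypothetical zones; the reader is a regex-plus-brace scanner for those clauses, not a full named.conf parser.

```python
"""Resolve the file paths a named.conf makes BIND use and report which
directories named must be able to write.

Added example for the freebsd-net thread on /etc/namedb permissions; not
code from the thread, from FreeBSD or from BIND. Rule implemented: a
non-absolute path is relative to the "directory" option (named's working
directory, which is itself relative to the chroot, if any)."""
import re
from posixpath import dirname, isabs, join, normpath

# Constructed sample: the default options quoted in the thread, the logging
# channel from the debug-only example, and two hypothetical zones.
SAMPLE_CONF = """
options {
        // Relative to the chroot directory, if any
        directory       "/etc/namedb";
        pid-file        "/var/run/named/pid";
        dump-file       "/var/dump/named_dump.db";
        statistics-file "/var/stats/named.stats";
};
logging {
        channel our_debug {
                file "/var/log/named.run";
                severity dynamic;
        };
        category default { default_syslog; our_debug; };
};
zone "example.test" {
        type master;
        file "master/example.test.db";
};
zone "secondary.test" {
        type slave;
        masters { 192.0.2.1; };
        file "slave/secondary.test.db";
};
"""

# Options naming files that named writes; zone files are read for master
# zones and written for slave zones; logging channel files are written.
WRITE_OPTIONS = ("pid-file", "dump-file", "statistics-file")


def strip_comments(text):
    """Drop /* */ block comments and // or # line comments."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)


def brace_block(text, start):
    """Return the contents of the first { } block at or after 'start',
    honouring nested braces (e.g. a masters { } list inside a zone)."""
    i = text.index("{", start)
    depth = 0
    for j in range(i, len(text)):
        if text[j] == "{":
            depth += 1
        elif text[j] == "}":
            depth -= 1
            if depth == 0:
                return text[i + 1:j]
    raise ValueError("unbalanced braces in named.conf")


def resolve(path, directory):
    """BIND's rule: a non-absolute path is relative to the directory option."""
    return normpath(path if isabs(path) else join(directory, path))


def host_path(path, chroot=""):
    """Where an in-chroot path lives as seen from the host filesystem."""
    return normpath(join(chroot, path.lstrip("/"))) if chroot else path


def parse_named_conf(text):
    """Return (directory, entries); each entry is (what, path, 'read'|'write')."""
    text = strip_comments(text)
    m = re.search(r'\bdirectory\s+"([^"]+)"\s*;', text)
    directory = m.group(1) if m else "."
    entries = []
    for opt in WRITE_OPTIONS:
        m = re.search(r'\b%s\s+"([^"]+)"\s*;' % re.escape(opt), text)
        if m:
            entries.append((opt, resolve(m.group(1), directory), "write"))
    for m in re.finditer(r'\bchannel\s+\S+', text):
        f = re.search(r'\bfile\s+"([^"]+)"', brace_block(text, m.end()))
        if f:
            entries.append(("log-channel", resolve(f.group(1), directory), "write"))
    for m in re.finditer(r'\bzone\s+"([^"]+)"', text):
        body = brace_block(text, m.end())
        t = re.search(r'\btype\s+(\w+)\s*;', body)
        f = re.search(r'\bfile\s+"([^"]+)"\s*;', body)
        if f:
            mode = "write" if t and t.group(1) in ("slave", "secondary") else "read"
            entries.append(("zone " + m.group(1), resolve(f.group(1), directory), mode))
    return directory, entries


def writable_dirs(entries):
    """Sorted, unique directories the named user needs write access to."""
    return sorted({dirname(p) for _, p, mode in entries if mode == "write"})


def conf_dir_must_be_writable(directory, entries):
    """True when something named writes lives under the directory option,
    i.e. when /etc/namedb itself cannot be kept read-only for named."""
    prefix = directory.rstrip("/") + "/"
    return any(p.startswith(prefix) for _, p, mode in entries if mode == "write")


if __name__ == "__main__":
    d, ents = parse_named_conf(SAMPLE_CONF)
    for what, path, mode in ents:
        print("%-22s %-5s %s" % (what, mode, path))
    print("write access needed in:", ", ".join(writable_dirs(ents)))
    print("config dir needs write access:", conf_dir_must_be_writable(d, ents))
```

With the sample, the only write under /etc/namedb is the slave zone file, which is why a slave subdirectory (not the whole config tree) is what needs to be writable by named; moving dump-file or statistics-file to a relative path would immediately show up as a second reason.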


More information about the freebsd-net mailing list