Bv9ARM.ch07.html revision 95d0bdf2b427478c4a8ed8e06f9e316c7880140e
<!--
 - Copyright (C) 2004-2014 Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000-2003 Internet Software Consortium.
 -
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 -
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id$ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Chapter&nbsp;7.&nbsp;BIND 9 Security Considerations</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="prev" href="Bv9ARM.ch06.html" title="Chapter&nbsp;6.&nbsp;BIND 9 Configuration Reference">
<link rel="next" href="Bv9ARM.ch08.html" title="Chapter&nbsp;8.&nbsp;Troubleshooting">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<div class="chapter" lang="en">
<div class="titlepage"><div><div><h2 class="title">
<a name="Bv9ARM.ch07"></a>Chapter&nbsp;7.&nbsp;<acronym class="acronym">BIND</acronym> 9 Security Considerations</h2></div></div></div>
<div class="toc">
<p><b>Table of Contents</b></p>
<dl>
<dt><span class="sect1"><a href="Bv9ARM.ch07.html#Access_Control_Lists">Access Control Lists</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch07.html#id2606871"><span><strong class="command">Chroot</strong></span> and <span><strong class="command">Setuid</strong></span></a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2607020">The <span><strong class="command">chroot</strong></span> Environment</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2607080">Using the <span><strong class="command">setuid</strong></span> Function</a></span></dt>
</dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch07.html#dynamic_update_security">Dynamic Update Security</a></span></dt>
</dl>
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="Access_Control_Lists"></a>Access Control Lists</h2></div></div></div>
<p>
 Access Control Lists (ACLs) are address match lists that
 you can set up and nickname for future use in
 <span><strong class="command">allow-notify</strong></span>, <span><strong class="command">allow-query</strong></span>,
 <span><strong class="command">allow-query-on</strong></span>, <span><strong class="command">allow-recursion</strong></span>,
 <span><strong class="command">blackhole</strong></span>, <span><strong class="command">allow-transfer</strong></span>,
 <span><strong class="command">match-clients</strong></span>, etc.
</p>
<p>
 Using ACLs allows you to have finer control over who can access
 your name server, without cluttering up your config files with huge
 lists of IP addresses.
</p>
<p>
 It is a <span class="emphasis"><em>good idea</em></span> to use ACLs, and to
 control access to your server. Limiting access to your server by
 outside parties can help prevent spoofing and denial of service
 (DoS) attacks against your server.
</p>
<p>
 ACLs match clients on the basis of up to three characteristics:
 1) The client's IP address; 2) the TSIG or SIG(0) key that was
 used to sign the request, if any; and 3) an address prefix
 encoded in an EDNS Client Subnet option, if any.
</p>
<p>
 Here is an example of ACLs based on client addresses:
</p>
<pre class="programlisting">
// Set up an ACL named "bogusnets" that will block
// RFC1918 space and some reserved space, which is
// commonly used in spoofing attacks.
acl bogusnets {
        0.0.0.0/8;  192.0.2.0/24; 224.0.0.0/3;
        10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16;
};

// Set up an ACL called our-nets. Replace this with the
// real IP numbers.
acl our-nets { x.x.x.x/24; x.x.x.x/21; };
options {
  ...
  ...
  allow-query { our-nets; };
  allow-recursion { our-nets; };
  ...
  blackhole { bogusnets; };
  ...
};

zone "example.com" {
  type master;
  file "m/example.com";
  allow-query { any; };
};
</pre>
<p>
 This allows authoritative queries for "example.com" from any
 address, but recursive queries only from the networks specified
 in "our-nets", and no queries at all from the networks
 specified in "bogusnets".
</p>
<p>
 In addition to network addresses and prefixes, which are
 matched against the source address of the DNS request, ACLs
 may include <code class="option">key</code> elements, which specify the
 name of a TSIG or SIG(0) key, or <code class="option">ecs</code>
 elements, which specify a network prefix but are only matched
 if that prefix matches an EDNS client subnet option included
 in the request.
</p>
<p>
 The EDNS Client Subnet (ECS) option is used by a recursive
 resolver to inform an authoritative name server of the network
 address block from which the original query was received, enabling
 authoritative servers to give different answers to the same
 resolver for different resolver clients. An ACL containing
 an element of the form
 <span><strong class="command">ecs <em class="replaceable"><code>prefix</code></em></strong></span>
 will match if a request arrives containing an ECS option
 encoding an address within that prefix. If the request has no
 ECS option, then "ecs" elements are simply ignored. Addresses
 in ACLs that are not prefixed with "ecs" are matched only
 against the source address.
</p>
<p>
 When <acronym class="acronym">BIND</acronym> 9 is built with GeoIP support,
 ACLs can also be used for geographic access restrictions.
 This is done by specifying an ACL element of the form:
 <span><strong class="command">geoip [<span class="optional">db <em class="replaceable"><code>database</code></em></span>] <em class="replaceable"><code>field</code></em> <em class="replaceable"><code>value</code></em></strong></span>
</p>
<p>
 The <em class="replaceable"><code>field</code></em> indicates which field
 to search for a match. Available fields are "country",
 "region", "city", "continent", "postal" (postal code),
 "metro" (metro code), "area" (area code), "tz" (timezone),
 "isp", "org", "asnum", "domain" and "netspeed".
</p>
<p>
 <em class="replaceable"><code>value</code></em> is the value to search
 for within the database. A string may be quoted if it
 contains spaces or other special characters. If this is
 an "asnum" search, then the leading "ASNNNN" string can be
 used, otherwise the full description must be used (e.g.
 "ASNNNN Example Company Name"). If this is a "country"
 search and the string is two characters long, then it must
 be a standard ISO-3166-1 two-letter country code, and if it
 is three characters long then it must be an ISO-3166-1
 three-letter country code; otherwise it is the full name
 of the country. Similarly, if this is a "region" search
 and the string is two characters long, then it must be a
 standard two-letter state or province abbreviation;
 otherwise it is the full name of the state or province.
</p>
<p>
 The <em class="replaceable"><code>database</code></em> field indicates which
 GeoIP database to search for a match. In most cases this is
 unnecessary, because most search fields can only be found in
 a single database. However, searches for country can be
 answered from the "city", "region", or "country" databases,
 and searches for region (i.e., state or province) can be
 answered from the "city" or "region" databases. For these
 search types, specifying a <em class="replaceable"><code>database</code></em>
 will force the query to be answered from that database and no
 other. If <em class="replaceable"><code>database</code></em> is not
 specified, then these queries will be answered from the "city"
 database if it is installed, or the "region" database if it is
 installed, or the "country" database, in that order.
</p>
<p>
 By default, if a DNS query includes an EDNS Client Subnet (ECS)
 option which encodes a non-zero address prefix, then GeoIP ACLs
 will be matched against that address prefix. Otherwise, they
 are matched against the source address of the query. To
 prevent GeoIP ACLs from matching against ECS options, set
 the <span><strong class="command">geoip-use-ecs</strong></span> option to <code class="literal">no</code>.
</p>
<p>
 Some example GeoIP ACLs:
</p>
<pre class="programlisting">geoip country US;
geoip country JAP;
geoip db country country Canada;
geoip db region region WA;
geoip city "San Francisco";
geoip region Oklahoma;
geoip postal 95062;
geoip tz "America/Los_Angeles";
geoip org "Internet Systems Consortium";
</pre>
<p>
 ACLs use a "first-match" logic rather than "best-match":
 if an address prefix matches an ACL element, then that ACL
 is considered to have matched even if a later element would
 have matched more specifically. For example, the ACL
 <span><strong class="command"> { 10/8; !10.0.0.1; }</strong></span> would actually
 match a query from 10.0.0.1, because the first element
 indicated that the query should be accepted, and the second
 element is ignored.
</p>
<p>
 When using "nested" ACLs (that is, ACLs included or referenced
 within other ACLs), a negative match of a nested ACL will cause
 the containing ACL to continue looking for matches. This
 enables complex ACLs to be constructed, in which multiple
 client characteristics can be checked at the same time. For
 example, to construct an ACL which allows queries only when
 they originate from a particular network <span class="emphasis"><em>and</em></span>
 only when they are signed with a particular key, use:
</p>
<pre class="programlisting">
allow-query { !{ !10/8; any; }; key example; };
</pre>
<p>
 Within the nested ACL, any address that is
 <span class="emphasis"><em>not</em></span> in the 10/8 network prefix will
 be rejected, and this will terminate processing of the
 ACL. Any address that <span class="emphasis"><em>is</em></span> in the 10/8
 network prefix will be accepted, but this causes a negative
 match of the nested ACL, so the containing ACL continues
 processing. The query will then be accepted if it is signed
 by the key "example", and rejected otherwise. The ACL, then,
 will only match when <span class="emphasis"><em>both</em></span> conditions
 are true.
</p>
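<p>
 As an added illustration (not code from the BIND distribution), the following Python
 simulates the address match list rules described in this section: first-match
 evaluation, "!" negation, the nested-list rule, and key and ecs elements, driven by a
 small parser for the <code class="literal">{ ...; }</code> notation used above. The
 <code class="literal">Request</code> fields, the tokenizer and the helper names are
 assumptions of this example; it also goes beyond the text by accepting references to
 named ACLs.
</p>

```python
# Added illustration of BIND 9 address-match-list semantics (first match wins,
# '!' negation, nested lists, key and ecs elements). Not BIND's own code.
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

@dataclass
class Request:
    source: str                 # source IP address of the query
    key: Optional[str] = None   # TSIG/SIG(0) key name the request was signed with
    ecs: Optional[str] = None   # prefix carried in an EDNS Client Subnet option

@dataclass
class Element:
    kind: str                   # "net", "ecs", "key", "any", "none" or "acl"
    value: object = None
    negate: bool = False        # element was written with a leading '!'

TOKEN = re.compile(r'\s*(\{|\}|;|!|"[^"]*"|[^\s{};!"]+)')

def to_network(text):
    """Accept BIND's abbreviated prefixes such as '10/8' as well as full CIDR."""
    addr, _, plen = text.partition("/")
    if "." in addr or addr.isdigit():               # IPv4: pad '10' to '10.0.0.0'
        octets = addr.split(".")
        addr = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.ip_network(f"{addr}/{plen}" if plen else addr, strict=False)

def parse_list(tokens, pos, acls):
    """Parse '{ element; ... }' at tokens[pos]; return (elements, index after '}')."""
    if tokens[pos] != "{":
        raise ValueError("address match list must start with '{'")
    pos, elements = pos + 1, []
    while tokens[pos] != "}":
        negate = tokens[pos] == "!"
        if negate:
            pos += 1
        tok = tokens[pos]
        if tok == "{":                                # inline nested list
            value, pos = parse_list(tokens, pos, acls)
            kind = "acl"
        elif tok in ("key", "ecs"):                   # element with one argument
            arg, pos = tokens[pos + 1], pos + 2
            kind, value = tok, (arg if tok == "key" else to_network(arg))
        elif tok in ("any", "none"):
            kind, value, pos = tok, None, pos + 1
        elif tok in acls:                             # reference to a named acl
            kind, value, pos = "acl", acls[tok], pos + 1
        else:
            kind, value, pos = "net", to_network(tok), pos + 1
        elements.append(Element(kind, value, negate))
        if tokens[pos] != ";":
            raise ValueError("expected ';' after element")
        pos += 1
    return elements, pos + 1

def parse_acl(text, acls=None):
    """Parse one address match list; `acls` maps names to already parsed lists."""
    tokens = [t.strip('"') for t in TOKEN.findall(text)]
    return parse_list(tokens, 0, acls or {})[0]

def element_matches(el, req):
    """Does this element (ignoring its '!' flag) match the request?"""
    if el.kind == "any":
        return True
    if el.kind == "none":
        return False
    if el.kind == "net":                              # plain prefixes: source address only
        return ipaddress.ip_address(req.source) in el.value
    if el.kind == "key":
        return req.key == el.value
    if el.kind == "ecs":
        if req.ecs is None:                           # no ECS option: ecs elements are ignored
            return False
        ecs_net = ipaddress.ip_network(req.ecs, strict=False)
        return ecs_net.version == el.value.version and ecs_net.subnet_of(el.value)
    # Nested list: only a positive nested match counts. A negative nested match
    # is treated as "no match", so the containing list keeps looking.
    return match_list(el.value, req) > 0

def match_list(elements, req):
    """First match wins: +1 positive match, -1 negative ('!') match, 0 no match."""
    for el in elements:
        if element_matches(el, req):
            return -1 if el.negate else 1
    return 0

def allowed(acl_text, req, acls=None):
    """True when an allow-* option using this list would accept the request."""
    return match_list(parse_acl(acl_text, acls), req) > 0

if __name__ == "__main__":
    both = "{ !{ !10/8; any; }; key example; }"        # "network AND key" example
    for req in (Request("10.0.0.1", key="example"), Request("10.0.0.1"),
                Request("192.0.2.1", key="example")):
        print(f"{req} -> {'allowed' if allowed(both, req) else 'denied'}")
```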
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id2606871"></a><span><strong class="command">Chroot</strong></span> and <span><strong class="command">Setuid</strong></span>
</h2></div></div></div>
<p>
 On UNIX servers, it is possible to run <acronym class="acronym">BIND</acronym>
 in a <span class="emphasis"><em>chrooted</em></span> environment (using
 the <span><strong class="command">chroot()</strong></span> function) by specifying
 the "<code class="option">-t</code>" option for <span><strong class="command">named</strong></span>.
 This can help improve system security by placing
 <acronym class="acronym">BIND</acronym> in a "sandbox", which will limit
 the damage done if a server is compromised.
</p>
<p>
 Another useful feature in the UNIX version of <acronym class="acronym">BIND</acronym> is the
 ability to run the daemon as an unprivileged user (<code class="option">-u</code> <em class="replaceable"><code>user</code></em>).
 We suggest running as an unprivileged user when using the <span><strong class="command">chroot</strong></span> feature.
</p>
<p>
 Here is an example command line to load <acronym class="acronym">BIND</acronym> in a <span><strong class="command">chroot</strong></span> sandbox,
 <span><strong class="command">/var/named</strong></span>, and to run <span><strong class="command">named</strong></span> <span><strong class="command">setuid</strong></span> to
 user 202:
</p>
<p>
 <strong class="userinput"><code>/usr/local/sbin/named -u 202 -t /var/named</code></strong>
</p>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2607020"></a>The <span><strong class="command">chroot</strong></span> Environment</h3></div></div></div>
<p>
 In order for a <span><strong class="command">chroot</strong></span> environment
 to work properly in a particular directory
 (for example, <code class="filename">/var/named</code>),
 you will need to set up an environment that includes everything
 <acronym class="acronym">BIND</acronym> needs to run.
 From <acronym class="acronym">BIND</acronym>'s point of view, <code class="filename">/var/named</code> is
 the root of the filesystem. You will need to adjust the values of
 options like <span><strong class="command">directory</strong></span> and <span><strong class="command">pid-file</strong></span> to account
 for this.
</p>
<p>
 Unlike with earlier versions of BIND, you typically will
 <span class="emphasis"><em>not</em></span> need to compile <span><strong class="command">named</strong></span>
 statically nor install shared libraries under the new root.
 However, depending on your operating system, you may need
 to set up things like
 <code class="filename">/dev/zero</code>,
 <code class="filename">/dev/random</code>,
 <code class="filename">/dev/log</code>, and
 <code class="filename">/etc/localtime</code>.
</p>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2607080"></a>Using the <span><strong class="command">setuid</strong></span> Function</h3></div></div></div>
<p>
 Prior to running the <span><strong class="command">named</strong></span> daemon,
 use the <span><strong class="command">touch</strong></span> utility (to change file
 access and modification times) or the <span><strong class="command">chown</strong></span>
 utility (to set the user id and/or group id) on files
 to which you want <acronym class="acronym">BIND</acronym>
 to write.
</p>
<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
<h3 class="title">Note</h3>
 Note that if the <span><strong class="command">named</strong></span> daemon is running as an
 unprivileged user, it will not be able to bind to new restricted
 ports if the server is reloaded.
</div>
</div>
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="dynamic_update_security"></a>Dynamic Update Security</h2></div></div></div>
<p>
        Access to the dynamic update facility should be strictly limited.
        In earlier versions of <acronym class="acronym">BIND</acronym>, the
        only way to do this was based on the IP address of the host
        requesting the update, by listing an IP address or network prefix
        in the <span><strong class="command">allow-update</strong></span>
        zone option. This method is insecure since the source address of
        the update UDP packet is easily forged. Also note that if the IP
        addresses allowed by the
        <span><strong class="command">allow-update</strong></span> option
        include the address of a slave server which performs forwarding of
        dynamic updates, the master can be trivially attacked by sending
        the update to the slave, which will forward it to the master with
        its own source IP address, causing the master to approve it
        without question.
      </p>
<p>
        For these reasons, we strongly recommend that updates be
        cryptographically authenticated by means of transaction signatures
        (TSIG). That is, the <span><strong class="command">allow-update</strong></span>
        option should list only TSIG key names, not IP addresses or network
        prefixes. Alternatively, the new
        <span><strong class="command">update-policy</strong></span>
        option can be used.
      </p>
<p>
        Some sites choose to keep all dynamically-updated DNS data
        in a subdomain and delegate that subdomain to a separate zone. This
        way, the top-level zone containing critical data such as the IP
        addresses of public web and mail servers need not allow dynamic
        update at all.
      </p>
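<p>
        The following script is an added example, not part of
        <acronym class="acronym">BIND</acronym> or of this manual. It audits
        the zone statements of a constructed <code>named.conf</code> fragment
        for the three patterns discussed above: an address-based
        <span><strong class="command">allow-update</strong></span> list
        (forgeable source address), update forwarding on a slave (the master
        then sees the slave's own address as the update source), and the
        recommended TSIG-only or
        <span><strong class="command">update-policy</strong></span> forms,
        with critical data kept in a static parent zone and dynamic data in a
        delegated subdomain. The zone names, key name, file names and the
        placeholder secret are constructed; the parser handles only the simple
        single-level zone syntax in the sample and is not a substitute for
        <code>named-checkconf</code>.
      </p>

```python
"""
Audit named.conf zone statements for the dynamic-update weaknesses the ARM
describes. Added example, not BIND code; the parser only understands the
simple zone syntax used in the constructed sample below.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed named.conf fragment (not taken from the ARM). The TSIG secret
# is a placeholder, never a real key.
SAMPLE_NAMED_CONF = """
key "ddns-key" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER_BASE64_SECRET==";
};

zone "weak.example" {
    type master;
    file "weak.example.db";
    allow-update { 192.0.2.0/24; 198.51.100.7; };   /* weak: IP-based */
};

zone "example.com" {
    type master;
    file "example.com.db";
    allow-update { none; };                         /* critical data stays static */
};

zone "dyn.example.com" {
    type master;
    file "dyn.example.com.db";
    update-policy { grant ddns-key zonesub ANY; };  /* TSIG-authenticated */
};

zone "fwd.example" {
    type slave;
    masters { 203.0.113.1; };
    file "fwd.example.bak";
    allow-update-forwarding { any; };               /* forwards updates to master */
};
"""

# A zone statement ends at the first "};" that starts a line.
ZONE_RE = re.compile(r'zone\s+"([^"]+)"\s*\{(.*?)\n\};', re.S)
ALLOW_UPDATE_RE = re.compile(r'allow-update\s*\{([^}]*)\}')
UPDATE_POLICY_RE = re.compile(r'update-policy\s*\{([^}]*)\}')
FORWARDING_RE = re.compile(r'allow-update-forwarding\s*\{([^}]*)\}')
# IPv4 address or prefix, optionally negated with '!'
ADDR_RE = re.compile(r'^!?\d{1,3}(\.\d{1,3}){3}(/\d{1,2})?$')


@dataclass
class ZoneFinding:
    zone: str
    level: str   # "ok", "warn" or "fail"
    reason: str


def _split_acl(body: str) -> List[str]:
    """Split an address_match_list body into its elements."""
    return [e.strip() for e in body.split(";") if e.strip()]


def _is_address_element(elem: str) -> bool:
    """True for IPv4/IPv6 literals and the built-in address ACL names."""
    e = elem.lstrip("!").strip()
    return bool(ADDR_RE.match(e)) or ":" in e or e in ("any", "localhost", "localnets")


def audit_zone(name: str, body: str) -> ZoneFinding:
    """Classify one zone body by how it controls dynamic updates."""
    policy = UPDATE_POLICY_RE.search(body)
    allow = ALLOW_UPDATE_RE.search(body)
    if policy and allow:
        return ZoneFinding(name, "fail", "allow-update and update-policy are mutually exclusive")
    if policy:
        return ZoneFinding(name, "ok", f"update-policy in use: {policy.group(1).strip()}")
    if allow:
        elems = _split_acl(allow.group(1))
        if elems == ["none"]:
            return ZoneFinding(name, "ok", "allow-update { none; }: dynamic update disabled")
        addrs = [e for e in elems if _is_address_element(e)]
        keys = [e for e in elems if e.startswith("key ")]
        if addrs:
            return ZoneFinding(name, "fail", "address-based allow-update (source is forgeable): " + ", ".join(addrs))
        if keys:
            return ZoneFinding(name, "ok", "TSIG-only allow-update: " + ", ".join(keys))
        return ZoneFinding(name, "warn", "unrecognised allow-update elements: " + ", ".join(elems))
    fwd = FORWARDING_RE.search(body)
    if fwd and _split_acl(fwd.group(1)) != ["none"]:
        return ZoneFinding(name, "warn", "update forwarding enabled: the master sees this server's address as the source")
    return ZoneFinding(name, "ok", "no allow-update: zone is static")


def audit_named_conf(text: str) -> Dict[str, ZoneFinding]:
    """Audit every zone statement in the given named.conf text."""
    return {m.group(1): audit_zone(m.group(1), m.group(2)) for m in ZONE_RE.finditer(text)}


if __name__ == "__main__":
    for f in audit_named_conf(SAMPLE_NAMED_CONF).values():
        print(f"[{f.level.upper():4}] {f.zone}: {f.reason}")
```

<p>
        Running the script reports <code>weak.example</code> as a failure,
        <code>fwd.example</code> as a warning, and the static parent and the
        TSIG-governed subdomain as acceptable; a master whose
        <span><strong class="command">allow-update</strong></span> list
        includes the slave's address would combine the first two findings in
        exactly the way the text warns about.
      </p>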
</div>
</div>
<p style="text-align: center;">BIND Version 9.11</p>
</body>
</html>