da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw<!--
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw - Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC")
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw - Copyright (C) 2000-2003 Internet Software Consortium.
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw -
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw - Permission to use, copy, modify, and/or distribute this software for any
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw - purpose with or without fee is hereby granted, provided that the above
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw - copyright notice and this permission notice appear in all copies.
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw -
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw - PERFORMANCE OF THIS SOFTWARE.
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw-->
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw<!-- $Id$ -->
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw<html>
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw<head>
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Chapter&nbsp;7.&nbsp;BIND 9 Security Considerations</title>
2c2961f8403049d948b9f3e6c35d6488b6b7e1aajose borrego<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="prev" href="Bv9ARM.ch06.html" title="Chapter&nbsp;6.&nbsp;BIND 9 Configuration Reference">
<link rel="next" href="Bv9ARM.ch08.html" title="Chapter&nbsp;8.&nbsp;Troubleshooting">
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw</head>
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw<div class="navheader">
2c2961f8403049d948b9f3e6c35d6488b6b7e1aajose borrego<table width="100%" summary="Navigation header">
<tr><th colspan="3" align="center">Chapter&nbsp;7.&nbsp;<acronym class="acronym">BIND</acronym> 9 Security Considerations</th></tr>
2c2961f8403049d948b9f3e6c35d6488b6b7e1aajose borrego<tr>
2c2961f8403049d948b9f3e6c35d6488b6b7e1aajose borrego<td width="20%" align="left">
<a accesskey="p" href="Bv9ARM.ch06.html">Prev</a>&nbsp;</td>
<th width="60%" align="center">&nbsp;</th>
<td width="20%" align="right">&nbsp;<a accesskey="n" href="Bv9ARM.ch08.html">Next</a>
2c2961f8403049d948b9f3e6c35d6488b6b7e1aajose borrego</td>
2c2961f8403049d948b9f3e6c35d6488b6b7e1aajose borrego</tr>
2c2961f8403049d948b9f3e6c35d6488b6b7e1aajose borrego</table>
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw<hr>
2c2961f8403049d948b9f3e6c35d6488b6b7e1aajose borrego</div>
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw<div class="chapter" lang="en">
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw<div class="titlepage"><div><div><h2 class="title">
<a name="Bv9ARM.ch07"></a>Chapter&nbsp;7.&nbsp;<acronym class="acronym">BIND</acronym> 9 Security Considerations</h2></div></div></div>
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw<div class="toc">
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw<p><b>Table of Contents</b></p>
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw<dl>
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw<dt><span class="sect1"><a href="Bv9ARM.ch07.html#Access_Control_Lists">Access Control Lists</a></span></dt>
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw<dt><span class="sect1"><a href="Bv9ARM.ch07.html#id2609143"><span><strong class="command">Chroot</strong></span> and <span><strong class="command">Setuid</strong></span></a></span></dt>
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw<dd><dl>
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2609292">The <span><strong class="command">chroot</strong></span> Environment</a></span></dt>
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2609352">Using the <span><strong class="command">setuid</strong></span> Function</a></span></dt>
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw</dl></dd>
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw<dt><span class="sect1"><a href="Bv9ARM.ch07.html#dynamic_update_security">Dynamic Update Security</a></span></dt>
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw</dl>
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw</div>
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw<div class="sect1" lang="en">
7b59d02d2a384be9a08087b14defadd214b3c1ddjb<div class="titlepage"><div><div><h2 class="title" style="clear: both">
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb<a name="Access_Control_Lists"></a>Access Control Lists</h2></div></div></div>
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw<p>
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb Access Control Lists (ACLs) are address match lists that
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw you can set up and nickname for future use in
2c2961f8403049d948b9f3e6c35d6488b6b7e1aajose borrego <span><strong class="command">allow-notify</strong></span>, <span><strong class="command">allow-query</strong></span>,
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw <span><strong class="command">allow-query-on</strong></span>, <span><strong class="command">allow-recursion</strong></span>,
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw <span><strong class="command">blackhole</strong></span>, <span><strong class="command">allow-transfer</strong></span>,
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw <span><strong class="command">match-clients</strong></span>, etc.
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb </p>
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb<p>
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb Using ACLs allows you to have finer control over who can access
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw your name server, without cluttering up your config files with huge
2c2961f8403049d948b9f3e6c35d6488b6b7e1aajose borrego lists of IP addresses.
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb </p>
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb<p>
2c2961f8403049d948b9f3e6c35d6488b6b7e1aajose borrego It is a <span class="emphasis"><em>good idea</em></span> to use ACLs, and to
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb control access to your server. Limiting access to your server by
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb outside parties can help prevent spoofing and denial of service
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb (DoS) attacks against your server.
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb </p>
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb<p>
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb ACLs match clients on the basis of up to three characteristics:
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb 1) The client's IP address; 2) the TSIG or SIG(0) key that was
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb used to sign the request, if any; and 3) an address prefix
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb encoded in an EDNS Client Subnet option, if any.
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb </p>
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb<p>
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb Here is an example of ACLs based on client addresses:
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb </p>
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw<pre class="programlisting">
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb// Set up an ACL named "bogusnets" that will block
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb// RFC1918 space and some reserved space, which is
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb// commonly used in spoofing attacks.
faa1795a28a5c712eed6d0a3f84d98c368a316c6jbacl bogusnets {
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb 0.0.0.0/8; 192.0.2.0/24; 224.0.0.0/3;
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16;
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb};
2c2961f8403049d948b9f3e6c35d6488b6b7e1aajose borrego
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb// Set up an ACL called our-nets. Replace this with the
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw// real IP numbers.
2c2961f8403049d948b9f3e6c35d6488b6b7e1aajose borregoacl our-nets { x.x.x.x/24; x.x.x.x/21; };
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amwoptions {
dc20a3024900c47dd2ee44b9707e6df38f7d62a5as ...
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb ...
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw allow-query { our-nets; };
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw allow-recursion { our-nets; };
b89a8333f5e1f75ec0c269b22524bd2eccb972banatalie li - Sun Microsystems - Irvine United States ...
b89a8333f5e1f75ec0c269b22524bd2eccb972banatalie li - Sun Microsystems - Irvine United States blackhole { bogusnets; };
2c2961f8403049d948b9f3e6c35d6488b6b7e1aajose borrego ...
2c2961f8403049d948b9f3e6c35d6488b6b7e1aajose borrego};
2c2961f8403049d948b9f3e6c35d6488b6b7e1aajose borrego
faa1795a28a5c712eed6d0a3f84d98c368a316c6jbzone "example.com" {
dc20a3024900c47dd2ee44b9707e6df38f7d62a5as type master;
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb file "m/example.com";
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw allow-query { any; };
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw};
2c2961f8403049d948b9f3e6c35d6488b6b7e1aajose borrego</pre>
7b59d02d2a384be9a08087b14defadd214b3c1ddjb<p>
2c2961f8403049d948b9f3e6c35d6488b6b7e1aajose borrego This allows authoritative queries for "example.com" from any
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw address, but recursive queries only from the networks specified
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb in "our-nets", and no queries at all from the networks
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw specified in "bogusnets".
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw </p>
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw<p>
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw In addition to network addresses and prefixes, which are
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw matched against the source address of the DNS request, ACLs
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw may include <code class="option">key</code> elements, which specify the
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw name of a TSIG or SIG(0) key, or <code class="option">ecs</code>
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw elements, which specify a network prefix but are only matched
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw if that prefix matches an EDNS client subnet option included
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw in the request.
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw </p>
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw<p>
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw The EDNS Client Subnet (ECS) option is used by a recursive
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw resolver to inform an authoritative name server of the network
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw address block from which the original query was received, enabling
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw authoritative servers to give different answers to the same
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw resolver for different resolver clients. An ACL containing
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw an element of the form
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw <span><strong class="command">ecs <em class="replaceable"><code>prefix</code></em></strong></span>
 will match if a request arrives containing an ECS option
 encoding an address within that prefix. If the request has no
 ECS option, then "ecs" elements are simply ignored. Addresses
 in ACLs that are not prefixed with "ecs" are matched only
 against the source address. Because the ECS option is supplied
 by the requester, an "ecs" element on its own is not a reliable
 basis for granting access.
7b59d02d2a384be9a08087b14defadd214b3c1ddjb </p>
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb<p>
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw When <acronym class="acronym">BIND</acronym> 9 is built with GeoIP support,
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb ACLs can also be used for geographic access restrictions.
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw This is done by specifying an ACL element of the form:
2c2961f8403049d948b9f3e6c35d6488b6b7e1aajose borrego <span><strong class="command">geoip [<span class="optional">db <em class="replaceable"><code>database</code></em></span>] <em class="replaceable"><code>field</code></em> <em class="replaceable"><code>value</code></em></strong></span>
2c2961f8403049d948b9f3e6c35d6488b6b7e1aajose borrego </p>
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw<p>
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw The <em class="replaceable"><code>field</code></em> indicates which field
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb to search for a match. Available fields are "country",
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb "region", "city", "continent", "postal" (postal code),
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw "metro" (metro code), "area" (area code), "tz" (timezone),
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw "isp", "org", "asnum", "domain" and "netspeed".
2c2961f8403049d948b9f3e6c35d6488b6b7e1aajose borrego </p>
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb<p>
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb <em class="replaceable"><code>value</code></em> is the value to search
2c2961f8403049d948b9f3e6c35d6488b6b7e1aajose borrego for within the database. A string may be quoted if it
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb contains spaces or other special characters. If this is
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb an "asnum" search, then the leading "ASNNNN" string can be
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb used, otherwise the full description must be used (e.g.
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb "ASNNNN Example Company Name"). If this is a "country"
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb search and the string is two characters long, then it must
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb be a standard ISO-3166-1 two-letter country code, and if it
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb is three characters long then it must be an ISO-3166-1
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb three-letter country code; otherwise it is the full name
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb of the country. Similarly, if this is a "region" search
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb and the string is two characters long, then it must be a
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb standard two-letter state or province abbreviation;
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb otherwise it is the full name of the state or province.
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb </p>
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb<p>
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb The <em class="replaceable"><code>database</code></em> field indicates which
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb GeoIP database to search for a match. In most cases this is
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw unnecessary, because most search fields can only be found in
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb a single database. However, searches for country can be
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb answered from the "city", "region", or "country" databases,
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb and searches for region (i.e., state or province) can be
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb answered from the "city" or "region" databases. For these
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb search types, specifying a <em class="replaceable"><code>database</code></em>
2c2961f8403049d948b9f3e6c35d6488b6b7e1aajose borrego will force the query to be answered from that database and no
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb other. If <em class="replaceable"><code>database</code></em> is not
 specified, then these queries will be answered from the "city"
 database if it is installed, or the "region" database if it is
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb installed, or the "country" database, in that order.
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb </p>
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb<p>
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw By default, if a DNS query includes an EDNS Client Subnet (ECS)
2c2961f8403049d948b9f3e6c35d6488b6b7e1aajose borrego option which encodes a non-zero address prefix, then GeoIP ACLs
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw will be matched against that address prefix. Otherwise, they
dc20a3024900c47dd2ee44b9707e6df38f7d62a5as are matched against the source address of the query. To
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb prevent GeoIP ACLs from matching against ECS options, set
 the <span><strong class="command">geoip-use-ecs</strong></span> option to <code class="literal">no</code>.
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw </p>
b89a8333f5e1f75ec0c269b22524bd2eccb972banatalie li - Sun Microsystems - Irvine United States<p>
b89a8333f5e1f75ec0c269b22524bd2eccb972banatalie li - Sun Microsystems - Irvine United States Some example GeoIP ACLs:
6537f381d2d9e7b4e2f7b29c3e7a3f13be036f2eas </p>
2c2961f8403049d948b9f3e6c35d6488b6b7e1aajose borrego<pre class="programlisting">geoip country US;
geoip country JPN;
faa1795a28a5c712eed6d0a3f84d98c368a316c6jbgeoip db country country Canada;
faa1795a28a5c712eed6d0a3f84d98c368a316c6jbgeoip db region region WA;
faa1795a28a5c712eed6d0a3f84d98c368a316c6jbgeoip city "San Francisco";
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amwgeoip region Oklahoma;
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amwgeoip postal 95062;
2c2961f8403049d948b9f3e6c35d6488b6b7e1aajose borregogeoip tz "America/Los_Angeles";
2c2961f8403049d948b9f3e6c35d6488b6b7e1aajose borregogeoip org "Internet Systems Consortium";
2c2961f8403049d948b9f3e6c35d6488b6b7e1aajose borrego</pre>
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb<p>
dc20a3024900c47dd2ee44b9707e6df38f7d62a5as ACLs use a "first-match" logic rather than "best-match":
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb if an address prefix matches an ACL element, then that ACL
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw is considered to have matched even if a later element would
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw have matched more specifically. For example, the ACL
2c2961f8403049d948b9f3e6c35d6488b6b7e1aajose borrego <span><strong class="command"> { 10/8; !10.0.0.1; }</strong></span> would actually
7b59d02d2a384be9a08087b14defadd214b3c1ddjb match a query from 10.0.0.1, because the first element
2c2961f8403049d948b9f3e6c35d6488b6b7e1aajose borrego indicated that the query should be accepted, and the second
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw element is ignored.
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb </p>
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw<p>
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw When using "nested" ACLs (that is, ACLs included or referenced
 within other ACLs), a negative match of a nested ACL will
 cause the containing ACL to continue looking for matches. This
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw enables complex ACLs to be constructed, in which multiple
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw client characteristics can be checked at the same time. For
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw example, to construct an ACL which allows queries only when
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw it originates from a particular network <span class="emphasis"><em>and</em></span>
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw only when it is signed with a particular key, use:
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw </p>
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw<pre class="programlisting">
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amwallow-query { !{ !10/8; any; }; key example; };
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw</pre>
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw<p>
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw Within the nested ACL, any address that is
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw <span class="emphasis"><em>not</em></span> in the 10/8 network prefix will
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw be rejected, and this will terminate processing of the
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw ACL. Any address that <span class="emphasis"><em>is</em></span> in the 10/8
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw network prefix will be accepted, but this causes a negative
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw match of the nested ACL, so the containing ACL continues
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw processing. The query will then be accepted if it is signed
2c2961f8403049d948b9f3e6c35d6488b6b7e1aajose borrego by the key "example", and rejected otherwise. The ACL, then,
 will only match when <span class="emphasis"><em>both</em></span> conditions
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw are true.
7b59d02d2a384be9a08087b14defadd214b3c1ddjb </p>
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb</div>
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw<div class="sect1" lang="en">
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb<div class="titlepage"><div><div><h2 class="title" style="clear: both">
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb<a name="id2609143"></a><span><strong class="command">Chroot</strong></span> and <span><strong class="command">Setuid</strong></span>
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb</h2></div></div></div>
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb<p>
2c2961f8403049d948b9f3e6c35d6488b6b7e1aajose borrego On UNIX servers, it is possible to run <acronym class="acronym">BIND</acronym>
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb in a <span class="emphasis"><em>chrooted</em></span> environment (using
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw the <span><strong class="command">chroot()</strong></span> function) by specifying
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb the <code class="option">-t</code> option for <span><strong class="command">named</strong></span>.
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb This can help improve system security by placing
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw <acronym class="acronym">BIND</acronym> in a "sandbox", which will limit
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb the damage done if a server is compromised.
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb </p>
2c2961f8403049d948b9f3e6c35d6488b6b7e1aajose borrego<p>
2c2961f8403049d948b9f3e6c35d6488b6b7e1aajose borrego Another useful feature in the UNIX version of <acronym class="acronym">BIND</acronym> is the
 ability to run the daemon as an unprivileged user (<code class="option">-u</code> <em class="replaceable"><code>user</code></em>).
2c2961f8403049d948b9f3e6c35d6488b6b7e1aajose borrego We suggest running as an unprivileged user when using the <span><strong class="command">chroot</strong></span> feature.
2c2961f8403049d948b9f3e6c35d6488b6b7e1aajose borrego </p>
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb<p>
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb Here is an example command line to load <acronym class="acronym">BIND</acronym> in a <span><strong class="command">chroot</strong></span> sandbox,
2c2961f8403049d948b9f3e6c35d6488b6b7e1aajose borrego <span><strong class="command">/var/named</strong></span>, and to run <span><strong class="command">named</strong></span> <span><strong class="command">setuid</strong></span> to
2c2961f8403049d948b9f3e6c35d6488b6b7e1aajose borrego user 202:
2c2961f8403049d948b9f3e6c35d6488b6b7e1aajose borrego </p>
2c2961f8403049d948b9f3e6c35d6488b6b7e1aajose borrego<p>
2c2961f8403049d948b9f3e6c35d6488b6b7e1aajose borrego <strong class="userinput"><code>/usr/local/sbin/named -u 202 -t /var/named</code></strong>
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb </p>
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw<div class="sect2" lang="en">
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb<div class="titlepage"><div><div><h3 class="title">
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb<a name="id2609292"></a>The <span><strong class="command">chroot</strong></span> Environment</h3></div></div></div>
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw<p>
2c2961f8403049d948b9f3e6c35d6488b6b7e1aajose borrego In order for a <span><strong class="command">chroot</strong></span> environment
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb to
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw work properly in a particular directory
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb (for example, <code class="filename">/var/named</code>),
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb you will need to set up an environment that includes everything
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb <acronym class="acronym">BIND</acronym> needs to run.
2c2961f8403049d948b9f3e6c35d6488b6b7e1aajose borrego From <acronym class="acronym">BIND</acronym>'s point of view, <code class="filename">/var/named</code> is
2c2961f8403049d948b9f3e6c35d6488b6b7e1aajose borrego the root of the filesystem. You will need to adjust the values of
 options like <span><strong class="command">directory</strong></span> and <span><strong class="command">pid-file</strong></span> to account
2c2961f8403049d948b9f3e6c35d6488b6b7e1aajose borrego for this.
2c2961f8403049d948b9f3e6c35d6488b6b7e1aajose borrego </p>
2c2961f8403049d948b9f3e6c35d6488b6b7e1aajose borrego<p>
2c2961f8403049d948b9f3e6c35d6488b6b7e1aajose borrego Unlike with earlier versions of BIND, you typically will
2c2961f8403049d948b9f3e6c35d6488b6b7e1aajose borrego <span class="emphasis"><em>not</em></span> need to compile <span><strong class="command">named</strong></span>
2c2961f8403049d948b9f3e6c35d6488b6b7e1aajose borrego statically nor install shared libraries under the new root.
2c2961f8403049d948b9f3e6c35d6488b6b7e1aajose borrego However, depending on your operating system, you may need
2c2961f8403049d948b9f3e6c35d6488b6b7e1aajose borrego to set up things like
2c2961f8403049d948b9f3e6c35d6488b6b7e1aajose borrego <code class="filename">/dev/zero</code>,
2c2961f8403049d948b9f3e6c35d6488b6b7e1aajose borrego <code class="filename">/dev/random</code>,
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb <code class="filename">/dev/log</code>, and
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb <code class="filename">/etc/localtime</code>.
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb </p>
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb</div>
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb<div class="sect2" lang="en">
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb<div class="titlepage"><div><div><h3 class="title">
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb<a name="id2609352"></a>Using the <span><strong class="command">setuid</strong></span> Function</h3></div></div></div>
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb<p>
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb Prior to running the <span><strong class="command">named</strong></span> daemon,
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb use
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb the <span><strong class="command">touch</strong></span> utility (to change file
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb access and
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb modification times) or the <span><strong class="command">chown</strong></span>
2c2961f8403049d948b9f3e6c35d6488b6b7e1aajose borrego utility (to
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb set the user id and/or group id) on files
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw to which you want <acronym class="acronym">BIND</acronym>
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw to write.
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw </p>
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw<h3 class="title">Note</h3>
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw Note that if the <span><strong class="command">named</strong></span> daemon is running as an
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw unprivileged user, it will not be able to bind to new restricted
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw ports if the server is reloaded.
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw </div>
2c2961f8403049d948b9f3e6c35d6488b6b7e1aajose borrego</div>
2c2961f8403049d948b9f3e6c35d6488b6b7e1aajose borrego</div>
2c2961f8403049d948b9f3e6c35d6488b6b7e1aajose borrego<div class="sect1" lang="en">
2c2961f8403049d948b9f3e6c35d6488b6b7e1aajose borrego<div class="titlepage"><div><div><h2 class="title" style="clear: both">
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb<a name="dynamic_update_security"></a>Dynamic Update Security</h2></div></div></div>
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw<p>
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw Access to the dynamic
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw update facility should be strictly limited. In earlier versions of
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw <acronym class="acronym">BIND</acronym>, the only way to do this was
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw based on the IP
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb address of the host requesting the update, by listing an IP address
2c2961f8403049d948b9f3e6c35d6488b6b7e1aajose borrego or
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb network prefix in the <span><strong class="command">allow-update</strong></span>
2c2961f8403049d948b9f3e6c35d6488b6b7e1aajose borrego zone option.
2c2961f8403049d948b9f3e6c35d6488b6b7e1aajose borrego This method is insecure since the source address of the update UDP
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb packet
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb is easily forged. Also note that if the IP addresses allowed by the
b89a8333f5e1f75ec0c269b22524bd2eccb972banatalie li - Sun Microsystems - Irvine United States <span><strong class="command">allow-update</strong></span> option include the
b89a8333f5e1f75ec0c269b22524bd2eccb972banatalie li - Sun Microsystems - Irvine United States address of a slave
2c2961f8403049d948b9f3e6c35d6488b6b7e1aajose borrego server which performs forwarding of dynamic updates, the master can
2c2961f8403049d948b9f3e6c35d6488b6b7e1aajose borrego be
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb trivially attacked by sending the update to the slave, which will
2c2961f8403049d948b9f3e6c35d6488b6b7e1aajose borrego forward it to the master with its own source IP address causing the
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb master to approve it without question.
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb </p>
2c2961f8403049d948b9f3e6c35d6488b6b7e1aajose borrego<p>
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb For these reasons, we strongly recommend that updates be
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb cryptographically authenticated by means of transaction signatures
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb (TSIG). That is, the <span><strong class="command">allow-update</strong></span>
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb option should
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb list only TSIG key names, not IP addresses or network
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw prefixes. Alternatively, the new <span><strong class="command">update-policy</strong></span>
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw option can be used.
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw </p>
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw<p>
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw Some sites choose to keep all dynamically-updated DNS data
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw in a subdomain and delegate that subdomain to a separate zone. This
2c2961f8403049d948b9f3e6c35d6488b6b7e1aajose borrego way, the top-level zone containing critical data such as the IP
2c2961f8403049d948b9f3e6c35d6488b6b7e1aajose borrego addresses
2c2961f8403049d948b9f3e6c35d6488b6b7e1aajose borrego of public web and mail servers need not allow dynamic update at
2c2961f8403049d948b9f3e6c35d6488b6b7e1aajose borrego all.
2c2961f8403049d948b9f3e6c35d6488b6b7e1aajose borrego </p>
2c2961f8403049d948b9f3e6c35d6488b6b7e1aajose borrego</div>
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw</div>
7b59d02d2a384be9a08087b14defadd214b3c1ddjb<div class="navfooter">
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb<hr>
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw<table width="100%" summary="Navigation footer">
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb<tr>
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw<td width="40%" align="left">
<a accesskey="p" href="Bv9ARM.ch06.html">Prev</a>&nbsp;</td>
<td width="20%" align="center">&nbsp;</td>
<td width="40%" align="right">&nbsp;<a accesskey="n" href="Bv9ARM.ch08.html">Next</a>
2c2961f8403049d948b9f3e6c35d6488b6b7e1aajose borrego</td>
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw</tr>
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw<tr>
<td width="40%" align="left" valign="top">Chapter&nbsp;6.&nbsp;<acronym class="acronym">BIND</acronym> 9 Configuration Reference&nbsp;</td>
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
<td width="40%" align="right" valign="top">&nbsp;Chapter&nbsp;8.&nbsp;Troubleshooting</td>
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb</tr>
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw</table>
2c2961f8403049d948b9f3e6c35d6488b6b7e1aajose borrego</div>
2c2961f8403049d948b9f3e6c35d6488b6b7e1aajose borrego<p style="text-align: center;">BIND 9.11.0pre-alpha</p>
2c2961f8403049d948b9f3e6c35d6488b6b7e1aajose borrego</body>
2c2961f8403049d948b9f3e6c35d6488b6b7e1aajose borrego</html>
2c2961f8403049d948b9f3e6c35d6488b6b7e1aajose borrego