rndc reconfig causing long timeouts

Dave Clark bind-users at dollardns.net
Tue Oct 4 13:49:08 UTC 2005


The security is confirmed by rndc.key or rndc.conf.  Nobody would be allowed
to execute 'rndc stop' for example because rndc wouldn't be able to read those
files to communicate with BIND.  Same security is applied to custom paths on
rndc reconfig/reload.  If I'm missing the point on where it is insecure,
please go into detail.

The "rndc reconfig" without a path is part of what we're trying to avoid.
It processes the entire configuration which may be extensive and take more
time than a selective reconfig on systems with a massive config.  The rsync
or ftp would also benefit from the trick I'm proposing.  You do not have
to transfer the entire configuration to the slave servers.  You only need to
transfer one of the distributed configuration files and have BIND reload
that specific part of the configuration, which will of course need to be
included by named.conf so that the configuration is persistent beyond a
server restart.

Dave

----- Original Message ----- 
From: "Brad Knowles" <brad at stop.mail-abuse.org>
To: "Dave Clark" <bind-users at dollardns.net>
Cc: <bind-users at isc.org>
Sent: Monday, October 03, 2005 7:50 PM
Subject: Re: rndc reconfig causing long timeouts


> At 6:32 PM -0400 2005-10-03, Dave Clark wrote:
>
> >  Ya know, I think I've thought of something.  Perhaps a rndc command may
> >  be given to read a specific named configuration file.
>
> There is already "rndc reconfig", which will cause BIND to
> re-read the configuration file it has confirmed is secure.  You're
> done.
>
> The real trick is getting changes made to that configuration
> file, without having to resort to tricks like rsync or ftp.  And no,
> specifying a path within the rndc command is not going to work.
> That's just not secure.
>
> -- 
> Brad Knowles, <brad at stop.mail-abuse.org>
>
> "Those who would give up essential Liberty, to purchase a little
> temporary Safety, deserve neither Liberty nor Safety."
>
>      -- Benjamin Franklin (1706-1790), reply of the Pennsylvania
>      Assembly to the Governor, November 11, 1755
>
>    SAGE member since 1995.  See <http://www.sage.org/> for more info.
>
>
>
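Added here as an illustration of the setup the reply above describes (a named.conf split into fragments pulled in by include statements, with the rndc.key file permissions acting as the access control, and a reload that only happens after the configuration has been checked). This is example code, not from the thread or from ISC. It assumes POSIX sh, absolute paths in each include statement, and the hypothetical paths below are placeholders; named-checkconf and rndc are only called if present.

```shell
#!/bin/sh
# Example (not from the thread): guard rails around a split named.conf
# before calling "rndc reconfig". All paths are placeholders.

# Return 0 if FILE is readable only by its owner. rndc.key is the
# credential that lets rndc talk to named, so group/other read bits
# on it hand control of the server to every local account.
key_is_private() {
    f=$1
    [ -f "$f" ] || return 1
    # POSIX find: "-perm -g+r" is true when the group-read bit is set
    [ -z "$(find "$f" -perm -g+r -o -perm -o+r 2>/dev/null)" ]
}

# Print the files pulled in by top-level include statements of a named.conf,
# one path per line (a single level; nested includes are not followed).
list_includes() {
    conf=$1
    sed -n 's/^[[:space:]]*include[[:space:]]*"\([^"]*\)"[[:space:]]*;.*/\1/p' "$conf"
}

# Return 0 if every included fragment exists and is readable, so a partial
# transfer of one fragment cannot leave named without the others.
includes_resolve() {
    conf=$1
    for inc in $(list_includes "$conf"); do
        [ -r "$inc" ] || { echo "missing include: $inc" >&2; return 1; }
    done
    return 0
}

# Validate, then reconfigure. Never reconfig on a configuration that fails
# the checks: named keeps the last good config, and the error is reported.
reload_config() {
    conf=${1:-/etc/named.conf}          # placeholder path
    key=${2:-/etc/rndc.key}             # placeholder path
    key_is_private "$key" || { echo "$key is readable by others" >&2; return 1; }
    includes_resolve "$conf" || return 1
    if command -v named-checkconf >/dev/null 2>&1; then
        named-checkconf "$conf" || return 1
    fi
    if command -v rndc >/dev/null 2>&1; then
        rndc reconfig
    else
        echo "rndc not found; nothing reloaded" >&2
        return 1
    fi
}
```

Run as `reload_config /path/to/named.conf /path/to/rndc.key` after transferring a single fragment to a slave; the permission check on the key file is what makes the "nobody else can run rndc" argument in the reply hold on a shared host. Paths containing whitespace are not handled by the simple word-splitting loop.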