rndc (and now nsupdate too)

/dev/rob0 rob0 at gmx.co.uk
Thu Jul 31 19:08:48 UTC 2014


On Thu, Jul 31, 2014 at 05:56:08PM +0200, Reindl Harald wrote:
> Am 31.07.2014 um 17:41 schrieb /dev/rob0:
> > On Thu, Jul 31, 2014 at 01:32:03PM +0200, Reindl Harald wrote:
> >> i am doing reloads of named with "killall -HUP named" just 
> >> because i disabled rndc completely for security reasons and 
> >> configurations are generated with own software only needs
> >> named to reload
> > 
> > Hmm, rndc is securable. You don't have to open it to the
snip
> > You're losing a lot of new features without rndc. This is a 
> > "throwing out the baby with the bathwater" sort of solution. 
> > Sure, this is what you are familiar with and what works for
> > you, but to disable rndc isn't good advice for readers of
> > this list.  ISC is moving on
> 
> don't get me wrong but if someone creates *any* bind
> configuration and zone-files with self developed software

... that someone is almost surely doing it wrong.  "Zone files"?

> there are no features rndc could provide and so disable
> something you don't use is the way to go instead of making it
> secure with other switches

The proper tool to manage named configuration and operation, and 
which in the best Unix ethic is well suited for automation, is 
rndc(8).

The proper tool to manage zone data is nsupdate(8).  Likewise well 
suited for automation.

Unfortunately, it seems that no one with an adequate understanding of 
BIND has written and released a good management frontend.  Too many 
of them are still wallowing around in zone file editing rather than 
nsupdate and (as it seems from this thread) sending of signals rather 
than rndc.
-- 
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
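
The split the message above recommends, nsupdate(8) for zone data and rndc(8) in place of a HUP signal for configuration, as an added shell example that is not part of the original post or ISC's own code. The function names, the loopback server address, the key file path and the record values are assumptions; rndc is assumed to find its own key in its default configuration.

```shell
#!/bin/sh
# Added example; server address, key path and record values are constructed.
NS_SERVER="127.0.0.1"              # assumption: named answers on loopback
TSIG_KEYFILE="/etc/bind/ddns.key"  # assumption: TSIG key file used by nsupdate -k

# Accept only hostname-safe characters so generated input cannot smuggle
# extra nsupdate commands (newlines, spaces) into the batch.
valid_name() {
    case "$1" in
        ''|*[!A-Za-z0-9.-]*|.*|-*|*..*) return 1 ;;
    esac
}

valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ -n "$octet" ] && [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Emit an nsupdate batch that replaces the A record for NAME in ZONE.
build_update() {   # usage: build_update ZONE NAME TTL IPV4
    valid_name "$1" && valid_name "$2" && valid_ipv4 "$4" || return 1
    case "$3" in ''|*[!0-9]*) return 1 ;; esac
    printf 'server %s\nzone %s\nupdate delete %s A\nupdate add %s %s A %s\nsend\n' \
        "$NS_SERVER" "$1" "$2" "$2" "$3" "$4"
}

# Zone data: send the batch through nsupdate, authenticated with the TSIG key.
apply_update() {
    batch=$(build_update "$@") || { echo "rejected input" >&2; return 1; }
    printf '%s\n' "$batch" | nsupdate -k "$TSIG_KEYFILE"
}

# Configuration: ask named to re-read named.conf via rndc rather than a signal.
reload_config() {
    rndc -s "$NS_SERVER" reconfig
}
```

Only `apply_update` and `reload_config` touch a running named; `build_update` can be checked on its own before any key is handed to the script.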

