#43006 closed enhancement (fixed)
bind9 portfile improvements
| Reported by: | jul_bsd@… | Owned by: | danielluke (Daniel J. Luke) |
|---|---|---|---|
| Priority: | Normal | Milestone: | |
| Component: | ports | Version: | 2.2.1 |
| Keywords: | haspatch | Cc: | |
| Port: | bind9 |
Description
- create and use dedicated user
- include in notes a reminder to generate rdnc key for administration
- url for documentation to secure bind
- livecheck
Attachments (2)
Change History (13)
Changed 10 years ago by jul_bsd@…
| Attachment: | patch-bind9-Portfile.diff added |
|---|
comment:1 Changed 10 years ago by danielluke (Daniel J. Luke)
| Owner: | changed from macports-tickets@… to dluke@… |
|---|---|
| Status: | new → assigned |
Changed 10 years ago by jul_bsd@…
| Attachment: | patch-bind9-Portfile.2.diff added |
|---|
comment:3 Changed 10 years ago by danielluke (Daniel J. Luke)
| Status: | assigned → new |
|---|
I'm unlikely to integrate the WS changes, but adding a dedicated user for bind9 is a good idea.
comment:4 Changed 10 years ago by danielluke (Daniel J. Luke)
| Status: | new → assigned |
|---|
comment:5 Changed 10 years ago by danielluke (Daniel J. Luke)
| Cc: | dluke@… removed |
|---|
comment:6 Changed 10 years ago by danielluke (Daniel J. Luke)
Are you running with this config? I would think some of the files/paths would need to be owned by the new user/group in order for this to actually work.
comment:7 Changed 10 years ago by jul_bsd@…
- what do you mean by WS changes?
- I have some bind9 warnings about permissions: /opt/local/var/run/named.pid /opt/local/var/run/named/session.key. it does not seem possible to specify a pid path at run to use a named-owned dir, need to review that, maybe at configure
- it runs on a desktop client. it was mostly for my cif setup (#43011) but other things are blocking my test currently
comment:8 Changed 10 years ago by danielluke (Daniel J. Luke)
- WS = whitespace
- we probably need to put the pid into something like $prefix/var/run/named/named.pid where $prefix/var/run/named is owned by the new named user. I imagine $prefix/var/named needs to be installed owned by named as well (especially for anyone doing auto-dnssec). We could probably put the pid in $prefix/var/named otherwise too...
- for a local caching resolver, I would honestly probably recommend that people run unbound instead of bind9
comment:9 Changed 10 years ago by jul_bsd@…
- tab to whitespace seems the "norm" defined by 'port lint --nitpick' after, I don't mind other. depends on macport policy
- yeah, I agree about pid, just need to check where we defined the path. doesn't seem to be at run (nothing in man), so maybe in config file (pid-file, it seems)
- unbound is lighter and probably more secure for a default local resolver after, it depends on the requirements of other software... as for cif, it seems mostly for cache+forwarder, so probably possible with unbound
comment:10 Changed 10 years ago by danielluke (Daniel J. Luke)
| Resolution: | → fixed |
|---|---|
| Status: | assigned → closed |
- use add_users to add new user/group
- use new user as owner of some installed files
- include the extra notes text you recommended
- move pidfile to where I meant to move it
- add live check
- actually tell startupitem.executable to use the new named user
Note: See
TracTickets for help on using
tickets.