/etc/bind.keys in a chrooted environment

/etc/bind.keys in a chrooted environment

Josef Moellers
Hi,
named complains about the missing file /etc/bind.keys if run chrooted:
unable to open '/etc/bind.keys' using built-in keys

What is the preferred way around this? Add "/etc/bind-keys" to
NAMED_CONF_INCLUDE_FILES?

Thanks,

Josef

--
SUSE Software Solutions Germany GmbH
Maxfeldstr. 5
90409 Nürnberg
Germany

(HRB 36809, AG Nürnberg)
Geschäftsführer: Felix Imendörffer

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users

Re: /etc/bind.keys in a chrooted environment

Anand Buddhdev
On 22/07/2020 15:06, Josef Moellers wrote:

Hi Josef,

> named complains about the missing file /etc/bind.keys if run chrooted:
> unable to open '/etc/bind.keys' using built-in keys
>
> What is the preferred way around this? Add "/etc/bind-keys" to
> NAMED_CONF_INCLUDE_FILES?

Or just ignore the warning, and let BIND use its built-in keys.

Regards,
Anand

Re: /etc/bind.keys in a chrooted environment

Josef Moellers
On 22.07.20 15:28, Anand Buddhdev wrote:

> On 22/07/2020 15:06, Josef Moellers wrote:
>
> Hi Josef,
>
>> named complains about the missing file /etc/bind.keys if run chrooted:
>> unable to open '/etc/bind.keys' using built-in keys
>>
>> What is the preferred way around this? Add "/etc/bind-keys" to
>> NAMED_CONF_INCLUDE_FILES?
>
> Or just ignore the warning, and let BIND use its built-in keys.

If /etc/bind.keys contains some additional keys, this will not work ;-)

Josef
--
SUSE Software Solutions Germany GmbH
Maxfeldstr. 5
90409 Nürnberg
Germany

(HRB 36809, AG Nürnberg)
Geschäftsführer: Felix Imendörffer

Re: /etc/bind.keys in a chrooted environment

Anand Buddhdev
On 22/07/2020 15:30, Josef Moellers wrote:

>> Or just ignore the warning, and let BIND use its built-in keys.
>
> If /etc/bind.keys contains some additional keys, this will not work ;-)

Sure, but what additional keys do you expect this file to contain? Are
you serving an alternate signed root zone?

Re: /etc/bind.keys in a chrooted environment

Josef Moellers
On 22.07.20 16:41, Anand Buddhdev wrote:
> On 22/07/2020 15:30, Josef Moellers wrote:
>
>>> Or just ignore the warning, and let BIND use its built-in keys.
>>
>> If /etc/bind.keys contains some additional keys, this will not work ;-)
>
> Sure, but what additional keys do you expect this file to contain? Are
> you serving an alternate signed root zone?

I'm not really sure what the partner wants to add, I have the slight
feeling that the remark about manually added keys was made by a third
person assuming ...

It turns out that it is mainly the warning the partner is irritated about.

So, let me put the question the other way round: what would happen if we
*always* copied /etc/bind.keys to the chroot environment? If there would
be no harm, I could easily add that to eg /etc/init.d/named or the
systemd service file. But the question now is: does it do any harm?

Thanks,

Josef
--
SUSE Software Solutions Germany GmbH
Maxfeldstr. 5
90409 Nürnberg
Germany

(HRB 36809, AG Nürnberg)
Geschäftsführer: Felix Imendörffer

Re: /etc/bind.keys in a chrooted environment

Anand Buddhdev
On 22/07/2020 16:51, Josef Moellers wrote:

> It turns out that it is mainly the warning the partner is irritated about.
>
> So, let me put the question the other way round: what would happen if we
> *always* copied /etc/bind.keys to the chroot environment? If there would
> be no harm, I could easily add that to eg /etc/init.d/named or the
> systemd service file. But the question now is: does it do any harm?

There is no harm in copying the file into the chroot. It will get rid of
the warning.

Re: /etc/bind.keys in a chrooted environment

Bind-Users forum mailing list
On Wed, Jul 22, 2020 at 11:05 AM Anand Buddhdev <[hidden email]> wrote:
> There is no harm in copying the file into the chroot. It will get rid of
> the warning.

With the caveat that you have to be sure that if you keep the original
copy outside of the chroot, you have to be sure updates get reflected
inside the chroot.

NAMED_CONF_INCLUDE_FILES mentioned in the OP seems to be a SuSE-ism
and I didn't dig into whatever bearing it might have for maintenance
of the chroot.
--
tale
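One way to handle the caveat above about keeping the chroot copy current, as an added example that is not part of the original thread: a shell function for the init script or systemd unit that rewrites the chroot copy only when it is missing or differs from the system file. The function name `sync_bind_keys` and the chroot path in the sample call are assumptions.

```sh
#!/bin/sh
# Added example (not from the thread): refresh the chroot copy of bind.keys.
# Assumptions: the caller passes the chroot root, which already has an etc/
# directory; run as root before named starts (init script or ExecStartPre=).

sync_bind_keys() {
    src=$1                          # system copy, e.g. /etc/bind.keys
    chroot_dir=$2                   # chroot root (site-specific)
    dst="$chroot_dir/etc/bind.keys"

    # No system copy: nothing to sync; named warns and uses built-in keys.
    if [ ! -f "$src" ]; then
        echo "absent"
        return 0
    fi

    # Only rewrite when the chroot copy is missing, a symlink, or stale.
    if [ -f "$dst" ] && [ ! -L "$dst" ] && cmp -s "$src" "$dst"; then
        echo "unchanged"
        return 0
    fi

    # Copy to a temp file in the same directory, then rename it into place,
    # so named never opens a half-written file.
    tmp=$(mktemp "$chroot_dir/etc/.bind.keys.XXXXXX") || return 1
    if [ -L "$dst" ]; then
        rm -f "$dst"                # drop the link itself, do not follow it
    fi
    if cp "$src" "$tmp" && chmod 0644 "$tmp" && mv -f "$tmp" "$dst"; then
        echo "updated"
        return 0
    fi
    rm -f "$tmp"
    return 1
}

# Example call; /var/lib/named is an assumed chroot path:
# sync_bind_keys /etc/bind.keys /var/lib/named
```

The function prints `absent`, `unchanged` or `updated`, so a package update that changes the system file shows up in the service log at the next start.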

Re: /etc/bind.keys in a chrooted environment

Tony Finch
In reply to this post by Anand Buddhdev
Anand Buddhdev <[hidden email]> wrote:
> On 22/07/2020 15:06, Josef Moellers wrote:
>
> > named complains about the missing file /etc/bind.keys if run chrooted:
> > unable to open '/etc/bind.keys' using built-in keys
> >
> > What is the preferred way around this? Add "/etc/bind-keys" to
> > NAMED_CONF_INCLUDE_FILES?
>
> Or just ignore the warning, and let BIND use its built-in keys.

Yes, I recommend this.

Tony.
--
f.anthony.n.finch  <[hidden email]>  http://dotat.at/
Mull of Kintyre to Ardnamurchan Point: Southwest veering west 3 or 4,
occasionally 5 at first. Slight or moderate. Occasional rain, fog patches.
Moderate or poor, occasionally very poor.

Re: /etc/bind.keys in a chrooted environment

Josef Moellers
In reply to this post by Anand Buddhdev
On 22.07.20 17:05, Anand Buddhdev wrote:

> On 22/07/2020 16:51, Josef Moellers wrote:
>
>> It turns out that it is mainly the warning the partner is irritated about.
>>
>> So, let me put the question the other way round: what would happen if we
>> *always* copied /etc/bind.keys to the chroot environment? If there would
>> be no harm, I could easily add that to eg /etc/init.d/named or the
>> systemd service file. But the question now is: does it do any harm?
>
> There is no harm in copying the file into the chroot. It will get rid of
> the warning.

Thanks and ... stay healthy!

Josef
--
SUSE Software Solutions Germany GmbH
Maxfeldstr. 5
90409 Nürnberg
Germany

(HRB 36809, AG Nürnberg)
Geschäftsführer: Felix Imendörffer

Re: /etc/bind.keys in a chrooted environment

Evan Hunt
In reply to this post by Josef Moellers
On Wed, Jul 22, 2020 at 03:30:28PM +0200, Josef Moellers wrote:
> If /etc/bind.keys contains some additional keys, this will not work ;-)

I see the question has already been answered, but I thought it might be
worth mentioning that /etc/bind.keys can *only* be used for the root zone;
any other domains listed there will be ignored. So, this would already not
work.

--
Evan Hunt -- [hidden email]
Internet Systems Consortium, Inc.