
Re: BIND 9 questions



Another option is to create a /JAIL partition for chrooted
things.  Bad to do in stock OpenBSD (you can presume there
will be a var, and even a var partition, but not a non-standard
partition like /JAIL).

I use /JAIL to keep chrooted binaries and such, it's mounted
WITH dev allowed, but it's mounted readonly.

/JAIL/named/namedb/  is a loopback that contains the zones.
                     On a secondary-only appliance, it's an MFS
                     that's seeded on boot from an RO partition.
/JAIL/named/etc/     is part of /JAIL/ and contains keys,
                     config files etc.

Are you expecting a lot of CH and HS queries that must be stopped?

Quoting Mark D Robinson (mrobinso_(_at_)_fpkc_(_dot_)_com):
> > /var is mount'ed nodev by default ( mount | grep /var ) ...
> 
> Ah, I did not know that. Thanks, I'll have to remember that. I'll just use the file then.

> > Well, you just said named is chrooted by default to /var/named.  So you
> > will need to chop that to 'file "named.log";'.
I don't recall if it does openlog before or after the chroot...

> Using 'file "named.log"' yields the same "permission denied" as 'file "/named.log"',
> which makes sense, I think. Anyway, I guess I was confused by the fact that
> file "/var/named/named.log" gave me a "file not found" error, but now I'm
> realizing that it was unable to find /var/named relative to the chroot as
> opposed to the actual named.log file itself (which should be created when not
> found).
> 
> I didn't want to change the default permissions on the /var/named directory
> itself, so I created a /var/named/log directory with write permissions for the
> named group and that seems to do the trick.
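One way to see why the three log paths discussed in this thread fail or succeed, as an added example that is not code from the original posts: a small Python script that resolves a named.conf `file` value the way a chrooted named would and checks the mode bits for an assumed unprivileged uid/gid. The uid 65001 and the temporary directory layout are constructed; the running process's own gid stands in for the named group.

```python
import os
import stat
import tempfile

def resolve_in_chroot(chroot, logfile):
    """Map a named.conf 'file "..."' value to the host path a chrooted named opens.

    After chroot(2), "named.log" and "/named.log" both name <chroot>/named.log,
    while "/var/named/named.log" names <chroot>/var/named/named.log.
    """
    return os.path.join(chroot, logfile.lstrip("/"))

def writable_by(st, uid, gid):
    """Owner/group/other write check of the mode bits for an unprivileged uid/gid."""
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid == gid:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)

def diagnose_log_path(chroot, logfile, uid, gid):
    """Return the error a chrooted named running as uid/gid would hit, or "ok"."""
    host_path = resolve_in_chroot(chroot, logfile)
    parent = os.path.dirname(host_path)
    if not os.path.isdir(parent):
        return "file not found"  # the directory does not exist inside the chroot
    # Creating a missing log file needs write permission on its directory.
    target = host_path if os.path.exists(host_path) else parent
    if writable_by(os.stat(target), uid, gid):
        return "ok"
    return "permission denied"

def demo():
    """Rebuild the thread's layout under a temp dir: var/named is the chroot (0755),
    var/named/log is writable by the named group (0775). Constructed sample tree."""
    base = tempfile.mkdtemp()
    chroot = os.path.join(base, "var", "named")
    os.makedirs(os.path.join(chroot, "log"))
    os.chmod(chroot, 0o755)
    os.chmod(os.path.join(chroot, "log"), 0o775)
    named_uid = 65001        # constructed uid: not the owner of these directories
    named_gid = os.getgid()  # stand-in for the named group on a real system
    return {
        path: diagnose_log_path(chroot, path, named_uid, named_gid)
        for path in ("/var/named/named.log", "named.log", "log/named.log")
    }

if __name__ == "__main__":
    for path, result in demo().items():
        print(f'file "{path}": {result}')
```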