Red Hat Summit4.7. BIND
There are several major changes in BIND configuration:
- Default ACL configuration
- In Red Hat Enterprise Linux 5, the default ACL configuration allowed queries and offered recursion for all hosts. By default in Red Hat Enterprise Linux 6, all hosts can make queries for authoritative data but only hosts from the local network can make recursive queries.
- New
allow-query-cacheoption - The
allow-recursionoption has been deprecated in favor of this option. It is used to control access to server caches, which include all non-authoritative data (like recursive lookups and root nameserver hints). - Chroot environment management
- The
bind-chroot-adminscript, which was used to create symlinks from a non-chroot environment to a chroot environment, is deprecated and no longer exists. Instead, configuration can be managed directly in a non-chroot environment and init scripts automatically mount needed files to the chroot environment duringnamedstartup in the case that files are not already present in the chroot. /var/nameddirectory permissions- The
/var/nameddirectory is no longer writable. All zone files that need to be writable (such as dynamic DNS zones, DDNS) must be placed in the new writable directory:/var/named/dynamic. dnssec [yes|no]option removed- The global
dnssec [yes|no]options have been split into two new options:dnssec-enableanddnssec-validation. Thednssec-enableoption enables DNSSEC support. Thednssec-validationoption enables DNSSEC validation. Note that settingdnssec-enableto "no" on recursive server means that it cannot be used as a forwarder by another server that performs DNSSEC validation. Both options are set to yes by default. controlsstatement not required- You no longer need to specify the
controlsstatement in/etc/named.confif you use therndcmanagement utility. Thenamedservice automatically allows control connections using the loopback device and bothnamedandrndcuse the same secret key generated during installation (located in/etc/rndc.key).
In a default installation, BIND is installed with DNSSEC validation enabled, and uses the ISC DLV register. This means all signed domains (such as gov., se., cz.), that have their key in the ISC DLV register, are cryptographically validated on the recursive server. If validation fails due to attempts at cache poisoning, then the end user will not be given this forged/spoofed data. DNSSEC deployment is fully supported in Red Hat Enterprise Linux 6. DNSSEC is an important step in making the Internet more secure for end users, and is widely implemented. As previously mentioned, DNSSEC validation is controlled with the
dnssec-validation option in /etc/named.conf.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}