commit
6ded9b0c76
@ -0,0 +1 @@
e202ef1583ef39f1af0d3a9cb1e6f6adbc4a2314 SOURCES/bind-9.18.21.tar.xz
@ -0,0 +1 @@
SOURCES/bind-9.18.21.tar.xz
@ -0,0 +1,66 @@
From 402403b4bbb4f603693378e86b6c97997ccb0401 Mon Sep 17 00:00:00 2001
From: Petr Mensik <pemensik@redhat.com>
Date: Wed, 17 Jun 2020 23:17:13 +0200
Subject: [PATCH] Update man named with Red Hat specifics
This is almost unmodified text and requires revalidation. Some of those
statements are no longer correct.
---
bin/named/named.rst | 41 +++++++++++++++++++++++++++++++++++++++++
1 file changed, 41 insertions(+)
diff --git a/bin/named/named.rst b/bin/named/named.rst
index ea440b2..fa51984 100644
--- a/bin/named/named.rst
+++ b/bin/named/named.rst
@@ -212,6 +212,47 @@ Files
|named_pid|
The default process-id file.
+Notes
+~~~~~
+
+**Red Hat SELinux BIND Security Profile:**
+
+By default, Red Hat ships BIND with the most secure SELinux policy
+that will not prevent normal BIND operation and will prevent exploitation
+of all known BIND security vulnerabilities . See the selinux(8) man page
+for information about SElinux.
+
+It is not necessary to run named in a chroot environment if the Red Hat
+SELinux policy for named is enabled. When enabled, this policy is far
+more secure than a chroot environment. Users are recommended to enable
+SELinux and remove the bind-chroot package.
+
+*With this extra security comes some restrictions:*
+
+By default, the SELinux policy does not allow named to write any master
+zone database files. Only the root user may create files in the $ROOTDIR/var/named
+zone database file directory (the options { "directory" } option), where
+$ROOTDIR is set in /etc/sysconfig/named.
+
+The "named" group must be granted read privelege to
+these files in order for named to be enabled to read them.
+
+Any file created in the zone database file directory is automatically assigned
+the SELinux file context *named_zone_t* .
+
+By default, SELinux prevents any role from modifying *named_zone_t* files; this
+means that files in the zone database directory cannot be modified by dynamic
+DNS (DDNS) updates or zone transfers.
+
+The Red Hat BIND distribution and SELinux policy creates three directories where
+named is allowed to create and modify files: */var/named/slaves*, */var/named/dynamic*
+*/var/named/data*. By placing files you want named to modify, such as
+slave or DDNS updateable zone files and database / statistics dump files in
+these directories, named will work normally and no further operator action is
+required. Files in these directories are automatically assigned the '*named_cache_t*'
+file context, which SELinux allows named to write.
+
+
See Also
~~~~~~~~
--
2.34.1
@ -0,0 +1,75 @@
From 0f3a398fe813189c5dd56b0367a72c7b3f19504b Mon Sep 17 00:00:00 2001
From: Petr Mensik <pemensik@redhat.com>
Date: Wed, 14 Sep 2022 13:06:24 +0200
Subject: [PATCH] Disable some often failing tests
Make those tests skipped in default build, when CI=true environment is
set. It is not clear why they fail mostly on COPR, but they do fail
often.
---
tests/isc/netmgr_test.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/tests/isc/netmgr_test.c b/tests/isc/netmgr_test.c
index 94e4bf7..7f9629c 100644
--- a/tests/isc/netmgr_test.c
+++ b/tests/isc/netmgr_test.c
@@ -1567,13 +1567,13 @@ stream_half_recv_half_send(void **state __attribute__((unused))) {
/* TCP */
ISC_RUN_TEST_IMPL(tcp_noop) { stream_noop(state); }
-ISC_RUN_TEST_IMPL(tcp_noresponse) { stream_noresponse(state); }
+ISC_RUN_TEST_IMPL(tcp_noresponse) { SKIP_IN_CI; stream_noresponse(state); }
ISC_RUN_TEST_IMPL(tcp_timeout_recovery) { stream_timeout_recovery(state); }
ISC_RUN_TEST_IMPL(tcp_recv_one) { stream_recv_one(state); }
-ISC_RUN_TEST_IMPL(tcp_recv_two) { stream_recv_two(state); }
+ISC_RUN_TEST_IMPL(tcp_recv_two) { SKIP_IN_CI; stream_recv_two(state); }
ISC_RUN_TEST_IMPL(tcp_recv_send) {
SKIP_IN_CI;
@@ -1623,6 +1623,7 @@ ISC_RUN_TEST_IMPL(tcp_recv_one_quota) {
}
ISC_RUN_TEST_IMPL(tcp_recv_two_quota) {
+ SKIP_IN_CI;
atomic_store(&check_listener_quota, true);
stream_recv_two(state);
}
@@ -1836,6 +1837,7 @@ ISC_RUN_TEST_IMPL(tcpdns_recv_two) {
isc_result_t result = ISC_R_SUCCESS;
isc_nmsocket_t *listen_sock = NULL;
+ SKIP_IN_CI;
atomic_store(&nsends, 2);
result = isc_nm_listentcpdns(listen_nm, &tcp_listen_addr,
@@ -2095,6 +2097,7 @@ ISC_RUN_TEST_IMPL(tls_recv_one) {
}
ISC_RUN_TEST_IMPL(tls_recv_two) {
+ SKIP_IN_CI;
stream_use_TLS = true;
stream_recv_two(state);
}
@@ -2160,6 +2163,7 @@ ISC_RUN_TEST_IMPL(tls_recv_one_quota) {
}
ISC_RUN_TEST_IMPL(tls_recv_two_quota) {
+ SKIP_IN_CI;
stream_use_TLS = true;
atomic_store(&check_listener_quota, true);
stream_recv_two(state);
@@ -2395,6 +2399,7 @@ ISC_RUN_TEST_IMPL(tlsdns_recv_two) {
isc_result_t result = ISC_R_SUCCESS;
isc_nmsocket_t *listen_sock = NULL;
+ SKIP_IN_CI;
atomic_store(&nsends, 2);
result = isc_nm_listentlsdns(listen_nm, &tcp_listen_addr,
--
2.37.2
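Review bot: The SKIP_IN_CI additions at tcp_noresponse, tcp_recv_two, tcp_recv_two_quota, tcpdns_recv_two, tls_recv_two, tls_recv_two_quota and tlsdns_recv_two leave no record in the source of why these cases are disabled, so the skip will outlive whatever is actually failing on the COPR builders. Suggest a comment above the first of them, `/* SKIP_IN_CI: the two-receive stream cases fail intermittently on COPR builders; see [TRACKING-ISSUE placeholder] before re-enabling. */`, with a one-line pointer at the other sites. The bodies of tcpdns_recv_two and tlsdns_recv_two continue outside the hunk, so whether the early SKIP_IN_CI leaves `listen_sock` or other state unreleased in the non-skipped path cannot be judged from here; worth confirming the macro only returns before any allocation.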
@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEEcGtsKGIOdvkdEfffUQpkKgbFLOwFAmV3BGsACgkQUQpkKgbF
LOwu9w/+JciqKqT0JieUDwPzEhhulBCWEhbZFrHK6dFM5UkPHkaV79QkZAQEhnq1
FXVEF99ZuTbz5s79wNAZ9I4AiU0al5RK1P5MwMBbjsQrfnkhmKnPIU1jx3FSVrCP
tC9l1xEjkLNi2vf28ZQ9KED2hUdqsgTZqDvgewEnrq1NtZ0K7ozz9nHQLfooDSJT
L5U9HDp3vf5BJWONjnKAPjJJdeRf7HPqokJVSjQcVxrT06VsMNUFFmyCbEJ0UTJm
mqDrRuEXhkAKf40DwMr0qGqiq5Q4m960yADEK1Aju/9cEf6Ag4FYyy70iyICe7Tj
T8qjVzzwboUJao3m/152+6qvzGXJKdUUZqCnNcCc2wmirmg/ES4DLLFyYYXBflj7
hWCOLXeghF/785te4fmiH3gqcEZBEVcc0wl1HCL5m3q9kGutGgLJVOZgM5D6zf2T
0Sa60qIr5r+cKCS9OYowTH1+NqEsW4XhCVIe/RYEuXa3FFczIUbdGlUQ5t9ILBxi
zbZ04Tj0tecqUVkhoEYZfQzhHEa43LzxATdQ4Zc01USaxhbSFSoyG1+WP1tPD+PL
wqZA9tEuvKtngr/UP+BeLG0lWv5zbtShzM1V1cEg7JuoiI2onWstaN7NYXShiUMZ
oVYXIBbmNbXVmm2TYzt4mw9TotGWHkSNjPZGvvAYw/0mtcw6NXs=
=bzR1
-----END PGP SIGNATURE-----
@ -0,0 +1,17 @@
diff --git a/bin/named/Makefile.am b/bin/named/Makefile.am
index 57a023b..085f2f7 100644
--- a/bin/named/Makefile.am
+++ b/bin/named/Makefile.am
@@ -32,9 +32,12 @@ AM_CPPFLAGS += \
endif HAVE_LIBXML2
AM_CPPFLAGS += \
+ -fpie \
-DNAMED_LOCALSTATEDIR=\"${localstatedir}\" \
-DNAMED_SYSCONFDIR=\"${sysconfdir}\"
+AM_LDFLAGS += -pie -Wl,-z,relro,-z,now,-z,nodlopen,-z,noexecstack
+
sbin_PROGRAMS = named
nodist_named_SOURCES = xsl.c
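Review bot: `-fpie` is appended to AM_CPPFLAGS, which automake hands to the preprocessor as well as the compiler; it is a code-generation flag that pairs with the `-pie` link flag, so it belongs in AM_CFLAGS (`AM_CFLAGS += -fpie`) where the PIE intent is visible and it is not passed to preprocess-only invocations. The new `AM_LDFLAGS += ...` line assumes AM_LDFLAGS was assigned with `=` earlier in this Makefile.am, which the hunk does not show; automake rejects `+=` on a variable that has not been defined, so confirm the prior assignment or use `=` here. The relro/now/noexecstack set itself is the right hardening baseline for a network daemon.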
@ -0,0 +1 @@
d /run/named 0755 named named -
@ -0,0 +1,33 @@
#!/bin/bash
if [ -r /etc/rc.d/init.d/functions ]; then
. /etc/rc.d/init.d/functions
else
success() {
echo $" OK "
}
failure() {
echo -n " "
echo $"FAILED"
}
fi
# This script generates /etc/rndc.key if doesn't exist AND if there is no rndc.conf
if [ ! -s /etc/rndc.key ] && [ ! -s /etc/rndc.conf ]; then
echo -n $"Generating /etc/rndc.key:"
if /usr/sbin/rndc-confgen -a -A hmac-sha256 > /dev/null 2>&1
then
chmod 640 /etc/rndc.key
chown root:named /etc/rndc.key
[ -x /sbin/restorecon ] && /sbin/restorecon /etc/rndc.key
success $"/etc/rndc.key generation"
echo
else
rc=$?
failure $"/etc/rndc.key generation"
echo
exit $rc
fi
fi
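Review bot: /etc/rndc.key is written by `rndc-confgen -a` under whatever umask the service inherits and only afterwards tightened by `chmod 640` and `chown root:named`, so unless rndc-confgen itself creates the file restrictively (not verifiable from here) there is a window in which the shared secret can be more readable than intended. Adding `umask 077` immediately before the rndc-confgen call closes that window independently of what the tool does. The `rc=$?` in the else branch does capture rndc-confgen's exit status in bash, but only because nothing executes between the test and the assignment; a comment such as `# $? is still rndc-confgen's status here` would keep a later edit from silently breaking it.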
@ -0,0 +1,175 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
mQINBGNjen4BEADDHiUVNbkFtiKPaMWjKxbKmF1nmv7XKjDhwSww6WFiGPbQyxNM
r8EHlEJx5kMT67rx0IYMhTLiXm/9C4dGYyUfFWc35CGetuzstzCNkwJs7vZAhEyk
+06CX4GFiHPOmWIupGCxFkNz1Qopz3ZePMlZRslVCHzW4dbg5NKLI0ojXlNaTDU5
mgUXpsPi/6l6QE6q3ouvmWPF4u71cZ1+W4UkIRAXOlbVsDzGaMaoHjJd8cOM8DrZ
gKHACNPjzqOvEujXDC2vyKw6XpxR+pHz0QcrRtlKnVhPNiKcDfw2mJJ5zxi9uSDc
dh5FomMn9sS4gy2Tub2urELnPf9xnURftRGG3VO6nZc81ufQB4s1BNT2ny0Uhx5V
mXUJwefMypMBfAvWCWBCeyWYtBeo7LT3NmtLq3oVGPfl7+a0ToFAYeghspK8/nOX
6/fqF1MEtzvWjXljz6K7FSDYSY9AoaESLHGwCo6dtff5S7f1+l6PCUNo6aM/B5Ke
SIAN9Lm6z2iVuy9Lukw+5IRoRKHHV4rJauPtDeYoWnNiSd7Q4vFtotUIjRpDARpm
xWS711Q2T+knHFLEiU8QzxjLhOnTzh4n9dDLHCkOY5WM5krldVeL5EuTyPKinuSn
oE01A7I4IGJp753CshibxjNYDiEOVeK93R38Y543edlIrYxnfyMVsiqPkwARAQAB
tDRNaWNoYcWCIEvEmXBpZcWEIChDb2RlLVNpZ25pbmcgS2V5KSA8bWljaGFsQGlz
Yy5vcmc+iQJOBBMBCgA4FiEEcGtsKGIOdvkdEfffUQpkKgbFLOwFAmNjen4CGwMF
CwkIBwMFFQoJCAsFFgIDAQACHgECF4AACgkQUQpkKgbFLOwiLxAAjYuI4JQ8mPq7
YrV9m4tu+jOKvoKfpjct2Rh02n/X3ChOgrdcXU898eH56tRk8Mv/E+cBTPN9zQn6
rLprbYR2t2R+zgvuUZWA8In7aewoPIJw8OdlG0gTK9m3VHJIOhIX07qcFttSZw4m
4rEU5mdxi9FatBWBzqnVm4Pn577aqRXK908j+6TvgWbZ6Cq0tw3syVT4kGj+93+P
uIQQQkTYN8UDQPsAKzfzkbQC9I5YXBKUoB9CfhXig8V9N75R0gsWkJ8Vy/8wsPXT
9/EPIIzhnhSuUIjvvBPbLGrzDgbhrfUQ/QVuXDVN8xl3rAWM/tiNGOnmzoYORyM5
ftrnCDIaO4aVKR6rtEzfdQa5Kid1StfhFien/U8jYErxkEn2HRt2gVEX5nYq31T+
0jgVode2Dzkm4+HKHmfOYsQeC07Mu6wZw9raNYqFjTcfh0ajFpLIT3j2YqOJE2jy
KbcveJcy2NiOiUl13exIZuBkZm0wEVbvgVX1PlgL3GJqnbU/Q+maRTb8FBoQVsOd
GIm7U/phU91qR+00SkOcp2LgHCCNKrmHXgiBNYBbInNIp6ze3bFvfKTRFn8WdY9v
Z7vNfKar8rt90mpjYG9qMhmvh4E9icfp3wRUtOwyi7VVtVTTUq0iFTe2C0m0v6KW
XcDwwwaTbl79BOqOH3Gp1flS2ECBsyiZAg0EY2N8xQEQAMWcyZbpxEyefX4JTszG
ocpz8C8yqvZJQUfoDK5AecQWR7OegPkIqwJcHEH5cz+MduklXNQdra/snn6pxGig
At3xCwfzRTH/aYXdjcjnma1elzZSTgk6Maw4zR/W9wea2DcUtMCcsys0gviN/VUe
Aqt+5pmhy2PlEWfJG+Mzyrqgz3Q8hRyAJAKONAwNhs1A4ZqQX/6iuCkJbH1CBeoW
+c+5qJHYEXsx25qR1yiKOFo5b90QOcwaebUq+xKQRlnESn75FTgDjDfDm9BqrHcn
Tv79kOuIN5vhz4BCsuo5QbNu4RGrs/1VSTPvMf5AN7xs9pYNMAEde7pSF1Ps3B5p
CE6iUw9L53ytV4iJQKXpzG29LofUu65YQjIXPgK7NbBO7FUHA41YbSfoWiOAjfMh
iE025YM2+RPQh/Nrc3PqBj4h21ycT+d8eEXKfc/okbVFFE9dKS1hUwKgSrs7baOG
CBZdpiB+t3jWrr8UrteALab7v0rndco3QKOe9U3f+Gm3MdgLK1TGiRgpdyiIXEel
J7zhsdoYEvaKMgUOjhf+COdlf8b9ITg93mDKe8h0OcpirCXw4O2ma3sklabzZKZf
CPhhja6Ro5gmO5pxaLau+esQWNrjEikynNIs+GRphtcFsVVH+ww26mR0nI65Llgv
kb4+DrbDGSPP6R/C2q/LMLM1ABEBAAG0ME1pY2hhbCBOb3dhayAoQ29kZS1TaWdu
aW5nIEtleSkgPG1ub3dha0Bpc2Mub3JnPokCTgQTAQoAOBYhBNmczq+Hl0cBTwON
YxguI1eUYu+qBQJjY3zFAhsDBQsJCAcDBRUKCQgLBRYCAwEAAh4BAheAAAoJEBgu
I1eUYu+q9IAP/j/GGneuvjwbXdATiQAmkiFlOxjs+SsO/hgA/mmWcm+Kpg4cAlbP
C2xEDa6biJyZ8TmLZEqPNrRm/umiisC8JnIJpIbInn42n4aDCRDW35lrYGdnP1Ft
fexnEOWAJBDRVvh9OnfRfvf+HLFfLFl40b/15YzkTYGIfrMR9y8zalkzXxsVNsyr
9Eq2pmYR7BT2z8d/9SAVuh8D3qgUylIgcFcCFJodsrI4zJSpIMfMntwVsZxDlis8
JVFN8/pfhuBBe6vjqX/cGJnj6OL3T12jvvniv13W3rar2Ocm6XA9j1t5TZNhKqAy
azAKu52NtdJjh25B6C/H+haXAX1eduCCE74uSarqS3F1wf6JI3p8fnWzk4hZNzxp
nZjIk3vrHNjE4jXTZosXCf5DoVRfMpNbxj3YEnXV+kNZQRYPPatUPgFYbxz91hbN
tHyCiy0GmTyf0QId8LTc0y9mPtP9QureJJ6rL8lt7pvXyrYglqhxDgRhJIGKMKdw
0bQtTEF4tyNzC4/sg4/omAGH66clhXlqMmuUjHSUiQyA4LL1mJl63Q+bwqXX4B8t
898tSUmb4Jmg3jLZ3Z9Hl7H8Sp3yYPOLzb2YUF6w3xFsUrNNzVxHFo8tAtEhtEfX
D+ypkowZq8g41WqMlOBrrzQFuExUSXckH2Cn97lV6lkBoueqxP+Zv0bbmQINBGNj
qIkBEADDw/CKszyuFKpVp4Z26rKJ3ooOlp8p9a+fmfuknPtMjJMSX8xK8pOlK739
K83yvDRUidT4+R9IAUKM7TqGA0hoPZmZQLiK0YLlAAXufKxO9IsDZI/7DuF2d8fu
usKQfS4oJC/IbzOAVwgwodnvKhttLWutT09GxiHrnfVPu6Uf4A+GWtrcTIWhXuxE
m7+16ToxBOTLtQ3hh79/RndUuM0ldKRRzJUzASGIPmdQJDLCKgSSeaGjZAdq6gkl
qT/K/R8eoLWSOaBRq8lBE1k7Tq4nSwthMHtCQq4+vxFWH3VF9hwy6ixccROPqt9s
fNfJK3KF4KGhfejMuVn/Lxp1v+Ne2DsdnVofFakAbBMpMyauzAyXPncYSfFhzLBD
kkn7THkfRznmHD8ux89kV534EyqYLjAy8AAD6zNc3tSYgfC0UUw7yz05Sl/eV9Xc
pbezu2ipONlXko8jpCQiiHck599cy+StrjjYPwcHF5m8uUlNnzHoUj8qsoK5SA8u
RnTW2I4DFbL0+x8eL7gmNQYFdMaA4azogtaTFWgPL2jPJ3B+/bUfHDZflvR0FB5+
OD/QHsDv4SB6uX8TOhGbFsHpt7E0scb2U9B8gQeQQJZ3jmcIRp+K18mjYh/ErDFW
23ixBe7h3tn2MGUTOhv1ibOYDE3GYBuGLQiom6yhCs8zrneuAQARAQABtDFXbG9k
ZWsgV2VuY2VsIChDb2RlLVNpZ25pbmcgS2V5KSA8d2xvZGVrQGlzYy5vcmc+iQJO
BBMBCgA4FiEEAlmjO19aOkRmzzRcel4ITKylGIQFAmNjqIkCGwMFCwkIBwMFFQoJ
CAsFFgIDAQACHgECF4AACgkQel4ITKylGIRk9g//XrvOYy9zQkpo4Dkol8yLxr99
Dq9Ur2v8F5Ba4za4QdUxeYrlq8J827mkUqMtnlyb/+3zSMy2I6HAI8QxlDZL5K0g
Gm7iLrwVTM8nAQiNU5vAe4D6PeO5ATBEvRdAUTQGz4xeaTrUXbmNUSC1dZEPvH1z
Fa/Z1WZoy9GLeuWDXix6OXTP8FlQWUTL4/ILLtfJDsWCCX7efkyfnvad8Ye2NfU9
tBjRX5QQ0Dpvgpr8/7El44XcmaHxPWEiq8X2p/d6j3nU/7LspUXRu3ptu5Q2RqMM
iRDZme2c8zieHETpC7m5sshzGxRtT5jWEtZ6V37On5DNTObvXCiaGV95qgiHi5VG
s3MFD3QSo1jJI951k68UM8V+OnzbJGN7TezZ3fTn5Pwdd4C4035QMl0E5NXCcXc8
9d+3DeFmewRRGCaOKPuO/jFPLWcwMlQqp5tkNx8LpqEZfD7/t6FrSvDUsUDU8Rn0
TQILnUZioO68HmeuJbhKaUCMuZGjBIbBqviiufFRiJuEFOVKADQ1u/P5ct/0T/gE
JAho3aubzdYMH5DLsaw03W5KfOjeTLW10zSmSK65wnR6fdwlo5l/Sg6Z63QXD+/H
/OIFgzviJkyoh6MkH55z2K8BDWbhOmaUBjNAcQEXV1KyHeLDkQ+TJfLjctv4KIpv
D7i6kNIp1b6OSdDS9W+ZAg0EY2OzdwEQAMRWPO237ohaXNpKO+dw1qkfOYYisiTQ
yfkT7BG0Xvu8jxeOdRuvUzzplgOfwWhOQkyEEXd205/PpwReeeRwhiu0BDSrzYGM
KZdw9Bw4enoaOinf5WTqM76mc5WUYfvDJIiHies+ANxj4EqTzvSif9hxvvzrbKYV
lHdaGtLm40D6yZSzDEe3X49DmEABM4g/Bs7NfVJcJ3LtLo6qbLy2tKEgNPW+VN/s
harufucxnH5HM6BUUOGZx8L04UCNJu+jvZ0zjLc5DqubNO1526kZclAo94DfTkb+
ir9nxKn7RkdcseibeYPdeIh3le6aU6M0KhTJs3RCxaQF9At08Vrrkh+wkK2Jr5QW
bs8cHpEJ+Q7BwDuAQetFi94eq7Sswh4mjhJ6ZnFCx8v9EbQnvL76afMbhZOezpaQ
aAwXVuIio2fsJpHfxWnXb93H1QKiOQdBZZLQGowcFQCqAWg7h2FwWWbKMV1smGHr
/28tLZtk/4aSCd9cZ9+nofFPPemPLbYwnBECIZN21QKZ2oBXKxb3hchy4EBTKWtC
G/fbTsjSfTCUpMNZ57HO3rGXchjSdIf+tTGJpAqWkTcXuhWXBMWPK6/2REk/DKis
XHugHg9R9hqGs2DaMpGh5NrOLly9+0dsjU15iTQucXbCS9895bRtmDjIN8dLSo9H
6DDw4yO7SHTlABEBAAG0NE1hcmNpbiBHb2R6aW5hIChDb2RlLVNpZ25pbmcgS2V5
KSA8bWdvZHppbmFAaXNjLm9yZz6JAk4EEwEKADgWIQQJCioHkj+SW1dngDpC5d94
yDJx2wUCY2OzdwIbAwULCQgHAwUVCgkICwUWAgMBAAIeAQIXgAAKCRBC5d94yDJx
29U0D/41C8WaGEphQW1N5lT/1284qiPuz3w3iSciAAoAe8iHUGBcSNpAWQmWvWXI
buKb92Gtt8JtSOHwQj8qiHjqRsUu02t/tEgQMQUq6p2jqbxODJfHR8oMFMMB0i0I
RgKtEQeq5wRJpVtH+zIFSl9PorsJtHHfhVbqxvE/axcNKa+WaqZdHuKMqADupQEw
6rD7yYVX6YPiHxMhba2AAAoHT/3VpHC0JidZ5BWGwkfnGbV1/7O91GHfJx6KN/AK
DKb5hFl4TrieDLJzphBWg0y4FJ4K7WSIKvcT2cLel9f9pHV6ysqSZWkCbkjkaVIi
LyoA0o7l263WU0D5oG2ihW6Pa2YrWHDDjfTem+kOEFsMjN+Gw74I4KWUBtldfnHK
A8TyeviKkVok1lwDAoJ3LJi/bcyCLgBZLInOU31mQ7mIXq1ENCOIvQvaG0Lwdt59
sBI8sknHkt+54t/VCaKbWSBOzgGur6EDf9WtPHWvHNCKEleDiHCELdhRYYtENO7T
vTv6Fq6Lh26dor26LnARLPvGLAKwONJ0vlTEG8IyoD5AHz9MwdXYgzh8wIvc/HtD
/0FlQGLd0WYVI6UjZfPxHOZAzARJKXLJMqiSn8hnO8v6JZaUcOF0yRKTKtzqsjzU
v9TubCGdQAaCSCaD2fmA0BEs/FpOnZ8P1fXMpcHGEtMV0qc0wZkCDQRjY7/GARAA
ubCCHkdiMblMA9ZlcOVN1Wep7TuYxQouATTb+73iHDQRNIU7DvluHoSq5zJe1Qst
zjTmtlkr2dyI5JnBexUEKrw2X7gPXfLaXY01gLLB/Jn8tU9VxPqBybxmjmEdP58B
I7BwmCyMYNqDuvPSfTMlogH/pF35Al+c8UbOfDEQqxSO2nKPNa4T5ZoVxvMxV4gn
hEJPv8Xte/wiE+CxxbmO2we6rwJjWe7O3T0mNmqvpO8iIsLlQnwTFD5L1huywPc0
UDHK0nl8k2lkue2buaOiancLatXt/i+L1DIimCgZwOt3DlVLURH5lz5ALXE/fn+5
wKkp+XVyNTAEFhSGifgBDYFw3nZeRTU7unMsRssL8SjuwPWoCcRI/3VE08xCuXc+
h6NpGfeJjLRgUSSBF+958djY320TcXaRLrqRhjcJ34dBsDYsRSC15nnq2JU6Vj5t
rJL9qOdwVAFwKeAfROUULcy/LHZ3QgKLN5jOfdqYzE2KHk1+VANttRPTG34i6uq6
yzCFFYadwST22+QWvxh2ohYj2INvvrzRf3lVxssWyb4USB0JPajgnGeNY/hSYfDa
KArqOr9S+3q7h0v4RgoPxDRFIC8v/10W4wPC7R3wj0m/1WHkSm951Wtzq3V84uCF
LLhx2ByNpnJFRFqklonAH3WHUIeYcdXAsTeunrGU/XsAEQEAAbQuR3JlZyBDaG91
bGVzIChDb2RlLVNpZ25pbmcgS2V5KSA8Z3JlZ0Bpc2Mub3JnPokCTgQTAQoAOBYh
BJWA1r8syA8eO7ESUt6rkdVLE8m4BQJjY7/GAhsDBQsJCAcDBRUKCQgLBRYCAwEA
Ah4BAheAAAoJEN6rkdVLE8m42PwP/RFmUzgsoM23Z/NQ2AacCFTmHweEllkmf+25
3hP80BuSHKsdzlmllFux+xbKZEpQK0nL3fqW8yyv69WmsoKZPpZJxmQ6bwUbtXC7
rHkt5gfOXiTaxDBmgO2dcnDsKLb+bEQ7C5hay1P8rOvf13a4UZeTP37gRGmMr38+
LvADIspIxBdSvFa7Hb4HKG4VVDai8jaPCF0q8daEWMJxyKSfOQBtSVVAzjLcGrYR
bCPDAI1DEASyQOru52WREe4vJCwSaq9dZyGhaWcnyTVQO8bsSLxu7cUVxA3SOheQ
izYKkYNbaBDmWlZxLYFsTUf5izEYdW5BwHaowmw22hSspFod+c37BoY/ePfkR5iQ
YuEff/unyqvdHMDqIXWZqpAi5o5hW3jdCd7ZL5T0WWjz4CQ8eko1ZYYnYzZlDrge
F0veW8+lzHBLx3Ad8HyVGwtRe+VV1V0AZ0lpWMtxo02ZDRtqNDqPqVfLT5P87ZPv
r5GhKtedgrjwY2clgmCT0xgAKNxi2SC+c/vI5PRkIoqwbTiryLIYq8tl6T1k6AMY
eN1ZNQR7eNEXpIvYRD/BZw7IWKkCRaKwfDVhUHCm0ikylwdLXIfEEEA5mu2LJeZh
vCddhks0S8+lRyWR/3okurF6rlloNtM1pslceh2AMDwfs3fORhYJxFsV7O7fyRnD
NS93fq56mQINBGNj8P4BEADXK//p0lWEUNUYirsm6BUyUXqPlPrpVTdPB1tJPj1o
zgeMKFOpYRPU1IZF1G6pbKD09gL6y19LehQYx1a57PF7kCx2ZvvcFN24EHto1H1p
Ti48dZ7KyyEO1rBeLY5Zjgz6YvQZcSH3cd6cTrAo7hPIAjtgSTWp04FjtYJqf+tT
gf+9ZWY+i4nQ6/Q5Z5NUd8jsOcOoFDsmY6Fds+lzn0aZSg2yfd8fnX5QFOIwDv66
aM25q2kvkrX0wtvSQbulC8x5g6fIB3xEL6MWbXcEBYkBMW5Cnw/Kmyj7lJwVwvEO
FFhKaOH/d2LG3rM66gl048aJYLhEJyFSyooBynXs8S/NLDgca94Bvb54FPX8LC3p
lqJRLxhdkha5NLcUYiHOq/L7LWdThh5rRAy87Ggog8TVza118K3oiYujlyVEzLhB
NVMT8x5kl15YknVgOKJAv9j28bSZihHrS7aga1BtYFD8yA9MuuDaHARV6YmThkdg
OEz/PNECjsxCLcT5Bbthzg6Jg1qo3Unyeup0UbyX4zxSphCVmerDmMYddLjJ/ydc
1uxyn4IPINBSx2sAPuUIymhVC29MB6N+SnB37/poTvSsIH15Vg264OVdaervIpuC
W3eUANr7zrdO85nc1CTWGhugFwccXv9nyxAt8zUF/ci17p1/mLpy9K3LqlStVI9j
MwARAQABtDBDYXRoeSBBbG1vbmQgKENvZGUtU2lnbmluZyBLZXkpIDxjYXRoeWFA
aXNjLm9yZz6JAk4EEwEKADgWIQT8h0w+P+hncHCscb617/asfhrd+AUCY2Pw/gIb
AwULCQgHAwUVCgkICwUWAgMBAAIeAQIXgAAKCRC17/asfhrd+HM6D/9KD/n245Fq
jVzew92lJtufAxAFkTA5WO6fXweMlUeqMOub4vpVMLPLoFe5TzWbJMtF0m/P5+aU
YbcvZBWFHsrnwTgA55c1VrhggLOxpw4EU0TvBdwrO7PFOYc2WznaMG+mJdqw+uNM
yK+G44aIaC6rvi3ILSo5HPnbgQWHs39QIRLLcUjtqvavQQeyYAl0zrvNI9Xrs/Nf
eE6PS4hIXg90A9VJRhay18w9hA+STb+xmK+3oSwP1ayLqqQ43OnV/pExSHBsjBQk
4p1nIPlRFL30lGp/o2MoBsRvQM1tELpgBTk1LaTHzuKEpOskrWU37xu0QgEtj7YE
r0X+GGBxgJuUzqSyLsaDgH1sEDqE+AthFfv2dxDadcXM2cdch9y3OyuSMo89aWGc
mEVyesjYoV40tDCG73qLtfehhV/iARDMCfnZGyGYIZdDBL+tZTNeLKVDIUi/R3x9
OmpEl8ZuCuYltyEsJnCF/rQBVMgcTOmsMu6CMx+qT3kC8iGtHqkUT2ufpKISahTn
e329FQjClEWwBHkr0T4K80Z0REjSo6UBtio73IOCxXe0RqO37L/qgo8xKZbLxy86
857PRWJhgbw169FJ2kR5p+M5d/g/MUeYnigvWlORW5LyrFg6RnZ1ZbULZI80QhHN
aSFf/w020HBsLCkzWA/XM6MO2ifJTSn8NpkCDQRkSjCrARAApLUMHAbmxUMWLgDQ
apRZBwWXriEyIVqA/SIy1PyWPPFXqs3LZ5Kn5Gw1WO8PfzkPZNtccGmNLjujIoRB
qR41nV5zxcpS896SujBoYl80A4F4v9Op9i2pFeI9r9acFcUDjbGWBqNro4EfRcJN
Ctkd9+pl3TUvFX06QCTxmmHy3M81SW3b4NWI+jia1cKjCd+qBFBgKWdjSMBeVTBC
R9eKqsBQ1UJql2bRzc8pReS+TYCeEbhaOCvUCCKCwGtsSUOW726iNB/4zR4OOuQV
B9ORufwed+E/RXa8N08/l5O96uXG0krJtOVm0/qQcXOaKxiDo6djnAgCdjFK5zaj
7594wqbI7de58alWb/egqIhjBTgk+/cO+epZ05qx5SoJZL7ny2ottrfS2cBqP4g1
SIt1sYl9ImHmJkNrNDy0s25nE9Nga6OfRqVbwnwot4ouTGwj0oZsCjw+gWjDdztH
1fUWSnlA8jaX9/RZG2wKt9dI+Tp/U4d5dyTb8lIIzzgtAzDmDfPxwwT0rxAAL13A
gDkJ0AzXA4WTOxb/JE2yfCz//kt7n8SYM//LixL4VAB7e/wnfZBhTq0OFpaPjFU0
h/k0dc40AqcUuK3lSSjQr3KTzRHtjz8qtN4DFSuyZac83QSVtWE1rFKjS8bl3XHC
kFFRJ2dMt2WRSkLOYNiTGbYLvmEAEQEAAbQwQW5kcmVpIFBhdmVsIChDb2RlLVNp
Z25pbmcgS2V5KSA8YW5kcmVpQGlzYy5vcmc+iQJOBBMBCgA4FiEE2mo1COZypJ3T
gq/ZW49NkbiO2QkFAmRKMKsCGwMFCwkIBwMFFQoJCAsFFgIDAQACHgECF4AACgkQ
W49NkbiO2QnQZw//XCpeqT0z/sqtu4FYWwYLz1OvWqhe+uA45f9BccnNSVkGFa7w
3hlLQC/FLUIx2cVy9AluJBP29iQge/bCcXnzo/QvCbhe/4lCTxhr7nsBe1bWpuNI
4Pl+cQxZQBwcz74zZ1jjaaQOqm3XtdZxeKNfCQmNvz389UZEk2m8K6qJD23fy20V
n5Y2C502UuP3MitbYKBxBSbs+Auwy1evz/prQ9VeD4Nv3Zr+jWbWFW+dSDC8jkrX
cGdwWrUQ51QD8VBB9lPWPGY6yTbRmacr4AlVSo2DAfyjHRrGHigRF/VAD5p1+u2g
3UFLJaEyujfzwU1kG4+zQCWZ2W2UBOekklq/yefxEY5vU1/Lad7vQhBmogQNF21T
FvLUE6ez7XNsdMZStDPiT8OoTyFZYLRM4yw5rWKw+1mICBv7NV82YD/8hoMoZPyX
2tNRTXv2MZ6qD++0dMCIZNEyFTB344srvQSyJ7K7vwxulc7iFWngRA8oe6JkAhH4
B0yNq1FJm6jIL41S2FmnDL3DlfAdKWapBqzgqkv+X5DQBaTlG9a4BcSsdMJgU/Yx
dD03YsKhDtEWTqBmmEamR1K1CgCC3mOJfsHB5z+Qhdraz2hMr00EQrD5lnpLLpcF
rYWoilvVlRy7Y7U5wfhY4074L2ZfB+yElKsvtfGKJX/8g+eJdeRuII+hjEc=
=NX7P
-----END PGP PUBLIC KEY BLOCK-----
@ -0,0 +1,12 @@
[Unit]
Description=Set-up/destroy chroot environment for named (DNS)
BindsTo=named-chroot.service
Wants=named-setup-rndc.service
After=named-setup-rndc.service
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/libexec/setup-named-chroot.sh /var/named/chroot on /etc/named-chroot.files
ExecStop=/usr/libexec/setup-named-chroot.sh /var/named/chroot off /etc/named-chroot.files
@ -0,0 +1,25 @@
# Configuration of files used in chroot
# Following files are made available after named-chroot.service start
# if they are missing or empty in target directory.
/etc/localtime
/etc/named.root.key
/etc/named.conf
/etc/named.rfc1912.zones
/etc/rndc.conf
/etc/rndc.key
/etc/named.iscdlv.key
/etc/crypto-policies/back-ends/bind.config
/etc/protocols
/etc/services
/etc/named.dnssec.keys
/etc/pki/dnssec-keys
/etc/named
/usr/lib64/bind
/usr/lib/bind
/usr/share/GeoIP
/run/named
/proc/sys/net/ipv4/ip_local_port_range
# Warning: the order is important
# If a directory containing $ROOTDIR is listed here,
# it MUST be listed last. (/var/named contains /var/named/chroot)
/var/named
@ -0,0 +1,31 @@
# Don't forget to add "$AddUnixListenSocket /var/named/chroot/dev/log"
# line to your /etc/rsyslog.conf file. Otherwise your logging becomes
# broken when rsyslogd daemon is restarted (due update, for example).
[Unit]
Description=Berkeley Internet Name Domain (DNS)
Wants=nss-lookup.target
Requires=named-chroot-setup.service
Before=nss-lookup.target
After=named-chroot-setup.service
After=network.target
[Service]
Type=forking
Environment=NAMEDCONF=/etc/named.conf
EnvironmentFile=-/etc/sysconfig/named
Environment=KRB5_KTNAME=/etc/named.keytab
PIDFile=/var/named/chroot/run/named/named.pid
ExecStartPre=/bin/bash -c 'if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/bin/named-checkconf -t /var/named/chroot -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi'
ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} -t /var/named/chroot $OPTIONS
ExecReload=/bin/sh -c 'if /usr/sbin/rndc null > /dev/null 2>&1; then /usr/sbin/rndc reload; else /bin/kill -HUP $MAINPID; fi'
ExecStop=/bin/sh -c '/usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID'
PrivateTmp=false
Restart=on-abnormal
[Install]
WantedBy=multi-user.target
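Review bot: The [Service] section sets `PrivateTmp=false` explicitly but no other sandboxing, so named starts as root with an unbounded capability set and relies entirely on its own `-u named` drop; there is no `CapabilityBoundingSet=`, `ProtectSystem=`, `ProtectHome=` or `NoNewPrivileges=` to limit what a compromise before or around that drop can do. The `-t /var/named/chroot` switch needs CAP_SYS_CHROOT and port 53 needs CAP_NET_BIND_SERVICE, so a bounding set restricted to those plus the setuid/setgid capabilities the user drop needs is the kind of limit worth testing here; the exact set should be confirmed against named's startup rather than taken from this note. Separately, the ExecStartPre test uses `==` inside `[ ]`, a bash extension; `=` is equivalent and portable, which matters because ExecReload and ExecStop in the same unit run under /bin/sh.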
@ -0,0 +1,7 @@
[Unit]
Description=Generate rndc key for BIND (DNS)
[Service]
Type=oneshot
ExecStart=/usr/libexec/generate-rndc-key.sh
@ -0,0 +1,59 @@
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
options {
listen-on port 53 { 127.0.0.1; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
secroots-file "/var/named/data/named.secroots";
recursing-file "/var/named/data/named.recursing";
allow-query { localhost; };
/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
recursion yes;
dnssec-validation yes;
managed-keys-directory "/var/named/dynamic";
geoip-directory "/usr/share/GeoIP";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
/* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
include "/etc/crypto-policies/back-ends/bind.config";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
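Review bot: The options block sets `allow-query { localhost; };` together with `recursion yes;` but never sets `allow-query-cache`, whereas the sample named.conf added in this same commit pins both (`allow-query { localhost; };` and `allow-query-cache { localhost; };`). With recursion on, the cache ACL is what governs who may use this host as a resolver, and leaving it to BIND's derived default makes the intended localhost-only posture depend on option-inheritance rules rather than on the file itself; suggest adding `allow-query-cache { localhost; };` directly under the existing allow-query line. The listen-on lines already confine the service to loopback, so this is defence in depth and consistency with the sample rather than an open exposure.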
@ -0,0 +1,243 @@
/*
Sample named.conf BIND DNS server 'named' configuration file
for the Red Hat BIND distribution.
See the BIND Administrator's Reference Manual (ARM) for details, in:
file:///usr/share/doc/bind-{version}/arm/Bv9ARM.html
Also see the BIND Configuration GUI : /usr/bin/system-config-bind and
its manual.
*/
options
{
// Put files that named is allowed to write in the data/ directory:
directory "/var/named"; // "Working" directory
dump-file "data/cache_dump.db";
statistics-file "data/named_stats.txt";
memstatistics-file "data/named_mem_stats.txt";
secroots-file "data/named.secroots";
recursing-file "data/named.recursing";
/*
Specify listenning interfaces. You can use list of addresses (';' is
delimiter) or keywords "any"/"none"
*/
//listen-on port 53 { any; };
listen-on port 53 { 127.0.0.1; };
//listen-on-v6 port 53 { any; };
listen-on-v6 port 53 { ::1; };
/*
Access restrictions
There are two important options:
allow-query { argument; };
- allow queries for authoritative data
allow-query-cache { argument; };
- allow queries for non-authoritative data (mostly cached data)
You can use address, network address or keywords "any"/"localhost"/"none" as argument
Examples:
allow-query { localhost; 10.0.0.1; 192.168.1.0/8; };
allow-query-cache { ::1; fe80::5c63:a8ff:fe2f:4526; 10.0.0.1; };
*/
allow-query { localhost; };
allow-query-cache { localhost; };
/* Enable/disable recursion - recursion yes/no;
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
recursion yes;
/* DNSSEC related options. See information about keys ("Trusted keys", bellow) */
/* Enable DNSSEC validation on recursive servers */
dnssec-validation yes;
/* In Fedora we use /run/named instead of default /var/run/named
so we have to configure paths properly. */
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
managed-keys-directory "/var/named/dynamic";
/* In Fedora we use system-wide Crypto Policy */
/* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
include "/etc/crypto-policies/back-ends/bind.config";
};
logging
{
/* If you want to enable debugging, eg. using the 'rndc trace' command,
* named will try to write the 'named.run' file in the $directory (/var/named).
* By default, SELinux policy does not allow named to modify the /var/named directory,
* so put the default debug log file in data/ :
*/
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
/*
Views let a name server answer a DNS query differently depending on who is asking.
By default, if named.conf contains no "view" clauses, all zones are in the
"default" view, which matches all clients.
Views are processed sequentially. The first match is used so the last view should
match "any" - it's fallback and the most restricted view.
If named.conf contains any "view" clause, then all zones MUST be in a view.
*/
view "localhost_resolver"
{
/* This view sets up named to be a localhost resolver ( caching only nameserver ).
* If all you want is a caching-only nameserver, then you need only define this view:
*/
match-clients { localhost; };
recursion yes;
# all views must contain the root hints zone:
zone "." IN {
type hint;
|
||||||
|
file "/var/named/named.ca";
|
||||||
|
};
|
||||||
|
|
||||||
|
/* these are zones that contain definitions for all the localhost
|
||||||
|
* names and addresses, as recommended in RFC1912 - these names should
|
||||||
|
* not leak to the other nameservers:
|
||||||
|
*/
|
||||||
|
include "/etc/named.rfc1912.zones";
|
||||||
|
};
|
||||||
|
view "internal"
|
||||||
|
{
|
||||||
|
/* This view will contain zones you want to serve only to "internal" clients
|
||||||
|
that connect via your directly attached LAN interfaces - "localnets" .
|
||||||
|
*/
|
||||||
|
match-clients { localnets; };
|
||||||
|
recursion yes;
|
||||||
|
|
||||||
|
zone "." IN {
|
||||||
|
type hint;
|
||||||
|
file "/var/named/named.ca";
|
||||||
|
};
|
||||||
|
|
||||||
|
/* these are zones that contain definitions for all the localhost
|
||||||
|
* names and addresses, as recommended in RFC1912 - these names should
|
||||||
|
* not leak to the other nameservers:
|
||||||
|
*/
|
||||||
|
include "/etc/named.rfc1912.zones";
|
||||||
|
|
||||||
|
// These are your "authoritative" internal zones, and would probably
|
||||||
|
// also be included in the "localhost_resolver" view above :
|
||||||
|
|
||||||
|
/*
|
||||||
|
NOTE for dynamic DNS zones and secondary zones:
|
||||||
|
|
||||||
|
DO NOT USE SAME FILES IN MULTIPLE VIEWS!
|
||||||
|
|
||||||
|
If you are using views and DDNS/secondary zones it is strongly
|
||||||
|
recommended to read FAQ on ISC site (www.isc.org), section
|
||||||
|
"Configuration and Setup Questions", questions
|
||||||
|
"How do I share a dynamic zone between multiple views?" and
|
||||||
|
"How can I make a server a slave for both an internal and an external
|
||||||
|
view at the same time?"
|
||||||
|
*/
|
||||||
|
|
||||||
|
zone "my.internal.zone" {
|
||||||
|
type primary;
|
||||||
|
file "my.internal.zone.db";
|
||||||
|
};
|
||||||
|
zone "my.slave.internal.zone" {
|
||||||
|
type secondary;
|
||||||
|
file "slaves/my.slave.internal.zone.db";
|
||||||
|
masters { /* put master nameserver IPs here */ 127.0.0.1; } ;
|
||||||
|
// put slave zones in the slaves/ directory so named can update them
|
||||||
|
};
|
||||||
|
zone "my.ddns.internal.zone" {
|
||||||
|
type primary;
|
||||||
|
allow-update { key ddns_key; };
|
||||||
|
file "dynamic/my.ddns.internal.zone.db";
|
||||||
|
// put dynamically updateable zones in the slaves/ directory so named can update them
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
key ddns_key
|
||||||
|
{
|
||||||
|
algorithm hmac-sha256;
|
||||||
|
secret "use /usr/sbin/ddns-confgen to generate TSIG keys";
|
||||||
|
};
|
||||||
|
|
||||||
|
view "external"
|
||||||
|
{
|
||||||
|
/* This view will contain zones you want to serve only to "external" clients
|
||||||
|
* that have addresses that are not match any above view:
|
||||||
|
*/
|
||||||
|
match-clients { any; };
|
||||||
|
|
||||||
|
zone "." IN {
|
||||||
|
type hint;
|
||||||
|
file "/var/named/named.ca";
|
||||||
|
};
|
||||||
|
|
||||||
|
recursion no;
|
||||||
|
// you'd probably want to deny recursion to external clients, so you don't
|
||||||
|
// end up providing free DNS service to all takers
|
||||||
|
|
||||||
|
// These are your "authoritative" external zones, and would probably
|
||||||
|
// contain entries for just your web and mail servers:
|
||||||
|
|
||||||
|
zone "my.external.zone" {
|
||||||
|
type primary;
|
||||||
|
file "my.external.zone.db";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
/* Trusted keys
|
||||||
|
|
||||||
|
This statement contains DNSSEC keys. If you want DNSSEC aware resolver you
|
||||||
|
should configure at least one trusted key.
|
||||||
|
|
||||||
|
Note that no key written below is valid. Especially root key because root zone
|
||||||
|
is not signed yet.
|
||||||
|
*/
|
||||||
|
/*
|
||||||
|
trust-anchors {
|
||||||
|
// Root Key
|
||||||
|
. initial-key 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3
|
||||||
|
+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv
|
||||||
|
ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF
|
||||||
|
0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e
|
||||||
|
oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd
|
||||||
|
RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN
|
||||||
|
R1AkUTV74bU=";
|
||||||
|
|
||||||
|
// Key for forward zone
|
||||||
|
example.com. static-key 257 3 8 "AwEAAZ0aqu1rJ6orJynrRfNpPmayJZoAx9Ic2/Rl9VQW
|
||||||
|
LMHyjxxem3VUSoNUIFXERQbj0A9Ogp0zDM9YIccKLRd6
|
||||||
|
LmWiDCt7UJQxVdD+heb5Ec4qlqGmyX9MDabkvX2NvMws
|
||||||
|
UecbYBq8oXeTT9LRmCUt9KUt/WOi6DKECxoG/bWTykrX
|
||||||
|
yBR8elD+SQY43OAVjlWrVltHxgp4/rhBCvRbmdflunaP
|
||||||
|
Igu27eE2U4myDSLT8a4A0rB5uHG4PkOa9dIRs9y00M2m
|
||||||
|
Wf4lyPee7vi5few2dbayHXmieGcaAHrx76NGAABeY393
|
||||||
|
xjlmDNcUkF1gpNWUla4fWZbbaYQzA93mLdrng+M=";
|
||||||
|
|
||||||
|
|
||||||
|
// Key for reverse zone.
|
||||||
|
2.0.192.IN-ADDRPA.NET. initial-ds 31406 8 2 "F78CF3344F72137235098ECBBD08947C2C9001C7F6A085A17F518B5D8F6B916D";
|
||||||
|
};
|
||||||
|
*/
|
@ -0,0 +1,10 @@
|
|||||||
|
$TTL 3H
|
||||||
|
@ IN SOA @ rname.invalid. (
|
||||||
|
0 ; serial
|
||||||
|
1D ; refresh
|
||||||
|
1H ; retry
|
||||||
|
1W ; expire
|
||||||
|
3H ) ; minimum
|
||||||
|
NS @
|
||||||
|
A 127.0.0.1
|
||||||
|
AAAA ::1
|
@ -0,0 +1,10 @@
|
|||||||
|
$TTL 1D
|
||||||
|
@ IN SOA @ rname.invalid. (
|
||||||
|
0 ; serial
|
||||||
|
1D ; refresh
|
||||||
|
1H ; retry
|
||||||
|
1W ; expire
|
||||||
|
3H ) ; minimum
|
||||||
|
NS @
|
||||||
|
A 127.0.0.1
|
||||||
|
AAAA ::1
|
@ -0,0 +1,12 @@
|
|||||||
|
/var/named/data/named.run {
|
||||||
|
missingok
|
||||||
|
su named named
|
||||||
|
create 0644 named named
|
||||||
|
postrotate
|
||||||
|
/usr/bin/systemctl reload named.service > /dev/null 2>&1 || true
|
||||||
|
/usr/bin/systemctl reload named-chroot.service > /dev/null 2>&1 || true
|
||||||
|
/usr/bin/systemctl reload named-sdb.service > /dev/null 2>&1 || true
|
||||||
|
/usr/bin/systemctl reload named-sdb-chroot.service > /dev/null 2>&1 || true
|
||||||
|
/usr/bin/systemctl reload named-pkcs11.service > /dev/null 2>&1 || true
|
||||||
|
endscript
|
||||||
|
}
|
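Review bot: `create 0644 named named` recreates the debug log world-readable; the `default_debug` channel that writes `data/named.run` uses `severity dynamic`, so the file carries whatever `rndc trace` level is in effect, which can include client addresses and query names, and `create 0640 named named` is the safer default. The `postrotate` block also reloads `named-sdb.service`, `named-sdb-chroot.service` and `named-pkcs11.service`, which appear to be left over from variants that BIND 9.18 no longer builds; each failure is hidden by `|| true`, so the stale lines only cost a failed exec per rotation, but they are worth dropping. I have not verified which unit files this package installs, so confirm against the package file list before removing them.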
@ -0,0 +1,11 @@
|
|||||||
|
$TTL 1D
|
||||||
|
@ IN SOA @ rname.invalid. (
|
||||||
|
0 ; serial
|
||||||
|
1D ; refresh
|
||||||
|
1H ; retry
|
||||||
|
1W ; expire
|
||||||
|
3H ) ; minimum
|
||||||
|
NS @
|
||||||
|
A 127.0.0.1
|
||||||
|
AAAA ::1
|
||||||
|
PTR localhost.
|
@ -0,0 +1,45 @@
|
|||||||
|
// named.rfc1912.zones:
|
||||||
|
//
|
||||||
|
// Provided by Red Hat caching-nameserver package
|
||||||
|
//
|
||||||
|
// ISC BIND named zone configuration for zones recommended by
|
||||||
|
// RFC 1912 section 4.1 : localhost TLDs and address zones
|
||||||
|
// and https://tools.ietf.org/html/rfc6303
|
||||||
|
// (c)2007 R W Franks
|
||||||
|
//
|
||||||
|
// See /usr/share/doc/bind*/sample/ for example named configuration files.
|
||||||
|
//
|
||||||
|
// Note: empty-zones-enable yes; option is default.
|
||||||
|
// If private ranges should be forwarded, add
|
||||||
|
// disable-empty-zone "."; into options
|
||||||
|
//
|
||||||
|
|
||||||
|
zone "localhost.localdomain" IN {
|
||||||
|
type primary;
|
||||||
|
file "named.localhost";
|
||||||
|
allow-update { none; };
|
||||||
|
};
|
||||||
|
|
||||||
|
zone "localhost" IN {
|
||||||
|
type primary;
|
||||||
|
file "named.localhost";
|
||||||
|
allow-update { none; };
|
||||||
|
};
|
||||||
|
|
||||||
|
zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
|
||||||
|
type primary;
|
||||||
|
file "named.loopback";
|
||||||
|
allow-update { none; };
|
||||||
|
};
|
||||||
|
|
||||||
|
zone "1.0.0.127.in-addr.arpa" IN {
|
||||||
|
type primary;
|
||||||
|
file "named.loopback";
|
||||||
|
allow-update { none; };
|
||||||
|
};
|
||||||
|
|
||||||
|
zone "0.in-addr.arpa" IN {
|
||||||
|
type primary;
|
||||||
|
file "named.empty";
|
||||||
|
allow-update { none; };
|
||||||
|
};
|
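Review bot: The header advice `// disable-empty-zone "."; into options` is doubtful: `disable-empty-zone` takes the name of one built-in empty zone, and I could not confirm that `"."` disables anything, so an administrator following it may see no change. `empty-zones-enable no;` is the documented switch for all built-in empty zones, and the targeted form, e.g. `disable-empty-zone "10.in-addr.arpa";`, is preferable because it forwards only the private range that is actually served internally while the other RFC 6303 zones keep reverse lookups of private addresses from leaking to upstream resolvers. Suggest rewording the two comment lines to `// If a private range should be forwarded, add disable-empty-zone "<zone>"; for that` / `// zone (or empty-zones-enable no; for all of them) into options.`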
@ -0,0 +1,92 @@
|
|||||||
|
; This file holds the information on root name servers needed to
|
||||||
|
; initialize cache of Internet domain name servers
|
||||||
|
; (e.g. reference this file in the "cache . <file>"
|
||||||
|
; configuration file of BIND domain name servers).
|
||||||
|
;
|
||||||
|
; This file is made available by InterNIC
|
||||||
|
; under anonymous FTP as
|
||||||
|
; file /domain/named.cache
|
||||||
|
; on server FTP.INTERNIC.NET
|
||||||
|
; -OR- RS.INTERNIC.NET
|
||||||
|
;
|
||||||
|
; last update: December 20, 2023
|
||||||
|
; related version of root zone: 2023122001
|
||||||
|
;
|
||||||
|
; FORMERLY NS.INTERNIC.NET
|
||||||
|
;
|
||||||
|
. 3600000 NS A.ROOT-SERVERS.NET.
|
||||||
|
A.ROOT-SERVERS.NET. 3600000 A 198.41.0.4
|
||||||
|
A.ROOT-SERVERS.NET. 3600000 AAAA 2001:503:ba3e::2:30
|
||||||
|
;
|
||||||
|
; FORMERLY NS1.ISI.EDU
|
||||||
|
;
|
||||||
|
. 3600000 NS B.ROOT-SERVERS.NET.
|
||||||
|
B.ROOT-SERVERS.NET. 3600000 A 170.247.170.2
|
||||||
|
B.ROOT-SERVERS.NET. 3600000 AAAA 2801:1b8:10::b
|
||||||
|
;
|
||||||
|
; FORMERLY C.PSI.NET
|
||||||
|
;
|
||||||
|
. 3600000 NS C.ROOT-SERVERS.NET.
|
||||||
|
C.ROOT-SERVERS.NET. 3600000 A 192.33.4.12
|
||||||
|
C.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:2::c
|
||||||
|
;
|
||||||
|
; FORMERLY TERP.UMD.EDU
|
||||||
|
;
|
||||||
|
. 3600000 NS D.ROOT-SERVERS.NET.
|
||||||
|
D.ROOT-SERVERS.NET. 3600000 A 199.7.91.13
|
||||||
|
D.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:2d::d
|
||||||
|
;
|
||||||
|
; FORMERLY NS.NASA.GOV
|
||||||
|
;
|
||||||
|
. 3600000 NS E.ROOT-SERVERS.NET.
|
||||||
|
E.ROOT-SERVERS.NET. 3600000 A 192.203.230.10
|
||||||
|
E.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:a8::e
|
||||||
|
;
|
||||||
|
; FORMERLY NS.ISC.ORG
|
||||||
|
;
|
||||||
|
. 3600000 NS F.ROOT-SERVERS.NET.
|
||||||
|
F.ROOT-SERVERS.NET. 3600000 A 192.5.5.241
|
||||||
|
F.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:2f::f
|
||||||
|
;
|
||||||
|
; FORMERLY NS.NIC.DDN.MIL
|
||||||
|
;
|
||||||
|
. 3600000 NS G.ROOT-SERVERS.NET.
|
||||||
|
G.ROOT-SERVERS.NET. 3600000 A 192.112.36.4
|
||||||
|
G.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:12::d0d
|
||||||
|
;
|
||||||
|
; FORMERLY AOS.ARL.ARMY.MIL
|
||||||
|
;
|
||||||
|
. 3600000 NS H.ROOT-SERVERS.NET.
|
||||||
|
H.ROOT-SERVERS.NET. 3600000 A 198.97.190.53
|
||||||
|
H.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:1::53
|
||||||
|
;
|
||||||
|
; FORMERLY NIC.NORDU.NET
|
||||||
|
;
|
||||||
|
. 3600000 NS I.ROOT-SERVERS.NET.
|
||||||
|
I.ROOT-SERVERS.NET. 3600000 A 192.36.148.17
|
||||||
|
I.ROOT-SERVERS.NET. 3600000 AAAA 2001:7fe::53
|
||||||
|
;
|
||||||
|
; OPERATED BY VERISIGN, INC.
|
||||||
|
;
|
||||||
|
. 3600000 NS J.ROOT-SERVERS.NET.
|
||||||
|
J.ROOT-SERVERS.NET. 3600000 A 192.58.128.30
|
||||||
|
J.ROOT-SERVERS.NET. 3600000 AAAA 2001:503:c27::2:30
|
||||||
|
;
|
||||||
|
; OPERATED BY RIPE NCC
|
||||||
|
;
|
||||||
|
. 3600000 NS K.ROOT-SERVERS.NET.
|
||||||
|
K.ROOT-SERVERS.NET. 3600000 A 193.0.14.129
|
||||||
|
K.ROOT-SERVERS.NET. 3600000 AAAA 2001:7fd::1
|
||||||
|
;
|
||||||
|
; OPERATED BY ICANN
|
||||||
|
;
|
||||||
|
. 3600000 NS L.ROOT-SERVERS.NET.
|
||||||
|
L.ROOT-SERVERS.NET. 3600000 A 199.7.83.42
|
||||||
|
L.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:9f::42
|
||||||
|
;
|
||||||
|
; OPERATED BY WIDE
|
||||||
|
;
|
||||||
|
. 3600000 NS M.ROOT-SERVERS.NET.
|
||||||
|
M.ROOT-SERVERS.NET. 3600000 A 202.12.27.33
|
||||||
|
M.ROOT-SERVERS.NET. 3600000 AAAA 2001:dc3::35
|
||||||
|
; End of file
|
@ -0,0 +1,13 @@
|
|||||||
|
trust-anchors {
|
||||||
|
# ROOT KEYS: See https://data.iana.org/root-anchors/root-anchors.xml
|
||||||
|
# for current trust anchor information.
|
||||||
|
#
|
||||||
|
# This key (20326) was published in the root zone in 2017.
|
||||||
|
# Servers which were already using the old key (19036) should
|
||||||
|
# roll seamlessly to this new one via RFC 5011 rollover. Servers
|
||||||
|
# being set up for the first time can use the contents of this
|
||||||
|
# file as initializing keys; thereafter, the keys in the
|
||||||
|
# managed key database will be trusted and maintained
|
||||||
|
# automatically.
|
||||||
|
. initial-ds 20326 8 2 "E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D";
|
||||||
|
};
|
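Review bot: The comment block above the `initial-ds` line narrates the 2017 rollover as a current event (`This key (20326) was published in the root zone in 2017`, `Servers which were already using the old key (19036) should roll seamlessly`), which no longer helps a reader of a 9.18-era package and buries the operational fact that matters: as the block itself says, with `initial-ds` the file only seeds the managed-keys database on a first start and RFC 5011 maintains the anchor afterwards, so the file must still be current whenever a host is first started. Suggest replacing the narrative with a short comment such as `# Key tag 20326 (KSK-2017). Read only to seed the managed-keys database on a first`, `# start; RFC 5011 maintains it afterwards. Check root-anchors.xml before a fresh`, `# deployment made long after this package was built.` The URL lines can stay as they are.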
@ -0,0 +1,6 @@
|
|||||||
|
dirs /var/named
|
||||||
|
|
||||||
|
files /var/named/named.ca
|
||||||
|
files /var/named/named.empty
|
||||||
|
files /var/named/named.localhost
|
||||||
|
files /var/named/named.loopback
|
@ -0,0 +1,26 @@
|
|||||||
|
[Unit]
|
||||||
|
Description=Berkeley Internet Name Domain (DNS)
|
||||||
|
Wants=nss-lookup.target
|
||||||
|
Wants=named-setup-rndc.service
|
||||||
|
Before=nss-lookup.target
|
||||||
|
After=named-setup-rndc.service
|
||||||
|
After=network.target
|
||||||
|
|
||||||
|
[Service]
|
||||||
|
Type=forking
|
||||||
|
Environment=NAMEDCONF=/etc/named.conf
|
||||||
|
EnvironmentFile=-/etc/sysconfig/named
|
||||||
|
Environment=KRB5_KTNAME=/etc/named.keytab
|
||||||
|
PIDFile=/run/named/named.pid
|
||||||
|
|
||||||
|
ExecStartPre=/bin/bash -c 'if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/bin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi'
|
||||||
|
ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} $OPTIONS
|
||||||
|
ExecReload=/bin/sh -c 'if /usr/sbin/rndc null > /dev/null 2>&1; then /usr/sbin/rndc reload; else /bin/kill -HUP $MAINPID; fi'
|
||||||
|
|
||||||
|
ExecStop=/bin/sh -c '/usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID'
|
||||||
|
|
||||||
|
PrivateTmp=true
|
||||||
|
Restart=on-abnormal
|
||||||
|
|
||||||
|
[Install]
|
||||||
|
WantedBy=multi-user.target
|
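Review bot: The unit confines the service with nothing beyond `PrivateTmp=true`; named starts as root and drops to the `named` user only by itself via `-u named` in `ExecStart`, so the usual systemd hardening is absent. A starting point that keeps the `-u` privilege drop working is `ProtectSystem=full` plus `ProtectHome=true` and a `CapabilityBoundingSet=` reduced to what named needs (at least `CAP_NET_BIND_SERVICE CAP_SETUID CAP_SETGID CAP_SYS_RESOURCE`); I have not tested that set against this build, and `ReadWritePaths=` would need to cover `/var/named` and `/run/named`. The chroot variant referenced elsewhere in this commit needs its own directives, so this applies to `named.service` only.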
@ -0,0 +1,17 @@
|
|||||||
|
# BIND named process options
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
#
|
||||||
|
# OPTIONS="whatever" -- These additional options will be passed to named
|
||||||
|
# at startup. Don't add -t here, enable proper
|
||||||
|
# -chroot.service unit file.
|
||||||
|
#
|
||||||
|
# NAMEDCONF=/etc/named/alternate.conf
|
||||||
|
# -- Don't use -c to change configuration file.
|
||||||
|
# Extend systemd named.service instead or use this
|
||||||
|
# variable.
|
||||||
|
#
|
||||||
|
# DISABLE_ZONE_CHECKING -- By default, service file calls named-checkzone
|
||||||
|
# utility for every zone to ensure all zones are
|
||||||
|
# valid before named starts. If you set this option
|
||||||
|
# to 'yes' then service file doesn't perform those
|
||||||
|
# checks.
|
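Review bot: The `DISABLE_ZONE_CHECKING` comment says the service file calls `named-checkzone` for every zone, but `named.service` in this commit runs `/usr/bin/named-checkconf -z "$NAMEDCONF"` in `ExecStartPre`, which checks the configuration and loads every zone in one pass; the comment should name the tool actually run, e.g. `# DISABLE_ZONE_CHECKING -- By default, service file runs named-checkconf -z on` / `# the configuration to load and validate every zone before`. The rest of the description (what setting it to `yes` does) matches the unit.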
@ -0,0 +1,117 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
ROOTDIR="$1"
|
||||||
|
CONFIG_FILES="${3:-/etc/named-chroot.files}"
|
||||||
|
|
||||||
|
usage()
|
||||||
|
{
|
||||||
|
echo
|
||||||
|
echo 'This script setups chroot environment for BIND'
|
||||||
|
echo 'Usage: setup-named-chroot.sh ROOTDIR <on|off> [chroot.files]'
|
||||||
|
}
|
||||||
|
|
||||||
|
if ! [ "$#" -ge 2 -a "$#" -le 3 ]; then
|
||||||
|
echo 'Wrong number of arguments'
|
||||||
|
usage
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Exit if ROOTDIR doesn't exist
|
||||||
|
if ! [ -d "$ROOTDIR" ]; then
|
||||||
|
echo "Root directory $ROOTDIR doesn't exist"
|
||||||
|
usage
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
if ! [ -r "$CONFIG_FILES" ]; then
|
||||||
|
echo "Files list $CONFIG_FILES doesn't exist" 2>&1
|
||||||
|
usage
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
dev_create()
|
||||||
|
{
|
||||||
|
DEVNAME="$ROOTDIR/dev/$1"
|
||||||
|
shift
|
||||||
|
if ! [ -e "$DEVNAME" ]; then
|
||||||
|
/bin/mknod -m 0664 "$DEVNAME" $@
|
||||||
|
/bin/chgrp named "$DEVNAME"
|
||||||
|
if [ -x /usr/sbin/selinuxenabled -a -x /sbin/restorecon ]; then
|
||||||
|
/usr/sbin/selinuxenabled && /sbin/restorecon "$DEVNAME" > /dev/null || :
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
dev_chroot_prep()
|
||||||
|
{
|
||||||
|
dev_create random c 1 8
|
||||||
|
dev_create urandom c 1 9
|
||||||
|
dev_create zero c 1 5
|
||||||
|
dev_create null c 1 3
|
||||||
|
}
|
||||||
|
|
||||||
|
files_comment_filter()
|
||||||
|
{
|
||||||
|
if [ -d "$1" ]; then
|
||||||
|
grep -v '^[[:space:]]*#' "$1"/*.files
|
||||||
|
else
|
||||||
|
grep -v '^[[:space:]]*#' "$1"
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
mount_chroot_conf()
|
||||||
|
{
|
||||||
|
if [ -n "$ROOTDIR" ]; then
|
||||||
|
# Check devices are prepared
|
||||||
|
dev_chroot_prep
|
||||||
|
files_comment_filter "$CONFIG_FILES" | while read -r all; do
|
||||||
|
# Skip nonexistant files
|
||||||
|
[ -e "$all" ] || continue
|
||||||
|
|
||||||
|
# If mount source is a file
|
||||||
|
if ! [ -d "$all" ]; then
|
||||||
|
# mount it only if it is not present in chroot or it is empty
|
||||||
|
if ! [ -e "$ROOTDIR$all" ] || [ `stat -c'%s' "$ROOTDIR$all"` -eq 0 ]; then
|
||||||
|
touch "$ROOTDIR$all"
|
||||||
|
mount --bind "$all" "$ROOTDIR$all"
|
||||||
|
fi
|
||||||
|
else
|
||||||
|
# Mount source is a directory. Mount it only if directory in chroot is
|
||||||
|
# empty.
|
||||||
|
if [ -e "$all" ] && [ `ls -1A $ROOTDIR$all | wc -l` -eq 0 ]; then
|
||||||
|
mount --bind --make-private "$all" "$ROOTDIR$all"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
umount_chroot_conf()
|
||||||
|
{
|
||||||
|
if [ -n "$ROOTDIR" ]; then
|
||||||
|
files_comment_filter "$CONFIG_FILES" | while read -r all; do
|
||||||
|
# Check if file is mount target. Do not use /proc/mounts because detecting
|
||||||
|
# of modified mounted files can fail.
|
||||||
|
if mount | grep -q '.* on '"$ROOTDIR$all"' .*'; then
|
||||||
|
umount "$ROOTDIR$all"
|
||||||
|
# Remove temporary created files
|
||||||
|
[ -f "$all" ] && rm -f "$ROOTDIR$all"
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
case "$2" in
|
||||||
|
on)
|
||||||
|
mount_chroot_conf
|
||||||
|
;;
|
||||||
|
off)
|
||||||
|
umount_chroot_conf
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
echo 'Second argument has to be "on" or "off"'
|
||||||
|
usage
|
||||||
|
exit 1
|
||||||
|
esac
|
||||||
|
|
||||||
|
exit 0
|
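Review bot: `echo "Files list $CONFIG_FILES doesn't exist" 2>&1` sends the message to stdout (it redirects stderr into stdout, not the reverse); the intended form is `echo "Files list $CONFIG_FILES doesn't exist" >&2`. Two expansions are unquoted and split on whitespace in paths: `$@` in `/bin/mknod -m 0664 "$DEVNAME" $@` (should be `"$@"`) and `$ROOTDIR$all` in `ls -1A $ROOTDIR$all | wc -l`. In umount_chroot_conf the path is interpolated into a regex, `grep -q '.* on '"$ROOTDIR$all"' .*'`; `mount | grep -qF -- " on $ROOTDIR$all "` matches the same lines without treating path characters as metacharacters. The `stat` and `ls` command substitutions use backticks where `$(...)` is the conventional form.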
@ -0,0 +1,124 @@
|
|||||||
|
#!/bin/sh
|
||||||
|
#
|
||||||
|
# This script will initialise token storage of softhsm PKCS11 provider
|
||||||
|
# in custom location. Is useful to store tokens in non-standard location.
|
||||||
|
#
|
||||||
|
# Output can be evaluated from bash, it will prepare it for usage of temporary tokens.
|
||||||
|
# Quotes around eval are mandatory!
|
||||||
|
# Recommended use:
|
||||||
|
# eval "$(bash setup-named-softhsm.sh -A)"
|
||||||
|
#
|
||||||
|
|
||||||
|
SOFTHSM2_CONF="$1"
|
||||||
|
TOKENPATH="$2"
|
||||||
|
GROUPNAME="$3"
|
||||||
|
# Do not use this script for real keys worth protection
|
||||||
|
# This is intended for crypto accelerators using PKCS11 interface.
|
||||||
|
# Uninitialized token would fail any crypto operation.
|
||||||
|
PIN=1234
|
||||||
|
SO_PIN=1234
|
||||||
|
LABEL=rpm
|
||||||
|
|
||||||
|
set -e
|
||||||
|
|
||||||
|
echo_i()
|
||||||
|
{
|
||||||
|
echo "#" $@
|
||||||
|
}
|
||||||
|
|
||||||
|
random()
|
||||||
|
{
|
||||||
|
if [ -x "$(which openssl 2>/dev/null)" ]; then
|
||||||
|
openssl rand -base64 $1
|
||||||
|
else
|
||||||
|
dd if=/dev/urandom bs=1c count=$1 | base64
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
usage()
|
||||||
|
{
|
||||||
|
echo "Usage: $0 -A [token directory] [group]"
|
||||||
|
echo " or: $0 <config file> <token directory> [group]"
|
||||||
|
}
|
||||||
|
|
||||||
|
if [ "$SOFTHSM2_CONF" = "-A" -a -z "$TOKENPATH" ]; then
|
||||||
|
TOKENPATH=$(mktemp -d /var/tmp/softhsm-XXXXXX)
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ -z "$SOFTHSM2_CONF" -o -z "$TOKENPATH" ]; then
|
||||||
|
usage >&2
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ "$SOFTHSM2_CONF" = "-A" ]; then
|
||||||
|
# Automagic mode instead
|
||||||
|
MODE=secure
|
||||||
|
SOFTHSM2_CONF="$TOKENPATH/softhsm2.conf"
|
||||||
|
PIN_SOURCE="$TOKENPATH/pin"
|
||||||
|
SOPIN_SOURCE="$TOKENPATH/so-pin"
|
||||||
|
TOKENPATH="$TOKENPATH/tokens"
|
||||||
|
else
|
||||||
|
MODE=legacy
|
||||||
|
fi
|
||||||
|
|
||||||
|
[ -d "$TOKENPATH" ] || mkdir -p "$TOKENPATH"
|
||||||
|
|
||||||
|
umask 0022
|
||||||
|
|
||||||
|
if ! [ -f "$SOFTHSM2_CONF" ]; then
|
||||||
|
cat << SED > "$SOFTHSM2_CONF"
|
||||||
|
# SoftHSM v2 configuration file
|
||||||
|
|
||||||
|
directories.tokendir = ${TOKENPATH}
|
||||||
|
objectstore.backend = file
|
||||||
|
|
||||||
|
# ERROR, WARNING, INFO, DEBUG
|
||||||
|
log.level = ERROR
|
||||||
|
|
||||||
|
# If CKF_REMOVABLE_DEVICE flag should be set
|
||||||
|
slots.removable = false
|
||||||
|
SED
|
||||||
|
else
|
||||||
|
echo_i "Config file $SOFTHSM2_CONF already exists" >&2
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ -n "$PIN_SOURCE" ]; then
|
||||||
|
touch "$PIN_SOURCE" "$SOPIN_SOURCE"
|
||||||
|
chmod 0600 "$PIN_SOURCE" "$SOPIN_SOURCE"
|
||||||
|
if [ -n "$GROUPNAME" ]; then
|
||||||
|
chgrp "$GROUPNAME" "$PIN_SOURCE" "$SOPIN_SOURCE"
|
||||||
|
chmod g+r "$PIN_SOURCE" "$SOPIN_SOURCE"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
export SOFTHSM2_CONF
|
||||||
|
|
||||||
|
if softhsm2-util --show-slots | grep 'Initialized:[[:space:]]*yes' > /dev/null
|
||||||
|
then
|
||||||
|
echo_i "Token in ${TOKENPATH} is already initialized" >&2
|
||||||
|
|
||||||
|
[ -f "$PIN_SOURCE" ] && PIN=$(cat "$PIN_SOURCE")
|
||||||
|
[ -f "$SOPIN_SOURCE" ] && SO_PIN=$(cat "$SOPIN_SOURCE")
|
||||||
|
else
|
||||||
|
PIN=$(random 6)
|
||||||
|
SO_PIN=$(random 18)
|
||||||
|
if [ -n "$PIN_SOURCE" ]; then
|
||||||
|
echo -n "$PIN" > "$PIN_SOURCE"
|
||||||
|
echo -n "$SO_PIN" > "$SOPIN_SOURCE"
|
||||||
|
fi
|
||||||
|
|
||||||
|
echo_i "Initializing tokens to ${TOKENPATH}..."
|
||||||
|
softhsm2-util --init-token --free --label "$LABEL" --pin "$PIN" --so-pin "$SO_PIN" | sed -e 's/^/# /'
|
||||||
|
|
||||||
|
if [ -n "$GROUPNAME" ]; then
|
||||||
|
chgrp -R -- "$GROUPNAME" "$TOKENPATH"
|
||||||
|
chmod -R -- g=rX,o= "$TOKENPATH"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
echo "export SOFTHSM2_CONF=\"$SOFTHSM2_CONF\""
|
||||||
|
echo "export PIN_SOURCE=\"$PIN_SOURCE\""
|
||||||
|
echo "export SOPIN_SOURCE=\"$SOPIN_SOURCE\""
|
||||||
|
# These are intentionaly not exported
|
||||||
|
echo "PIN=\"$PIN\""
|
||||||
|
echo "SO_PIN=\"$SO_PIN\""
|
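Review bot: The script declares `#!/bin/sh` but depends on bash behaviour: `echo -n "$PIN" > "$PIN_SOURCE"` and the `SO_PIN` line next to it are not portable (a POSIX sh whose echo does not implement `-n` writes a literal `-n ` into the pin file, which is later read back by `cat` as the PIN), so use `printf '%s' "$PIN" > "$PIN_SOURCE"`, and `echo "#" $@` should quote `"$@"`. Token objects are created under `umask 0022`, and the `chmod -R -- g=rX,o= "$TOKENPATH"` that removes world access runs only when a group name is given, so a token directory created without the third argument stays world-readable; applying the `o=` part unconditionally closes that. `--pin "$PIN" --so-pin "$SO_PIN"` places both PINs in the process argument list, visible to other local users while `softhsm2-util` runs; the header already says the script is not for keys worth protecting, but that limitation belongs next to this call as well.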
@ -0,0 +1 @@
|
|||||||
|
. 3600 IN DNSKEY 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU=
|