chroot and BIND

From: Heather Flanagan (hlf00@earthlink.net)
Date: 10/18/01


Message-ID: <20011018193457.9976.qmail@earthlink.net>
From: "Heather Flanagan" <hlf00@earthlink.net>
To: focus-sun@securityfocus.com
Date: Thu, 18 Oct 2001 15:34:56 -0400
Subject: chroot and BIND

I'm seeing the weirdest behavior out of a new BIND server I'm setting up - dates spit out by BIND are completely out of sync with the dates recorded by the system itself. Here's an example from /var/adm/messages:

Oct 18 23:11:33 ns1 ntpdate[3873]: [ID 398266 daemon.notice] waiting 120 seconds before trying again
Oct 19 03:13:26 ns1 usr/local/sbin/named[3755]: [ID 866145 daemon.info] refresh_callback: zone xx.xx.xx.in-addr.arpa/IN: failure in request to 10.10.10.15#53: clocks are unsynchronized
Oct 18 23:13:37 ns1 ntpdate[3873]: [ID 398266 daemon.notice] waiting 240 seconds before trying again
Oct 19 03:16:42 ns1 usr/local/sbin/named[3755]: [ID 866145 daemon.info] refresh_callback: zone domain.com/IN: failure in request to 10.10.10.15#53: clocks are unsynchronized
Oct 18 23:17:41 ns1 ntpdate[3873]: [ID 398266 daemon.notice] waiting 300 seconds before trying again

As you can see, I'm also working on xntpd...
Is there a "feature" when using chroot to start up named that would cause this behavior? Creating a secure BIND is not quite as easy as I'd hoped!

Thanks
-heather f.
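The clue in the excerpt is that every named line is about four hours ahead of the ntpdate line logged just before it: the syslog timestamp is formatted by the logging process, and a common cause of this symptom is a chroot that lacks the zoneinfo files, so the chrooted daemon logs in UTC while the rest of the system logs local time (a cause this post does not itself state). The following script is an added example, not part of the post or of BIND; it parses the syslog lines quoted above, copied here as constructed sample input, and reports a consistent whole-hour offset for a given process, assuming year 2001 since syslog omits it.

```python
import re
from datetime import datetime

# Constructed sample: the lines from the post, in Solaris /var/adm/messages format.
SAMPLE_LOG = """\
Oct 18 23:11:33 ns1 ntpdate[3873]: [ID 398266 daemon.notice] waiting 120 seconds before trying again
Oct 19 03:13:26 ns1 usr/local/sbin/named[3755]: [ID 866145 daemon.info] refresh_callback: zone xx.xx.xx.in-addr.arpa/IN: failure in request to 10.10.10.15#53: clocks are unsynchronized
Oct 18 23:13:37 ns1 ntpdate[3873]: [ID 398266 daemon.notice] waiting 240 seconds before trying again
Oct 19 03:16:42 ns1 usr/local/sbin/named[3755]: [ID 866145 daemon.info] refresh_callback: zone domain.com/IN: failure in request to 10.10.10.15#53: clocks are unsynchronized
Oct 18 23:17:41 ns1 ntpdate[3873]: [ID 398266 daemon.notice] waiting 300 seconds before trying again
"""

# BSD-syslog prefix: "Mon DD HH:MM:SS host ident[pid]: message"
PREFIX = re.compile(r"^(\w{3}) +(\d{1,2}) (\d\d:\d\d:\d\d) (\S+) ([^\s\[:]+)(?:\[\d+\])?: ")

def parse(lines, year=2001):
    """Return (timestamp, ident) for each parseable line; the year is assumed."""
    out = []
    for line in lines:
        m = PREFIX.match(line)
        if not m:
            continue
        mon, day, clock, _host, ident = m.groups()
        ts = datetime.strptime(f"{year} {mon} {day} {clock}", "%Y %b %d %H:%M:%S")
        out.append((ts, ident))
    return out

def timezone_skew(lines, ident, tolerance_min=10):
    """Compare each entry logged by `ident` with the entry logged just before it
    by any other process (file order is arrival order). If every gap lies within
    `tolerance_min` minutes of the same non-zero whole number of hours, return
    that offset in hours; otherwise return None."""
    gaps, prev_other = [], None
    for ts, who in parse(lines):
        if who == ident:
            if prev_other is not None:
                gaps.append((ts - prev_other).total_seconds() / 3600)
        else:
            prev_other = ts
    if not gaps:
        return None
    hours = round(gaps[0])
    if hours == 0 or any(abs(g - hours) * 60 > tolerance_min for g in gaps):
        return None
    return hours

if __name__ == "__main__":
    print(timezone_skew(SAMPLE_LOG.splitlines(), "usr/local/sbin/named"))  # 4
```

A consistent offset of exactly this kind points at a timezone difference between the chrooted process and the host rather than at a wrong clock; a drifting or irregular gap would not.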
