The Samba-Bugzilla – Attachment 3384 Details for Bug 4813: DNS: Simplify setup
[patch] Patch for named.conf
named.conf.patch (text/plain), 4.09 KB, created by Matthias Dieter Wallnöfer on 2008-07-03 12:58:51 UTC
>diff --git a/source/setup/named.conf b/source/setup/named.conf >index 4f98bbd..0b08706 100644 >--- a/source/setup/named.conf >+++ b/source/setup/named.conf >@@ -1,12 +1,15 @@ >+# This file should be included in your main BIND configuration file > # >-# Insert these snippets into your named.conf or bind.conf to configure >-# the BIND nameserver. >-# >+# For example with >+# include "${PRIVATE_DIR}/named.conf"; > >-# You should always include the actual forward zone configuration: > zone "${DNSDOMAIN}." IN { > type master; >- file "${DNSDOMAIN}.zone"; >+ file "${PRIVATE_DIR}/${DNSDOMAIN}.zone"; >+ /* >+ * Attention: Not all BIND versions support "ms-self". The instead use >+ * of allow-update { any; }; is another, but less secure possibility. >+ */ > update-policy { > /* > * A rather long description here, as the "ms-self" option does >@@ -44,6 +47,8 @@ zone "${DNSDOMAIN}." IN { > > # The reverse zone configuration is optional. The following example assumes a > # subnet of 192.168.123.0/24: >+ >+/* > zone "123.168.192.in-addr.arpa" in { > type master; > file "123.168.192.in-addr.arpa.zone"; 
>@@ -51,54 +56,12 @@ zone "123.168.192.in-addr.arpa" in { > grant ${REALM_WC} wildcard *.123.168.192.in-addr.arpa. PTR; > }; > }; >+*/ >+ > # Note that the reverse zone file is not created during the provision process. > >-# The most recent BIND version (9.5.0a5 or later) supports secure GSS-TSIG >+# The most recent BIND versions (9.5.0a5 or later) support secure GSS-TSIG > # updates. If you are running an earlier version of BIND, or if you do not wish > # to use secure GSS-TSIG updates, you may remove the update-policy sections in > # both examples above. > >-# If you are running a capable version of BIND and you wish to support secure >-# GSS-TSIG updates, you must make the following configuration changes: >- >-# - Insert the following lines into the options {} section of your named.conf >-# file: >-tkey-gssapi-credential "DNS/${DNSDOMAIN}"; >-tkey-domain "${REALM}"; >- >-# - Modify BIND init scripts to pass the location of the generated keytab file. >-# Fedora 8 & later provide a variable named KEYTAB_FILE in /etc/sysconfig/named >-# for this purpose: >-KEYTAB_FILE="${DNS_KEYTAB_ABS}" >-# Note that the Fedora scripts translate KEYTAB_FILE behind the scenes into a >-# variable named KRB5_KTNAME, which is ultimately passed to the BIND daemon. If >-# your distribution does not provide a variable like KEYTAB_FILE to pass a >-# keytab file to the BIND daemon, a workaround is to place the following line in >-# BIND's sysconfig file or in the init script for BIND: >-export KRB5_KTNAME="${DNS_KEYTAB_ABS}" >- >-# - Set appropriate ownership and permissions on the ${DNS_KEYTAB} file. Note >-# that most distributions have BIND configured to run under a non-root user >-# account. For example, Fedora 9 runs BIND as the user "named" once the daemon >-# relinquishes its rights. Therefore, the file ${DNS_KEYTAB} must be readable >-# by the user that BIND run as. 
If BIND is running as a non-root user, the >-# "${DNS_KEYTAB}" file must have its permissions altered to allow the daemon to >-# read it. Under Fedora 9, execute the following commands: >-chgrp named ${DNS_KEYTAB_ABS} >-chmod g+r ${DNS_KEYTAB_ABS} >- >-# - Ensure the BIND zone file(s) that will be dynamically updated are in a >-# directory where the BIND daemon can write. When BIND performs dynamic >-# updates, it not only needs to update the zone file itself but it must also >-# create a journal (.jnl) file to track the dynamic updates as they occur. >-# Under Fedora 9, the /var/named directory can not be written to by the "named" >-# user. However, the directory /var/named/dynamic directory does provide write >-# access. Therefore the zone files were placed under the /var/named/dynamic >-# directory. The file directives in both example zone statements at the >-# beginning of this file were changed by prepending the directory "dynamic/". >- >-# - If SELinux is enabled, ensure that all files have the appropriate SELinux >-# file contexts. The ${DNS_KEYTAB} file must be accessible by the BIND daemon >-# and should have a SELinux type of named_conf_t. This can be set with the >-# following command: >-chcon -t named_conf_t ${DNS_KEYTAB_ABS}
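Review bot: In the first hunk, the new comment inside the forward zone offers allow-update { any; }; as the fallback when "ms-self" is unsupported and describes it only as "less secure". With that setting BIND accepts unauthenticated dynamic updates from every client that can reach the server, so any of them can add or overwrite records in ${DNSDOMAIN}. The comment should say so plainly and name a narrower fallback, such as an allow-update list restricted to a TSIG key or to the addresses of the hosts that need to register. The sentence "The instead use of allow-update { any; }; is another, but less secure possibility." also needs rewording, for example "Using allow-update { any; }; instead is possible, but it lets any client change the zone."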
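Review bot: In the second hunk, the reverse zone that is now wrapped in /* ... */ still has file "123.168.192.in-addr.arpa.zone"; while the forward zone was changed to "${PRIVATE_DIR}/${DNSDOMAIN}.zone". Someone who removes the comment markers gets a path resolved against BIND's working directory rather than the provision directory, so the example should use the same ${PRIVATE_DIR}/ prefix. Also note that C-style comments in named.conf do not nest: the middle of the reverse zone is not visible in this diff, so please confirm it contains no /* */ block like the one in the forward zone's update-policy, because the outer comment would end at the first inner */ and the rest of the zone would be parsed as live configuration.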
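Review bot: In the third hunk, all of the GSS-TSIG setup steps are deleted (tkey-gssapi-credential and tkey-domain in options {}, passing the keytab through KEYTAB_FILE or KRB5_KTNAME, chgrp/chmod on ${DNS_KEYTAB_ABS}, the SELinux chcon), yet the update-policy block stays active in the forward zone and the remaining comment still advertises secure GSS-TSIG updates. Nothing in this patch shows where those steps now live, so an administrator who only includes this file gets an update-policy that cannot authenticate anyone and no pointer to the keytab permission guidance. Either keep a short reference to the new location of these instructions or state it in the commit description. The deleted note about journal files matters more after the first hunk: the zone file now sits in ${PRIVATE_DIR}, so the BIND user needs write access to that directory to create the .jnl file, and the file should say this or place the zone in a dedicated subdirectory that can be made writable on its own.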