Chroot BIND named deprecated in Fedora 11

If you've tried to fire up a chroot named on Fedora 11 you may have noticed it complains about missing configuration files such as named.dnssec.keys.

There is a bug report that implies you should use SELinux instead of chroot. But if you aren't ready for SELinux, you can still run a chroot name server. Here is how.

# tell the startup script to chroot named
echo 'ROOTDIR=/var/named/chroot' >> /etc/sysconfig/named

# copy or move and symlink. your choice. i'll move.
for f in named.dnssec.keys named.rfc1912.zones named.ca; do
        cp -p /etc/$f /var/named/chroot/etc/
        rm    /etc/$f
        ln -s /var/named/chroot/etc/$f /etc/$f
done

# you can begin to see how this may not be best in the long term:
# this is a one-time copy, so keys regenerated under /etc/pki later won't reach the chroot
mkdir -p /var/named/chroot/etc/pki
tar -C /etc/pki -cf - dnssec-keys | (cd /var/named/chroot/etc/pki && tar -xvf -)

Instead of copying that PKI directory you could just disable DNSSEC in named.conf, but you still need named.rfc1912.zones and named.ca inside your chroot.
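Because the files above are copied rather than bind-mounted, it is easy to end up with a chroot that is missing one of them or holds a stale copy of the DNSSEC keys. The check below is an added example (not from the original post, and not part of Fedora's named packaging): it takes the chroot root, the host's /etc and the sysconfig file as parameters, so it can be run against the real system (`check_named_chroot /var/named/chroot /etc /etc/sysconfig/named`) or against a scratch tree. The list of required files is the one from this post; treating a differing /etc/pki/dnssec-keys as "stale" is my assumption about what you would want flagged.

```shell
#!/bin/sh
# Added example: verify the chroot named layout described in this post.
# Usage: check_named_chroot ROOTDIR HOST_ETC SYSCONFIG_FILE
#   ROOTDIR        chroot root, e.g. /var/named/chroot
#   HOST_ETC       the host's /etc (a parameter so the check can run on a test tree)
#   SYSCONFIG_FILE the file that should carry ROOTDIR=..., e.g. /etc/sysconfig/named
# Returns 0 only if every required file is a regular file inside the chroot, the
# host path is a symlink pointing at it, ROOTDIR is set, and the copied PKI
# directory still matches the host's copy.
check_named_chroot() {
    root="$1"; etc="$2"; sysconfig="$3"; rc=0

    # The init script only chroots if ROOTDIR is set; check the exact line the post appends.
    if grep -qxF "ROOTDIR=$root" "$sysconfig" 2>/dev/null; then
        echo "OK       $sysconfig sets ROOTDIR=$root"
    else
        echo "MISSING  ROOTDIR=$root in $sysconfig (named will not chroot)"; rc=1
    fi

    # Files the post moves into the chroot; the host copy must be a symlink to the chroot copy.
    for f in named.dnssec.keys named.rfc1912.zones named.ca; do
        target="$root/etc/$f"
        if [ ! -f "$target" ]; then
            echo "MISSING  $target"; rc=1; continue
        fi
        if [ ! -L "$etc/$f" ]; then
            echo "NOLINK   $etc/$f is not a symlink (tools on the host would read a different copy)"; rc=1; continue
        fi
        link="$(readlink "$etc/$f")"
        if [ "$link" != "$target" ]; then
            echo "BADLINK  $etc/$f -> $link (expected $target)"; rc=1; continue
        fi
        echo "OK       $etc/$f -> $target"
    done

    # The PKI directory is a one-time copy; flag it if it is absent or has drifted from the host.
    if [ ! -d "$root/etc/pki/dnssec-keys" ]; then
        echo "MISSING  $root/etc/pki/dnssec-keys (needed unless DNSSEC is disabled in named.conf)"; rc=1
    elif [ -d "$etc/pki/dnssec-keys" ]; then
        if diff -rq "$etc/pki/dnssec-keys" "$root/etc/pki/dnssec-keys" >/dev/null 2>&1; then
            echo "OK       $root/etc/pki/dnssec-keys matches $etc/pki/dnssec-keys"
        else
            echo "STALE    $root/etc/pki/dnssec-keys differs from $etc/pki/dnssec-keys (re-copy it)"; rc=1
        fi
    fi
    return $rc
}
```

Run it after the steps above and again whenever DNSSEC keys are regenerated; a non-zero exit means named would start without a file it expects, or with keys that no longer match the host's.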

See also: http://fedoraproject.org/wiki/Features/DNSSEC
