content-type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable X-RT-Original-Encoding: utf-8 Content-Length: 2053 Hi Ondra, I prepared two new patches. First one adds databases-directory option, that managed-keys, rndc addzone and rndc nta will all use. I think it might be useful for moving files to different place than authoritative data. It will work for all mkeys, nzf files and nta files. Second patch would remove support for new-zones-directory, because databases-directory can be used instead and it was not yet released in normal release. Would this patch be more acceptable? Kind regards, Petr -- Petr Menšík Software Engineer Red Hat, http://www.redhat.com/ email: pemensik@redhat.com PGP: 65C6C973 ----- Original Message ----- From: "Ondrej Sury via RT" To: pemensik@redhat.com Sent: Tuesday, October 10, 2017 5:01:34 PM Subject: [ISC-Bugs #46242] [PATCH] nta-directory support On Tue Oct 10 14:29:23 2017, pemensik@redhat.com wrote: > Hello, > > I mentioned already in ticket for new-zones-directory option we ship > BIND with /var/named directory read-only to named user by default. In > default installation named daemon can write into > /var/named/{data,dynamic,slaves} but not /var/named. Read ticket #44853 > for more detailed explanation. Hi Petr, there's a description here and in the #44853, but I haven't really found a technical reasoning why is this a good thing to do. What about instead of bikeshedding the configuration option you just set the working directory to be writeable. There are two possible approaches to this: a) just make /var/named writeable to bind user. The individual master zones shouldn't be writeable anyway (otherwise the security just wouldn't make sense anyway), so there would be not much difference to existing state b) move working directory to something else /var/tmp/named (??), and top it up with a small patch to resolve relative directories to working_dir first and then to /var/named (hardcoded on RedHat). I think that adding more and more directives to scatter individual writeable directories across the filesystem just doesn't make much sense. Cheers, Ondrej