Changes for issue #10 #11
Conversation
| RUN apk --update upgrade && \ | ||
| apk add bind gnupg1 && \ | ||
| rm -rf /var/cache/apk/* && \ | ||
| chmod g-w /var/bind && \ |
There was a problem hiding this comment.
The default alpine bind install sets up:
drwxrwx--- 5 root named 4.0K Feb 16 02:19 bind
Any reason you are removing group writes?
Also - they do not setup a /var/cache/bind at all in alpine.
So the question here really is do we follow "standards" (and again, I am using this loosely, since there don't seem be any official ones, but mostly popular opinion/common deployments), or do we go with what alpine sets up by default?
There was a problem hiding this comment.
I'm removing the group write because I don't want anything running as named writing to this directory.
I don't know why you are so fixated on using /var/bind at all. Is it just because whoever created the alpline package moved the files there? All we need is a directory that named can write to, so that's what I created.
We could use either /var/bind/sec or /var/bind/dyn for the same purpose, but neither of these are as "standard" as using the /var/cache/bind directory.
There was a problem hiding this comment.
If you are using dynamic zones, you need to have the group with write permissions if that's where the zones will live.
I am not fixated on using /var/bind -- in fact, it's very much going against what feels correct to me. Every production service we run (and have run for the past 15+ years) is using /var/cache/bind, but again for better or worse, this is what the OS/maintainers have chosen as their standard. Personally - I would like to stick something that's generally accepted among deployments, or at least within the OS used.
Imo - that's /etc/bind for all configs, and /var/cache/bind for all zones. I've been told that /var/cache/bind is not used outside of Debian/Ubuntu, and that '/var/bind' is used as a default (RHEL, CentOS, Alpine, etc). OpenBSD still uses /var/named.
So for example, one thing that everyone agrees on is that the run pid should be:
/var/run/named/named.pid
see for ref:
(ubuntu and debian -> /var/cache/bind)
https://wiki.debian.org/Bind9
https://help.ubuntu.com/community/BIND9ServerHowto
vs
(rhel/centos/openbsd-> /var/named)
https://man.openbsd.org/OpenBSD-5.5/named.8
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/deployment_guide/s2-bind-zone
(and in this case, they even explicitly mention bind is now allowed to write to it -- so no dynamic zones in the same dir)
There was a problem hiding this comment.
I fixed the PID path already. We could really be odd and just use /var/bind/cache if you want.
There was a problem hiding this comment.
:)
Give me some time to go through everything (in the middle of leaving for a vacation). There are just a couple of things I think we should change, but the rest looks good. I really like some of the suggestions. Thanks for the time/input/work and for going through everything!
| @@ -0,0 +1,30 @@ | |||
| // Configure the IPs to listen on here. | |||
There was a problem hiding this comment.
I like the proposal of having this in a separate options that can be loaded if the user wants to turn it into an authoritative (vs a recursive).
Definitely going to implement this.
tcely
force-pushed
the
config-changes
branch
from
71905a5 to
5c17e1c
Compare
2 participants
No description provided.