NetBSD-Bugs archive


Re: bin/53652: Change permission of namedb directory



The following reply was made to PR bin/53652; it has been noted by GNATS.

From: Takahiro Kambe <taca%back-street.net@localhost>
To: christos%zoulas.com@localhost
Cc: gnats-bugs%NetBSD.org@localhost, taca%back-street.net@localhost
Subject: Re: bin/53652: Change permission of namedb directory
Date: Tue, 09 Oct 2018 15:25:53 +0900 (JST)

 In message <20181006181001.839577A1FB%mollari.NetBSD.org@localhost>
 	on Sat,  6 Oct 2018 18:10:01 +0000 (UTC),
 	christos%zoulas.com@localhost (Christos Zoulas) wrote:
 >  This is not a good idea. NetBSD-current comes with bind-9.12 and
 >  a local fix which avoids this issue.
 I think so, too.
 
 >  RCS file: /cvsroot/src/external/mpl/bind/dist/lib/dns/view.c,v
 >  revision 1.3
 >  date: 2018-09-12 11:28:42 -0400;  author: christos;  state: Exp;  lines: +2 -2;  commitid: adpcledHWXK8qPRA;
 >  Put the nta files in a subdirectory instead of requiring the namedb root
 >  directory to be writable by named... Others have expressed the same concern,
 >  but upstream refused: https://bugzilla.redhat.com/show_bug.cgi?id=1487823
 >  https://bugs.isc.org/Public/Bug/Display.html?id=46242
 Note: ISC refused to accept this change as above.
 
 >  Doesn't this work for you?
 It does not work completely with the default configuration on NetBSD current
 8.99.25:
 
 # echo 'named_chrootdir="/var/chroot/named"' >> /etc/rc.conf
 # sh /etc/rc.d/named onestart
 Starting named.
 # sh /etc/rc.d/named onestatus
 named is running as pid 1140.
 # /usr/sbin/rndc secroots     
 rndc: 'secroots' failed: permission denied
 could not open named.secroots
 
 So, it is required to change the permission of "directory" or to provide
 proper default values for these statements: "secroots-file",
 "recursing-file" and so on.
 
 -- 
 Takahiro Kambe <taca%back-street.net@localhost>
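
The second option named in the message above (explicit values for the output-file statements, so the namedb directory itself can stay non-writable by named), sketched as a named.conf fragment. This is an added example, not part of the original message and not NetBSD's shipped configuration; the `/etc/namedb` working directory and the `dump` subdirectory are assumptions, and inside a chroot the paths are relative to the chroot root.

```conf
// Added example: paths below are assumptions, not NetBSD defaults.
options {
	// Working directory holding zone files and keys. Keep it owned by
	// root and not writable by the user named runs as.
	directory "/etc/namedb";

	// With no explicit value, each of these files is created relative to
	// "directory" under its default name (named.secroots, named.recursing,
	// named_dump.db, named.stats, named.memstats), so named needs write
	// access there and "rndc secroots" fails with "permission denied".
	// Point them at one subdirectory (hypothetical name "dump") that is
	// the only place named may write.
	secroots-file      "/etc/namedb/dump/named.secroots";   // rndc secroots
	recursing-file     "/etc/namedb/dump/named.recursing";  // rndc recursing
	dump-file          "/etc/namedb/dump/named_dump.db";    // rndc dumpdb
	statistics-file    "/etc/namedb/dump/named.stats";      // rndc stats
	memstatistics-file "/etc/namedb/dump/named.memstats";   // written at exit
};
```

The `dump` subdirectory has to exist and be writable by the named user before named starts; `named-checkconf` will validate the syntax of the fragment but does not check those permissions.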
 

