CentOS - May 2016 - CentOS 6 as DNS-Server

Hello,

it has been a while since I had setup a DNS-Server with CentOS 6;
these days I added a few zones needed for DDNS; this works
but in /etc/ I found quite a strange file, I'm not sure if it was in use
at the beginning I used this system as a DNS-Server, and after several
'yum update'
not any more;

/etc/named.root.key with this content

managed-keys {
# DNSKEY for the root zone.
# Updates are published on root-dnssec-announce at icann.org
. initial-key 257 3 8
"AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
QxA+Uk1ihz0=";
};

and /etc/named.iscdlv.key with a content
identical to this: http://ftp.isc.org/isc/bind9/keys/9.8/bind.keys.v9_8

in no file neither in /etc/named.conf nor in any other file that is
included by the main config I can find a reference to /etc/named.root.key

is this file really needed or did it become obsolete?
(as seen on the URL above, /etc/named.root.key is part of
/etc/named.iscdlv.key)

Thanks,
Walter

> in no file neither in /etc/named.conf nor in any other file that is
> included by the main config I can find a reference to 
> /etc/named.root.key
> 
> is this file really needed or did it become obsolete?
> (as seen on the URL above, /etc/named.root.key is part of
> /etc/named.iscdlv.key)
# cat /etc/rc.d/init.d/named
...
ROOTDIR_MOUNT='/etc/named /etc/pki/dnssec-keys /var/named 
/etc/named.conf
/etc/named.dnssec.keys /etc/named.rfc1912.zones /etc/rndc.conf 
/etc/rndc.key
/usr/lib64/bind /usr/lib/bind /etc/named.iscdlv.key /etc/named.root.key'

mount_chroot_conf()
...

# rpm -qf /etc/named.root.key /etc/named.iscdlv.key
bind-9.8.2-0.37.rc1.el6_7.7.x86_64
bind-9.8.2-0.37.rc1.el6_7.7.x86_64

> this seems to be relevant in chroot environments;
> 
> as I noticed when configuring the DDNS-feature, that this is a little 
> bit
> weired, when running in a chroot environment; I saw the recommendation 
> not
> to use a chroot in the man-page and removed bind-chroot and then the 
> zone
> updates worked perfekt;
> 
> so this file /etc/named.root.key isn't really used; or am I missing
> something?
These files are included in both my /etc/named.conf and 
/usr/share/doc/bind-x.x.x/named.conf.default which I probably used as a 
template years ago. I'm no dns expert but you'd probably need these 
files when accessing root servers directly without use of forwarders.

I'm also using ddns and have my zone files in 
/var/named/chroot/var/named/dynamic.
Selinux is enabled and I don't see any additional bind-related rules in 
my local policy or 
/etc/selinux/targeted/contexts/files/file_contexts.local.

On 10.05.2016 18:57, ????????? ???????? wrote:
>> this seems to be relevant in chroot environments;
>>
>> as I noticed when configuring the DDNS-feature, that this is a little 
>> bit
>> weired, when running in a chroot environment; I saw the 
>> recommendation not
>> to use a chroot in the man-page and removed bind-chroot and then the 
>> zone
>> updates worked perfekt;
>>
>> so this file /etc/named.root.key isn't really used; or am I missing
>> something?
>
> These files are included in both my /etc/named.conf and 
> /usr/share/doc/bind-x.x.x/named.conf.default which I probably used as 
> a template years ago. I'm no dns expert but you'd probably need
these
> files when accessing root servers directly without use of forwarders.
>
> I'm also using ddns and have my zone files in 
> /var/named/chroot/var/named/dynamic.
are you using DDNS in DualStack (IPv4 and IPv6 together) or do you have 
only DHCP or DHCPv6 and not both?
> Selinux is enabled and I don't see any additional bind-related rules 
> in my local policy or 
> /etc/selinux/targeted/contexts/files/file_contexts.local.
>
the manpage shows this:

"NOTES
        Red Hat SELinux BIND Security Profile:

        By default, Red Hat ships BIND with the most secure SELinux 
policy that
        will not prevent normal BIND operation and will prevent 
exploitation of
        all known BIND security vulnerabilities . See the selinux(8) man 
page
        for information about SElinux.

        It is not necessary to run named in a chroot environment if the 
Red Hat
        SELinux policy for named is enabled. When enabled, this policy 
is far
        more secure than a chroot environment. Users are recommended to 
enable
        SELinux and remove the bind-chroot package.

        With this extra security comes some restrictions:

        By default, the SELinux policy does not allow named to write any 
master
        zone database files. Only the root user may create files in the
        $ROOTDIR/var/named zone database file directory (the options {
        "directory" } option), where $ROOTDIR is set in 
/etc/sysconfig/named.

        The "named" group must be granted read privelege to these
files in
        order for named to be enabled to read them.

        Any file created in the zone database file directory is 
automatically
        assigned the SELinux file context named_zone_t .

        By default, SELinux prevents any role from modifying named_zone_t
        files; this means that files in the zone database directory 
cannot be
        modified by dynamic DNS (DDNS) updates or zone transfers.

        The Red Hat BIND distribution and SELinux policy creates three
        directories where named is allowed to create and modify files:
        /var/named/slaves, /var/named/dynamic /var/named/data. By 
placing files
        you want named to modify, such as slave or DDNS updateable zone 
files
        and database / statistics dump files in these directories, named 
will
        work normally and no further operator action is required. Files in
        these directories are automatically assigned the ?named_cache_t? 
file
        context, which SELinux allows named to write."