Anand Buddhdev
2020-May-28 10:26 UTC
[nsd-users] NSD still shows permission errors on Debian 10 Buster
On 27/05/2020 17:52, Wouter Wijngaards via nsd-users wrote: Hi Wouter,> I tried to fix the contrib nsd.service by adding Simon's suggestion to > it, if that is wrong let me know: > https://github.com/NLnetLabs/nsd/commit/922d5a27f8b291b1157530cfde49707c134cf486I have a suggestion. Maybe just delete this nsd.service file. To be honest, it's not very useful because it has a random mix of directives that don't help, or actually interfere with running NSD properly. As an example, it has this directive: RestrictAddressFamilies=AF_INET AF_UNIX But what about AF_INET6 then? The above will prevent NSD from being able to bind to an IPv6 socket. I don't know where this file came from, but it's not good. If it's in there, people will use it. If you really want to provide a systemd unit file, then provide a minimal one that will work on most systems. A packager for a particular distro can add things to it if he likes. Additionally, if a user wants to tighten things up, they can always create an overlay for this unit file on their systems. Adding to a systemd unit is easier than removing existing directives in the base unit file. Regards, Anand
Wouter Wijngaards
2020-May-28 11:06 UTC
[nsd-users] NSD still shows permission errors on Debian 10 Buster
Hi Anand, On 28/05/2020 12:26, Anand Buddhdev via nsd-users wrote:> On 27/05/2020 17:52, Wouter Wijngaards via nsd-users wrote: > > Hi Wouter, > >> I tried to fix the contrib nsd.service by adding Simon's suggestion to >> it, if that is wrong let me know: >> https://github.com/NLnetLabs/nsd/commit/922d5a27f8b291b1157530cfde49707c134cf486 >> > > I have a suggestion. Maybe just delete this nsd.service file. To be > honest, it's not very useful because it has a random mix of directives > that don't help, or actually interfere with running NSD properly. As anThank you for the suggestion. Removed it. Complicated and not useful is not what I want for a contrib file, instead I would want files in contrib to be helpful and add to make use of NSD in different environments easier. Yes the removal of IPv6 also seems counterproductive to me. Best regards, Wouter> example, it has this directive: > > RestrictAddressFamilies=AF_INET AF_UNIX > > But what about AF_INET6 then? The above will prevent NSD from being able > to bind to an IPv6 socket. > > I don't know where this file came from, but it's not good. If it's in > there, people will use it. If you really want to provide a systemd unit > file, then provide a minimal one that will work on most systems. A > packager for a particular distro can add things to it if he likes. > Additionally, if a user wants to tighten things up, they can always > create an overlay for this unit file on their systems. Adding to a > systemd unit is easier than removing existing directives in the base > unit file. > > Regards, > Anand > _______________________________________________ > nsd-users mailing list > nsd-users at lists.nlnetlabs.nl > https://lists.nlnetlabs.nl/mailman/listinfo/nsd-users