author | dillon <dillon@FreeBSD.org> | 1998-12-01 21:36:33 +0000 |
---|---|---|
committer | dillon <dillon@FreeBSD.org> | 1998-12-01 21:36:33 +0000 |
commit | f312600f4d8581387c95708e3d151bf8e4da23fc (patch) | |
tree | 5e9cd456902cd76b96517d08a43d60e536b417f2 /etc/namedb | |
parent | dd3c1b5f96ce015028c6fef05c18b7afab991229 (diff) | |
Reviewed by: freebsd-current, freebsd-security
Adjust rc.conf to run named in sandbox, adjust mtree to add /etc/namedb/s
subdirectory (user bind, group bind) to hold secondaries, adjust
comments in named.conf to reflect new secondary scheme. (Note that
core read-only zone files are left owned by root, increasing security even
more).
Diffstat (limited to 'etc/namedb')
-rw-r--r-- | etc/namedb/named.conf | 10 |
1 files changed, 7 insertions, 3 deletions
diff --git a/etc/namedb/named.conf b/etc/namedb/named.conf index 31bb075..6d86859 100644 --- a/etc/namedb/named.conf +++ b/etc/namedb/named.conf @@ -1,4 +1,4 @@ -// $Id: named.conf,v 1.1 1998/05/07 23:42:33 ache Exp $ +// $Id: named.conf,v 1.2 1998/05/11 11:26:28 peter Exp $ // // Refer to the named(8) man page for details. If you are ever going // to setup a primary server, make sure you've understood the hairy @@ -77,11 +77,15 @@ zone "0.0.127.IN-ADDR.ARPA" { // // NB: Don't blindly enable the examples below. :-) Use actual names // and addresses instead. +// +// NOTE!!! FreeBSD runs bind in a sandbox (see named_flags in rc.conf). +// The directory containing the secondary zones must be write accessible +// to bind. /* zone "domain.com" { type slave; - file "domain.com.bak"; + file "s/domain.com.bak"; masters { 192.168.1.1; }; @@ -89,7 +93,7 @@ zone "domain.com" { zone "0.168.192.in-addr.arpa" { type slave; - file "0.168.192.in-addr.arpa.bak"; + file "s/0.168.192.in-addr.arpa.bak"; masters { 192.168.1.1; }; |
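Review bot: the NOTE added in the second hunk (@@ -77,11 +77,15 @@) says the directory holding the secondary zones must be writable by bind, but it never names that directory or its ownership, so the reader has to infer both from the `s/` prefix in `file "s/domain.com.bak";`. Suggest spelling out in the comment that slave files belong under the `s` subdirectory (user bind, group bind, per the commit message) and that the core read-only zone files stay outside it, owned by root, so the sandboxed named has write access only where it needs to store transferred zones.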
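Review bot: in the third hunk (@@ -89,7 +93,7 @@), `file "s/0.168.192.in-addr.arpa.bak";` is a relative path that depends on the `s` subdirectory existing, and that directory is created by the mtree change, which is outside this file's diff. A configuration that already has slave zones enabled with the old flat names (the `domain.com.bak` style removed here) gets no hint that its `file` entries need the `s/` prefix once named runs in the sandbox. One extra line in the NOTE telling administrators to move existing slave `file` paths under `s/` would cover the upgrade case.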