$OpenBSD: SECURITY,v 1.3 1999/11/14 22:39:16 jakob Exp $

Quick notes on security issues using BIND 8
-------------------------------------------

The base version of BIND from ISC is 8.2.2-P5, which is believed
to be fairly secure (i.e. no obvious bugs, and none known to the author).
It is, however, a large and complex piece of software, so more bugs
are bound to be found in the future; the configuration below is meant
to limit what a compromised named can do, not to assume there are none.

On OpenBSD, the recommended configuration is to run named in a
chroot()-ed jail, typically /var/named, and to run named as a
non-root user; this currently defaults to user 'named'.

The main configuration file /var/named/named.conf should be owned
by 'root', group 'named' and set to mode 640.
The user 'named' must be able to _read_ the file (it is re-read when
the nameserver is reloaded, etc) but 'named' must never be able to
_write_ to the file, or a compromised named could change its own
configuration.

It follows that the /var/named directory itself should not be writable
by user 'named'. In fact, the only directories that require writes by
user 'named' are the zone directories (named-xfer writes transferred
secondary zones there) and /var/named/var/run (the pid file).
All other directories should be owned by 'root', group 'wheel'.
The /var/named/var/tmp directory should be mode 1777 (sticky bit set),
so files created there can only be removed or renamed by their owner.

If you are using signed zones, don't store your private zone key(s)
under /var/named: anything inside the jail is readable by a compromised
named, and with the private key an attacker can sign forged zone data.
Only the signed zone files need to be inside the jail.
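
The rules above boil down to one property: user 'named' can write only
into the zone directories, /var/named/var/run and /var/named/var/tmp,
can read but not write named.conf, and has no private key within reach.
The script below checks a jail for exactly that. It is an added example
written for this note, not code from the port or from ISC; the function
names are its own, it assumes plain Unix permissions (no ACLs), a
non-root named user and paths without spaces, and it looks for private
keys by the dnskeygen naming K<name>+<alg>+<id>.private.

```shell
#!/bin/sh
# named_jail_problems: audit a BIND 8 chroot jail against the rules in
# this note.  Added example, not part of the OpenBSD port.  It models
# what the unprivileged named user can write under plain Unix
# permissions: the owner bit if it owns the file, the group bit if it
# is in the file's group, the world bit otherwise.  Assumptions: no
# ACLs, the named user is not root, paths contain no spaces, private
# keys follow the dnskeygen K<name>+<alg>+<id>.private naming.
#
# usage: named_jail_problems JAIL NAMED_USER NAMED_GROUP [ZONEDIR ...]
# Prints one line per problem; prints nothing when the layout is clean.

# Print $1 if user $2 / group $3 could write it (nothing otherwise).
_writable_by() {
    find "$1" -prune \( \( -user "$2" -perm -200 \) -o \
        \( -group "$3" -perm -020 \) -o -perm -002 \) -print
}

# Print $1 if user $2 / group $3 could read it (nothing otherwise).
_readable_by() {
    find "$1" -prune \( \( -user "$2" -perm -400 \) -o \
        \( -group "$3" -perm -040 \) -o -perm -004 \) -print
}

named_jail_problems() {
    jail=$1; nuser=$2; ngroup=$3; shift 3
    # Where named legitimately writes: the pid directory, the 1777 tmp
    # directory, and every zone directory given on the command line
    # (named-xfer drops transferred secondary zones there).
    allowed="$jail/var/run $jail/var/tmp $*"

    # named.conf: readable by named, never writable by it.
    conf="$jail/named.conf"
    if [ ! -f "$conf" ]; then
        echo "missing: $conf"
    else
        [ -n "$(_readable_by "$conf" "$nuser" "$ngroup")" ] ||
            echo "not readable by $nuser: $conf"
        [ -z "$(_writable_by "$conf" "$nuser" "$ngroup")" ] ||
            echo "writable by $nuser: $conf"
    fi

    # var/tmp must be sticky and world-writable (mode 1777).
    if [ ! -d "$jail/var/tmp" ] ||
       [ -z "$(find "$jail/var/tmp" -prune -perm -1777 -print)" ]; then
        echo "not mode 1777: $jail/var/tmp"
    fi

    # Anything else named can write is a problem: a writable etc/ or
    # bin/ is how a compromised named would persist or replace the
    # server binary it runs as.
    find "$jail" \( \( -user "$nuser" -perm -200 \) -o \
        \( -group "$ngroup" -perm -020 \) -o -perm -002 \) -print |
    while read -r p; do
        ok=0
        [ "$p" = "$conf" ] && ok=1     # reported above already
        for a in $allowed; do
            case "$p" in "$a"|"$a"/*) ok=1 ;; esac
        done
        [ "$ok" -eq 1 ] || echo "writable by $nuser: $p"
    done

    # Private zone keys do not belong anywhere named can read.
    find "$jail" -name 'K*.private' -print |
    while read -r k; do echo "private key inside jail: $k"; done
}
```

Run it as `named_jail_problems /var/named named named /var/named/zones`
with one argument per zone directory from named.conf; empty output
means the layout matches the rules. It reports write access rather than
ownership: owning everything else as root:wheel is how you get there,
and the script will still flag a root-owned file that named can write
through a group or world bit.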

Some additional hardening has been done to the source for this
port/snapshot; this currently includes:

	** Don't allow source-routed sockets
	** Most sprintf() calls have been changed to snprintf()
	** Likewise strcpy() & strncpy() to strlcpy() in the
	   named and named-xfer binaries
	** Use mkstemp() instead of mktemp() (no predictable temp file
	   names, and no race between picking the name and creating it)
	** Generate good random query IDs (predictable IDs make it easy
	   to spoof answers and poison the cache)
	
There are also some functionality/bugfix patches (from the indicated sources).
[These are not strictly security related, but this seems a good place
 to mention this anyway, so...]
	
	** global transfer-source option [ISC]
	** allow trusted keys to be specified in hex [TISlabs]
	** support multiple CNAMEs [ISC]


November 14, 1999
Håkan Olsson <ho@openbsd.org>
Jakob Schlyter <jakob@openbsd.org>
