IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity
90a75f0d43
freeipa/install/share/bind.named.conf.template
Christian Heimes 90a75f0d43 Use system-wide crypto-policies on Fedora 
HTTPS connections from IPA framework and bind named instance now use
system-wide crypto-policies on Fedora.

For HTTPS the 'DEFAULT' crypto policy also includes unnecessary ciphers
for PSK, SRP, aDSS and 3DES. Since these ciphers are not used by freeIPA,
they are explicitly excluded.

See: https://bugzilla.redhat.com/show_bug.cgi?id=1179925
See: https://bugzilla.redhat.com/show_bug.cgi?id=1179220
Fixes: https://pagure.io/freeipa/issue/4853
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2018-02-20 17:01:52 +01:00

61 lines
1.4 KiB
Plaintext
Raw Blame History

options {
// turns on IPv6 for port 53, IPv4 is on by default for all ifaces
listen-on-v6 {any;};
// Put files that named is allowed to write in the data/ directory:
directory "$NAMED_VAR_DIR"; // the default
dump-file "data/cache_dump.db";
statistics-file "data/named_stats.txt";
memstatistics-file "data/named_mem_stats.txt";
// Any host is permitted to issue recursive queries
allow-recursion { any; };
tkey-gssapi-keytab "$NAMED_KEYTAB";
pid-file "$NAMED_PID";
dnssec-enable yes;
dnssec-validation yes;
/* Path to ISC DLV key */
bindkeys-file "$BINDKEYS_FILE";
managed-keys-directory "$MANAGED_KEYS_DIR";
/* crypto policy snippet on platforms with system-wide policy. */
$INCLUDE_CRYPTO_POLICY
};
/* If you want to enable debugging, eg. using the 'rndc trace' command,
* By default, SELinux policy does not allow named to modify the /var/named directory,
* so put the default debug log file in data/ :
*/
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
print-time yes;
};
};
zone "." IN {
type hint;
file "named.ca";
};
include "$RFC1912_ZONES";
include "$ROOT_KEY";
/* WARNING: This part of the config file is IPA-managed.
* Modifications may break IPA setup or upgrades.
*/
dyndb "ipa" "$BIND_LDAP_SO" {
uri "ldapi://%2fvar%2frun%2fslapd-$SERVER_ID.socket";
base "cn=dns, $SUFFIX";
server_id "$FQDN";
auth_method "sasl";
sasl_mech "GSSAPI";
sasl_user "DNS/$FQDN";
};
/* End of IPA-managed part. */
Reference in New Issue View Git Blame Copy Permalink