--- bind-9.18.28/doc/man/named.8in.orig 2024-07-08 17:22:50.522668771 +0200 +++ bind-9.18.28/doc/man/named.8in 2024-07-31 22:01:07.556991781 +0200 @@ -236,13 +236,11 @@ \fBNOTE:\fP .INDENT 0.0 .INDENT 3.5 -On Linux, \fBnamed\fP uses the kernel\(aqs capability mechanism to drop -all root privileges except the ability to \fBbind\fP to a -privileged port and set process resource limits. Unfortunately, -this means that the \fI\%\-u\fP option only works when \fBnamed\fP is run -on kernel 2.2.18 or later, or kernel 2.3.99\-pre3 or later, since -previous kernels did not allow privileges to be retained after -\fBsetuid\fP\&. +On illumos-based distributions, including OpenIndiana, \fBnamed\fP +uses the kernel\(aqs capability mechanism to drop +all root privileges. +The method script adds the privileges to \fBbind\fP to a privileged port. +Basic privileges are still retained after \fBsetuid\fP\&. .UNINDENT .UNINDENT .INDENT 0.0 
@@ -264,6 +262,100 @@ Use of this option overrides the \fBlock\-file\fP option in \X'tty: link #std-iscman-named.conf'\fI\%named.conf\fP\X'tty: link'\&. If set to \fBnone\fP, the lock file check is disabled. .UNINDENT +.SH AUTOMATIC SERVICE MANAGEMENT (SMF) +.sp +The \fBDNS\fP service is managed by the service management facility, \fBsmf\fP(7), under the service identifier: +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +svc:/network/dns/server:default +.ft P +.fi +.UNINDENT +.UNINDENT +.LP +Administrative actions on this service, such as enabling, disabling, or requesting restart, can be performed using \fBsvcadm\fP(8). The service's status can +be queried using the \fBsvcs\fP(1) command. +.LP +\fBDNS\fP on illumos is managed via the service management facility described in +\fBsmf\fP(7). There are several options controlled by services properties which +can be set by the system administrator. The available options can be listed by +executing the following command: +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +svccfg -s svc:/network/dns/server:default listprop options +.ft P +.fi +.UNINDENT +.UNINDENT +.sp +Each of these properties can be set using this command: +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +svccfg -s svc:/network/dns/server:default setprop \fIpropname\fP = \fIvalue\fP +.ft P +.fi +.UNINDENT +.UNINDENT +.sp +The available options and their meanings are as follows: +.TP +.BR options/server +A string that specifies an alternative server command. If +not specified the default /usr/sbin/named is used. +.TP +.BR options/configuration_file +A string that specifies an alternative +configuration file to be used. The property is similar +to named(8) command line option '-c . +.TP +.BR options/ip_interfaces +A string that specifies which IP transport BIND will +transmit on. Possible values are 'IPv4' or 'IPv6'. Any +other setting assumes 'all', the default. +Equivalent to command line option '-4' or '-6'. 
+.TP +.BR options/listen_on_port +An integer that specifies the default UDP and TCP port +which will be used to listen for DNS requests. +If not specified, the server listens on port 53. +Equivalent to command line option '-p '. +.TP +.BR options/debug_level +An integer that specifies the default debug level. The +default is 0; no debugging. The higher the number the +more verbose debug information becomes. +Equivalent to command line option '-d '. +.TP +.BR options/threads +An integer that specifies the number of cpu worker threads to +create. The default of 0 causes named to try to +determine the number of CPUs present and create one +thread per CPU. +Equivalent to command line option '-n '. +.TP +.BR options/chroot_dir +Change the root directory using chroot(2) +to pathname after processing the command line +arguments, but before reading the configuration file. +The working directory must be below chroot_dir. +This option should be used in conjunction with the user option. +Equivalent to command line option '-t '. +.TP +.BR options/user +Change to user after completing privileged operations, such as +creating sockets that listen on privileged ports. +The default user is 'named'. +The working directory must be writable by this user. +Equivalent to command line option '-u user'. .SH SIGNALS .sp In routine operation, signals should not be used to control the 
@@ -299,7 +391,7 @@ .UNINDENT .SH SEE ALSO .sp -\X'tty: link https://datatracker.ietf.org/doc/html/rfc1033.html'\fI\%RFC 1033\fP\X'tty: link', \X'tty: link https://datatracker.ietf.org/doc/html/rfc1034.html'\fI\%RFC 1034\fP\X'tty: link', \X'tty: link https://datatracker.ietf.org/doc/html/rfc1035.html'\fI\%RFC 1035\fP\X'tty: link', \X'tty: link #std-iscman-named-checkconf'\fI\%named\-checkconf(8)\fP\X'tty: link', \X'tty: link #std-iscman-named-checkzone'\fI\%named\-checkzone(8)\fP\X'tty: link', \X'tty: link #std-iscman-rndc'\fI\%rndc(8)\fP\X'tty: link', \X'tty: link #std-iscman-named.conf'\fI\%named.conf(5)\fP\X'tty: link', BIND 9 Administrator Reference Manual. +\X'tty: link https://datatracker.ietf.org/doc/html/rfc1033.html'\fI\%RFC 1033\fP\X'tty: link', \X'tty: link https://datatracker.ietf.org/doc/html/rfc1034.html'\fI\%RFC 1034\fP\X'tty: link', \X'tty: link https://datatracker.ietf.org/doc/html/rfc1035.html'\fI\%RFC 1035\fP\X'tty: link', \X'tty: link #std-iscman-named-checkconf'\fBnamed\-checkconf(8)\fP\X'tty: link', \X'tty: link #std-iscman-named-checkzone'\fBnamed\-checkzone(8)\fP\X'tty: link', \X'tty: link #std-iscman-rndc'\fBrndc(8)\fP\X'tty: link', \X'tty: link #std-iscman-named.conf'\fBnamed.conf(5)\fP\X'tty: link', BIND 9 Administrator Reference Manual. .SH AUTHOR Internet Systems Consortium .SH COPYRIGHT
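Review bot: In the first hunk (@@ -236,13 +236,11 @@) the replacement NOTE contradicts itself: it says named drops "all root privileges", then says the method script adds the privileges to bind to a privileged port and that basic privileges are still retained after setuid. It also keeps the Linux wording "the kernel's capability mechanism" while the following sentences speak of privileges. Suggest using one term throughout and stating exactly which privileges the running process ends up holding, since that set is what an administrator needs in order to judge the exposure of a compromised named. The removed text tied the note to the -u option and the new text no longer does, so say whether -u still applies or is superseded by the service property. "The method script" is also mentioned here before the SMF section that introduces the service, so a forward reference to that section would help.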
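Review bot: In the second hunk (@@ -264,6 +262,100 @@) the "Equivalent to command line option" lines have lost their arguments: options/configuration_file ends with '-c . (unbalanced quote, no argument), and options/listen_on_port, options/debug_level, options/threads and options/chroot_dir read '-p ', '-d ', '-n ' and '-t ' with an empty placeholder, while options/user correctly reads '-u user'. Suggest spelling each argument out in the same style as '-u user', for example with \fI...\fP as the setprop line already does for propname and value. Two smaller points in the same hunk: the section states twice that DNS is managed by smf(7) (first and third paragraphs), so one of them can go, and "services properties" should be "service properties". The setprop paragraph also does not say whether the service must be refreshed or restarted with svcadm(8) before a changed property takes effect, which matters for options/user and options/chroot_dir because an administrator may assume the confinement is active as soon as the property is set.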
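Review bot: In the last hunk (@@ -299,7 +391,7 @@) the SEE ALSO line switches named-checkconf(8), named-checkzone(8), rndc(8) and named.conf(5) from \fI\%...\fP to \fB...\fP, but the RFC 1033, 1034 and 1035 entries on the same line keep \fI\%, so the line now mixes two styles. The change also drops the \% escape, which allows these names to be hyphenated across a line break. If bold cross-references are wanted for consistency with the \fBsmf\fP(7) and \fBsvcadm\fP(8) references added earlier in the patch, keep the \% and explain the reason in the patch description; otherwise drop this hunk, since it is unrelated to the SMF documentation and adds a difference that has to be carried on every version bump.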