Configure BIND to use System Crypto Policy
このページは日本語には対応しておりません。随時翻訳に取り組んでいます。
翻訳に関してご質問やご意見ございましたら、
お気軽にご連絡ください。
Description
Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
BIND is supported by crypto policy, but the BIND configuration may be
set up to ignore it.
To check that Crypto Policies settings are configured correctly, ensure that the /etc/named.conf
includes the appropriate configuration:
In the options
section of /etc/named.conf
, make sure that the following line
is not commented out or superseded by later includes:
include "/etc/crypto-policies/back-ends/bind.config";
Rationale
Overriding the system crypto policy makes the behavior of the BIND service violate expectations,
and makes system configuration more fragmented.
Shell script
The following script can be run on the host to remediate the issue.
#!/bin/bash
function remediate_bind_crypto_policy() {
CONFIG_FILE="/etc/named.conf"
if test -f "$CONFIG_FILE"; then
sed -i 's|options {|&\n\tinclude "/etc/crypto-policies/back-ends/bind.config";|' "$CONFIG_FILE"
return 0
else
echo "Aborting remediation as '$CONFIG_FILE' was not even found." >&2
return 1
fi
}
remediate_bind_crypto_policy