-----BEGIN PGP SIGNED MESSAGE-----

	Setting up the jail for BIND 4.9.x-OW.

1. Create group 'named'.  Create user 'named', with group 'named' as the
primary GID.  Leave it locked ('*' in the password field, or similar).

2. Create a directory where named and named-xfer will live, such as
/named.  Populate it with the required files, setting their ownership
and permissions like this:

 drwx--x---   5 root     named        1024 Nov  8 10:04 ./

	(The new root directory itself.)

 -rwx------   1 root     root       164228 Nov  8 10:04 named
 -rwx--x---   1 root     named      244880 Nov  8 07:49 named-xfer

	(Our two binaries; named-xfer is statically linked.)

 -rw-r-----   1 root     named       10990 Nov  8 08:01 named.boot

	(Main configuration file.)

 drwxr-x---   3 root     named        6144 Nov  8 07:59 named.dat/

	(Whatever directory is mentioned in your named.boot, above.)

 drwxrwx---   2 root     named        4096 Nov  8 11:36 named.dat/sec/

	(A subdirectory for the secondaries.)

 drwx--x---   2 root     named        1024 Nov  8 07:53 dev/
 drwx--x---   3 root     named        1024 Nov  8 07:51 usr/

	(These two are optional, see below.)

Zone files within /named/named.dat (or whatever you called it) should
be owned by root, and readable by group 'named'.  Secondaries should
be in a subdirectory both readable and writable by group 'named', and
the files themselves should have 'named' as their owner.

If you want to see logs from named-xfer (and you probably do), you will
also need /usr/lib/zoneinfo/localtime (or whatever your system uses for
the timezone file) and possibly the /dev/log socket within the new root
directory.  (Note that named itself, with the patch applied, is smart
enough to open /dev/log and initialize the timezone before changing its
root directory.)

3. If you are running an old version of syslogd that isn't capable of
reading multiple Unix domain sockets and you need logs from named-xfer,
you should start named with these commands:

	rm /named/dev/log
	ln /dev/log /named/dev/log		# should be same device
	/named/named -t /named -u named

In simpler cases, only the last command is needed (but you may need to
tell your syslogd to read an additional Unix domain socket, which is
usually done with a command-line option).
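The layout in step 2, together with the zone-file rule that follows it, can be checked mechanically before named is started. The audit below is an added example, not part of the Openwall text; it assumes Python 3, takes the jail root and data directory name as parameters, and reports every entry whose type, permission bits or owner/group differ from the listing (the optional dev/ and usr/ entries are not checked; the users/groups maps are there for sites that named the account differently).

```python
import grp, os, pwd, stat

# Expected owner, group and type+permission bits of each jail entry,
# transcribed from the listing in step 2 (dev/ and usr/ are optional).
def jail_spec(datadir="named.dat"):
    return {
        ".":              ("root", "named", stat.S_IFDIR | 0o710),
        "named":          ("root", "root",  stat.S_IFREG | 0o700),
        "named-xfer":     ("root", "named", stat.S_IFREG | 0o710),
        "named.boot":     ("root", "named", stat.S_IFREG | 0o640),
        datadir:          ("root", "named", stat.S_IFDIR | 0o750),
        datadir + "/sec": ("root", "named", stat.S_IFDIR | 0o770),
    }

def owner_names(st):
    """(user, group) names for a stat result; unresolvable ids stay numeric."""
    try:
        return pwd.getpwuid(st.st_uid).pw_name, grp.getgrgid(st.st_gid).gr_name
    except KeyError:
        return str(st.st_uid), str(st.st_gid)

def audit_jail(root, datadir="named.dat", users=None, groups=None):
    """Return a list of findings; an empty list means the jail matches.
    users/groups map the listing's names ("root", "named") to local names."""
    users, groups = users or {}, groups or {}
    findings = []
    for rel, (owner, group, mode) in jail_spec(datadir).items():
        try:
            st = os.lstat(os.path.join(root, rel))
        except FileNotFoundError:
            findings.append(rel + ": missing")
            continue
        if (stat.S_IFMT(st.st_mode) | stat.S_IMODE(st.st_mode)) != mode:
            findings.append("%s: is %s, expected %s" % (rel, stat.filemode(st.st_mode), stat.filemode(mode)))
        want = (users.get(owner, owner), groups.get(group, group))
        if owner_names(st) != want:
            findings.append("%s: owned by %s:%s, expected %s:%s" % ((rel,) + owner_names(st) + want))
    # Zone files: owned by root, readable by group; secondaries in sec/: owned by named.
    for sub, owner, grp_read in ((datadir, "root", True), (datadir + "/sec", "named", False)):
        d = os.path.join(root, sub)
        for name in (os.listdir(d) if os.path.isdir(d) else []):
            st = os.lstat(os.path.join(d, name))
            if stat.S_ISDIR(st.st_mode):  # skip sec/ itself
                continue
            if owner_names(st)[0] != users.get(owner, owner):
                findings.append("%s/%s: should be owned by %s" % (sub, name, owner))
            if grp_read and not (st.st_mode & stat.S_IRGRP):
                findings.append("%s/%s: not readable by group" % (sub, name))
    return findings
```

Run it as root against the real jail, e.g. audit_jail("/named"); anything it prints is a deviation from the table above.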

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Comment: http://www.openwall.com/signatures/
Charset: noconv