Installation notes:

Build initcaps and start-stop-daemon and install them somewhere.

Reboot, adding "init=/sbin/initcaps" to the kernel command line.

For details on capabilities read
http://linux.kernel.org/pub/linux/libs/security/linux-privs/ .

==============================================================================
How to run BIND as a user:

* create a bind user:

adduser --system bind --ingroup nogroup

* create a directory for the pid file and the control socket:

mkdir /var/run/bind
chown bind.nogroup /var/run/bind

* add these lines to bind.conf (in this example the bind user's uid is 121
  and the nogroup gid is 65534):

options {
      pid-file "/var/run/bind/named.pid";
};

controls { unix "/var/run/bind/ndc" perm 0600 owner 121 group 65534; };

* start the daemon with:

start-stop-daemon --start --chcaps cap_net_bind_service+ep --chuid bind \
	--exec /usr/sbin/named

* when you use ndc, run it as:

ndc -c /var/run/bind/ndc

* For ultimate security, build a chroot jail and use --chroot.
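
A check that the daemon really ended up with only the intended privileges, as an added example that is not part of these notes: it reads the Uid, CapPrm and CapEff lines that /proc/<pid>/status reports and accepts only a non-root process whose masks contain nothing beyond cap_net_bind_service. The sample status text is constructed, and the live wrapper assumes the pid-file path from the configuration above.

```shell
#!/bin/sh
# Constructed sample of the lines /proc/<pid>/status shows for a named
# started with --chuid bind --chcaps cap_net_bind_service+ep
# (whitespace simplified; the real file separates fields with tabs).
SAMPLE_STATUS='Name:   named
Uid:    121     121     121     121
Gid:    65534   65534   65534   65534
CapInh: 0000000000000000
CapPrm: 0000000000000400
CapEff: 0000000000000400'

# Bit number of CAP_NET_BIND_SERVICE in the kernel's capability masks.
CAP_NET_BIND_SERVICE=10

# status_field TEXT NAME: print the first value on the "NAME:" line.
status_field() {
    printf '%s\n' "$1" | awk -v f="$2:" '$1 == f { print $2; exit }'
}

# cap_mask_is_only HEXMASK BIT: succeed if HEXMASK has exactly that bit set.
cap_mask_is_only() {
    [ -n "$1" ] || return 1
    [ "$((0x$1))" -eq "$((1 << $2))" ]
}

# check_named_status TEXT: classify a status dump as ok / bad-uid / bad-caps.
# "ok" means the process is not root and its permitted and effective sets
# hold nothing beyond cap_net_bind_service.
check_named_status() {
    uid=$(status_field "$1" Uid)
    prm=$(status_field "$1" CapPrm)
    eff=$(status_field "$1" CapEff)
    if [ -z "$uid" ] || [ "$uid" -eq 0 ]; then
        echo bad-uid
        return 1
    fi
    if cap_mask_is_only "$prm" "$CAP_NET_BIND_SERVICE" &&
       cap_mask_is_only "$eff" "$CAP_NET_BIND_SERVICE"; then
        echo ok
        return 0
    fi
    echo bad-caps
    return 1
}

# check_named_live: the same check against the running daemon, using the
# pid file configured above (hypothetical wrapper; needs a running named).
check_named_live() {
    pid=$(cat /var/run/bind/named.pid) || return 1
    check_named_status "$(cat "/proc/$pid/status")"
}
```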

==============================================================================
Copyright 2000 Marco d'Itri <md@linux.it>, released in the public domain.
==============================================================================
