Red Hat APPLICATION STACK 1.2 RELEASE User Manual Page 23
The dnssec [yes|no] option no longer exists. The global dnssec [yes|no] option has
been split into two new options: dnssec-enable and dnssec-validation. The dnssec-enable
option enables DNSSEC support. The dnssec-validation option enables DNSSEC
validation. Note that setting dnssec-enable to "no" on a recursive server means that it cannot be
used as a forwarder by another server that performs DNSSEC validation. Both options are set to
yes by default.
You no longer need to specify the controls statement in /etc/named.conf if you use the rndc
management utility. The named service automatically allows control connections via the loopback
device and both named and rndc use the same secret key generated during installation (located in
/etc/rndc.key).
In a default installation, BIND is installed with DNSSEC validation enabled, and uses the ISC DLV
register. This means all signed domains (such as gov., se., cz.) that have their key in the ISC DLV
register are cryptographically validated on the recursive server. If validation fails due to attempts at
cache poisoning, then the end user will not be given this forged/spoofed data. DNSSEC deployment
is now a widely implemented feature, is an important step in making the Internet more secure for
end users, and is fully supported in Red Hat Enterprise Linux 6. As previously mentioned, DNSSEC
validation is controlled with the dnssec-validation option in /etc/named.conf.
4.5. NTP
NTP (Network Time Protocol) is used to synchronize the clocks of computer systems over the network.
In Red Hat Enterprise Linux 6, the default configuration file, /etc/ntp.conf, now has the following
lines commented:
#server 127.127.1.0 # local clock
#fudge 127.127.1.0 stratum 10
This configuration means that ntpd will only distribute time information to network clients if it is
specifically synchronized to an NTP server or a reference clock. To get ntpd to offer this information
even when not synchronized, the two lines should be uncommented.
Also, when ntpd is started with the -x option (in OPTIONS in the /etc/sysconfig/ntpd file),
or if there are servers specified in /etc/ntp/step-tickers, the service no longer runs the
ntpdate command before starting. There is now a separate ntpdate service which can be enabled
independently from the ntpd service. This ntpdate service is disabled by default, and should be
used only when other services require the correct time before starting, or do not function properly
when ntpd adjusts the time later.
You may encounter problems running this service with the default NetworkManager configuration. It
may be necessary to add NETWORKWAIT=1 to /etc/sysconfig/network, as described in the Red
Hat Enterprise Linux Deployment Guide.
4.6. Kerberos
In Red Hat Enterprise Linux 6, Kerberos clients and servers (including KDCs) will default to not using
keys for the ciphers des-cbc-crc, des-cbc-md4, des-cbc-md5, des-cbc-raw, des3-cbc-raw,
des-hmac-sha1, and arcfour-hmac-exp. By default, clients will not be able to authenticate to
services which have keys of these types.
Most services can have a new set of keys (including keys for use with stronger ciphers) added to their
keytabs and experience no downtime, and the ticket granting service's keys can likewise be updated
to a set which includes keys for use with stronger ciphers, using kadmin's cpw -keepold command.
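As an added example (not part of this guide), the following Python audit parses `klist -ket` output and flags principals whose keytab holds only keys of the encryption types listed above, so an administrator can see which services need new keys before Red Hat Enterprise Linux 6 clients can authenticate to them. The sample output is constructed and assumes the short enctype names printed by MIT klist.

```python
import re
from collections import defaultdict

# Encryption types that Red Hat Enterprise Linux 6 Kerberos clients and
# servers no longer use by default (the list given in the section above).
WEAK_ENCTYPES = {
    "des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des-cbc-raw",
    "des3-cbc-raw", "des-hmac-sha1", "arcfour-hmac-exp",
}

# One keytab entry as printed by `klist -ket`:
#   KVNO  date  time  principal  (enctype)
ENTRY_RE = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+)\s+\((\S+)\)\s*$")

def parse_klist(output):
    """Return {principal: [(kvno, enctype), ...]} from `klist -ket` text."""
    keys = defaultdict(list)
    for line in output.splitlines():
        m = ENTRY_RE.match(line)
        if m:  # header, separator and "Keytab name:" lines do not match
            keys[m.group(2)].append((int(m.group(1)), m.group(3)))
    return dict(keys)

def audit_keytab(output):
    """Classify each principal in the keytab:
       'ok'        - at least one key uses a non-deprecated enctype
       'weak-only' - every key uses a deprecated enctype; add new keys
                     (for example with kadmin's cpw -keepold) before
                     RHEL 6 clients can authenticate to this service
    """
    report = {}
    for princ, entries in parse_klist(output).items():
        strong = [e for _, e in entries if e not in WEAK_ENCTYPES]
        report[princ] = "ok" if strong else "weak-only"
    return report

# Constructed sample output; hostnames, realm and timestamps are made up.
SAMPLE = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------
   2 01/15/10 10:00:00 host/old.example.com@EXAMPLE.COM (des-cbc-crc)
   2 01/15/10 10:00:00 host/old.example.com@EXAMPLE.COM (des-cbc-md5)
   3 02/01/10 09:30:00 host/new.example.com@EXAMPLE.COM (des-cbc-crc)
   3 02/01/10 09:30:00 host/new.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
"""

if __name__ == "__main__":
    for princ, status in audit_keytab(SAMPLE).items():
        print(f"{status:10} {princ}")
```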