On Tue, 12 Nov 2013, Erwin Lansing wrote:

Sorry about the delay, but I did finally update all three dns/bind9* ports today.

Thanks a lot for your work on this very important port.

I have dropped the complicated chroot, and related symlinking, logic from the default rc script as I don't think that is the right place to implement things.

I am somewhat astonished by this decision. FreeBSD has been running named chrooted for as long as I can remember. One of the really nice things about running BIND on FreeBSD has been that it came perfectly configured out of the box. I think a lot of people are going to be surprised by this.

Maybe the rc script is the wrong place to set up the chroot, but shouldn't the port at least set it up at install time? Without this, there is going to be a lot of duplicated and error prone effort with everyone setting up their own chroot environment.

I would recommend users who want the extra security to use jail(8) instead of a mere chroot.

Is it the consensus that running named chrooted doesn't really add additional security? If a jail is that much better, shouldn't the port set up an appropriately configured jail so that we once again have everything working out of the box?

Maybe the Capsicum framework will supersede both chroots and jails for added BIND security, but until then, shouldn't the chroot feature be retained?

Greg Rivers
freebsd-current@freebsd.org mailing list
To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"

Reply via email to