Re: chrooting BIND [was -Re: Here I am again, hat in hand with humble demeanor.......]

2010-09-27 Thread Doug Barton

On 9/27/2010 7:46 AM, Jerry Kemp wrote:

> IMHO, the primary benefit of chrooting is security.
>
> another, less painful option, again IMHO, is to run BIND in a jail if
> you are using BSD,

The default configuration in FreeBSD is to run it chroot'ed. Given that 
it's very unlikely that the chroot will be broken, IMO running it in a 
jail for security reasons is overkill.



hth,

Doug

--

... and that's just a little bit of history repeating.
-- Propellerheads

Improve the effectiveness of your Internet presence with
a domain name makeover! http://SupersetSolutions.com/

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: chrooting BIND [was -Re: Here I am again, hat in hand with humble demeanor.......]

2010-09-27 Thread Kevin Oberman
> Date: Mon, 27 Sep 2010 09:46:44 -0500
> From: Jerry Kemp dns.bind.l...@oryx.cc
> Sender: bind-users-bounces+oberman=es@lists.isc.org
>
> IMHO, the primary benefit of chrooting is security.
>
> another, less painful option, again IMHO, is to run BIND in a jail if
> you are using BSD, or a zone if you are on Solaris, or a Solaris based
> distro.

While both are pretty simple to do on BSD, jail is far more secure, but
I certainly find setting up jails more complex than chrooting. (Besides,
the FreeBSD BIND is chrooted by default, so there is nothing to set up.)
-- 
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: ober...@es.net  Phone: +1 510 486-8634
Key fingerprint: 059B 2DDF 031C 9BA3 14A4  EADA 927D EBB3 987B 3751