Crossfire wrote:
>
> Martin was once rumoured to have said:
> > > ... and here I was expecting you to say "but how do you compile a C
> > > program in a chrooted environment", and I was going to say "well okay,
> > > you do have a point, so the end result would be the same chicken/egg
> > > problem with one needing a binary to get out of the chroot", which
> > > either Terry, Crossfire or Angus would rebuke further... etc, etc.
> >
> > well, what is stopping that same program compiled on a similar box being
> > downloaded and run from within the chroot environment...
> >
> > so, you then remove all means of transferring files from within the
> > chroot environment...
> >
> > where do you stop??? ...my head hurts!
> >
> > > I'd imagine that a chrooted bind that isn't running as root would be
> > > safer.
> > ^^^^^
> >
> > emphasis on the "safer" which != "safe"...
> >
> > on the subject of bind, has anyone researched the alternatives to bind?
> > anyone used djbdns?
>
> djbdns is not really suitable for use on public DNS servers.
Could you please explain why? I have been using djbdns on various public
DNS servers for well over a year. I have never had any problems.
> That,
> and it doesn't cache [it relies upon dnscache to do that], which makes
> it moderately useless.
Why? What's wrong with relying on dnscache? You can run dnscache on the
loopback, and make djbdns available on the external interface. If you
want an external cache, use IP aliasing. It's just different.
> It also doesn't support AXFR, which means
> you'll be manually updating your secondaries. It is on my "not
> recommended list".
um, yes it does. That's how some of the secondaries I administer get updated.
>
> Yes, I do have a grudge against djb - I wouldn't have it if he didn't
> release crap and hide it behind his security guarantee.
oh well, I ain't getting into this again.
-Colin
>
> bind is good. Bind will work chrooted. Bind will work surrendering
> privileges. You can't escape a chroot once you've surrendered root
> privs (unless your chrooted environment foolishly includes setuid
> binaries). OpenBSD knows this, and ships their bind configuration to
> chroot jail and surrender root by default. However, bind sucks for
> dynamic tables. Do not use bind for dynip stuff. (I use bind myself,
> mostly because I've been using Bind4 and Bind8 for years - that, and
> my `dynip' table has a very low rate of change, and I use magic,
> rather than the dynamic DNS update mechanisms to set it)
>
> There is also Dents which is a viable replacement for Bind. Dents
> also supports drop-in namespace modules. Dents works with
> Supersparrow. I haven't used dents, so I can't vouch for its feature
> set, however Dents sounds like the right thing by implementing the
> featureset, and making it behave in a sane manner.
>
> Yes, these are *MY* opinions.
>
> C.
> --
> --==============================================--
> Crossfire | This email was brought to you
> [EMAIL PROTECTED] | on 100% Recycled Electrons
> --==============================================--
>
> --
> SLUG - Sydney Linux User Group Mailing List - http://slug.org.au/
> More Info: http://slug.org.au/lists/listinfo/slug
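The quoted post's caveat about a chrooted, privilege-dropping bind is that the jail must not contain setuid binaries. The following is an added example (not code from the thread or from any of the projects it mentions) that audits a jail directory for setuid/setgid files; the jail path and the constructed throwaway jail in the demo are assumptions.

```shell
#!/bin/sh
# Added example: audit a chroot jail for set-user-ID / set-group-ID files,
# the one thing the post above says would let a process that has dropped
# root climb back out. Point JAIL at your own named jail (path assumed).

# audit_jail JAILDIR -> lists offending files; returns 0 if clean, 1 if not
audit_jail() {
    jail="$1"
    [ -d "$jail" ] || { echo "no such directory: $jail" >&2; return 2; }
    # -perm -4000 = setuid bit set, -perm -2000 = setgid bit set;
    # -xdev keeps find from wandering into bind-mounted filesystems.
    found=$(find "$jail" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null)
    if [ -n "$found" ]; then
        echo "setuid/setgid files inside $jail:"
        echo "$found"
        return 1
    fi
    return 0
}

# count_setuid JAILDIR -> number of setuid/setgid regular files (for scripting)
count_setuid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | wc -l | tr -d ' '
}

# Self-contained demo on a constructed throwaway jail (not a real named jail)
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/bin"
    printf '#!/bin/sh\necho hi\n' > "$tmp/bin/harmless"
    chmod 755 "$tmp/bin/harmless"
    audit_jail "$tmp" && echo "clean jail: OK"
    cp "$tmp/bin/harmless" "$tmp/bin/leftover-suid"
    chmod 4755 "$tmp/bin/leftover-suid"   # constructed: a setuid file left in the jail
    audit_jail "$tmp" || echo "jail failed audit (expected)"
    rm -rf "$tmp"
}

demo
```

Run it as root against the real jail (for example `JAIL=/var/named; audit_jail "$JAIL"`) after building the chroot and again after any package update that touches it.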