New BIND 9 chroot directories

Doug Barton DougB at
Mon Oct 4 22:53:51 PDT 2004

On Mon, 4 Oct 2004, Charles Swiger wrote:

> On Oct 4, 2004, at 10:48 PM, Makoto Matsushita wrote:
>> [ ...hier compliance... ]  Yes, the named configuration file (I
>> believe it is considered generally as important), master zone files
>> (also important, at least for me), are located under "/var."
>> So here's my question to all "running named with chroot sandobx"
>> users: are you ok with such important file is under /var?

As a whole, var is no more volatile than any other directory, although 
bits of it (like /var/run) are recreated at each boot. That said, your 
point about hier is well taken, and because most name servers will write 
out some files (even if it's just logs) then it was necessary to at 
least put the directories where files will be written on /var. 
Configurations that split volatile and non-volatile bits into seperate 
directories are possible, but IMO they are needlessly complicated. Also, 
different environments have different needs. In some environments master 
files are just as volatile as slaved files, so they need to be on /var 

Please also keep in mind that I actually USED this configuration in 
production on hundreds of name servers on a production enterprise 
network for years with a variety of different kinds of name servers, 
including authoritative, caching, forwarding, etc.

All that said, the defaults are just the defaults. The thing that people 
really need to keep in mind is that if you want to change it, you can.

> named_enable="YES"
> named_flags="-u bind -g bind -c /etc/named.conf"
> /etc/rc.conf and then do whatever you like under /var/named.

Um, no. First off, the -g option never did what people thought it did, 
and now does something entirely different in BIND 9. Also, if your 
config file is /etc/namedb/named.conf, it's pointless to specify it in 
named_flags, as that is the compiled in default.

> Some people want all of the zone files in one place, others want to use s/ 
> and /m (or slave/ and master/).  Zone file naming conventions also vary: some 
> append .rev and .db to zone files, some use just the former and not the 
> latter; etc.
> So long as the options support reasonable flexibility and do not break 
> backwards compatibility too much, any reasonable default is OK, and Doug as 
> maintainer is making a reasonable attempt to improve the security of a daemon 
> that many FreeBSD systems use.  Yay!


> I suppose the situation could be improved by having some shell script which 
> converts pre-chrooted named configs (at least the prior default config from 
> 4.x) into the new layout, perhaps by creating symlinks from the current 
> locations into the chroot tree under /var/named.

If anyone wants to come up with something like that, I'm all ears, 
however my guess is that the variety of input is so varied that such an 
undertaking would be pointless.



     This .signature sanitized for your protection

More information about the freebsd-current mailing list