HEADS UP: named now runs chroot'ed by default

Tillman Hodgson tillman at seekingfire.com
Wed Oct 6 10:36:11 PDT 2004


On Tue, Oct 05, 2004 at 05:11:16PM -0700, Doug Barton wrote:
> On Thu, 30 Sep 2004, Tillman Hodgson wrote:
> 
> >How does chroot and NFS interact?
> 
> It is theoretically possible, but I would not do it for performance and 
> reliability reasons. If you are doing something useful with named on a 
> real network you will have enough variables that you cannot control 
> which will make your life difficult, I personally would not want to add 
> more pain to the mix that could be avoided. :)
> 
> If you want to share configs, share data, etc; then rsync, scp, etc. are 
> your friends. When I was at Yahoo! we had all the essential files in a 
> central CVS repo and I used makefiles with various targets to push them 
> out to the servers. This made updates, replication, installation, etc. 
> very easy with almost no room for error, and no external dependencies 
> other than the network and power for the individual name server.

I was using NFS not for sharing between machines but rather to add a bit
of security and convenience: a host compromise on the named box could
not modify the files (RO export), yet an internal client could update
the zone file easily (ssh/kerberized telnet to the file server in
question and edit the file) and a rndc reload would update the named.

I can move away from that model easily enough, I just need to actually
make a plan to do so. If NFS and chroot are unhappy bedfellows, I'll do
so :-)

-T


-- 
"If knowledge creates problems, ignorance will not solve them"
    -- Isaac Asimov.
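The push model Doug describes (zones kept centrally, pushed to the server and reloaded), as an added shell example that is not code from the thread or from FreeBSD; NS_HOST, the chroot base and the zone directory are assumptions:

```shell
#!/bin/sh
# Added example, not from the thread: push a zone file from a central repo
# to a chroot'ed named, validating it locally first and refusing to push a
# zone whose SOA serial does not advance past the live copy.
# NS_HOST, CHROOT and ZONEDIR are assumptions; adjust for your layout.

NS_HOST=${NS_HOST:-ns1.example.org}      # assumed name server
CHROOT=${CHROOT:-/var/named}             # assumed chroot base on NS_HOST
ZONEDIR=etc/namedb/master                # zone directory relative to the chroot

# Print the SOA serial of the zone file read on stdin. Comments are stripped
# and the record flattened so the multi-line "( ... )" form and the one-line
# form are both handled: the serial is the third token after "SOA".
soa_serial() {
    sed 's/;.*//' | tr -d '()' | tr '\n' ' ' |
        awk '{ for (i = 1; i <= NF; i++) if ($i == "SOA") { print $(i+3); exit } }'
}

# Succeed only if the candidate serial ($2) is strictly greater than the live
# serial ($1); otherwise slaves will never notice the change after the reload.
serial_advances() {
    [ "$2" -gt "$1" ] 2>/dev/null
}

# Check syntax, compare serials with the copy already on the server, rsync the
# file into the chroot and ask named to reload just that zone.
push_zone() {
    zone=$1; src=$2
    named-checkzone -q "$zone" "$src" || { echo "$zone: named-checkzone failed" >&2; return 1; }
    new=$(soa_serial < "$src")
    old=$(ssh "$NS_HOST" cat "$CHROOT/$ZONEDIR/$zone" 2>/dev/null | soa_serial)
    if [ -n "$old" ] && ! serial_advances "$old" "$new"; then
        echo "$zone: serial $new does not advance live serial $old" >&2
        return 1
    fi
    rsync -a "$src" "$NS_HOST:$CHROOT/$ZONEDIR/$zone" || return 1
    ssh "$NS_HOST" rndc reload "$zone"
}

# Usage: ./pushzone.sh example.org zones/example.org
if [ $# -eq 2 ]; then
    push_zone "$1" "$2"
fi
```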


More information about the freebsd-current mailing list