BIND chroot environment in 10-RELEASE...gone?

Mark Andrews marka at isc.org
Tue Dec 3 21:16:20 UTC 2013


In message <529E179D.7030701 at rancid.berkeley.edu>, Michael Sinatra writes:
> On 12/3/13 7:25 AM, Boris Samorodov wrote:
> > 03.12.2013 12:56, Michael Sinatra :
> > 
> >> I am aware of the fact that unbound has "replaced" BIND in the base
> >> system, starting with 10.0-RELEASE.  What surprised me was recent
> >> commits to ports/dns/bind99 (and presumably other versions) that appear
> >> to take away the supported chroot capabilities.
> > 
> > /usr/ports/UPDATING has some info about the matter.
> > 
> 
> Indeed, I based my original post on the notice in /usr/ports/UPDATING.
> That's what surprised me, and also leads me to believe that it is not
> unintentional.  Back when this was discussed in 2012 there was no
> discussion that FreeBSD would be taking away the good support it has for
> BIND chroot.  I interpreted dougb's advice to "just install the port"
> such that the port will allow the operator of, say, authoritative DNS
> servers to upgrade to 10.x from 9.x and still maintain a reasonable
> upgrade path without a lot of file location gyrations.
> 
> Some impressive work has been done (mainly by des it appears) to
> integrate unbound with the base FreeBSD system.  At the same time, work
> is currently being done to make the job of BIND-on-FreeBSD sysadmins
> harder.  That doesn't match the neutral vibe that I got the last time
> that this was discussed publicly.  Basically the idea back in 2012
> appeared to be that we needed to stop integrating a major DNS server
> package because, to my understanding, it was a lot of work to maintain.

As far as I could tell it was a religious issue.

Named chooses to die whenever it detects an internal inconsistency,
be that failing to clear a pointer when calling a function or data
being inconsistent.  Since that causes the service to disappear it
leads to a high CVSS score and an advisory if it is triggered remotely.
Putting it under something like what Apple did with launchd drops the
CVSS score dramatically.

	 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
	 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:C)

The only difference is the Availability Impact between those two
scores.

ISC does ship a minimal nanny script in contrib but expects OS
integrators can do a better job, which Apple did.

Named itself is built and tested on FreeBSD boxes.  It doesn't need
to be modified to build on FreeBSD.  The occasional patches FreeBSD
came up with were integrated back into the code ISC ships so there
was no patching to be done when versions upgraded.

As for 9.9.x ESV, it will be supported to at least June 2017, which
is 5+ years from BIND 9.9.0, and 4 years after 9.9.x was announced
as the ESV series with BIND 9.9.3.

BIND 9.6 went ESV in Mar 2010 and will be EoL in Jan 2014.

BIND 9.10 is in alpha at the moment.

BIND 10 is still in development.

Mark

>  So we integrated a *different* major DNS server package.  I guess I
> don't understand the motivation.  (Note also that I have been working
> with BIND--mostly on FreeBSD--for the past 15 years, and unbound since
> the 0.6 release, so I pretty much understand the pros and cons between
> the two.)
> 
> I am not unhappy with all of the work that has been done to make unbound
> work, but I am unhappy that BIND has been crippled in a certain way.
> 
> I am going to put as many of the bits together as I can to see if I can
> recreate the chroot environment via a port on 10.0-RELEASE.  I'll also
> submit a PR.  But I agree with the others that this is not a good idea,
> and if I had known that the port would remove support for chroot, I
> would have vigorously protested the switch to unbound.
> 
> michael
> 
> _______________________________________________
> freebsd-stable at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-stable
> To unsubscribe, send any mail to "freebsd-stable-unsubscribe at freebsd.org"

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org

