BIND chroot environment in 10-RELEASE...gone?

Mark Felder feld at FreeBSD.org
Wed Dec 4 13:26:10 UTC 2013



On Wed, Dec 4, 2013, at 3:58, Erwin Lansing wrote:
> On Tue, Dec 03, 2013 at 12:56:37AM -0800, Michael Sinatra wrote:
> > I am aware of the fact that unbound has "replaced" BIND in the base
> > system, starting with 10.0-RELEASE.  What surprised me was recent
> > commits to ports/dns/bind99 (and presumably other versions) that appear
> > to take away the supported chroot capabilities.  OTOH, it appears that
> > unbound has been given these capabilities.
> > 
> > I have no issues with removing BIND from base, but taking away the very
> > robust chroot support that FreeBSD had for BIND is something I would
> > oppose.  I like the idea of leveling the playing field for users of
> > other systems, but the way things have been implemented thus far--taking
> > away functionality from BIND while preferring unbound--seems
> > counter-productive.  It doesn't really level the playing field, it just
> > turns it the other way.
> > 
> > It seems like it would be pretty easy to preserve the /etc/rc.d/named
> > startup script and BIND.chroot.dist from 9.x and add them to the BIND
> > ports, so that people who need to run a full-blown BIND installation can
> > "just install the port" as was advised back in 2012 when the
> > BIND/unbound change was first being discussed on -hackers.  What are the
> > obstacles to doing something like this?
> > 
> 
> It's not as simple as you describe, trust me I tried :-)
> 
> The one point people in this thread seem to be missing is why BIND
> should be treated differently than all the other DNS servers?  BIND may
> have a bad security reputation back from the 4 and 8 days, but do you
> really think that BIND9 is so much more insecure than say NSD or Knot
> that it needs special treatment in ports?  Or what about Apache for that
> matter?  If you really think that, a chroot really isn't going to help
> you much and what you really want is a jail(8).  What should be done is
> to create an easy way to do so, but for any port, not just one single port.
> I think we have all the tools available, so it is probably just a matter
> of writing some good documentation to add to the porters handbook,
> though to make it really easy might require some additions to the ports
> framework.
> 

This morning I was actually thinking about the true value of the chroot.
Breaking out of a chroot is not an impossible task; there have been many
PoCs over the years. Breaking out of a jail is a different and
intentionally more difficult matter. If this is a stance the project has,
we should probably make it a bit clearer and provide some configuration
and documentation reinforcing "chroots aren't safe; use a jail".
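Since the thread's conclusion is "use a jail(8), not a chroot", the following is a minimal jail.conf(5) for running a DNS server installed from ports inside a jail. It is an added example from the editor, not configuration from the thread or from the FreeBSD project; the jail root, hostname, addresses (RFC 5737/3849 documentation ranges) and log path are assumed placeholders.

```conf
# /etc/jail.conf on the host (added example, not from the thread).
# Parameters outside a jail block are defaults for every jail below.
exec.start = "/bin/sh /etc/rc";
exec.stop  = "/bin/sh /etc/rc.shutdown";
exec.clean;
mount.devfs;
devfs_ruleset = 4;   # devfsrules_jail: only the device nodes a jail needs

dns {
    # Assumed values: adjust the root directory, hostname and addresses.
    path          = "/usr/jails/dns";
    host.hostname = "dns.example.net";
    ip4.addr      = "192.0.2.53";
    ip6.addr      = "2001:db8::53";
    allow.raw_sockets = 0;   # the default; a nameserver does not need raw sockets
    exec.consolelog   = "/var/log/jail_dns.log";
}
```

The jail root is populated with a base system (installworld with DESTDIR set to the jail path, or bsdinstall's jail target), the dns/bind99 port is installed inside it, and named_enable="YES" goes in the jail's own /etc/rc.conf. named then runs as its unprivileged user with no -t chroot option at all: the boundary that matters is the jail's root and address set, which the kernel enforces on every path lookup and socket bind, rather than a chroot(2) that a root process inside can undo. On the host, jail_enable="YES" and jail_list="dns" in rc.conf let service jail start dns bring it up at boot, and the same jail.conf works unchanged for NSD, Knot or unbound, which is Erwin's point about not treating one port specially.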

