BIND chroot environment in 10-RELEASE...gone?

Matt Smith fbsd at xtaz.co.uk
Mon Dec 15 10:03:32 UTC 2014


On Dec 15 10:47, Ronald Klop wrote:
>On Mon, 15 Dec 2014 08:20:38 +0100, <sthaug at nethelp.no> wrote:
>><rant>
>>Removing the changeroot environment and symlinking logic is a net
>>disservice to the FreeBSD community, and disincentive to use FreeBSD.
>></rant>
>>
>>Steinar Haug, Nethelp consulting, sthaug at nethelp.no
>
>Isn't this reasoning a bit flawed? Something hurt you so you state it 
>is hurting a whole community.
>
>I, for one, am glad the security updates of the Bind software are now 
>better maintainable across all FreeBSD versions.
>NB: using a jail might give an easier to maintain secure environment 
>for bind than a chroot. With more restrictions to the process also.

I agree and in my case it improved things. I was using BIND from the 
base system as an internet authoritative nameserver. It wasn't designed 
for this and I should have been using the ports version at least. The 
removal of BIND from the base made me look at its replacement, Unbound, 
and from that it led me to NSD. So now I'm using both Unbound and NSD, 
both in a chroot, and it's much more secure than BIND would have been in 
my old configuration.

Sometimes being forced to make changes can bring improvements.

-- 
Matt
