BIND chroot environment in 10-RELEASE...gone?
Ian Smith
smithi at nimnet.asn.au
Tue Dec 16 09:17:56 UTC 2014
On Mon, 15 Dec 2014 22:12:45 -0800, Kevin Oberman wrote:
> On Mon, Dec 15, 2014 at 8:24 PM, Chris H <bsd-lists at bsdforge.com> wrote:
>
> > On Mon, 15 Dec 2014 08:20:38 +0100 (CET) sthaug at nethelp.no wrote
[..]
> > > <rant>
> > > Removing the changeroot environment and symlinking logic is a net
> > > disservice to the FreeBSD community, and disincentive to use FreeBSD.
> > > </rant>
> > In all fairness (is there even such a thing?):
> > "Convenience" is a two-way street. For each person who thinks
> > the BIND chroot(8) mtree(8) symlink(2) was a great "service", there
> > are at *least* as many who feel differently. I chose to remove/disable
> > BIND from BASE some time ago, as it wasn't "convenient" to have
> > to overcome/deal with the CVE/security issues. In the end, I was forced
> > to re-examine some of the other resolvers, which ultimately only proved
> > to be better choice(s).
> >
> > Just sayin'
> Please don't conflate issues. Moving BIND out of the base system is
> something long overdue. I know that the longtime BIND maintainer, Doug B,
> had long felt it should be removed. This has exactly NOTHING to do with
> removing the default chroot installation. The ports were, by default
> installed chrooted. Jailed would have been better, but it was not something
> that could be done in a port unless the jail had already been set up.
> chroot is still vastly superior to not chrooted and I was very distressed
> to see it go from the ports.
>
> Disclaimer, since I retired I am no longer running a DNS server, so this
> had no impact on me. I simply see it as an unfortunate regression.
Me too, which is why I was pleased to see Warren's excellent handbook
example of setting up BIND in a jail as well catering to that need:
https://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/jails-ezjail.html#jails-ezjail-example-bind
That's for a caching-only local resolver, but it's hardly a long jump to
extend that framework to an authoritative nameserver, BIND or otherwise.
Good docs are gold, and can sometimes compensate for not-so-good policy :)
cheers, Ian