From owner-freebsd-current@FreeBSD.ORG Tue Oct 5 10:44:37 2004
From: Jose M Rodriguez
To: Doug Barton
cc: freebsd-current@freebsd.org
cc: Jose M Rodriguez
Date: Tue, 5 Oct 2004 12:44:32 +0200
Subject: Re: New BIND 9 chroot directories
Message-Id: <200410051244.33780.freebsd@redesjm.local>
In-Reply-To: <20041004181933.H96420@bo.vpnaa.bet>
References: <4160259A.3070708@FreeBSD.org> <200410042343.19211.freebsd@redesjm.local> <20041004181933.H96420@bo.vpnaa.bet>
User-Agent: KMail/1.7
List-Id: Discussions about the use of FreeBSD-current
On Tuesday 05 October 2004 03:25, Doug Barton wrote:
> On Mon, 4 Oct 2004, Jose M Rodriguez wrote:
> > On Monday, 4 October 2004 22:10, Doug Barton wrote:
> >
> > Really good work. But is this really needed?
> > I can't see why.
>
> Because running bind chrooted is considerably safer, and the defaults
> should be as safe as possible unless it is an inconvenience to the
> majority of our users. In this case you are arguing against the
> change because it is a temporary inconvenience to you. That's not a
> good enough reason. :)
>

That's not the question. I'll make a last effort on this.

A) What I like (fresh FreeBSD-5 BETA6).

- No /var/named in the tarballs
- No more support needed in src, src/etc, src/release ...
- /etc/defaults/rc.conf:
    named_enable="NO"
    named_flags="-u bind"
    named_chrootdir=""

In release notes:

  FreeBSD now has strong support for named operation in a chroot cage.
  To activate this:
  - make a directory for your chroot cage
  - add to your /etc/rc.conf file:
      named_chrootdir=""
      named_enable="YES"
  - and start the named service with:
      #/etc/rc.d/named start

B) What I'm nearly sure FreeBSD-5.3-RELEASE will have:

- A populated /var/named in the tarballs
- /etc/namedb as a symlink to /var/named/etc/namedb
- more support in src, src/etc, src/release
  + to make the /var/named thing
  + to permit not making it
- /etc/defaults/rc.conf:
    named_enable="NO"
    named_flags="-u bind ..."
    named_chrootdir="/var/named"

In release notes:

  FreeBSD now operates the dns service by default in a chroot cage
  under /var/named.
  If you have any previous named setup in /var/named, you must back it
  up, adapt it and restore it after the upgrade.
  Default named operation is now controlled by ... and zone files must
  reside in ... with this default layout ...
  ...

The real differences are related to:

A)
- /etc/rc.d/named: named_precmd()/chroot_autoupdate() may need more
  functionality.
  - not try to symlink /etc/namedb to /var/named/etc/named
  - populate ${named_chrootdir}/etc/namedb from /etc/namedb
  - generate default rev zone files.
  some knob to control this, in the way of ${named_chroot_autoupdate}

I must have other preferences about the chroot cage and other things.
But I think that is my personal problem.

What I'm trying to explain is that the general transition to
FreeBSD-5.3-RELEASE is better with A. Also, I must agree a fresh
install may be better with B.

Well, all is now exposed. This is your work and you must choose the way
to go for the release.

> The entry in UPDATING already says, "If you are running a custom
> named config already, go look at the defaults." We expect users doing
> more advanced things to have more advanced skills. If they don't,
> they should probably use the defaults.
>
> As for your other message about names of directories, layouts, etc.,
> feel free to edit the BIND.chroot.dist mtree file, and you can have
> whatever you want. For that matter, edit /etc/rc.d/named if it will
> make you feel better. No one is "forcing" you to do anything. You
> have all the bits directly at hand, and the ability to do whatever
> you want with them.
>
> Enjoy,
>
> Doug

--
josemi
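As an added example (not the FreeBSD rc.d/named script and not code from anyone in this thread), the following POSIX sh script does the option A steps by hand: make the cage, populate ${named_chrootdir}/etc/namedb from /etc/namedb, and build the "-u bind" / "-t cage" flags that named is started with. The list of directories created under the cage and the helper names are this example's own assumptions. It also adds the check a practitioner wants before starting a chrooted named: nothing under the cage's etc/namedb may be writable by the unprivileged user, because a named that can rewrite its own named.conf inside the cage gains back much of what the chroot was meant to take away.

```shell
#!/bin/sh
# Added example, not the FreeBSD rc.d/named script: build a named chroot
# cage as option A in the message describes. Both paths are parameters so
# the functions can be exercised against a scratch directory; the set of
# directories under the cage is this example's assumption.

# populate_named_chroot CAGE SRC_NAMEDB
# Create the cage layout and copy the existing config tree into it.
# Returns 1 on bad arguments or when a step fails.
populate_named_chroot() {
    cage="$1"
    src="$2"
    [ -n "$cage" ] && [ -n "$src" ] || return 1
    [ -d "$src" ] || return 1
    # Static config lives under etc/namedb; the dirs named writes to
    # (pid file, dumps, statistics) live under var/.
    for d in etc/namedb var/run var/dump var/stats; do
        mkdir -p "$cage/$d" || return 1
    done
    # Copy the whole config tree (named.conf, master/, slave/, ...).
    cp -R "$src"/. "$cage/etc/namedb/" || return 1
    # The config tree must not be writable by the user named runs as
    # (-u bind): a writable named.conf in the cage lets a compromised
    # named rewrite its own configuration. In a real install etc/namedb
    # is root-owned and only the var/ dirs belong to bind; chown is
    # skipped here so the example runs unprivileged.
    chmod -R go-w "$cage/etc/namedb" || return 1
    return 0
}

# check_named_chroot CAGE
# Returns 1 if the cage lacks the directories named needs or if anything
# under etc/namedb is group- or world-writable.
check_named_chroot() {
    cage="$1"
    [ -d "$cage/etc/namedb" ] && [ -d "$cage/var/run" ] || return 1
    bad=$(find "$cage/etc/namedb" \( -perm -020 -o -perm -002 \) -print | head -n 1)
    [ -z "$bad" ] || return 1
    return 0
}

# named_flags_for CAGE
# Print the flags the rc script would pass: -u bind always, -t only when
# a cage is configured (an empty named_chrootdir means "no chroot").
named_flags_for() {
    flags="-u bind"
    [ -n "$1" ] && flags="$flags -t $1"
    printf '%s\n' "$flags"
}

# Usage: sh this_script.sh /var/named /etc/namedb
if [ "$#" -eq 2 ]; then
    populate_named_chroot "$1" "$2" && check_named_chroot "$1" && named_flags_for "$1"
fi
```

The check deliberately looks only at write bits, not ownership, so it works when run as an ordinary user against a scratch cage; on a real system the same find run as root, after the chown to bind of the var/ directories, is the assertion worth keeping in a pre-start hook.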