From: Michael Sinatra
To: Boris Samorodov, stable@freebsd.org
Date: Tue, 03 Dec 2013 09:40:45 -0800
Subject: Re: BIND chroot environment in 10-RELEASE...gone?
Message-ID: <529E179D.7030701@rancid.berkeley.edu>
References: <529D9CC5.8060709@rancid.berkeley.edu> <529DF7FA.7050207@passap.ru>
In-Reply-To: <529DF7FA.7050207@passap.ru>
List-Id: Production branch of FreeBSD source code

On 12/3/13 7:25 AM, Boris Samorodov wrote:
> 03.12.2013 12:56, Michael Sinatra writes:
>
>> I am aware of the fact that unbound has "replaced" BIND in the base
>> system, starting with 10.0-RELEASE. What surprised me was recent
>> commits to ports/dns/bind99 (and presumably other versions) that appear
>> to take away the supported chroot capabilities.
>
> /usr/ports/UPDATING has some info about the matter.
>

Indeed, I based my original post on the notice in /usr/ports/UPDATING. That's what surprised me, and also leads me to believe that it is not unintentional. Back when this was discussed in 2012 there was no discussion that FreeBSD would be taking away the good support it has for BIND chroot. I interpreted dougb's advice to "just install the port" such that the port will allow the operator of, say, authoritative DNS servers to upgrade to 10.x from 9.x and still maintain a reasonable upgrade path without a lot of file location gyrations.

Some impressive work has been done (mainly by des, it appears) to integrate unbound with the base FreeBSD system. At the same time, work is currently being done to make the job of BIND-on-FreeBSD sysadmins harder. That doesn't match the neutral vibe that I got the last time that this was discussed publicly.

Basically the idea back in 2012 appeared to be that we needed to stop integrating a major DNS server package because, to my understanding, it was a lot of work to maintain. So we integrated a *different* major DNS server package. I guess I don't understand the motivation. (Note also that I have been working with BIND--mostly on FreeBSD--for the past 15 years, and unbound since the 0.6 release, so I pretty much understand the pros and cons between the two.)

I am not unhappy with all of the work that has been done to make unbound work, but I am unhappy that BIND has been crippled in a certain way. I am going to put as many of the bits together as I can to see if I can recreate the chroot environment via a port on 10.0-RELEASE. I'll also submit a PR. But I agree with the others that this is not a good idea, and if I had known that the port would remove support for chroot, I would have vigorously protested the switch to unbound.

michael