Date: Tue, 03 Dec 2013 09:55:03 -0800
From: Michael Sinatra <michael@rancid.berkeley.edu>
To: Royce Williams <royce@tycho.org>, stable@freebsd.org
Subject: Re: BIND chroot environment in 10-RELEASE...gone?
Message-ID: <529E1AF7.1090002@rancid.berkeley.edu>
In-Reply-To: <CA%2BE3k93XpRGr822YgNYFRPQPid9PucPYufgvUTV=jjirYR7gmg@mail.gmail.com>
References: <529D9CC5.8060709@rancid.berkeley.edu> <529DF7FA.7050207@passap.ru> <CA%2BE3k93XpRGr822YgNYFRPQPid9PucPYufgvUTV=jjirYR7gmg@mail.gmail.com>
On 12/3/13 7:58 AM, Royce Williams wrote:
> If so, that is a net negative for security. Even if everyone running
> public-facing BIND knows how to chroot, it means more work -- and more
> potential implementation errors.

When I changed jobs back in 2011, moving from UC Berkeley to where I could work with Kevin Oberman in ESnet, I was able to easily find my way around ESnet's DNS servers, even though I had never really collaborated directly with Kevin before. That's because I had set up the servers at UCB with minimal change to the base environment, and Kevin had done the same, so it was really easy to hit the ground running. It's also easy to transfer knowledge. I can see where FreeBSD consultants would really want a consistent file layout and environment as they move between systems.

In addition to the work involved in simply migrating between 9.x and 10.x, the prospect of everyone rolling their own means that supporting people trying to run major DNS servers on FreeBSD has just gotten a lot harder. It's definitely a security issue, as you note, but it also presents a significant operational issue.

michael