From owner-freebsd-stable@FreeBSD.ORG Tue Dec 3 17:55:07 2013
Message-ID: <529E1AF7.1090002@rancid.berkeley.edu>
Date: Tue, 03 Dec 2013 09:55:03 -0800
From: Michael Sinatra
To: Royce Williams, stable@freebsd.org
Subject: Re: BIND chroot environment in 10-RELEASE...gone?
References: <529D9CC5.8060709@rancid.berkeley.edu> <529DF7FA.7050207@passap.ru>
List-Id: Production branch of FreeBSD source code

On 12/3/13 7:58 AM, Royce Williams wrote:
> If so, that is a net negative for security. Even if everyone running
> public-facing BIND knows how to chroot, it means more work -- and more
> potential implementation errors.

When I changed jobs back in 2011, moving from UC Berkeley to where I could work with Kevin Oberman in ESnet, I was able to easily find my way around ESnet's DNS servers, even though I had never really collaborated directly with Kevin before. That's because I had set up the servers at UCB with minimal change to the base environment, and Kevin had done the same, so it was really easy to hit the ground running. It's also easy to transfer knowledge. I can see where FreeBSD consultants would really want a consistent file layout and environment as they move between systems.

In addition to the work involved in simply migrating between 9.x and 10.x, the prospect of everyone rolling their own means that supporting people trying to run major DNS servers on FreeBSD has just gotten a lot harder. It's definitely a security issue, as you note, but it also presents a significant operational issue.

michael