From: Ian Smith <smithi@nimnet.asn.au>
To: Kevin Oberman
Cc: Warren Block, FreeBSD-STABLE Mailing List, sthaug@nethelp.no, Chris H
Date: Tue, 16 Dec 2014 20:17:21 +1100 (EST)
Subject: Re: BIND chroot environment in 10-RELEASE...gone?
Message-ID: <20141216193514.K68123@sola.nimnet.asn.au>
References: <20131203.223612.74719903.sthaug@nethelp.no> <20141215.082038.41648681.sthaug@nethelp.no>
List-Id: Production branch of FreeBSD source code (freebsd-stable@freebsd.org)

On Mon, 15 Dec 2014 22:12:45 -0800, Kevin Oberman wrote:
> On Mon, Dec 15, 2014 at 8:24 PM, Chris H wrote:
>
> > On Mon, 15 Dec 2014 08:20:38 +0100 (CET) sthaug@nethelp.no wrote
> > [..]
> > > Removing the changeroot environment and symlinking logic is a net
> > > disservice to the FreeBSD community, and a disincentive to use FreeBSD.
> >
> > In all fairness (is there even such a thing?);
> > "Convenience" is a two-way street. For each person that thinks
> > the BIND chroot(8) mtree(8) symlink(2) was a great "service", there
> > are at *least* as many who feel differently. I chose to remove/disable
> > the BIND from BASE some time ago, as it wasn't "convenient" to have
> > to overcome/deal with the CVE/security issues. In the end, I was forced
> > to re-examine some of the other resolvers, that ultimately only proved
> > to be better choice(s).
> >
> > Just sayin'
>
> Please don't conflate issues. Moving BIND out of the base system is
> something long overdue. I know that the longtime BIND maintainer, Doug B,
> had long felt it should be removed. This has exactly NOTHING to do with
> removing the default chroot installation. The ports were, by default,
> installed chrooted. Jailed would have been better, but it was not something
> that could be done in a port unless the jail had already been set up.
> chroot is still vastly superior to not chrooted and I was very distressed
> to see it go from the ports.
>
> Disclaimer, since I retired I am no longer running a DNS server, so this
> had no impact on me. I simply see it as an unfortunate regression.

Me too, which is why I was pleased to see Warren's excellent handbook
example of setting up BIND in a jail as well catering to that need:

https://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/jails-ezjail.html#jails-ezjail-example-bind

That's for a caching-only local resolver, but it's hardly a long jump to
extend that framework to an authoritative nameserver, BIND or otherwise.

Good docs are gold, and can sometimes compensate for notsogood policy :)

cheers, Ian