From: Dries Michiels
To: freebsd-net@freebsd.org
Subject: chroot implementation of bind and kea
Date: Mon, 13 Nov 2017 20:14:09 +0000
List-Id: Networking and TCP/IP with FreeBSD

Dear net mailing list,

At the moment BIND's default chroot behavior is to move all necessary files to a directory specified in rc.conf as named_chrootdir. Afterwards the RC script creates a symlink from /usr/local/etc/namedb/ to the named_chrootdir so that config files etc. can still be modified from /usr/local/etc/, as that is where they belong.

However, I find the chroot implementation of isc-dhcpd better. That is, instead of creating a symlink, it copies the files over each time the program is (re)started. This has the additional benefit that if files in the chroot are compromised, they get overwritten by the originals on service restart. Could this be implemented for BIND as well?

Another little question regarding chroot: is it possible to make net/kea chrootable? There are currently no such options in the kea rc script.

With regards,
Dries
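The copy-on-start behaviour the message prefers, as an added example that is not part of the original post and is not the FreeBSD rc.d code for named, isc-dhcpd or kea: a POSIX sh function that copies a fixed list of configuration files from their canonical directory into the chroot on every start, plus a check that the copies inside the chroot still match the originals. The directory layout, file names and file contents in the demo are constructed for the example.

```sh
#!/bin/sh
# Added example, not the FreeBSD rc.d script: refresh a service's chroot
# from the canonical configuration directory on every (re)start so that a
# tampered copy inside the chroot is overwritten by the original.
# Paths, file names and contents below are assumptions for the demo.

# sync_chroot_files SRC_DIR CHROOT_DIR FILE...
# Copies each FILE (relative to SRC_DIR) into CHROOT_DIR, creating parent
# directories and preserving mode and mtime. Existing copies are replaced.
sync_chroot_files() {
    src="$1"; dst="$2"; shift 2
    for f in "$@"; do
        mkdir -p "$dst/$(dirname "$f")" || return 1
        cp -p "$src/$f" "$dst/$f" || return 1
    done
    return 0
}

# chroot_files_match SRC_DIR CHROOT_DIR FILE...
# Returns 0 only if every listed file inside the chroot is byte-identical
# to its original; usable as a post-start integrity check.
chroot_files_match() {
    src="$1"; dst="$2"; shift 2
    for f in "$@"; do
        cmp -s "$src/$f" "$dst/$f" || return 1
    done
    return 0
}

# demo_refresh: builds a throwaway layout, tampers with the copy inside the
# chroot, resyncs as a restart would, and confirms the tampered copy is
# gone. Prints "ok" and returns 0 on success.
demo_refresh() {
    tmp=$(mktemp -d) || return 1
    src_dir="$tmp/etc/namedb"          # assumed canonical location
    cdir="$tmp/chroot/etc/namedb"      # assumed chroot location
    mkdir -p "$src_dir" || return 1
    printf 'options { directory "/etc/namedb"; };\n' > "$src_dir/named.conf"
    printf 'key "rndc-key" { algorithm hmac-sha256; secret "AAAA"; };\n' > "$src_dir/rndc.key"
    chmod 600 "$src_dir/rndc.key"

    # First start: populate the chroot.
    sync_chroot_files "$src_dir" "$cdir" named.conf rndc.key || return 1

    # Simulate an attacker editing the copy inside the chroot.
    printf 'options { recursion yes; allow-recursion { any; }; };\n' > "$cdir/named.conf"
    if chroot_files_match "$src_dir" "$cdir" named.conf rndc.key; then
        return 1   # the tampered copy must be detected as different
    fi

    # Restart: the resync overwrites the tampered copy with the original.
    sync_chroot_files "$src_dir" "$cdir" named.conf rndc.key || return 1
    chroot_files_match "$src_dir" "$cdir" named.conf rndc.key || return 1

    rm -rf "$tmp"
    echo ok
    return 0
}

demo_refresh
```

Two caveats a practitioner would add to the post's argument: the copy only restores the files on the list, so anything an attacker created inside the chroot beyond those files survives a restart unless the chroot is rebuilt from scratch, and the scheme depends on the originals outside the chroot being writable only by root, since a compromised original is copied in just as faithfully as a clean one.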