Date: Mon, 13 Nov 2017 15:38:04 -0500 From: Viktor Dukhovni <freebsd@dukhovni.org> To: freebsd-net@freebsd.org Subject: Re: chroot implementation of bind and kea Message-ID: <EE1C2891-A2C5-4CA8-9AD3-1C83DB5CB069@dukhovni.org> In-Reply-To: <DB6PR1001MB1238A4081466628B372B5176BB2B0@DB6PR1001MB1238.EURPRD10.PROD.OUTLOOK.COM> References: <DB6PR1001MB1238A4081466628B372B5176BB2B0@DB6PR1001MB1238.EURPRD10.PROD.OUTLOOK.COM>
> On Nov 13, 2017, at 3:14 PM, Dries Michiels <driesmp@hotmail.com> wrote:
>
> At the moment BIND's default chroot behavior is to move all necessary files to a directory specified in rc.conf as named_chrootdir.
> Afterwards the RC script creates a symlink from /usr/local/etc/namedb/ to the named_chrootdir so that config files etc. can still be modified from /usr/local/etc/ as that is where they belong.
> However, I find the chroot implementation of isc-dhcpd better. That is, instead of creating a symlink, copying the files over each time the program is (re)started.
> This has the additional benefit that if files in the chroot are compromised they get overwritten by the originals on service restart. Could this be implemented for BIND as well?
> Another little question regarding chroot, is it possible to make net/kea chrootable? There are currently no such options in the kea rc script.

One detail to keep in mind is that validating nameservers need to be able to make persistent updates to the root zone trust-anchor keys in accordance with RFC 5011. The root KSK will be updated some time next year and ideally periodically thereafter. So at least the root zone trust-anchor keys need to persist across restarts and not be reset to their initial state.

--
Viktor.
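Added example (not part of this thread, and not the FreeBSD rc script or BIND's own code): a copy-on-restart routine of the kind proposed above, written so that it re-copies config and zone files into the chroot on every start but leaves the RFC 5011 trust-anchor state alone. It assumes a hypothetical layout in which the master copies live under a source tree, the chroot mirrors that tree, and named keeps its managed-keys.bind in a working/ subdirectory (the file name is BIND's, the paths are placeholders). The demo function builds a scratch tree with constructed files, simulates one restart cycle in which named has rolled the anchor and a config file has been tampered with, and checks both properties.

```shell
#!/bin/sh
# Added example, not FreeBSD's rc script. Paths are hypothetical placeholders.
#
# refresh_chroot SRC CHROOT
#   SRC    master config tree, e.g. /usr/local/etc/namedb (placeholder)
#   CHROOT chroot root, e.g. /var/named (placeholder)
#
# Everything under SRC except working/ is rewritten into the chroot on every
# call, so a copy altered inside the chroot is replaced by the master on
# restart. working/ holds state owned by named: managed-keys.bind is where
# BIND records trust anchors it has rolled per RFC 5011, so it is seeded once
# and never overwritten.
refresh_chroot() {
    src=$1
    dst=$2/usr/local/etc/namedb
    mkdir -p "$dst/working"

    # 1. Re-copy config and zone files from the master tree.
    for f in "$src"/*; do
        [ -e "$f" ] || continue          # empty glob
        name=$(basename "$f")
        [ "$name" = working ] && continue # named's state dir, handled below
        if [ -d "$f" ]; then
            rm -rf "$dst/$name"
            cp -Rp "$f" "$dst/"
        else
            cp -p "$f" "$dst/"
        fi
    done

    # 2. Seed the trust-anchor state only when the chroot has none yet.
    #    After that named updates it in place and it must survive restarts.
    if [ ! -e "$dst/working/managed-keys.bind" ] &&
       [ -e "$src/working/managed-keys.bind" ]; then
        cp -p "$src/working/managed-keys.bind" "$dst/working/"
    fi
}

# demo_restart_cycle: constructed scenario, returns 0 if config files are
# restored from the master and the rolled trust anchor is preserved.
demo_restart_cycle() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/src/working" "$t/chroot"
    conf='options { directory "/usr/local/etc/namedb/working"; };'
    printf '%s\n' "$conf" > "$t/src/named.conf"
    printf '%s\n' 'initial-anchor' > "$t/src/working/managed-keys.bind"
    d=$t/chroot/usr/local/etc/namedb

    refresh_chroot "$t/src" "$t/chroot"          # first start: seeds state

    # Simulate named rolling the root KSK (RFC 5011) and someone editing
    # named.conf inside the chroot.
    printf '%s\n' 'rolled-anchor' > "$d/working/managed-keys.bind"
    printf '%s\n' 'tampered'      > "$d/named.conf"

    refresh_chroot "$t/src" "$t/chroot"          # restart

    rc=0
    [ "$(cat "$d/named.conf")" = "$conf" ] || rc=1           # config restored
    [ "$(cat "$d/working/managed-keys.bind")" = rolled-anchor ] || rc=1  # state kept
    rm -rf "$t"
    return $rc
}
```

The point of the split is that "copy everything over on restart" and "trust anchors must persist" are only in tension if the anchor file is treated as configuration; treating the working directory as named-owned state and seeding it once satisfies both.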