Date:      Mon, 13 Nov 2017 22:02:04 +0100
From:      Miroslav Lachman <000.fbsd@quip.cz>
To:        freebsd-net@freebsd.org
Subject:   Re: chroot implementation of bind and kea
Message-ID:  <5A0A084C.2000703@quip.cz>
In-Reply-To: <EE1C2891-A2C5-4CA8-9AD3-1C83DB5CB069@dukhovni.org>
References:  <DB6PR1001MB1238A4081466628B372B5176BB2B0@DB6PR1001MB1238.EURPRD10.PROD.OUTLOOK.COM> <EE1C2891-A2C5-4CA8-9AD3-1C83DB5CB069@dukhovni.org>

Viktor Dukhovni wrote on 2017/11/13 21:38:
>
>
>> On Nov 13, 2017, at 3:14 PM, Dries Michiels <driesmp@hotmail.com> wrote:
>>
>>
>> At the moment BIND's default chroot behavior is to move all necessary files to a directory specified in rc.conf as named_chrootdir.
>> Afterwards the RC script creates a symlink from /usr/local/etc/namedb/ to the named_chrootdir so that config files etc can still be modified from /usr/local/etc/ as that is where they belong.
>> However, I find the chroot implementation of isc-dhcpd better. That is, instead of creating a symlink, copying the files over each time the program is (re)started.
>> This has the additional benefit that if files in the chroot are compromised they get overwritten by the originals on service restart. Could this be implemented for BIND as well?
>> Another little question regarding chroot, is it possible to make net/kea chrootable? There are currently no such options in the kea rc script.
>
> One detail to keep in mind is that validating nameservers need to be
> able to make persistent updates to the root zone trust-anchor keys
> in accordance with RFC 5011.  The root KSK will be updated some time next
> year and ideally periodically thereafter.  So at least the root
> zone trust-anchor keys need to persist across restarts and not
> be reset to their initial state.

I think keys can be updated by updating the port or by some dedicated 
periodic script. It seems safer to me.

Miroslav Lachman
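The copy-on-every-start behaviour proposed above, combined with Viktor's caveat that the RFC 5011 managed-keys state must survive restarts, can be sketched as a small sh function. This is an added example, not the FreeBSD bind or isc-dhcpd rc script; the directory names, the sync_chroot/demo_sync function names and the sample named.conf and managed-keys contents are constructed for the demonstration, and the helper only shows the file-handling policy, not a complete rc.d script.

```shell
#!/bin/sh
# Added example (not the FreeBSD bind port's rc script): on each start, copy the
# configuration from the real config directory into the chroot, overwriting
# whatever is there, but never overwrite the managed-keys directory, because
# named rewrites it at runtime when the root trust anchor rolls (RFC 5011).

# sync_chroot SRCDIR DESTDIR
#   SRCDIR  is the authoritative config dir (e.g. /usr/local/etc/namedb)
#   DESTDIR is the same path inside the chroot (hypothetical layout)
sync_chroot() {
    src=$1
    dest=$2
    mkdir -p "$dest/managed-keys"
    # Regular files are copied unconditionally: a file that was modified
    # inside the chroot is replaced by the original on every restart.
    for f in "$src"/*; do
        [ -f "$f" ] || continue      # skips subdirectories, incl. managed-keys
        cp -p "$f" "$dest/"
    done
    # The managed-keys directory is only seeded on first run. Existing files
    # are left alone so the keys named has learned persist across restarts.
    for k in "$src"/managed-keys/*; do
        [ -f "$k" ] || continue
        b=$(basename "$k")
        [ -e "$dest/managed-keys/$b" ] || cp -p "$k" "$dest/managed-keys/"
    done
}

# demo_sync: simulate two restarts with constructed sample files and report
# whether a tampered config was restored and a rolled key file was kept.
demo_sync() {
    work=$(mktemp -d) || return 1
    src="$work/usr/local/etc/namedb"          # constructed stand-in path
    dest="$work/var/named/usr/local/etc/namedb" # constructed chroot path
    mkdir -p "$src/managed-keys"
    # Constructed sample content; the key material is a placeholder.
    printf 'options { directory "/usr/local/etc/namedb/working"; };\n' \
        > "$src/named.conf"
    printf 'managed-keys { "." initial-key 257 3 8 "PLACEHOLDER"; };\n' \
        > "$src/managed-keys/managed-keys.bind"

    sync_chroot "$src" "$dest"                 # first start

    # Runtime changes inside the chroot: an altered config and a managed-keys
    # file rewritten by named after a key rollover.
    printf 'options { recursion yes; allow-query { any; }; };\n' \
        > "$dest/named.conf"
    printf 'managed-keys { "." initial-key 257 3 8 "ROLLED"; };\n' \
        > "$dest/managed-keys/managed-keys.bind"

    sync_chroot "$src" "$dest"                 # restart

    if cmp -s "$src/named.conf" "$dest/named.conf"; then
        conf="config restored"
    else
        conf="config NOT restored"
    fi
    if grep -q ROLLED "$dest/managed-keys/managed-keys.bind"; then
        keys="managed-keys kept"
    else
        keys="managed-keys reset"
    fi
    rm -rf "$work"
    echo "$conf; $keys"
}

demo_sync
```

Running the script prints `config restored; managed-keys kept`: the overwritten named.conf is replaced by the original on the second start, while the managed-keys file that "named" rewrote is untouched. The same split (copy everything except the directory named writes to) is what any copy-based chroot setup for a validating resolver has to get right.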


