Date:      Mon, 13 Nov 2017 22:02:04 +0100
From:      Miroslav Lachman <000.fbsd@quip.cz>
To:        freebsd-net@freebsd.org
Subject:   Re: chroot implementation of bind and kea
Message-ID:  <5A0A084C.2000703@quip.cz>
In-Reply-To: <EE1C2891-A2C5-4CA8-9AD3-1C83DB5CB069@dukhovni.org>
References:  <DB6PR1001MB1238A4081466628B372B5176BB2B0@DB6PR1001MB1238.EURPRD10.PROD.OUTLOOK.COM> <EE1C2891-A2C5-4CA8-9AD3-1C83DB5CB069@dukhovni.org>


Viktor Dukhovni wrote on 2017/11/13 21:38:
>
>
>> On Nov 13, 2017, at 3:14 PM, Dries Michiels <driesmp@hotmail.com> wrote:
>>
>>
>> At the moment BIND's default chroot behavior is to move all necessary files to a directory specified in rc.conf as named_chrootdir.
>> Afterwards the RC script creates a symlink from /usr/local/etc/namedb/ to the named_chrootdir so that config files etc can still be modified from /usr/local/etc/ as that is where they belong.
>> However, I find the chroot implementation of isc-dhcpd better. That is, instead of creating a symlink, copying the files over each time the program is (re)started.
>> This has the additional benefit that if files in the chroot are compromised they get overwritten by the originals on service restart. Could this be implemented for BIND as well?
>> Another little question regarding chroot, is it possible to make net/kea chrootable? There are currently no such options in the kea rc script.
>
> One detail to keep in mind is that validating nameservers need to be
> able to make persistent updates to the root zone trust-anchor keys
> in accordance with RFC 5011.  The root KSK will be updated some time next
> year and ideally periodically thereafter.  So at least the root
> zone trust-anchor keys need to persist across restarts and not
> be reset to their initial state.

I think keys can be updated by updating the port or by some dedicated 
periodic script. It seems safer to me.

Miroslav Lachman
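As an added illustration, not code from the thread, the BIND port, or the FreeBSD rc scripts: a POSIX sh sketch of the copy-on-every-start behaviour Dries asks for, combined with the persistence Viktor asks for. It refreshes the configuration files inside the chroot from the canonical tree on each start, so a tampered copy in the chroot is discarded, but seeds the RFC 5011 state file only once and never overwrites it afterwards. The directory layout (the chroot mirroring the canonical path, as the existing symlink implies), the file list, and the name managed-keys.bind for named's trust-anchor state are assumptions for the example; adjust them to the real installation.

```shell
#!/bin/sh
# Added example (not part of the FreeBSD rc scripts): refresh a BIND chroot
# from the canonical config directory on every start, the way the isc-dhcpd
# rc script copies its files, while leaving RFC 5011 trust-anchor state alone.
#
# Assumptions (not taken from the thread): the canonical tree is $1
# (e.g. /usr/local/etc/namedb), the chroot root is $2 (named_chrootdir), the
# chroot mirrors the canonical path underneath it, and named keeps its
# RFC 5011 state in managed-keys.bind inside that directory.

set -eu

# Configuration files: always reset from the canonical tree on start.
CONFIG_FILES="named.conf rndc.key"

# State files that named itself updates (RFC 5011 key rollovers); these must
# survive a restart and are therefore never overwritten once present.
STATE_FILES="managed-keys.bind"

sync_chroot() {
    s=$1; r=$2
    dest="$r$s"
    mkdir -p "$dest"
    for f in $CONFIG_FILES; do
        [ -f "$s/$f" ] || continue
        # Unconditional overwrite: a modified copy inside the chroot is lost.
        cp -p "$s/$f" "$dest/$f"
    done
    for f in $STATE_FILES; do
        # Seed from the canonical tree only if the chroot has no copy yet;
        # once named has written to it, the chroot copy is authoritative.
        if [ ! -f "$dest/$f" ] && [ -f "$s/$f" ]; then
            cp -p "$s/$f" "$dest/$f"
        fi
    done
}

# Self-contained demo on constructed temporary directories, so it runs
# without touching a real BIND installation. Returns 0 when the config was
# reset and the rolled key state was preserved across the second "start".
demo() {
    tmp=$(mktemp -d)
    src="$tmp/usr/local/etc/namedb"
    root="$tmp/chroot"
    mkdir -p "$src"
    echo 'options { directory "/usr/local/etc/namedb"; };' > "$src/named.conf"
    echo 'initial-root-ksk' > "$src/managed-keys.bind"

    sync_chroot "$src" "$root"                           # first start: seeds both files
    echo 'rolled-root-ksk' > "$root$src/managed-keys.bind"   # named performs an RFC 5011 rollover
    echo 'tampered' > "$root$src/named.conf"             # attacker edits config inside chroot
    sync_chroot "$src" "$root"                           # restart: config reset, key state kept

    conf=$(cat "$root$src/named.conf")
    keys=$(cat "$root$src/managed-keys.bind")
    rm -rf "$tmp"
    [ "$conf" != tampered ] && [ "$keys" = rolled-root-ksk ]
}

# Run the demo only when explicitly asked: sh sync_chroot.sh demo
if [ "${1:-}" = demo ]; then
    demo && echo "config reset, RFC 5011 state preserved"
fi
```

The split between CONFIG_FILES and STATE_FILES is the whole point: a blanket copy-on-start of the isc-dhcpd kind would reset managed-keys.bind to the keys shipped with the port, which is exactly the reset Viktor warns about. Anything named writes at runtime (managed keys, dynamic zone journals, slave zone files) belongs in the second list or outside the copied set.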

