From owner-freebsd-net@freebsd.org  Mon Nov 13 21:02:15 2017
Return-Path: <owner-freebsd-net@freebsd.org>
Delivered-To: freebsd-net@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id 887C8DD5B37
 for <freebsd-net@mailman.ysv.freebsd.org>;
 Mon, 13 Nov 2017 21:02:15 +0000 (UTC)
 (envelope-from SRS0=iVBU=CL=quip.cz=000.fbsd@elsa.codelab.cz)
Received: from elsa.codelab.cz (elsa.codelab.cz [94.124.105.4])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id 5014D7E1F4
 for <freebsd-net@freebsd.org>; Mon, 13 Nov 2017 21:02:14 +0000 (UTC)
 (envelope-from SRS0=iVBU=CL=quip.cz=000.fbsd@elsa.codelab.cz)
Received: from elsa.codelab.cz (localhost [127.0.0.1])
 by elsa.codelab.cz (Postfix) with ESMTP id 50A5128416
 for <freebsd-net@freebsd.org>; Mon, 13 Nov 2017 22:02:06 +0100 (CET)
Received: from illbsd.quip.test (ip-86-49-16-209.net.upcbroadband.cz
 [86.49.16.209])
 (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
 (No client certificate requested)
 by elsa.codelab.cz (Postfix) with ESMTPSA id A37ED2840C
 for <freebsd-net@freebsd.org>; Mon, 13 Nov 2017 22:02:04 +0100 (CET)
Subject: Re: chroot implementation of bind and kea
To: freebsd-net@freebsd.org
References: <DB6PR1001MB1238A4081466628B372B5176BB2B0@DB6PR1001MB1238.EURPRD10.PROD.OUTLOOK.COM>
 <EE1C2891-A2C5-4CA8-9AD3-1C83DB5CB069@dukhovni.org>
From: Miroslav Lachman <000.fbsd@quip.cz>
Message-ID: <5A0A084C.2000703@quip.cz>
Date: Mon, 13 Nov 2017 22:02:04 +0100
User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:42.0) Gecko/20100101
 Firefox/42.0 SeaMonkey/2.39
MIME-Version: 1.0
In-Reply-To: <EE1C2891-A2C5-4CA8-9AD3-1C83DB5CB069@dukhovni.org>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.25
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-net>,
 <mailto:freebsd-net-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-net/>
List-Post: <mailto:freebsd-net@freebsd.org>
List-Help: <mailto:freebsd-net-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-net>,
 <mailto:freebsd-net-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Nov 2017 21:02:15 -0000

Viktor Dukhovni wrote on 2017/11/13 21:38:
>
>
>> On Nov 13, 2017, at 3:14 PM, Dries Michiels <driesmp@hotmail.com> wrote:
>>
>>
>> At the moment BINDS’s default chroot behavior is to move all necessary files to a directory specified in rc.conf as named_chrootdir.
>> Afterwards the RC script creates a symlink from /usr/local/etc/namedb/ to the named_chrootdir so that config files etc can still be modified from /usr/local/etc/ as that is where they belong.
>> However, I find the chroot implementation of isc-dhcpd better. That is, instead of creating a symlink, copying the files over each time the program is (re)started.
>> This has the additional benefit that if files in the chroot are compromised they get overwritten by the originals on service restart. Could this be implemented for BIND as well?
>> Another little question regarding chroot, is it possible to make net/kea chrootable? There are currently no such options in the kea rc script.
>
> One detail to keep in mind is that validating nameservers need to be
> able to make persistent updates to the root zone trust-anchor keys
> in accordance RFC 5011.  The root KSK will be updated some time next
> year and ideally periodically there-after.  So at least the root
> zone trust-anchor keys need to persist across restarts and not
> be reset to their initial state.

I think keys can be updated by updating the port or by some dedicated 
periodic script. It seems safer to me.

Miroslav Lachman