Date: Mon, 15 Dec 2014 10:03:27 +0000
From: Matt Smith <fbsd@xtaz.co.uk>
To: Ronald Klop <ronald-lists@klop.ws>
Cc: freebsd-stable@freebsd.org
Subject: Re: BIND chroot environment in 10-RELEASE...gone?
Message-ID: <20141215100327.GE52267@xtaz.uk>
In-Reply-To: <op.xqwlh6utkndu52@ronaldradial.radialsg.local>
References: <CAN6yY1sVGiQFNkoi0mGZs7grJ5SMAui-rDO1e8UDAs0PTUVL9g@mail.gmail.com>
 <alpine.BSF.2.00.1312031407090.78399@roadkill.tharned.org>
 <20131203.223612.74719903.sthaug@nethelp.no>
 <20141215.082038.41648681.sthaug@nethelp.no>
 <op.xqwlh6utkndu52@ronaldradial.radialsg.local>

On Dec 15 10:47, Ronald Klop wrote:
>On Mon, 15 Dec 2014 08:20:38 +0100, <sthaug@nethelp.no> wrote:
>><rant>
>>Removing the changeroot environment and symlinking logic is a net
>>disservice to the FreeBSD community, and disincentive to use FreeBSD.
>></rant>
>>
>>Steinar Haug, Nethelp consulting, sthaug@nethelp.no
>
>Isn't this reasoning a bit flawed? Something hurt you so you state it
>is hurting a whole community.
>
>I, for one, am glad the security updates of the Bind software are now
>better maintainable across all FreeBSD versions.
>NB: using a jail might give an easier to maintain secure environment
>for bind than a chroot. With more restrictions to the process also.

I agree and in my case it improved things. I was using BIND from the
base system as an internet authoritative nameserver. It wasn't designed
for this and I should have been using the ports version at least.

The removal of BIND from the base made me look at its replacement,
Unbound, and from that it led me to NSD. So now I'm using both Unbound
and NSD, both in a chroot, and it's much more secure than BIND would
have been in my old configuration.

Sometimes being forced to make changes can bring improvements.

-- 
Matt