Date: Tue, 3 Dec 2013 06:58:15 -0900 From: Royce Williams <royce@tycho.org> To: stable@freebsd.org Subject: Re: BIND chroot environment in 10-RELEASE...gone? Message-ID: <CA%2BE3k93XpRGr822YgNYFRPQPid9PucPYufgvUTV=jjirYR7gmg@mail.gmail.com> In-Reply-To: <529DF7FA.7050207@passap.ru> References: <529D9CC5.8060709@rancid.berkeley.edu> <529DF7FA.7050207@passap.ru>
next in thread | previous in thread | raw e-mail | index | archive | help
On Tue, Dec 3, 2013 at 6:25 AM, Boris Samorodov <bsam@passap.ru> wrote:
>
> 03.12.2013 12:56, Michael Sinatra =D0=BF=D0=B8=D1=88=D0=B5=D1=82:
>
> > I am aware of the fact that unbound has "replaced" BIND in the base
> > system, starting with 10.0-RELEASE. What surprised me was recent
> > commits to ports/dns/bind99 (and presumably other versions) that appear=
s
> > to take away the supported chroot capabilities.
>
> /usr/ports/UPDATING has some info about the matter.
Specifically, 20131112 says:
All bind9 ports have been updated to support FreeBSD 10.x after
BIND was removed from the base system. It is now self-contained
in ${PREFIX}/etc/namedb, and chroot and symlinking options are
no longer supported out of the box.
Does that mean that those options now need to be manually configured
by each team running BIND?
If so, that is a net negative for security. Even if everyone running
public-facing BIND knows how to chroot, it means more work -- and more
potential implementation errors.
Royce
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CA%2BE3k93XpRGr822YgNYFRPQPid9PucPYufgvUTV=jjirYR7gmg>