Date:      Tue, 16 Dec 2014 20:17:21 +1100 (EST)
From:      Ian Smith <smithi@nimnet.asn.au>
To:        Kevin Oberman <rkoberman@gmail.com>
Cc:        Warren Block <wblock@wonkity.com>, FreeBSD-STABLE Mailing List <freebsd-stable@freebsd.org>, "sthaug@nethelp.no" <sthaug@nethelp.no>, Chris H <bsd-lists@bsdforge.com>
Subject:   Re: BIND chroot environment in 10-RELEASE...gone?
Message-ID:  <20141216193514.K68123@sola.nimnet.asn.au>
In-Reply-To: <CAN6yY1uuj7Jj65zOsKZ=3Uk3y-E300BeyY=NA9iU%2B%2Bn5CKBqyg@mail.gmail.com>
References:  <CAN6yY1sVGiQFNkoi0mGZs7grJ5SMAui-rDO1e8UDAs0PTUVL9g@mail.gmail.com> <alpine.BSF.2.00.1312031407090.78399@roadkill.tharned.org> <20131203.223612.74719903.sthaug@nethelp.no> <20141215.082038.41648681.sthaug@nethelp.no> <e209e27f9eb42850326f5a4df458722b@ultimatedns.net> <CAN6yY1uuj7Jj65zOsKZ=3Uk3y-E300BeyY=NA9iU%2B%2Bn5CKBqyg@mail.gmail.com>

On Mon, 15 Dec 2014 22:12:45 -0800, Kevin Oberman wrote:
 > On Mon, Dec 15, 2014 at 8:24 PM, Chris H <bsd-lists@bsdforge.com> wrote:
 > 
 > > On Mon, 15 Dec 2014 08:20:38 +0100 (CET) sthaug@nethelp.no wrote
[..]
 > > > <rant>
 > > > Removing the changeroot environment and symlinking logic is a net
 > > > disservice to the FreeBSD community, and disincentive to use FreeBSD.
 > > > </rant>

 > > In all fairness (is there even such a thing?);
 > > "Convenience" is a two-way street. For each person that thinks
 > > the BIND chroot(8) mtree(8) symlink(2) was a great "service". There
 > > are at *least* as many whom feel differently. I chose to remove/disable
 > > the BIND, from BASE, some time ago. As it wasn't "convenient" to have
 > > to overcome/deal with the CVE/security issues. In the end, I was forced
 > > to re-examine some of the other resolvers, that ultimately, only proved
 > > to be better choice(s).
 > >
 > > Just sayin'

 > Please don't conflate issues. Moving BIND out of the base system is
 > something long overdue. I know that the longtime BIND maintainer, Doug B,
 > had long felt it should be removed. This has exactly NOTHING to do with
 > removing the default chroot installation. The ports were, by default
 > installed chrooted. Jailed would have been better, but it was not something
 > that could be done in a port unless the jail had already been set up.
 > chroot is still vastly superior to not chrooted and I was very distressed
 > to see it go from the ports.
 > 
 > Disclaimer, since I retired I am no longer running a DNS server, so this
 > had no impact on me. I simply see it as an unfortunate regression.

Me too, which is why I was pleased to see Warren's excellent handbook
example of setting up BIND in a jail as well, catering to that need:

https://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/jails-ezjail.html#jails-ezjail-example-bind

That's for a caching-only local resolver, but it's hardly a long jump to
extend that framework to an authoritative nameserver, BIND or otherwise.

Good docs are gold, and can sometimes compensate for notsogood policy :)

cheers, Ian
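The thread's complaint is that named can now end up running with a full view of the filesystem unless the administrator confines it. The following is an added example, not Ian's, Kevin's, or the handbook's code: a small POSIX sh audit that reads an rc.conf fragment and reports whether named is enabled and whether a chroot directory is configured for it. It assumes the rc.conf knobs `named_enable` and `named_chrootdir` as read by the FreeBSD named rc script (those names are not taken from the messages above), and the sample rc.conf fragments it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): audit an rc.conf fragment for whether
# named is enabled and whether it is configured to run inside a chroot.
# Assumption: the knobs named_enable and named_chrootdir are the ones the
# FreeBSD named rc script honours; they are not quoted from the message above.
set -u

# rc_value FILE KNOB: print the value of the LAST assignment of KNOB in FILE,
# with surrounding quotes stripped (last assignment wins when sh sources rc.conf).
rc_value() {
    sed -n "s/^[[:space:]]*$2=[\"']\{0,1\}\([^\"']*\)[\"']\{0,1\}.*/\1/p" "$1" | tail -n 1
}

# audit_named_rcconf FILE: print a one-line verdict and return
#   0  named enabled and a chroot directory is set
#   1  named enabled but no chroot directory (daemon sees the whole filesystem)
#   2  named not enabled in this file
audit_named_rcconf() {
    enable=$(rc_value "$1" named_enable)
    chrootdir=$(rc_value "$1" named_chrootdir)
    case "$(printf '%s' "$enable" | tr 'A-Z' 'a-z')" in
        yes|true|on|1) ;;
        *) echo "named not enabled"; return 2 ;;
    esac
    if [ -n "$chrootdir" ] && [ "$chrootdir" != "/" ]; then
        echo "named enabled, chroot=$chrootdir"
        return 0
    fi
    echo "FINDING: named enabled with no chroot configured"
    return 1
}

# write_samples CONFINED_FILE UNCONFINED_FILE: constructed rc.conf fragments
# used only to demonstrate the audit (not taken from any real host).
write_samples() {
    cat > "$1" <<'EOF'
hostname="ns1.example.test"
named_enable="YES"
named_chrootdir="/var/named"
EOF
    cat > "$2" <<'EOF'
named_enable="YES"
# no named_chrootdir here: named would run unconfined
EOF
}

# Stand-alone demo: sh audit.sh --demo
if [ "${1:-}" = "--demo" ]; then
    a=$(mktemp); b=$(mktemp)
    write_samples "$a" "$b"
    for f in "$a" "$b"; do
        audit_named_rcconf "$f" || echo "  (exit status $?)"
    done
    rm -f "$a" "$b"
fi
```

The audit deliberately treats an empty `named_chrootdir=""` the same as a missing knob, since an empty value is what disables the chroot in the rc script; the same check can be pointed at a jail's own rc.conf once the ezjail setup from the handbook page is in place.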
