From owner-freebsd-stable@FreeBSD.ORG Mon Dec 15 10:03:32 2014
Date: Mon, 15 Dec 2014 10:03:27 +0000
From: Matt Smith
To: Ronald Klop
Cc: freebsd-stable@freebsd.org
Subject: Re: BIND chroot environment in 10-RELEASE...gone?
Message-ID: <20141215100327.GE52267@xtaz.uk>
References: <20131203.223612.74719903.sthaug@nethelp.no> <20141215.082038.41648681.sthaug@nethelp.no>
User-Agent: Mutt/1.5.23 (2014-03-12)
List-Id: Production branch of FreeBSD source code

On Dec 15 10:47, Ronald Klop wrote:
>On Mon, 15 Dec 2014 08:20:38 +0100, wrote:
>>
>>Removing the changeroot environment and symlinking logic is a net
>>disservice to the FreeBSD community, and disincentive to use FreeBSD.
>>
>>
>>Steinar Haug, Nethelp consulting, sthaug@nethelp.no
>
>Isn't this reasoning a bit flawed? Something hurt you so you state it
>is hurting a whole community.
>
>I, for one, am glad the security updates of the Bind software are now
>better maintainable across all FreeBSD versions.
>NB: using a jail might give an easier to maintain secure environment
>for bind than a chroot. With more restrictions to the process also.

I agree, and in my case it improved things. I was using BIND from the base system as an internet authoritative nameserver. It wasn't designed for this and I should have been using the ports version at least. The removal of BIND from the base made me look at its replacement, Unbound, and from that it led me to NSD. So now I'm using both Unbound and NSD, both in a chroot, and it's much more secure than BIND would have been in my old configuration. Sometimes being forced to make changes can bring improvements.

-- 
Matt