Date:      Tue, 3 Dec 2013 14:14:01 -0600 (CST)
From:      Greg Rivers <gcr+freebsd-stable@tharned.org>
To:        Kevin Oberman <rkoberman@gmail.com>
Cc:        freebsd-stable@freebsd.org
Subject:   Re: BIND chroot environment in 10-RELEASE...gone?
Message-ID:  <alpine.BSF.2.00.1312031407090.78399@roadkill.tharned.org>
In-Reply-To: <CAN6yY1sVGiQFNkoi0mGZs7grJ5SMAui-rDO1e8UDAs0PTUVL9g@mail.gmail.com>
References:  <529D9CC5.8060709@rancid.berkeley.edu> <529DF7FA.7050207@passap.ru> <CA+E3k93XpRGr822YgNYFRPQPid9PucPYufgvUTV=jjirYR7gmg@mail.gmail.com> <1386086749.9599.54995173.6CD35E54@webmail.messagingengine.com> <CAN6yY1sVGiQFNkoi0mGZs7grJ5SMAui-rDO1e8UDAs0PTUVL9g@mail.gmail.com>

On Tue, 3 Dec 2013, Kevin Oberman wrote:

> On Tue, Dec 3, 2013 at 8:05 AM, Mark Felder <feld@freebsd.org> wrote:
>
>> On Tue, Dec 3, 2013, at 9:58, Royce Williams wrote:
>>> On Tue, Dec 3, 2013 at 6:25 AM, Boris Samorodov <bsam@passap.ru> wrote:
>>>>
>>>> 03.12.2013 12:56, Michael Sinatra writes:
>>>>
>>>>> I am aware of the fact that unbound has "replaced" BIND in the base 
>>>>> system, starting with 10.0-RELEASE.  What surprised me was recent 
>>>>> commits to ports/dns/bind99 (and presumably other versions) that 
>>>>> appear to take away the supported chroot capabilities.
>>>>
>>>> /usr/ports/UPDATING has some info about the matter.
>>>
>>>
>>> Specifically, 20131112 says:
>>>
>>>   All bind9 ports have been updated to support FreeBSD 10.x after
>>>   BIND was removed from the base system.  It is now self-contained
>>>   in ${PREFIX}/etc/namedb, and chroot and symlinking options are
>>>   no longer supported out of the box.
>>>
>>> Does that mean that those options now need to be manually configured 
>>> by each team running BIND?
>>>
>>> If so, that is a net negative for security.  Even if everyone running 
>>> public-facing BIND knows how to chroot, it means more work -- and more 
>>> potential implementation errors.
>>>
>>
>> I had not seen that UPDATING entry... I assume that due to shortage of 
>> time by the maintainer and the urgency to just get the port working it 
>> has been discarded for now. You could try adding the features back to 
>> the port and seeing if the maintainer accepts them. Unfortunately I 
>> don't have any inside information to assist you further.
>>
>
> It was a deliberate decision made by the maintainer. He said the chroot 
> code in the installation was too complicated and would be removed as a 
> part of the installation clean-up to get all BIND related files out of 
> /usr and /etc. I protested at the time as did someone else, but the 
> maintainer did not respond. I think this was a really, really bad 
> decision.
>
> I searched a bit for the thread on removing BIND leftovers, but have 
> failed to find it.
>

You're probably thinking about my November 17 posting: 
http://lists.freebsd.org/pipermail/freebsd-stable/2013-November/075895.html

I'm glad to see others finally speaking up; I was beginning to think I was 
the only one who thought this was not a good idea.  I'm a bit surprised 
that no one has responded yet.

-- 
Greg Rivers
From owner-freebsd-stable@FreeBSD.ORG  Tue Dec  3 21:16:20 2013
To: Michael Sinatra <michael@rancid.berkeley.edu>
From: Mark Andrews <marka@isc.org>
References: <529D9CC5.8060709@rancid.berkeley.edu>
 <529DF7FA.7050207@passap.ru> <529E179D.7030701@rancid.berkeley.edu>
Subject: Re: BIND chroot environment in 10-RELEASE...gone?
In-reply-to: Your message of "Tue, 03 Dec 2013 09:40:45 -0800."
 <529E179D.7030701@rancid.berkeley.edu>
Date: Wed, 04 Dec 2013 08:16:06 +1100
Message-Id: <20131203211606.F2E17B100EB@rock.dv.isc.org>
Cc: stable@freebsd.org, Boris Samorodov <bsam@passap.ru>


In message <529E179D.7030701@rancid.berkeley.edu>, Michael Sinatra writes:
> On 12/3/13 7:25 AM, Boris Samorodov wrote:
> > 03.12.2013 12:56, Michael Sinatra :
> > 
> >> I am aware of the fact that unbound has "replaced" BIND in the base
> >> system, starting with 10.0-RELEASE.  What surprised me was recent
> >> commits to ports/dns/bind99 (and presumably other versions) that
> >> appear to take away the supported chroot capabilities.
> > 
> > /usr/ports/UPDATING has some info about the matter.
> > 
> 
> Indeed, I based my original post on the notice in /usr/ports/UPDATING.
> That's what surprised me, and also leads me to believe that it is not
> unintentional.  Back when this was discussed in 2012 there was no
> discussion that FreeBSD would be taking away the good support it has for
> BIND chroot.  I interpreted dougb's advice to "just install the port"
> such that the port will allow the operator of, say, authoritative DNS
> servers to upgrade to 10.x from 9.x and still maintain a reasonable
> upgrade path without a lot of file location gyrations.
> 
> Some impressive work has been done (mainly by des it appears) to
> integrate unbound with the base FreeBSD system.  At the same time, work
> is currently being done to make the job of BIND-on-FreeBSD sysadmins
> harder.  That doesn't match the neutral vibe that I got the last time
> that this was discussed publicly.  Basically the idea back in 2012
> appeared to be that we needed to stop integrating a major DNS server
> package because, to my understanding, it was a lot of work to maintain.

As far as I could tell it was a religious issue.

Named chooses to die whenever it detects an internal inconsistency,
be that failing to clear a pointer when calling a function or data
being inconsistent.  Since that causes the service to disappear it
leads to a high CVSS score and an advisory if it triggered remotely.
Putting it into something like Apple did with launchd drops the
CVSS score dramatically.

	 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
	 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:C)

The only difference is the Availability Impact between those two
scores.

ISC does ship a minimal nanny script in contrib but expects OS
integrators can do a better job which Apple did.

Named itself is built and tested on FreeBSD boxes.  It doesn't need
to be modified to build on FreeBSD.  The occasional patches FreeBSD
came up with were integrated back into the code ISC ships so there
was no patching to be done when versions upgraded.

As for 9.9.x ESV it will be supported to at least June 2017, which
is 5+ years from BIND 9.9.0, and 4 years after 9.9.x was announced
as the ESV series with BIND 9.9.3.

BIND 9.6 went ESV in Mar 2010 and will be EoL in Jan 2014.

BIND 9.10 is in alpha at the moment.

BIND 10 is still in development.

Mark

>  So we integrated a *different* major DNS server package.  I guess I
> don't understand the motivation.  (Note also that I have been working
> with BIND--mostly on FreeBSD--for the past 15 years, and unbound since
> the 0.6 release, so I pretty much understand the pros and cons between
> the two.)
> 
> I am not unhappy with all of the work that has been done to make unbound
> work, but I am unhappy that BIND has been crippled in a certain way.
> 
> I am going to put as many of the bits together as I can to see if I can
> recreate the chroot environment via a port on 10.0-RELEASE.  I'll also
> submit a PR.  But I agree with the others that this is not a good idea,
> and if I had known that the port would remove support for chroot, I
> would have vigorously protested the switch to unbound.
> 
> michael
> 
> _______________________________________________
> freebsd-stable@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-stable
> To unsubscribe, send any mail to "freebsd-stable-unsubscribe@freebsd.org"

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
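Mark's point above, that only the Availability Impact metric separates the two scores, can be checked directly against the CVSS v2 base equations. The calculator below is an added example for this archive page, not code from the thread, from ISC or from the FreeBSD project; it implements the CVSS v2 base formula and metric weights as published by FIRST (assumed here, not taken from the page), scores the two vectors quoted in the message, and rescores a remotely triggerable crash under the assumption that a supervisor such as launchd or ISC's nanny script restarts the daemon, so that a complete loss of availability (A:C) becomes a partial one (A:P).

```python
"""CVSS v2 base-score calculator (added example, not part of the thread).

Implements the CVSS v2 base equations and metric weights from the FIRST
specification.  Run as a script to score the two vectors quoted in
Mark Andrews' message.
"""
import re

# Metric weights from the CVSS v2 specification (assumed, not from the page).
WEIGHTS = {
    "AV": {"L": 0.395, "A": 0.646, "N": 1.0},    # Access Vector
    "AC": {"H": 0.35, "M": 0.61, "L": 0.71},     # Access Complexity
    "Au": {"M": 0.45, "S": 0.56, "N": 0.704},    # Authentication
    "C": {"N": 0.0, "P": 0.275, "C": 0.660},     # Confidentiality Impact
    "I": {"N": 0.0, "P": 0.275, "C": 0.660},     # Integrity Impact
    "A": {"N": 0.0, "P": 0.275, "C": 0.660},     # Availability Impact
}

# A v2 base vector always lists the six metrics in this order.
VECTOR_RE = re.compile(r"^AV:[LAN]/AC:[HML]/Au:[MSN]/C:[NPC]/I:[NPC]/A:[NPC]$")


def parse_vector(vector: str) -> dict:
    """Split a CVSS v2 base vector such as 'AV:N/AC:L/Au:N/C:N/I:N/A:P'
    into an ordered metric -> value mapping, rejecting malformed input."""
    vector = vector.strip().strip("()")
    if not VECTOR_RE.match(vector):
        raise ValueError(f"not a CVSS v2 base vector: {vector!r}")
    return dict(part.split(":") for part in vector.split("/"))


def cvss2_base(vector: str) -> float:
    """Return the CVSS v2 base score (rounded to one decimal) for a vector."""
    m = parse_vector(vector)
    c, i, a = (WEIGHTS[k][m[k]] for k in ("C", "I", "A"))
    # Impact sub-score: 10.41 * (1 - (1-C)(1-I)(1-A))
    impact = 10.41 * (1 - (1 - c) * (1 - i) * (1 - a))
    # Exploitability sub-score: 20 * AV * AC * Au
    exploitability = (20 * WEIGHTS["AV"][m["AV"]]
                      * WEIGHTS["AC"][m["AC"]] * WEIGHTS["Au"][m["Au"]])
    # f(Impact) is 0 when there is no impact at all, else 1.176
    f_impact = 0.0 if impact == 0 else 1.176
    score = ((0.6 * impact) + (0.4 * exploitability) - 1.5) * f_impact
    return round(score, 1)


def supervised_score(vector: str) -> float:
    """Rescore a crash bug on the assumption that the daemon is restarted
    automatically by a supervisor: a complete availability loss (A:C)
    becomes a partial one (A:P).  All other metrics are left unchanged."""
    m = parse_vector(vector)
    if m["A"] == "C":
        m["A"] = "P"
    return cvss2_base("/".join(f"{k}:{v}" for k, v in m.items()))


if __name__ == "__main__":
    # The two vectors quoted in the message: a remote, unauthenticated
    # crash with complete versus partial availability impact.
    crash = "AV:N/AC:L/Au:N/C:N/I:N/A:C"
    for v in (crash, "AV:N/AC:L/Au:N/C:N/I:N/A:P"):
        print(f"{cvss2_base(v):4.1f}  {v}")
    print(f"{supervised_score(crash):4.1f}  {crash} with automatic restart")
```

The calculator only models the base metrics; the temporal and environmental groups that a vendor or operator might also apply are left out because the message discusses base scores only.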
