From: Royce Williams
Date: Tue, 3 Dec 2013 06:58:15 -0900
Subject: Re: BIND chroot environment in 10-RELEASE...gone?
To: stable@freebsd.org

On Tue, Dec 3, 2013 at 6:25 AM, Boris Samorodov wrote:
>
> 03.12.2013 12:56, Michael Sinatra writes:
>
> > I am aware of the fact that unbound has "replaced" BIND in the base
> > system, starting with 10.0-RELEASE. What surprised me was recent
> > commits to ports/dns/bind99 (and presumably other versions) that appear
> > to take away the supported chroot capabilities.
>
> /usr/ports/UPDATING has some info about the matter.

Specifically, 20131112 says:

    All bind9 ports have been updated to support FreeBSD 10.x after BIND
    was removed from the base system. It is now self-contained in
    ${PREFIX}/etc/namedb, and chroot and symlinking options are no longer
    supported out of the box.

Does that mean that those options now need to be manually configured by
each team running BIND? If so, that is a net negative for security.
Even if everyone running public-facing BIND knows how to chroot, it
means more work -- and more potential implementation errors.

Royce