From owner-freebsd-current@FreeBSD.ORG Mon Oct 4 20:22:25 2004
Delivered-To: freebsd-current@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A655016A4CE for ; Mon, 4 Oct 2004 20:22:25 +0000 (GMT)
Received: from rwcrmhc13.comcast.net (rwcrmhc13.comcast.net [204.127.198.39]) by mx1.FreeBSD.org (Postfix) with ESMTP id 9116043D1D for ; Mon, 4 Oct 2004 20:22:25 +0000 (GMT) (envelope-from DougB@freebsd.org)
Received: from ob.icann.org ([192.0.35.106]) by comcast.net (rwcrmhc13) with SMTP id <20041004202224015002hpg5e> (Authid: domain_name_tsar); Mon, 4 Oct 2004 20:22:25 +0000
Date: Mon, 4 Oct 2004 13:22:24 -0700 (PDT)
From: Doug Barton
To: Jose M Rodriguez
In-Reply-To: <200410021139.49551.freebsd@redesjm.local>
Message-ID: <20041004131742.A778@bo.vpnaa.bet>
References: <200410021033.37844.freebsd@redesjm.local> <20041002084741.GA55948@ip.net.ua> <200410021139.49551.freebsd@redesjm.local>
Organization: http://www.FreeBSD.org/
X-message-flag: Outlook -- Not just for spreading viruses anymore!
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
cc: freebsd-current@freebsd.org
Subject: Re: problems with latest bind9 setup changes
X-BeenThere: freebsd-current@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Discussions about the use of FreeBSD-current
X-List-Received-Date: Mon, 04 Oct 2004 20:22:25 -0000

FYI, freebsd-current@freebsd.org and current@freebsd.org are two aliases for the same list. There is no need to cc both.

On Sat, 2 Oct 2004, Jose M Rodriguez wrote:

> /usr/src/UPDATING
>
> - If enabled, the default is now to run named in a chroot
> + The default is now to run named in a chroot

I just committed an update to clarify that language.

> IMHO, this is not a good design. If you ask ten admins about the best named
> chrooted setup, you'll get, at least, twelve setups.
That's correct, although the one I committed was the one I used at Yahoo! on hundreds of name servers, and it is both thorough and effective. I "borrowed" the best ideas from various knowledgeable sources, and from my own extensive experience. Of course, if someone has better ideas, I'm open to them.

> Making strong support for a chrooted named is really needed. But moving the
> release default setup to a strong model on that is not.

I'm sorry, I don't understand this.

> I'd prefer a sandwich setup (named_flags="-u bind", named_chroot="")
> as release default.

Defaulting to using the chroot structure is a good change, and suitable for the vast majority of users. If you want something different, the knobs are there for you to twist. :)

Doug

-- 
This .signature sanitized for your protection