Re: New BIND 9 chroot directories

From: Charles Swiger <cswiger_at_mac.com>
Date: Mon, 4 Oct 2004 23:39:38 -0400
On Oct 4, 2004, at 10:48 PM, Makoto Matsushita wrote:
> [ ...hier compliance... ]  Yes, the named configuration file (I
> believe it is considered generally as important), master zone files
> (also important, at least for me), are located under "/var."
>
> So here's my question to all "running named with chroot sandobx"
> users: are you ok with such important file is under /var?

You raise a point that is worth considering.  FWIW, I was running 
nameservers with the config file at /etc/named.conf before the ability 
to chroot() was available.  However, the point can be answered in that 
it is entirely reasonable to have something like:

named_enable="YES"
named_flags="-u bind -g bind -c /etc/named.conf"

...in /etc/rc.conf and then do whatever you like under /var/named.

Some people want all of the zone files in one place, others want to use 
s/ and /m (or slave/ and master/).  Zone file naming conventions also 
vary: some append .rev and .db to zone files, some use just the former 
and not the latter; etc.

So long as the options support reasonable flexibility and do not break 
backwards compatibility too much, any reasonable default is OK, and 
Doug as maintainer is making a reasonable attempt to improve the 
security of a daemon that many FreeBSD systems use.  Yay!

I suppose the situation could be improved by having some shell script 
which converts pre-chrooted named configs (at least the prior default 
config from 4.x) into the new layout, perhaps by creating symlinks from 
the current locations into the chroot tree under /var/named.  Would 
something like that help address your concerns?

-- 
-Chuck
Received on Tue Oct 05 2004 - 01:39:43 UTC

This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:38:15 UTC