Re: New BIND 9 chroot directories

From: Jose M Rodriguez <josemi_at_freebsd.jazztel.es>
Date: Tue, 5 Oct 2004 12:44:32 +0200
On Tuesday 05 October 2004 03:25, Doug Barton wrote:
> On Mon, 4 Oct 2004, Jose M Rodriguez wrote:
> > On Monday, 4 October 2004 22:10, Doug Barton wrote:
> >
> > Really good work.  But is this really needed?
> > I can't see why.
>
> Because running bind chrooted is considerably safer, and the defaults
> should be as safe as possible unless it is an inconvenience to the
> majority of our users. In this case you are arguing against the
> change because it is a temporary inconvenience to you. That's not a
> good enough reason. :)
>

That's not the question.  I'll make a last effort on this.

A) What I like. (fresh FreeBSD-5 BETA6).

- No /var/named in the tarballs
- No more support needed to src, src/etc, src/release ...
- /etc/defaults/rc.conf:
 named_enable="NO"
 named_flags="-u bind"
 named_chrootdir=""

In release notes:

 FreeBSD now has strong support for named operation in a chroot cage.
 To activate this:
  - make a directory for your chroot cage
  - add to your /etc/rc.conf file:
   named_chrootdir="<dir>"
   named_enable="YES"
  - and start the named service with:
   #/etc/rc.d/named start

B) What I'm nearly sure FreeBSD-5.3-RELEASE will have:

- A populated /var/named in the tarballs
- /etc/namedb as a symlink to /var/named/etc/namedb
- more support to src, src/etc, src/release
 + to make the /var/named thing
 + to permit not to make it
- /etc/defaults/rc.conf:
 named_enable="NO"
 named_flags="-u bind ..."
 named_chrootdir="/var/named"

In release notes

 FreeBSD now operates the DNS service by default in a chroot cage
 under /var/named.
 
 If you have any previous named setup in /var/named,  you must backup,
 adapt and restore it after upgrade.

 Default named operation is now controlled by ... and zone files must
 reside in ... with this default layout ...

 ...

The real differences are related to:

A)
 - /etc/rc.d/named:
 named_precmd()/chroot_autoupdate() may need more functionality:
  - not try to symlink /etc/namedb to /var/named/etc/named
  - populate ${named_chrootdir}/etc/namedb from /etc/namedb
  - generate default rev zone files.
 some knob to control this, in the way of ${named_chroot_autoupdate}

I must have other preferences about the chroot cage and other things.
But I think that is my personal problem.

What I'm trying to explain is that general transition to 
FreeBSD-5.3-RELEASE is better with A.

Also, I must agree fresh install may be better with B.

Well, all is now exposed.  This is your work and you must choose the way 
to go for the release.

> The entry in UPDATING already says, "If you are running a custom
> named config already, go look at the defaults." We expect users doing
> more advanced things to have more advanced skills. If they don't,
> they should probably use the defaults.
>
> As for your other message about names of directories, layouts, etc.,
> feel free to edit the BIND.chroot.dist mtree file, and you can have
> whatever you want. For that matter, edit /etc/rc.d/named if it will
> make you feel better. No one is "forcing" you to do anything. You
> have all the bits directly at hand, and the ability to do whatever
> you want with them.
>
> Enjoy,
>
> Doug

--
  josemi
Received on Tue Oct 05 2004 - 08:44:37 UTC

This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:38:15 UTC