chroot implementation of bind and kea
Miroslav Lachman
000.fbsd at quip.cz
Mon Nov 13 21:02:15 UTC 2017
Viktor Dukhovni wrote on 2017/11/13 21:38:
>
>
>> On Nov 13, 2017, at 3:14 PM, Dries Michiels <driesmp at hotmail.com> wrote:
>>
>>
>> At the moment BIND's default chroot behavior is to move all necessary files to a directory specified in rc.conf as named_chrootdir.
>> Afterwards the RC script creates a symlink from /usr/local/etc/namedb/ to the named_chrootdir so that config files etc. can still be modified from /usr/local/etc/ as that is where they belong.
>> However, I find the chroot implementation of isc-dhcpd better. That is, instead of creating a symlink, it copies the files over each time the program is (re)started.
>> This has the additional benefit that if files in the chroot are compromised they get overwritten by the originals on service restart. Could this be implemented for BIND as well?
>> Another little question regarding chroot, is it possible to make net/kea chrootable? There are currently no such options in the kea rc script.
>
> One detail to keep in mind is that validating nameservers need to be
> able to make persistent updates to the root zone trust-anchor keys
> in accordance with RFC 5011. The root KSK will be updated some time next
> year and ideally periodically thereafter. So at least the root
> zone trust-anchor keys need to persist across restarts and not
> be reset to their initial state.
I think keys can be updated by updating the port or by some dedicated
periodic script. It seems safer to me.
Miroslav Lachman
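The two points in this thread, re-copying the configuration into the chroot on every (re)start so that a tampered copy is replaced, while leaving the RFC 5011 managed-keys state alone, can be combined in one rc-style routine. The script below is an added illustration written for this page; it is not FreeBSD's rc.d/named script nor anything from the thread. The directory layout under the temporary tree, the function names sync_chroot and demo, and the PERSIST list are assumptions; managed-keys.bind is BIND 9's default single-view managed-keys file name, and the .jnl variant is assumed alongside it.

```shell
#!/bin/sh
# Added example, not from the thread or from FreeBSD's rc scripts.
# sync_chroot SRC_DIR CHROOT_DIR
#   Re-copies every regular file under SRC_DIR into CHROOT_DIR on each call
#   (the isc-dhcpd style "populate on restart"), so an edited or tampered
#   copy inside the chroot is overwritten by the original. Files named in
#   PERSIST (relative paths) are left untouched once they exist in the
#   chroot: that is the RFC 5011 trust-anchor state named(8) rewrites itself,
#   which must not be reset to the shipped copy on restart.
# File names below are assumptions for illustration.
PERSIST="managed-keys.bind managed-keys.bind.jnl"

sync_chroot() {
    src="$1"; dst="$2"
    [ -d "$src" ] || { echo "sync_chroot: no such source $src" >&2; return 1; }
    mkdir -p "$dst"
    ( cd "$src" && find . -type f ) | while read -r f; do
        rel="${f#./}"
        keep=0
        for p in $PERSIST; do
            [ "$rel" = "$p" ] && keep=1
        done
        if [ "$keep" -eq 1 ] && [ -e "$dst/$rel" ]; then
            continue          # persistent key state: never overwrite
        fi
        mkdir -p "$dst/$(dirname "$rel")"
        cp -p "$src/$rel" "$dst/$rel"   # everything else: always restore
    done
}

# demo: simulate first start, tampering plus a key rollover inside the
# chroot, then a restart. Prints "<named.conf> <managed-keys.bind>" as
# found in the chroot afterwards. All paths and contents are constructed.
demo() {
    tmp=$(mktemp -d) || return 1
    sdir="$tmp/namedb"
    cdir="$tmp/chroot/usr/local/etc/namedb"
    mkdir -p "$sdir"
    printf 'original\n'     > "$sdir/named.conf"
    printf 'initial-keys\n' > "$sdir/managed-keys.bind"

    sync_chroot "$sdir" "$cdir"                          # first start
    printf 'tampered\n'    > "$cdir/named.conf"          # edited inside the chroot
    printf 'rolled-keys\n' > "$cdir/managed-keys.bind"   # named applied a KSK roll
    sync_chroot "$sdir" "$cdir"                          # restart

    printf '%s %s\n' "$(cat "$cdir/named.conf")" "$(cat "$cdir/managed-keys.bind")"
    rm -rf "$tmp"
}

demo
```

Running it prints `original rolled-keys`: the tampered named.conf is replaced by the copy outside the chroot, while the rolled trust anchors survive the restart. A persistent-file list is the minimal concession; the alternative is to point BIND's `directory` (and hence its managed-keys files) at a writable path that the copy step never touches.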