BIND chroot environment in 10-RELEASE...gone?

Michael Sinatra michael at rancid.berkeley.edu
Tue Dec 3 17:55:07 UTC 2013


On 12/3/13 7:58 AM, Royce Williams wrote:

> If so, that is a net negative for security.  Even if everyone running
> public-facing BIND knows how to chroot, it means more work -- and more
> potential implementation errors.

When I changed jobs back in 2011, moving from UC Berkeley to where I
could work with Kevin Oberman in ESnet, I was able to easily find my way
around ESnet's DNS servers, even though I had never really collaborated
directly with Kevin before.  That's because I had set up the servers at
UCB with minimal change to the base environment, and Kevin had done the
same, so it was really easy to hit the ground running.  It's also easy
to transfer knowledge.  I can see where FreeBSD consultants would really
want a consistent file layout and environment as they move between systems.

In addition to the work involved in simply migrating between 9.x and
10.x, the prospect of everyone rolling their own means that supporting
people trying to run major DNS servers on FreeBSD has just gotten a lot
harder.  It's definitely a security issue, as you note, but it also
presents a significant operational issue.

michael
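The thread's worry is that with the base-system chroot gone, every site builds its own named jail by hand, and hand-built jails are where mistakes creep in. The shell function below is an added example (not from the list post, the FreeBSD project, or the BIND port) of the kind of sanity check a practitioner would run over a hand-rolled tree before pointing named at it with -t. The layout it expects, etc/namedb with a named.conf and an etc/namedb/working directory for zone data, is an assumption modelled on the layout the old base-system chroot used; the function name and script name are hypothetical. Adjust the required paths to your own layout.

```shell
#!/bin/sh
# audit_named_chroot.sh -- sanity-check a hand-built named chroot tree.
# Hypothetical helper written for this example; not FreeBSD or ISC code.
# Assumed layout (based on the old /var/named base-system chroot):
#   $root/etc/namedb/named.conf   config, must NOT be writable by named
#   $root/etc/namedb/working      where named may write (journals, slaves)

# audit_named_chroot ROOT
# Prints each finding and returns 0 if the tree looks sane, 1 otherwise.
audit_named_chroot() {
    root=$1
    rc=0

    if [ ! -d "$root" ]; then
        echo "chroot root does not exist: $root"
        return 1
    fi

    # 1. Required entries must be present; a missing working dir is the
    #    classic "rolled my own chroot" mistake (named starts, then fails
    #    on the first zone transfer or journal write).
    for p in etc/namedb etc/namedb/named.conf etc/namedb/working; do
        if [ ! -e "$root/$p" ]; then
            echo "missing: $root/$p"
            rc=1
        fi
    done
    if [ -e "$root/etc/namedb/working" ] && [ ! -d "$root/etc/namedb/working" ]; then
        echo "not a directory: $root/etc/namedb/working"
        rc=1
    fi

    # 2. No setuid/setgid binaries inside the tree: a compromised named
    #    that can exec one gets root inside the chroot, and root can leave.
    bad=$(find "$root" -type f \( -perm -4000 -o -perm -2000 \))
    if [ -n "$bad" ]; then
        echo "setuid/setgid files inside chroot:"
        echo "$bad"
        rc=1
    fi

    # 3. Nothing world-writable (device nodes under dev/ excepted, since
    #    null and random are 0666 by design). A world-writable named.conf
    #    lets the unprivileged named user rewrite its own configuration.
    bad=$(find "$root" ! -path "$root/dev/*" ! -type l -perm -0002)
    if [ -n "$bad" ]; then
        echo "world-writable entries inside chroot:"
        echo "$bad"
        rc=1
    fi

    return $rc
}

# Usage: sh audit_named_chroot.sh /var/named
# (the chroot directory you pass to named -t or set as named_chrootdir)
if [ -n "$1" ]; then
    audit_named_chroot "$1"
fi
```

Run it as root against the real tree, since the permission checks only see what the invoking user can stat; the checks are deliberately conservative and say nothing about whether the device nodes are correct or whether named itself is configured sensibly.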



More information about the freebsd-stable mailing list