On Mon, Dec 15, 2014 at 8:24 PM, Chris H <bsd-lists at bsdforge.com> wrote:
> On Mon, 15 Dec 2014 08:20:38 +0100 (CET) sthaug at nethelp.no wrote
>
> > > > > It was a deliberate decision made by the maintainer. He said the
> > > > > chroot code in the installation was too complicated and would be
> > > > > removed as a part of the installation clean-up to get all BIND
> > > > > related files out of /usr and /etc. I protested at the time as did
> > > > > someone else, but the maintainer did not respond. I think this was
> > > > > a really, really bad decision.
> > > > >
> > > > > I searched a bit for the thread on removing BIND leftovers, but
> > > > > have failed to find it.
> > > > >
> > > >
> > > > You're probably thinking about my November 17 posting:
> > > >
> > > > http://lists.freebsd.org/pipermail/freebsd-stable/2013-November/075895.html
> > > >
> > > > I'm glad to see others finally speaking up; I was beginning to think
> > > > I was the only one who thought this was not a good idea. I'm a bit
> > > > surprised that no one has responded yet.
> > >
> > > I agree with the protesters here. Removing chroot and symlinking logic
> > > in the ports is a significant disservice to FreeBSD users, and will
> > > make it harder to use BIND in a sensible way. A net disincentive to
> > > use FreeBSD :-(
> >
> > I have now installed my first 10.1 based name server. I had to spend
> > some hours to recreate the changeroot environment that I had so easily
> > available in FreeBSD up to 9.x.
> >
> > <rant>
> > Removing the changeroot environment and symlinking logic is a net
> > disservice to the FreeBSD community, and disincentive to use FreeBSD.
> > </rant>
> In all fairness (is there even such a thing?);
> "Convenience" is a two-way street. For each person that thinks the BIND
> chroot(8) mtree(8) symlink(2) was a great "service", there are at *least*
> as many who feel differently. I chose to remove/disable the BIND, from
> BASE, some time ago, as it wasn't "convenient" to have to overcome/deal
> with the CVE/security issues. In the end, I was forced to re-examine some
> of the other resolvers, that ultimately, only proved to be better
> choice(s).
>
> Just sayin'
>
> --Chris
>
Please don't conflate issues. Moving BIND out of the base system is
something long overdue. I know that the longtime BIND maintainer, Doug B,
had long felt it should be removed. This has exactly NOTHING to do with
removing the default chroot installation. The ports were, by default,
installed chrooted. Jailed would have been better, but it was not something
that could be done in a port unless the jail had already been set up.
chroot is still vastly superior to not chrooted and I was very distressed
to see it go from the ports.
Disclaimer, since I retired I am no longer running a DNS server, so this
had no impact on me. I simply see it as an unfortunate regression.
--
Kevin Oberman, Network Engineer, Retired
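The "changeroot environment and symlinking logic" the thread mourns is easy to describe but easy to get subtly wrong when rebuilt by hand: named must be given paths as it will see them from inside the chroot, not host paths, and the host-side /etc/namedb symlink must point into the chroot rather than beside it. The script below is an added example, not code from this thread or from the FreeBSD base system; it builds a minimal chroot skeleton in the FreeBSD 9.x-style layout (chroot root at what would be /var/named, /etc/namedb symlinked into it; the rc.conf knobs that did this in 9.x, named_chrootdir and named_symlink_enable, are recalled from memory and not used here) under a caller-supplied root so it can be exercised unprivileged in a temporary directory. The config checker parses the directory and pid-file values out of named.conf and verifies each resolves inside the chroot, which catches the common mistake of writing host paths into the config.

```shell
#!/bin/sh
# Added example (not from the thread): build and sanity-check a minimal
# chroot skeleton for BIND's named, in the FreeBSD 9.x-style layout.
# $1 = chroot root (would be /var/named on a real host), $2 = host etc dir
# (would be /etc). Both are parameters so this runs unprivileged in a tmpdir.

build_named_chroot() {
    root="$1"
    etcdir="$2"
    # directories named needs inside the chroot: config, pid/dump/stats, dev
    mkdir -p "$root/etc/namedb" "$root/var/run/named" \
             "$root/var/dump" "$root/var/stats" "$root/dev"
    # minimal config; every path is as seen from INSIDE the chroot
    cat > "$root/etc/namedb/named.conf" <<'EOF'
options {
    directory "/etc/namedb";        // chroot-relative, not /var/named/etc/namedb
    pid-file  "/var/run/named/pid"; // likewise
};
EOF
    # host-side convenience symlink: /etc/namedb -> <chroot>/etc/namedb
    mkdir -p "$etcdir"
    rm -rf "$etcdir/namedb"
    ln -s "$root/etc/namedb" "$etcdir/namedb"
}

# Return 0 if named.conf's directory/pid-file paths resolve inside $root and
# the host symlink points into the chroot; 1 otherwise.
check_chroot_paths() {
    root="$1"
    etcdir="$2"
    conf="$root/etc/namedb/named.conf"
    [ -f "$conf" ] || return 1
    # extract key=value pairs for the two path options, stripping quotes and ';'
    for entry in $(awk '$1=="directory"||$1=="pid-file"{gsub(/[";]/,"",$2); print $1 "=" $2}' "$conf"); do
        key=${entry%%=*}
        path=${entry#*=}
        case "$path" in /*) ;; *) return 1 ;; esac    # must be absolute
        case "$path" in *..*) return 1 ;; esac         # no parent-dir escapes
        if [ "$key" = directory ]; then
            dir="$root$path"                           # the directory itself
        else
            dir=$(dirname "$root$path")                # pid-file's parent dir
        fi
        [ -d "$dir" ] || return 1                      # host path written by mistake
    done
    # the host-side symlink must resolve to somewhere under the chroot root
    target=$(readlink "$etcdir/namedb") || return 1
    case "$target" in
        "$root"/*) ;;
        *) return 1 ;;
    esac
    return 0
}

# Stand-alone demo in a throwaway directory.
demo=$(mktemp -d)
build_named_chroot "$demo/var/named" "$demo/etc"
if check_chroot_paths "$demo/var/named" "$demo/etc"; then
    echo "chroot skeleton at $demo/var/named passes checks"
else
    echo "chroot skeleton at $demo/var/named FAILS checks"
fi
rm -rf "$demo"
```

On a real host the same two functions would be called with /var/named and /etc, and the remaining work is what the old rc script did beyond this skeleton: copying or creating the device nodes named needs under dev/, chown'ing the writable directories to the unprivileged user named runs as, and starting named with its -t chroot option.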