freebsd stable - Dec 2013 - BIND chroot environment in 10-RELEASE

Just a regular admin...

Personally I would prefer to NOT have python in base, hidden or otherwise.

I don't see BIND as being part of base anyway.  The LWR is sufficient for
base.  BIND is a service for other machines on the network.  Just like I
wouldn't want apache to be in base.

For example I'm installing FreeBSD on a laptop.  Do I really need BIND?
 Not really.  However when I build a server for a LAN, then I want to bring
in BIND, git, apache, etc...

If I have a one time migration of BIND in my migration from 9 to 10, so be
it.  I'm used to having to do *some* work on a major number upgrade after
all.  I'm happy to jail it and use the port vanilla.

I do agree this could have been managed better though.  This is not the
level of engineering I am used to from FreeBSD.  Having said that, the
level of engineering is, IMHO, far superior to most other OSs I've worked
with.

Thanks to all (past, present and future) who contribute to the effort.

In message <CAFPNf58F-YsZsOYc0BEqHcivFEtwWjvX83EWbvnUEjPpo4CXNA at
mail.gmail.com>, Lee Brown writes:
> Just a regular admin...
> 
> Personally I would prefer to NOT have python in base, hidden or otherwise.
> 
> I don't see BIND as being part of base anyway.  The LWR is sufficient
for
> base.  BIND is a service for other machines on the network.  Just like I
> wouldn't want apache to be in base.
Then you really do not understand BIND.
> For example I'm installing FreeBSD on a laptop.  Do I really need BIND?
> Not really.  However when I build a server for a LAN, then I want to bring
> in BIND, git, apache, etc...
Yes.  You need a validating resolver reachable over a secure channel.

Now one could argue about a desktop but anything mobile that connects
to random hot spots needs to do its own validation and until every
application that retrieves DNS data from the network that will
continue to be true.

	options {
		dnssec-validation auto;
		listen-on { 127.0.0.1; };
		listen-on-v6 { ::1; };
	};

Named has lots of options almost all of which don't need to be set.

	named -c /dev/null

makes a good recursive only resolver.  add

	options { dnssec-validation auto; }

and it becomes a good validating recursive only resolver.
> If I have a one time migration of BIND in my migration from 9 to 10, so be
> it.  I'm used to having to do *some* work on a major number upgrade
after
> all.  I'm happy to jail it and use the port vanilla.
> 
> I do agree this could have been managed better though.  This is not the
> level of engineering I am used to from FreeBSD.  Having said that, the
> level of engineering is, IMHO, far superior to most other OSs I've
worked
> with.
> 
> Thanks to all (past, present and future) who contribute to the effort.
> _______________________________________________
> freebsd-stable at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-stable
> To unsubscribe, send any mail to "freebsd-stable-unsubscribe at
freebsd.org"
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org