On Mon, 15 Dec 2014 08:20:38 +0100, <sthaug at nethelp.no> wrote:

> > > > It was a deliberate decision made by the maintainer. He said the
> > > > chroot code in the installation was too complicated and would be
> > > > removed as a part of the installation clean-up to get all BIND
> > > > related files out of /usr and /etc. I protested at the time as did
> > > > someone else, but the maintainer did not respond. I think this was
> > > > a really, really bad decision.
> > > >
> > > > I searched a bit for the thread on removing BIND leftovers, but
> > > > have failed to find it.
> > >
> > > You're probably thinking about my November 17 posting:
> > > http://lists.freebsd.org/pipermail/freebsd-stable/2013-November/075895.html
> > >
> > > I'm glad to see others finally speaking up; I was beginning to think
> > > I was the only one who thought this was not a good idea. I'm a bit
> > > surprised that no one has responded yet.
> >
> > I agree with the protesters here. Removing chroot and symlinking logic
> > in the ports is a significant disservice to FreeBSD users, and will
> > make it harder to use BIND in a sensible way. A net disincentive to
> > use FreeBSD :-(
>
> I have now installed my first 10.1 based name server. I had to spend
> some hours to recreate the changeroot environment that I had so easily
> available in FreeBSD up to 9.x.
>
> <rant>
> Removing the changeroot environment and symlinking logic is a net
> disservice to the FreeBSD community, and disincentive to use FreeBSD.
> </rant>
>
> Steinar Haug, Nethelp consulting, sthaug at nethelp.no

Isn't this reasoning a bit flawed? Something hurt you so you state it
is hurting a whole community.

I, for one, am glad the security updates of the Bind software are now
better maintainable across all FreeBSD versions.

NB: using a jail might give an easier to maintain secure environment
for bind than a chroot. With more restrictions to the process also.

Regards,
Ronald.
On Dec 15 10:47, Ronald Klop wrote:
> On Mon, 15 Dec 2014 08:20:38 +0100, <sthaug at nethelp.no> wrote:
> > <rant>
> > Removing the changeroot environment and symlinking logic is a net
> > disservice to the FreeBSD community, and disincentive to use FreeBSD.
> > </rant>
> >
> > Steinar Haug, Nethelp consulting, sthaug at nethelp.no
>
> Isn't this reasoning a bit flawed? Something hurt you so you state it
> is hurting a whole community.
>
> I, for one, am glad the security updates of the Bind software are now
> better maintainable across all FreeBSD versions.
> NB: using a jail might give an easier to maintain secure environment
> for bind than a chroot. With more restrictions to the process also.

I agree and in my case it improved things. I was using BIND from the
base system as an internet authoritative nameserver. It wasn't designed
for this and I should have been using the ports version at least. The
removal of BIND from the base made me look at its replacement, Unbound,
and from that it led me to NSD. So now I'm using both Unbound and NSD,
both in a chroot, and it's much more secure than BIND would have been in
my old configuration.

Sometimes being forced to make changes can bring improvements.

-- 
Matt
> > <rant>
> > Removing the changeroot environment and symlinking logic is a net
> > disservice to the FreeBSD community, and disincentive to use FreeBSD.
> > </rant>
> >
> > Steinar Haug, Nethelp consulting, sthaug at nethelp.no
>
> Isn't this reasoning a bit flawed? Something hurt you so you state it is
> hurting a whole community.
>
> I, for one, am glad the security updates of the Bind software are now
> better maintainable across all FreeBSD versions.

I don't see the connection between removing BIND from the base system
(I agree that this makes BIND updates better maintainable) and the
complete removal of the changeroot/symlink functionality.

> NB: using a jail might give an easier to maintain secure environment for
> bind than a chroot. With more restrictions to the process also.

Absolutely agree. However, that requires time to learn jails properly,
which I don't have right now. Thus *for me*, it would have been much
nicer if the BIND ports had kept the changeroot/symlink functionality
that (as far as I know) Doug Barton put in. I don't claim to speak for
anybody but myself :-)

Steinar Haug, Nethelp consulting, sthaug at nethelp.no
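Ronald's suggestion above, which Steinar agrees with, is to run BIND in a jail rather than a chroot so that the kernel, not a directory tree, restricts the process. As an added illustration that is not part of this thread and not code from the FreeBSD bind ports, the following POSIX sh script prints a jail.conf(5) stanza with the restrictions a nameserver jail can afford, and audits a stanza file for the permissive settings a nameserver does not need. The jail name ns1, the root /jails/ns1, the hostname ns1.example.net and the address 192.0.2.53 (RFC 5737 documentation range) are assumed placeholders; the parameter names are the real jail(8) parameters.

```shell
#!/bin/sh
# Added example, not from the thread or the FreeBSD bind ports: emit a
# jail.conf(5) stanza for a BIND jail and audit a stanza file for the
# permissive settings a nameserver does not need.

JAIL_NAME=ns1                 # assumed jail name
JAIL_ROOT=/jails/ns1          # assumed jail root directory
JAIL_HOST=ns1.example.net     # assumed hostname
JAIL_IP4=192.0.2.53           # constructed address (RFC 5737 documentation range)

# Print a jail.conf stanza. The allow.* parameters default to off, but
# spelling them out keeps the stanza self-documenting and auditable.
bind_jail_conf() {
    cat <<EOF
$JAIL_NAME {
    path = "$JAIL_ROOT";
    host.hostname = "$JAIL_HOST";
    ip4.addr = $JAIL_IP4;            # own address, not the host's stack
    exec.start = "/bin/sh /etc/rc";
    exec.stop = "/bin/sh /etc/rc.shutdown";
    mount.devfs;
    devfs_ruleset = 4;               # devfsrules_jail from /etc/defaults/devfs.rules
    securelevel = 2;                 # no kernel modules, no immutable-flag changes
    allow.raw_sockets = 0;           # named only needs UDP/TCP port 53
    allow.sysvipc = 0;
    allow.mount = 0;
    allow.chflags = 0;
    enforce_statfs = 2;
    children.max = 0;                # no nested jails
}
EOF
}

# Value of one parameter in a stanza file: "true" for the bare "param;"
# form, the text between "=" and ";" otherwise, empty if absent.
jconf_get() {   # $1 = file, $2 = parameter name
    sed -n \
        -e "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^;[:space:]]*\)[[:space:]]*;.*/\1/p" \
        -e "s/^[[:space:]]*$2[[:space:]]*;.*/true/p" "$1" | head -n 1
}

# Report permissive settings in a stanza file; the return value is the
# number of findings (0 means the stanza passed).
audit_jail_conf() {   # $1 = file
    f=$1
    n=0
    for p in allow.raw_sockets allow.sysvipc allow.mount allow.chflags; do
        v=$(jconf_get "$f" "$p")
        case "$v" in
            1|true) echo "FINDING: $p is enabled; a nameserver does not need it"
                    n=$((n + 1)) ;;
        esac
    done
    v=$(jconf_get "$f" securelevel)
    if [ -z "$v" ] || [ "$v" -lt 2 ]; then
        echo "FINDING: securelevel is '${v:-unset}'; use 2 or higher"
        n=$((n + 1))
    fi
    if grep -Eq '^[[:space:]]*ip[46][[:space:]]*=[[:space:]]*inherit' "$f"; then
        echo "FINDING: jail inherits the host network stack; set ip4.addr/ip6.addr"
        n=$((n + 1))
    fi
    return "$n"
}

# Stand-alone run: print the stanza, then audit it (expect no findings).
tmp=$(mktemp "${TMPDIR:-/tmp}/bindjail.XXXXXX")
bind_jail_conf | tee "$tmp"
audit_jail_conf "$tmp" || echo "findings: $?"
rm -f "$tmp"
```

On the host the stanza is appended to /etc/jail.conf, `jail_enable="YES"` goes in /etc/rc.conf, and `service jail start ns1` brings the jail up; the bind port is then installed inside the jail and enabled with `named_enable="YES"` in the jail's own /etc/rc.conf. The audit is deliberately strict about `ip4 = inherit`, since a jail sharing the host's stack can bind any host address, which is exactly the separation a nameserver jail is meant to provide.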