F11 bind-chroot - a question?
Craig White
craigwhite at azapple.com
Sun Jun 14 17:39:14 UTC 2009
On Sun, 2009-06-14 at 09:52 -0400, Todd Zullinger wrote:
> Tom Horsley wrote:
> > Why not just *always* run bind chroot?
>
> I'm guessing it's because, in general, Fedora is moving away from
> chroot and toward SELinux to provide extra security for these sorts of
> services?
>
> > Have the files live in /var/named, then updates just update the one
> > and only copy in /var/named? If someone somewhere really and truly
> > doesn't want to run chroot, provide a --prefix option in named so he
> > can tell it the config files are relative to /var/named instead of
> > relative to /, but in any case the config files always live in one
> > and only one place.
>
> That sounds like it would entail a similar amount of extra work and
> chances for introducing bugs that the bind-chroot-admin script had.
> If the bind daemon really is only trusted by admins when it is in a
> chroot, it might be a good reason to look at alternative DNS server
> software. :)
>
> I don't personally have much interest in this, but if other folks do,
> I'm sure suggestions in patch form would be taken more seriously by
> the bind maintainers (preferably upstream).
----
I think that for backwards compatibility, they have always had a
separate package for bind-chroot but it does make sense to always run
that way.
Also, there is a long history of attacks on public DNS servers for so
many reasons and some of that is weaknesses in BIND software but much of
it owes to the value of the target itself. If you control the DNS
server, you control the domain(s) it serves.
I don't personally see how using a different DNS server package or
running SELinux is involved with the decisions of bind-chroot packaging
decisions.
Craig
--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
More information about the fedora-list
mailing list