On Monday, 25 April 2016, <jaso...@mail-central.com> wrote:

> On Mon, Apr 25, 2016, at 10:58 AM, Matthew Pounsett wrote:
> > It's not clear to me why one would want to destroy/rebuild the chroot every
> > time you restart the process.
>
> Well, here
>
> (1) Because I inherited it this way, and
> (2) The notes' quoted examples did that too, and
> (3) I'd not yet gotten any/good advice NOT to (security?)

Unless you have a clear reason to do it (perhaps there's some security consideration I haven't thought of) it seems to me it's unnecessary complexity that would lead to problems just like this.

> TBH, I'm not even sure whether "these days", chroot is still recommended.
> AppArmor or Docker instead? Is privsep taken care of in current bind so we
> don't have to worry about it anymore (e.g., the openntpd vs ntpd case)?
> I'm not clear on it.

Although BIND 9 has never had a remote code execution exploit that I'm aware of, it's still advisable to run it in a chroot environment.
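The disagreement above is between tearing the chroot down and rebuilding it on every restart, and keeping one persistent jail that is verified before named starts. As an added example (not code from this thread, from ISC or from the BIND distribution), here is a POSIX sh pre-start check that validates an existing jail instead of rebuilding it: the directories named expects, the config file, the character-device nodes, and anything world-writable inside the tree. The layout used (etc/, var/run/named, var/cache/bind, dev/null, dev/random) is one common convention and is an assumption; the function name check_named_chroot and the default root /var/named/chroot are mine, not BIND's.

```shell
#!/bin/sh
# Sanity-check an existing BIND chroot before starting named, instead of
# destroying and rebuilding it on every restart. Added example, not code
# from the thread or from ISC. The directory layout below is one common
# convention and an assumption; adjust the paths to match your build.

# check_named_chroot ROOT
# Prints one line per problem on stdout; returns 0 only if none were found.
check_named_chroot() {
    root=$1
    problems=0

    if [ ! -d "$root" ]; then
        printf 'chroot root is not a directory: %s\n' "$root"
        return 1
    fi

    # Directories named expects to find inside the jail (assumed layout).
    for d in etc var/run/named var/cache/bind dev; do
        if [ ! -d "$root/$d" ]; then
            printf 'missing directory: %s/%s\n' "$root" "$d"
            problems=$((problems + 1))
        fi
    done

    # With "named -t ROOT", /etc/named.conf is resolved inside the jail.
    if [ ! -f "$root/etc/named.conf" ]; then
        printf 'missing config: %s/etc/named.conf\n' "$root"
        problems=$((problems + 1))
    fi

    # Device nodes named uses inside the jail; they must be character
    # devices created with mknod, not plain files left behind by a copy.
    for node in null random; do
        if [ ! -c "$root/dev/$node" ]; then
            printf 'missing or not a character device: %s/dev/%s\n' "$root" "$node"
            problems=$((problems + 1))
        fi
    done

    # Nothing in the jail should be world-writable, apart from the device
    # nodes themselves (normally mode 666) and symlinks (mode is meaningless).
    ww_list=$(find "$root" ! -type c ! -type l -perm -o+w 2>/dev/null || true)
    if [ -n "$ww_list" ]; then
        printf '%s\n' "$ww_list" | while IFS= read -r f; do
            printf 'world-writable: %s\n' "$f"
        done
        ww_count=$(printf '%s\n' "$ww_list" | wc -l | tr -d ' ')
        problems=$((problems + ww_count))
    fi

    [ "$problems" -eq 0 ]
}

# Stand-alone use: ./check_named_chroot.sh [ROOT]; the exit status is the
# result, so a service manager can refuse to start named on failure.
if [ "${0##*/}" = "check_named_chroot.sh" ]; then
    check_named_chroot "${1:-/var/named/chroot}"
fi
```

Run it as a pre-start step and only start `named -t /var/named/chroot` when it exits 0; `named-checkconf -t /var/named/chroot /etc/named.conf` then validates the configuration as named will see it from inside the jail. Both `-t` options are BIND's own; the check function is not. Ownership rules (run-time directories owned by the named user, everything else owned by root) differ between distributions and are left for the reader to add.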
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users