Re: F11 bind-chroot - a question?

On Sun, 2009-06-14 at 09:52 -0400, Todd Zullinger wrote:
> Tom Horsley wrote:
> > Why not just *always* run bind chroot?
> 
> I'm guessing it's because, in general, Fedora is moving away from
> chroot and toward SELinux to provide extra security for these sorts of
> services?
> 
> > Have the files live in /var/named, then updates just update the one
> > and only copy in /var/named? If someone somewhere really and truly
> > doesn't want to run chroot, provide a --prefix option in named so he
> > can tell it the config files are relative to /var/named instead of
> > relative to /, but in any case the config files always live in one
> > and only one place.
> 
> That sounds like it would entail a similar amount of extra work and
> chances for introducing bugs that the bind-chroot-admin script had.
> If the bind daemon really is only trusted by admins when it is in a
> chroot, it might be a good reason to look at alternative DNS server
> software. :)
> 
> I don't personally have much interest in this, but if other folks do,
> I'm sure suggestions in patch form would be taken more seriously by
> the bind maintainers (preferably upstream).
----
I think that for backwards compatibility, they have always had a
separate package for bind-chroot but it does make sense to always run
that way.

Also, there is a long history of attacks on public DNS servers for many
reasons. Some of that is weaknesses in the BIND software, but much of it
owes to the value of the target itself: if you control the DNS server,
you control the domain(s) it serves.

I don't personally see how using a different DNS server package or
running SELinux is relevant to bind-chroot packaging decisions.

Craig


-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines