On Ubuntu Maverick (10.10) when installing bind it will come up in a configuration so bad that I havent seen it since redhat 6.2…
- There is no chrooting used (as in a real chroot with its own libs)
- It’s not using the chroot directory directive.
- it’s not using the chroot command line option.
- There’s no ACLs at all defined (ok, some are internal, but anyway)
I haven’t looked at the rndc keys yet, I hope these are in better shape.
This is really a bit hard to believe for me, I hadn’t even expected something like that to be possible in 2010…
I remember it was in 2001 when I last build a full chroot (with libs) for a named, then around came Trustix secure linux where the bind start script rebuilt a chroot env for bind with all the configs and launched bind inside of that.
If I hadn’t noticed it really really needs absolute paths to the zone files I wouldn’t have noticed.
My next steps:
- Probably best to open a bug for that.
- Ask someone to verify my finds.
- Move DNS to FreeBSD jail, and stop doing any core stuff on other OS.
Any bind guru around to take over maintaining it for Ubuntu?
I’m stomped just like Debian they don’t seem to enforce product experience for product maintainers. It’s a bit odd.
And it makes me agree a lot more than ever with RedHat’s idea to only deliver a cache only DNS config. Their reasoning was “if you can’t configure it, then you shouldn’t configure it for everyone’s safety”. Often ideas like that sound too arrogant and you worry they’ll discourage people. But looking at one of the top linux distros apparently fucking up the most basic internet server programs config, I can see a need for some level of discouragement.