BIND8, BIND9 static compilation problems

Ivan Ivanovic iiv at drenik.net
Wed Oct 15 10:18:33 UTC 2003


Quoting Mark.Andrews at isc.org:

> The names service switch library (required for looking up the
> password) requires routines that are part of the C library and
> are not already linked into the executable.

Then, what is the point of creating a static binary when it's not
functional in a production env.? No wonder BIND (ISC) software hits
first place at SANS "The Twenty Most Critical Internet Security
Vulnerabilities" http://www.sans.org/top20/#u1
when you have this approach to security measures.

> Now why are you starting named using chroot(8) rather than using
> -t which executes chroot(2) at the right point i.e. *after*
> the NSS library is loaded.  Note named-xfer doesn't require NSS.

First, I don't have any libs on the production system; second, I don't like
using experimental features, especially in production envs.

quote from your (bind) install file:
-----------------------------------------
Chroot
-t followed by a directory path on the "named" command line will
cause the server to chroot() to that directory before it starts
loading the configuration file.
.... .... .....
Note: this feature is still experimental.
-----------------------------------------
end of quote...


Thanks for help, I'm looking for alternatives. 
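
The ordering described in the quoted reply (account lookup through NSS first, chroot(2) afterwards), as an added example that is not part of the original post and is not BIND's source. The function names `resolve_account` and `jail_and_drop` are hypothetical.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1   /* exposes chroot(2) and setgroups(2) on glibc */
#endif
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Step 1: resolve the account while nsswitch.conf, the passwd database and
 * the NSS modules are still reachable, i.e. before chroot(2). */
int resolve_account(const char *name, uid_t *uid, gid_t *gid)
{
    struct passwd *pw = getpwnam(name);
    if (pw == NULL)
        return -1;
    *uid = pw->pw_uid;
    *gid = pw->pw_gid;
    return 0;
}

/* Step 2: enter the jail, then drop root. chroot(2) needs root, chdir("/")
 * moves the working directory inside the new root, and the groups are
 * dropped before the uid because setgroups/setgid also need root. */
int jail_and_drop(const char *dir, uid_t uid, gid_t gid)
{
    if (chroot(dir) != 0 || chdir("/") != 0)
        return -1;
    if (setgroups(1, &gid) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    if (uid != 0 && setuid(0) == 0)   /* root must not be recoverable */
        return -1;
    return 0;
}

int main(int argc, char **argv)
{
    uid_t uid;
    gid_t gid;
    if (argc != 3) {
        fprintf(stderr, "usage: %s <jail-dir> <user>\n", argv[0]);
        return 2;
    }
    if (resolve_account(argv[2], &uid, &gid) != 0 ||
        jail_and_drop(argv[1], uid, gid) != 0) {
        fprintf(stderr, "lookup or jail setup failed\n");
        return 1;
    }
    printf("jailed in %s as uid=%d gid=%d\n", argv[1], (int)uid, (int)gid);
    return 0;
}
```

With this order the jail directory needs no passwd file or NSS libraries for the lookup, because the lookup has already completed outside it.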



