Installing bind is not very clear for me

/dev/rob0 rob0 at
Fri Sep 4 17:12:17 UTC 2015

On Thu, Sep 03, 2015 at 11:02:23PM +0200, Reindl Harald wrote:
> Am 03.09.2015 um 22:59 schrieb Robert Moskowitz:
> >On 09/03/2015 04:35 PM, Leandro wrote:
> >>Ok ...
> >>I got BIND 9.10.2-P3  working.
> >>I compiled with
> >>
> >>./configure --with-openssl --enable-threads --with-libxml2
> >>--with-libjson
> >>make
> >>make install
> >>
> >>Json statistics channel is working and chroot is not longer 
> >>mandatory.
> >
> >But do make sure you have selinux enforced.  Or run behind 
> >multiple firewalls...
> behind *multiple firewalls* - ?!?! - oh come on and get serious
> instead promote snakeoil -

I quite agree here.  Firewalls that attempt to filter DNS have 
terrible reputations for *breaking* DNS.  A single firewall is bad 
enough; multiple firewalls sounds like a disaster.

> typically BIND is *not* running as root and hence does not need
> any special handling compared to any other network service

I don't know if we can say what is "typical".  We can say, for 
running on Linux at least, that running as root is safe.  A 
compromised named would get root after having dropped superuser 
privileges, so it wouldn't be able to do much.

Regardless, again I quite agree that special handling is not 
necessary.  Look at the various BIND9 security announcements over
the years.  When have you seen one which involved a compromise of
any kind?

I cannot say with authority that BIND9 has never had a compromise, 
but I am confident in saying I have never seen one. is a 
recent blog posting which discusses this in detail.

> get rid of the horror stories from the 1990's..............
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:

More information about the bind-users mailing list