Running current version of bind in a jail?

Tony Finch dot at
Mon Oct 24 10:04:43 UTC 2016

Tom <tomtux007 at> wrote:
> What's the reason that it isn't necessary to run a modern version of bind in
> a jail?

chroot is a defence against privilege escalation following a remote code
execution vulnerability. It isn't a very solid defence. And BIND 9 tends
to die of a self-check failure before remote code execution occurs,
judging by the last few years of vulnerability notices.

Also, on Linux, named drops most capabilities.

Stricter partitions (VMs or containers) which you can easily nuke and
rebuild from scratch mean there's much less need for chroot.

I still chroot my servers :-)

f.anthony.n.finch  <dot at>  -  I xn--zr8h punycode
Sole, Lundy, Fastnet: Easterly or northeasterly 5 to 7, becoming variable 3 or
4 later. Rough or very rough, becoming slight or moderate later. Rain or
showers. Moderate or good, occasionally poor.
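The point above that named "drops most capabilities" on Linux is something an operator can verify rather than take on trust: the kernel exposes a process's capability sets as hex bitmasks in `/proc/<pid>/status`. The script below is an added example, not part of this post or of BIND's own code. It decodes those masks and flags any capability in the effective set that is outside an allow-list. The allow-list (`CAP_NET_BIND_SERVICE` only) and the two `/proc` status excerpts are constructed assumptions for illustration; which capabilities a given BIND build and configuration legitimately retains varies, so tune the list to your own deployment.

```python
"""Verify that a running named has actually dropped its Linux capabilities.

Reads the Cap* lines from /proc/<pid>/status (or a captured copy), decodes
the hex bitmasks and reports any effective capability outside an allow-list.
Added example; the allow-list and sample status text are assumptions.
"""
import re
import sys

# Capability names indexed by bit number, as in <linux/capability.h>.
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]

# Assumption for this example: a capability-dropping named should keep only
# the ability to bind port 53. Adjust for your build and configuration.
ALLOWED_FOR_NAMED = {"CAP_NET_BIND_SERVICE"}

# Constructed /proc/<pid>/status excerpts (not captured from a real host).
SAMPLE_NAMED_STATUS = (
    "Name:\tnamed\n"
    "Pid:\t4242\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t0000000000000400\n"
    "CapEff:\t0000000000000400\n"
    "CapBnd:\t000001ffffffffff\n"
    "CapAmb:\t0000000000000000\n"
)
SAMPLE_ROOT_STATUS = (
    "Name:\tnamed\n"
    "Pid:\t4243\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t000001ffffffffff\n"
    "CapEff:\t000001ffffffffff\n"
    "CapBnd:\t000001ffffffffff\n"
    "CapAmb:\t0000000000000000\n"
)


def decode_caps(hexmask):
    """Turn a CapEff-style hex mask into the list of set capability names."""
    mask = int(hexmask, 16)
    names = []
    for bit in range(mask.bit_length()):
        if (mask >> bit) & 1:
            # Bits beyond the known table get a generic name rather than an error.
            names.append(CAP_NAMES[bit] if bit < len(CAP_NAMES) else "CAP_%d" % bit)
    return names


def parse_proc_status(text):
    """Extract the Cap* fields (CapInh, CapPrm, CapEff, CapBnd, CapAmb)."""
    caps = {}
    for line in text.splitlines():
        m = re.match(r"^(Cap\w+):\s*([0-9a-fA-F]+)\s*$", line)
        if m:
            caps[m.group(1)] = m.group(2)
    return caps


def unexpected_effective_caps(status_text, allowed):
    """Return effective capabilities not in the allow-list, sorted."""
    caps = parse_proc_status(status_text)
    if "CapEff" not in caps:
        raise ValueError("no CapEff line found in status text")
    return sorted(set(decode_caps(caps["CapEff"])) - set(allowed))


def main(argv):
    if len(argv) > 1:
        # Real use: python3 check_caps.py <pid-of-named>
        with open("/proc/%s/status" % argv[1]) as f:
            status = f.read()
    else:
        status = SAMPLE_NAMED_STATUS
    extra = unexpected_effective_caps(status, ALLOWED_FOR_NAMED)
    if extra:
        print("named still holds unexpected capabilities:", ", ".join(extra))
        return 1
    print("named effective capabilities are within the allow-list")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with the PID of a live named to inspect the real process; with no argument it checks the constructed sample. Note that `CapBnd` (the bounding set) is left wide in the sample: dropping effective and permitted capabilities is what limits a compromised process right now, while the bounding set only limits what it could regain by executing a file with file capabilities, so both are worth reading.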