configure bind in chroot jail

stuart at registry.godaddy
Wed Aug 6 23:35:49 UTC 2025


> From: bind-users <bind-users-bounces at lists.isc.org> on behalf of Greg Choules via bind-users <bind-users at lists.isc.org>
> Reply to: Greg Choules <gregchoules+bindusers at googlemail.com>
> Date: Wednesday 6 August 2025 at 20:06
> To: Renzo Marengo <buckroger2011 at gmail.com>
> Cc: "bind-users at lists.isc.org" <bind-users at lists.isc.org>
> Subject: Re: configure bind in chroot jail
>
> Renzo. The Linux distros package their own versions of BIND, which they obtain from ISC and patch over the years, hence it is almost guaranteed to not be the latest. That may be OK for you. But see here for how to install it directly if you
> 
[snip]
>
> Whether you think that chroot is worth the effort is your decision. I can't tell you not to do it, just advise that many don't use chroot and have no issues. BIND needs to write to certain folders, depending on which features you use. But as it is running as a normal user, if the OS won't let it, it can't.
> Maybe you should ask RedHat and its users (there must be a RH forum) what they recommend and make your decision once you have gathered opinions from various sources.
> 
> Hope that helps.
> Cheers, Greg

As a RH-family user, we use the COPR ISC packages with SELinux in enforcing mode and are more than happy with the level of security provided.

For inline signing, we've had to make some SELinux policy modifications so that BIND can create/delete keys (when not using HSMs), but other than that, it works fine out of the box.

Stuart
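
An added example, not part of the message above and not ISC or Red Hat code: a small parser that groups SELinux AVC denials for the `named_t` domain into candidate allow rules, the kind of review that precedes a policy modification for key create/delete. The audit records, key file names and the `named_zone_t` target label are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample audit records (not from the post). The key file names and
# the named_zone_t target label are assumptions about a key directory's labelling.
SAMPLE_AUDIT = '''\
type=AVC msg=audit(1754523349.101:801): avc:  denied  { create } for  pid=2211 comm="named" name="Kexample.test.+013+04242.key" scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=file permissive=0
type=AVC msg=audit(1754523349.102:802): avc:  denied  { write add_name } for  pid=2211 comm="named" name="keys" scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1754523999.510:915): avc:  denied  { unlink } for  pid=2211 comm="named" name="Kexample.test.+013+04242.private" scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=file permissive=0
type=AVC msg=audit(1754524001.000:920): avc:  denied  { read } for  pid=3300 comm="httpd" name="notes.txt" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1754523349.101:801): arch=c000003e syscall=257 success=no exit=-13 comm="named"
'''

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for .*?comm="(?P<comm>[^"]+)"'
    r'.*?scontext=(?P<s>\S+) tcontext=(?P<t>\S+) tclass=(?P<cls>\S+)'
)

def selinux_type(context):
    # user:role:type:level[:categories] -> type
    return context.split(":")[2]

def named_denials(audit_text, domain="named_t"):
    """Group AVC denials whose source domain is `domain` by (target type, class)."""
    grouped = defaultdict(set)
    for line in audit_text.splitlines():
        if not line.startswith("type=AVC"):
            continue  # skip SYSCALL and other record types
        m = AVC_RE.search(line)
        if not m or selinux_type(m["s"]) != domain:
            continue  # unrelated domains are not BIND's problem
        grouped[(selinux_type(m["t"]), m["cls"])].update(m["perms"].split())
    return dict(grouped)

def candidate_rules(grouped, domain="named_t"):
    """Render the grouped denials as allow rules for human review, not blind loading."""
    return [
        f"allow {domain} {ttype}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (ttype, cls), perms in sorted(grouped.items())
    ]

if __name__ == "__main__":
    for rule in candidate_rules(named_denials(SAMPLE_AUDIT)):
        print(rule)
```

On a real host the input would be the AVC records the audit subsystem logged for `named`; each candidate rule should be checked against where the keys are meant to live before any module is built from it.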


