chroot-ed bind 9 (was: Users Want *Seamless* Solutions, Not Patchwork)

Pete Ehlke pde at ehlke.net
Mon Aug 6 05:09:20 UTC 2001


Jonathan de Boyne Pollard (J.deBoynePollard at tesco.net) said, on [010805 10:10]:
> 
> DN> I investigated BIND 8's ability to log directly to a file, but
> DN> since it won't roll over to a new file automatically when the
> DN> current file reaches its specified maximum size (it simply quits
> DN> logging!), I deemed it not useful for me.  If BIND would
> DN> automatically open a new log file when the current one fills 
> DN> then I would use this instead of syslog, and I would put BIND's
> DN> log directory on its own filesystem so that an intruder would 
> DN> have write access only to a filesystem that isn't critical to 
> DN> the rest of the system.
> 
> If there were a way of persuading BIND to log to its standard error (a novel
> concept in Unix, I know (-:) then you could simply pipe the standard error of
> "named" into the standard input of one of several tools that will write to and
> maintain an automatically cycled and size-capped set of log files (such as
> "multilog").
> 
Ermmm...

I let this pass the first time around, when Donald Nash asserted it, but
you're adding to an assertion that is simply false. Please go back and
reread section 6.2.10.1 of the ARM. You've missed the part where it
clearly explains how to tell bind to log directly to a file, cap that
file at a given size, and automatically rotate when that size limit is
reached. You don't need any external kludges like multilog.

-Pete
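For reference, an added example (not from this thread or from ISC's own documentation) of the kind of logging stanza the ARM's channel phrase describes, written for a chrooted BIND 9: a channel that logs directly to a file, caps it at a size, and keeps a fixed number of rotated versions. The path, the 20m cap, and the version count are assumed values.

```conf
// Added example: named.conf logging stanza using BIND's built-in file
// channel. Path, size cap and version count below are assumptions.
logging {
    channel file_log {
        // When named runs with -t <chroot>, this path is interpreted
        // inside the chroot; the directory must be writable by the
        // unprivileged user named switches to (-u).
        file "/var/log/named/named.log"
            versions 5      // keeps named.log.0 .. named.log.4, oldest discarded
            size 20m;       // rotates when the current file reaches 20 MB
        severity info;
        print-time yes;
        print-category yes;
        print-severity yes;
    };
    // Route all categories, including security events, to the file channel
    // instead of syslog.
    category default  { file_log; };
    category security { file_log; };
};
```

Mounting the log directory on its own filesystem, as suggested earlier in the thread, keeps a runaway or abused named from filling anything the rest of the system depends on.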

