Building from source and running in chroot environment

Spain, Dr. Jeffry A. spainj at countryday.net
Thu Mar 14 10:30:55 UTC 2013


> Are there relatively recent instructions on how to build BIND from source and run it in a chroot environment? It sounds obvious but everything I've come across assumes BIND is provided by some package manager or included with the operating system. I'd like to build the latest version of BIND and run it in a chroot environment.  I know you have to pre-populate the chroot directories but am not entirely clear on everything that's needed.

FWIW, I've been running BIND on Ubuntu, which uses AppArmor (https://help.ubuntu.com/12.10/serverguide/apparmor.html) to control file access by applications and services. I'm not able to argue the relative merits of chroot vs. AppArmor vs. other alternatives such as SELinux and SMACK. But stipulating for the moment that AppArmor is a reasonable alternative, it is fairly easy to use it with BIND 9 built from source. I start by installing the current packaged version of BIND on a snapshotted Ubuntu virtual machine that I can subsequently roll back. I save the files /etc/apparmor.d/usr.sbin.named and /etc/apparmor.d/local/usr.sbin.named, which I then place in my built-from-source BIND 9 installation. For this to work without modifying the file usr.sbin.named, I use in my build the same ancillary directories that the Ubuntu package uses: /etc/bind for configuration files, /var/lib/bind for master zone data and DNSSEC keys, and /var/cache/bind for secondary zone data. Otherwise you can modify the file usr.sbin.named, which you should examine in conjunction with the AppArmor documentation for the details. You can deconstruct the Ubuntu bind9 source package (http://packages.ubuntu.com/quantal/bind9) to see everything else that the package installer does to set up BIND 9. Note that Ubuntu 13.04 (Raring Ringtail), due to be released in late April, will be the first Ubuntu version to include a packaged BIND 9.9.x.

Jeffry A. Spain, Network Administrator
Cincinnati Country Day School
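
Added example (not part of the original message, and not Ubuntu's or ISC's code): a small Python check of whether the file rules in an AppArmor profile cover the directories a from-source build of named will use, which is the condition the message describes for reusing usr.sbin.named unmodified. The sample profile, the file names and the second directory layout are constructed for illustration, and the glob handling is a simplification of AppArmor's.

```python
import re

# Constructed sample in the style of an AppArmor profile for named. It is NOT
# the contents of Ubuntu's /etc/apparmor.d/usr.sbin.named.
SAMPLE_PROFILE = """\
/usr/sbin/named {
  /etc/bind/** r,
  /var/lib/bind/** rw,
  /var/cache/bind/** lrw,
  /usr/sbin/named mr,
}
"""
# Files named must reach and the access it needs (file names are hypothetical).
PACKAGE_LAYOUT = [("/etc/bind/named.conf", "r"),
                  ("/var/lib/bind/db.example.org", "rw"),
                  ("/var/cache/bind/db.secondary.example.org", "rw")]
# Hypothetical layout of a build that does not reuse the package directories.
OTHER_LAYOUT = [("/usr/local/etc/named.conf", "r"),
                ("/usr/local/var/named/db.example.org", "rw")]

# "[owner] /path/glob perms," ; deny/audit rules and {a,b} globs are not modelled.
RULE = re.compile(r"^\s*(?:owner\s+)?(/\S*)\s+([a-zA-Z]+),\s*(?:#.*)?$")

def glob_to_regex(glob):
    """Simplified AppArmor globbing: ** crosses '/', while * and ? do not."""
    table = {"**": ".*", "*": "[^/]*", "?": "[^/]"}
    tokens = re.findall(r"\*\*|.", glob)
    return re.compile("".join(table.get(t, re.escape(t)) for t in tokens) + r"\Z")

def parse_rules(profile_text):
    """Return (compiled path regex, set of permission letters) per file rule."""
    matches = (RULE.match(line) for line in profile_text.splitlines())
    return [(glob_to_regex(m.group(1)), set(m.group(2))) for m in matches if m]

def allowed(rules, path, perms):
    """True if the rules matching path together grant every letter in perms."""
    granted = set().union(*(p for regex, p in rules if regex.match(path)))
    return set(perms) <= granted

def uncovered(profile_text, needs):
    """List the (path, perms) pairs the profile would not permit."""
    rules = parse_rules(profile_text)
    return [need for need in needs if not allowed(rules, *need)]

if __name__ == "__main__":
    print("blocked:", uncovered(SAMPLE_PROFILE, OTHER_LAYOUT))
```

Any path this reports needs a matching rule in /etc/apparmor.d/local/usr.sbin.named or in the profile itself before named can reach it.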


