On Wed, Nov 29, 2017 at 05:18:40PM +0000, Michał Kępień via RT wrote:
> I received an email comment from Loganaden Velvindron, who authored the
> patch adding seccomp support to BIND (see RT #35347):
>
> > Thanks for reaching out. Could we look into a solution where seccomp
> > is still kept but as an experimental feature?
> >
> > If seccomp is too complex (and I understand the concerns there), how
> > about implementing a privilege separation model, and using seccomp
> > only for untrusted domains, while avoiding applying it to code paths
> > which are less likely to have security issues. FYI, OpenBSD had for a
> > long time been running a privilege separated ISC-BIND in their tree. I
> > didn't have time to dig into it, but I think that maybe it's time to
> > review it, and discuss with the ISC team?

Given the points that were made about (a) syscalls varying depending on underlying library implementation, (b) that we already use syscalls which are bad enough, and (c) there are other ways to achieve similar access control, the feature seems uncontrollable and there doesn't seem to be much advantage in keeping it on as an experimental feature.

Mukund