2 files changed, 14 insertions, 2 deletions

diff --git a/usr.sbin/bind/README.OpenBSD b/usr.sbin/bind/README.OpenBSD
index ec4822d764f..d30a6c738fd 100644
--- a/usr.sbin/bind/README.OpenBSD
+++ b/usr.sbin/bind/README.OpenBSD
@@ -1,10 +1,11 @@
-$OpenBSD: README.OpenBSD,v 1.6 2003/11/18 19:04:30 jakob Exp $
+$OpenBSD: README.OpenBSD,v 1.7 2004/03/24 07:59:07 deraadt Exp $
 
 additional features
 
 - call tzset before chroot
 - open /dev/null before chroot
 - write pid-file before chroot
+- privilege separation for binding to privileged ports from within chroot
 - arc4random() support (integrated in 9.3.0-snapshot)
 - fall back to system default random device when running chroot
 - add LCG (Linear Congruential Generator) implementation to libisc
diff --git a/usr.sbin/bind/bin/named/named.8 b/usr.sbin/bind/bin/named/named.8
index 753a66f3d24..848144cde44 100644
--- a/usr.sbin/bind/bin/named/named.8
+++ b/usr.sbin/bind/bin/named/named.8
@@ -27,10 +27,13 @@ part of the BIND 9 distribution from ISC. For more
 information on the DNS, see RFCs 1033, 1034, and 1035.
 .PP
 When invoked without arguments, \fBnamed\fR will
+fork into two processes for privilege separation. 
 \fBchroot()\fR to \fI/var/named\fR,
 read the default configuration file
 \fI/var/named/etc/named.conf\fR, read any initial
-data, and listen for queries.
+data, and listen for queries. The privileged process
+will communicate with the child and bind to privileged
+ports on its behalf. See CAVEATS section below.
 .SH "OPTIONS"
 .TP
 \fB-c \fIconfig-file\fB\fR
@@ -154,3 +157,11 @@ The default process-id file.
 .SH "AUTHOR"
 .PP
 Internet Software Consortium
+.SH "CAVEATS"
+\fBnamed\fR runs privilege separated for binding
+the privileged ports after an interface or address
+change. The privileged process will only allow
+\fBnamed\fR to bind to default ports. Make sure
+you use unprivileged (>1024) ports if you change
+any of the default ports in \fBnamed's\fR
+configuration or on the command-line.