A question related to this: What is it that prevents BIND from being removed from the base when there are very well working ports of BIND already that are far easier to update when vulnerabilities are found. Is it the dig(1), host(1) and nslookup(1) utilities? -Kimmo