Bind in FreeBSD, security advisories

Mark Felder feld at FreeBSD.org
Tue Jul 30 14:04:48 UTC 2013


On Tue, Jul 30, 2013, at 8:32, Daniel Kalchev wrote:
> 
> 
> This is very much a situation like replacing gcc with clang/llvm.
> However, in the case of BIND we have no licensing problems, stability 
> problems, performance problems etc --- just concerns that BIND generates 
> many SAs -- which might be actually good indicator, as it demonstrates 
> that BIND is worked on.
> 

There's a man with a name whose initials match DJB that would strongly
disagree. Now he's not always the best person to reference, but he's
made a succinct point with his own software, whether or not you like
using it. 

Unbound/NSD are suitable replacements if we really need something in
base, and they have been picked up by OpenBSD for a good reason --
clean, secure, readable, maintainable codebases and their use across the
internet and on the ROOT servers is growing.

> I personally see no reason to remove BIND from base. If someone does not 
> want BIND in their system, they could always use the WITHOUT_BIND build 
> switch.

I'd be inclined to agree if it wasn't such a wholly insecure chunk of
code. You don't see people whining about Sendmail in base when they
prefer Postfix or Exim, but Sendmail doesn't have a new exploit every
week. You do tend to need an MTA for getting messages off the system
more than you need a local recursor/cache, but at least it's not causing
you maintenance headaches. If you consider the possibility that a large
enough percentage of users really desire a local recursor/cache it
should be our duty to give them the best option available.
