Bind in FreeBSD, security advisories
Mark Felder
feld at FreeBSD.org
Tue Jul 30 14:04:48 UTC 2013
On Tue, Jul 30, 2013, at 8:32, Daniel Kalchev wrote:
>
>
> This is very much an situation like replacing gcc with clang/llvm.
> However, in the case of BIND we have no licensing problems, stability
> problems, performance problems etc --- just concerns that BIND generates
> many SAs -- which might be actually good indicator, as it demonstrates
> that BIND is worked on.
>
There's a man with a name whose initials match DJB that would strongly
disagree. Now he's not always the best person to reference, but he's
made a succinct point with his own software, whether or not you like
using it.
Unbound/NSD are suitable replacements if we really need something in
base, and they have been picked up by OpenBSD for a good reason --
clean, secure, readable, maintainable codebases and their use across the
internet and on the ROOT servers is growing.
> I personally see no reason to remove BIND from base. If someone does not
> want BIND in their system, they could always use the WITHOUT_BIND build
> switch.
I'd be inclined to agree if it wasn't such a wholly insecure chunk of
code. You don't see people whining about Sendmail in base when they
prefer Postfix or Exim, but Sendmail doesn't have a new exploit every
week. You do tend to need an MTA for getting messages off the system
more than you need a local recursor/cache, but at least it's not causing
you maintenance headaches. If you consider the possibility that a large
enough percentage of users really desire a local recursor/cache it
should be our duty to give them the best option available.
More information about the freebsd-stable
mailing list