Bind in FreeBSD, security advisories
Ronald Klop
ronald-freebsd8 at klop.yi.org
Tue Jul 30 14:10:13 UTC 2013
On Tue, 30 Jul 2013 16:04:46 +0200, Mark Felder <feld at freebsd.org> wrote:
> On Tue, Jul 30, 2013, at 8:32, Daniel Kalchev wrote:
>>
>>
>> This is very much an situation like replacing gcc with clang/llvm.
>> However, in the case of BIND we have no licensing problems, stability
>> problems, performance problems etc --- just concerns that BIND generates
>> many SAs -- which might be actually good indicator, as it demonstrates
>> that BIND is worked on.
>>
>
> There's a man with a name whose initials match DJB that would strongly
> disagree. Now he's not always the best person to reference, but he's
> made a succinct point with his own software, whether or not you like
> using it.
>
> Unbound/NSD are suitable replacements if we really need something in
> base, and they have been picked up by OpenBSD for a good reason --
> clean, secure, readable, maintainable codebases and their use across the
> internet and on the ROOT servers is growing.
>
>> I personally see no reason to remove BIND from base. If someone does not
>> want BIND in their system, they could always use the WITHOUT_BIND build
>> switch.
>
> I'd be inclined to agree if it wasn't such a wholly insecure chunk of
> code. You don't see people whining about Sendmail in base when they
> prefer Postfix or Exim, but Sendmail doesn't have a new exploit every
> week. You do tend to need an MTA for getting messages off the system
> more than you need a local recursor/cache, but at least it's not causing
> you maintenance headaches. If you consider the possibility that a large
> enough percentage of users really desire a local recursor/cache it
> should be our duty to give them the best option available.
DragonflyBSD also removed BIND from base some time ago.
http://www.shiningsilence.com/dbsdlog/2010/05/06/5853.html
Ronald.
More information about the freebsd-stable
mailing list