Bind in FreeBSD, security advisories

Daniel Kalchev daniel at digsys.bg
Tue Jul 30 15:58:14 UTC 2013


On 30.07.13 18:26, Peter Maxwell wrote:
> On 30 July 2013 14:42, <sthaug at nethelp.no> wrote:
>
>
>> Yes, I know everything can be installed from packages/ports. Two of
>> *my* main reasons for using FreeBSD is that:
>>
>> 1. It's an integrated *system*, not just a kernel.
>>
> That's not an argument for retaining something that is non-essential for
> most people and can easily be installed from ports.  There is very little
> that is actually essential in base... having to turn sendmail off on every
> new installation already does my nut in but having mail facilities is
> essential, so it has to be there.

I am surprised that so many people insist having an MTA is necessary, but 
having a well-tested recursive DNS resolver is not.
Even on a typical "client" installation, it is more likely that the resolver 
will be useful than the MTA.

By the way, both sendmail and BIND are off by default...

> Having bind in base does have one advantage in that it is more carefully
> scrutinised than it would likely be in ports.

This too..

I have always viewed FreeBSD not as a product, but instead as a 
toolkit: a toolkit from which to build the OS you need.
So far, FreeBSD has worked better for that purpose than any other 
toolkit around (plus, I am biased).

There are a number of knobs that let you customize FreeBSD to your 
heart's content.

In theory, everything but the absolute minimum of the base system might 
be removed, with everything else depending on ports. However, the base 
system is just that -- one collection of code that gets built and tested 
together. This brings quality.

Having said this, it is perfectly ok to replace BIND with any other 
resolver + name server.... as long as there is a suitable candidate that 
has passed enough testing. Is there one? Do we know enough of their quirks?

Daniel
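As an added illustration of the knobs the message above refers to (this is an appended example, not part of Daniel's mail or of the FreeBSD project's own documentation): on a release where BIND still ships in base (9.x and earlier), the rc.conf and src.conf lines below are what turn the two daemons off at runtime and leave them out of the build entirely. The file contents are an assumed example; the knob names are the ones documented in rc.conf(5) and src.conf(5) for those releases.

```sh
# /etc/rc.conf -- runtime knobs (assumed example, not from the thread).
# Both daemons are already off on a fresh install; these lines make it explicit.
sendmail_enable="NONE"    # "NO" would still run the local submission queue runner;
                          # "NONE" starts no sendmail process at all
named_enable="NO"         # do not start the base-system BIND (named)

# /etc/src.conf -- build-time knobs read by "make buildworld" (assumed example).
# These leave the corresponding binaries out of base altogether.
WITHOUT_BIND=yes
WITHOUT_SENDMAIL=yes
```

After a reboot (or `service sendmail stop` and `service named stop`), `sockstat -4l` should list nothing on TCP 25 or UDP/TCP 53; that is the quickest check that the runtime knobs took effect. The src.conf knobs only matter on the next world build and are the right tool when the goal is not to have the code installed at all rather than merely not started.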



More information about the freebsd-stable mailing list