Bind in FreeBSD, security advisories

Shane Ambler FreeBSD at ShaneWare.Biz
Wed Jul 31 06:38:39 UTC 2013


On 31/07/2013 01:31, Daniel Kalchev wrote:

> But here is an idea: Remove BIND from HEAD overnight and see how many
>  will complain ;-) If nobody complains, don't put it back in.

Or change the default to off. If you want bind, add WITH_BIND=yes to src.conf.

It's hard to say FreeBSD is a safe and secure OS when part of the base
install is always being shown to have security flaws. New features need
to prove they are reliable before they are accepted into a release yet
we allow something that has a long proven history of being a source of
security concerns.

For something that needs to be constantly updated in between system
updates then ports is the place to install it from.

I think it is less about whether bind is useful and needs to be in base
and more about should every user of FreeBSD be open to security issues
or should a user have the option to say "yes I want potentially insecure
software on my machine". The ports system allows messages that make it
obvious to the user about security concerns.

Yes, many users know the bind utilities and rely on them, but a lot of
users have no idea how to use them. I expect that the bind tools are
used by a number of users that know what they are doing and need them
for testing and debugging issues; they also know how to install them
when they need them. I believe most users would not need or use these tools.

How many people set up and use a FreeBSD machine without adding something
from ports or packages?

And yes, I set up my own DNS server to resolve internal host names instead
of filling /etc/hosts with entries. As for the tools like dig and host,
I rarely use them.




More information about the freebsd-stable mailing list