Bind in FreeBSD, security advisories

Mark Felder feld at FreeBSD.org
Wed Jul 31 12:22:23 UTC 2013


On Wed, Jul 31, 2013, at 6:15, Daniel Kalchev wrote:
> 
> On 31.07.13 09:38, Shane Ambler wrote:
> >
> > For something that needs to be constantly updated in between system
> > updates then ports is the place to install it from.
> 
> You don't have to update BIND constantly, especially if you are not 
> using it. If you are using it, you will want it updated, no matter what.
> 

Let's take a moment and consider the state of the internet and DNS
attacks. The RRL and RPZ2 patchsets[1] are newer developments that
successfully add additional security and features to BIND. It was also
recently announced that due to the success of this work the RRL[2] patch
will be accepted by ISC into BIND mainline.

How many users of BIND on FreeBSD are going to realize they need to run
a copy of BIND from ports to get this extremely important protection? It
certainly isn't going to get backported to 8-STABLE or 9-STABLE; I don't
even know if it will show up in 10.0-RELEASE as a quick grep shows it's
not there. To put some perspective on it, FreeBSD 8.x users are
literally 6 years behind CURRENT... 

Now Redhat has a bugzilla[3] report backporting it to RHEL6, but
FreeBSD's policy is generally "bugfixes and security fixes only, don't
introduce new features or behavior", and I don't expect that to change
especially for a piece of software in contrib. If a user was running
BIND from ports, they would more readily have that feature at their
disposal. The port maintainer could even put a sane default in the
example config. Unfortunately the number of FreeBSD BIND users who
realize they are afforded this protection is going to be slim, and the
number actually using it nearly as small. It's quite disappointing.

[1] http://ss.vix.su/~vjs/rrlrpz.html
[2] http://www.isc.org/blogs/isc-adds-ddos-defense-module-to-bind-software/
[3] https://bugzilla.redhat.com/show_bug.cgi?id=873624
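One way to find out whether the BIND you are actually running carries the RRL code is to ask its own named-checkconf to parse a config containing a rate-limit block. The script below is an added example, not part of the original post; it assumes the FreeBSD base-system binary lives in /usr/sbin and the ports one in /usr/local/sbin, and uses the option names of ISC's rate-limit statement.

```shell
#!/bin/sh
# Added example (not from the mailing-list post). Probe whether a given
# named-checkconf accepts the RRL "rate-limit" statement: a build without
# the RRL code rejects the unknown option and named-checkconf exits non-zero.
# Paths below are assumptions: FreeBSD base installs named-checkconf in
# /usr/sbin, the ports build in /usr/local/sbin.

# rrl_support <path-to-named-checkconf>
# Prints "missing" (binary not found), "yes" (rate-limit parses) or "no".
rrl_support() {
    checkconf="$1"
    [ -x "$checkconf" ] || { echo "missing"; return 2; }

    tmp=$(mktemp "${TMPDIR:-/tmp}/rrlprobe.XXXXXX") || return 3
    # Minimal config whose only non-default content is an RRL block with
    # conservative, log-only settings (the kind of "sane default" a port
    # could ship in its example config).
    cat > "$tmp" <<'EOF'
options {
    recursion no;
    rate-limit {
        responses-per-second 10;
        errors-per-second 5;
        window 5;
        slip 2;
        log-only yes;
    };
};
EOF
    if "$checkconf" "$tmp" >/dev/null 2>&1; then
        rm -f "$tmp"; echo "yes"; return 0
    else
        rm -f "$tmp"; echo "no"; return 1
    fi
}

# Compare the base-system binary with the ports one (assumed locations).
for bin in /usr/sbin/named-checkconf /usr/local/sbin/named-checkconf; do
    echo "$bin: $(rrl_support "$bin")"
done
```

A "no" from the base binary and a "yes" from the ports binary is exactly the situation the post describes; "missing" means that build is not installed at the assumed path.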


More information about the freebsd-stable mailing list