Bind in FreeBSD, security advisories

Erwin Lansing erwin at FreeBSD.org
Wed Jul 31 12:37:50 UTC 2013


On Wed, Jul 31, 2013 at 07:22:20AM -0500, Mark Felder wrote:
> 
> Let's take a moment and consider the state of the internet and DNS
> attacks. The RRL and RPZ2 patchsets[1] are newer developments that
> successfully add additional security and features to BIND. It was also
> recently announced that due to the success of this work the RRL[2] patch
> will be accepted by ISC into BIND mainline.
> 
> How many users of BIND on FreeBSD are going to realize they need to run
> a copy of BIND from ports to get this extremely important protection? It
> certainly isn't going to get backported to 8-STABLE or 9-STABLE; I don't
> even know if it will show up in 10.0-RELEASE as a quick grep shows it's
> not there. To put some perspective on it, FreeBSD 8.x users are
> literally 6 years behind CURRENT... 
> 

3rd party, and especially those that are still being distributed as
experimental, will not be part of the base BIND code.  It will only
contain a direct import from the vendor sources.

After a -STABLE branch is branched into a -RELEASE branch, the latter
will only get security updates, sometimes backported depending on the
upstream life cycle.  For feature updates, users have always been
dependent on ports as the BIND versions included in -RELEASE are quickly
falling behind.

On a side note, BIND 10 introduces a large number of 3rd party
dependencies, none of which are very attractive to include in the
FreeBSD base system by default.  This means that we can use BIND9 so
far, but for the long term, we'll have to look into a more viable
alternative anyway.

Erwin

-- 
Erwin Lansing                                    http://droso.dk
erwin at FreeBSD.org                        http://www.FreeBSD.org