Bind in FreeBSD, security advisories

Daniel Kalchev daniel at digsys.bg
Wed Jul 31 13:58:40 UTC 2013


On 31.07.13 15:22, Mark Felder wrote:
> On Wed, Jul 31, 2013, at 6:15, Daniel Kalchev wrote:
>> On 31.07.13 09:38, Shane Ambler wrote:
>>> For something that needs to be constantly updated in between system
>>> updates then ports is the place to install it from.
>> You don't have to update BIND constantly, especially if you are not
>> using it. If you are using it, you will want it updated, no matter what.
>>
> Let's take a moment and consider the state of the internet and DNS
> attacks. The RRL and RPZ2 patchsets[1] are newer developments that
> successfully add additional security and features to BIND. It was also
> recently announced that due to the success of this work the RRL[2] patch
> will be accepted by ISC into BIND mainline.
>
> How many users of BIND on FreeBSD are going to realize they need to run
> a copy of BIND from ports to get this extremely important protection? It
> certainly isn't going to get backported to 8-STABLE or 9-STABLE;

There is one solution to this, which I proposed earlier. Just don't 
ship/build the BIND binary by default. You will end up with only the 
resolver available and not be concerned with things like DDoS 
amplification. If you want an authoritative name server, just install it 
from ports.

Another solution is to include the appropriate warning in named.conf for 
anyone setting up a name server on FreeBSD to read. In fact, text like 
this is already present in, say, 6-stable's version (I know, that version 
is very outdated already):

/*
*************************************************************************
*           _  _____ _____ _____ _   _ _____ ___ ___  _ _             *
*          / \|_   _|_   _| ____| \ | |_   _|_ _/ _ \| \ | |            *
*         / _ \ | |   | | |  _| |  \| | | |  | | | | |  \| |            *
*        / ___ \| |   | | | |___| |\  | | |  | | |_| | |\ |            *
*       /_/   \_\_|   |_| |_____|_| \_| |_| |___\___/|_| \_|            *
*                                                                       *
*************************************************************************

The version of BIND in the RELENG_6 branch (FreeBSD 6.x) is NOT suitable
for use with DNSSEC, either as a validating resolver or an authoritative
name server.  If you plan to use DNSSEC for any purpose you should use a
newer version of BIND, preferably version 9.6.x or higher.

Additionally, this version of BIND (9.3.x) is beyond its End Of Life (EOL)
date and is no longer supported by ISC.

Newer versions are available in the ports tree (e.g., /usr/ports/dns/bind96)
or by upgrading your FreeBSD installation to version 8.0 or higher.
*/

A better solution would be to apply the RRL patch to BIND in 8-stable 
and 9-stable. FreeBSD does ship a very controlled version of BIND in 
base and keeping it patched is trivial, in comparison with someone 
applying the patches themselves on "original" BIND sources that were 
just released (in a port). FreeBSD does apply patches to other software 
in base: for example ssh and the HPN patches.

Even if you personally prefer some other DNS resolver/server, that won't 
replace BIND in 8-stable or 9-stable (which will live in the coming 
years and result in the same problems).
Every FreeBSD installation does benefit from a mature and full-featured 
recursive resolver being available in the base system. What else than 
BIND do you propose? Why is it better and ... most importantly, considering 
the topic of this thread: why do you think it will not be subject to many 
new SAs over time?
For... if we don't have anything better at hand, BIND will apparently stay.

Daniel
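As an added illustration of the "only a resolver, not an amplifier" point made in the message above, here is a constructed named.conf fragment (not FreeBSD's shipped named.conf and not from anyone in the thread) that restricts recursion to local clients and enables RRL. It assumes a BIND build that already contains the RRL code (mainline from 9.9.4; in 2013 that meant the patched port), and the directory path and the 192.0.2.0/24 addresses are assumptions.

```conf
// Constructed example (not FreeBSD's shipped named.conf, not from the thread).
// Goal: a base-system BIND that only resolves for local clients and cannot
// be used as a DDoS amplifier. Assumes a BIND that contains RRL
// (mainline from 9.9.4; in July 2013 that meant the patched dns/bind port).
// Paths and addresses are assumptions; 192.0.2.0/24 is a documentation prefix.

acl "trusted" {
    127.0.0.0/8;
    ::1/128;
    192.0.2.0/24;          // the site's own network (assumed)
};

options {
    directory "/usr/local/etc/namedb";   // assumed location

    // Risky form, typical of an open resolver:
    //     recursion yes;
    //     allow-recursion { any; };   // anyone on the Internet may recurse
    //     allow-query     { any; };
    // With no rate limiting, spoofed queries for large records make this
    // host amplify traffic toward whatever address was forged.

    // Hardened form: recurse only for trusted clients.
    recursion yes;
    allow-recursion   { trusted; };
    allow-query       { trusted; };
    allow-query-cache { trusted; };

    // Do not listen on every interface unless this host also serves zones.
    listen-on    { 127.0.0.1; 192.0.2.1; };
    listen-on-v6 { ::1; };

    // Response Rate Limiting: identical responses to the same client
    // prefix above the threshold are dropped or replaced by a truncated
    // answer (slip), which makes legitimate clients retry over TCP and
    // leaves a spoofing attacker with nothing to amplify.
    rate-limit {
        responses-per-second 10;
        errors-per-second    5;
        nxdomains-per-second 5;
        window 5;
        slip 2;                  // every 2nd dropped answer is a TC=1 reply
        exempt-clients { 127.0.0.0/8; ::1/128; };
        // log-only yes;         // measure the effect first, then enforce
    };
};
```

Check the effect with `rndc status` and the rate-limit log category before turning `log-only` off, so that legitimate bursty clients are not silently dropped.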
