From owner-freebsd-questions@FreeBSD.ORG Wed Aug 1 20:47:59 2007
From: Doug Barton <dougb@FreeBSD.org>
Organization: http://www.FreeBSD.org/
Date: Wed, 01 Aug 2007 13:47:56 -0700
To: Jeffrey Goldberg
Cc: Zbigniew Szalbot, "A.G. Russell IV", Freebsd questions
Subject: Re: Waiting for BIND security announcement
Message-ID: <46B0F17C.2010506@FreeBSD.org>
In-Reply-To: <60BEAECB-C72A-46B3-90D7-F3AB8778605D@goldmark.org>
List-Id: User questions (freebsd-questions@freebsd.org)

Jeffrey Goldberg wrote:
> On Aug 1, 2007, at 2:13 PM, Doug Barton wrote:
>
>> If you want to stay as close as possible to 6.2-RELEASE but also
>> include the fixes that the security officer deems important enough to
>> release widely, use the tag RELENG_6_2 (usually in your supfile for
>> cvsup or csup). If you want the latest code for 6-stable, which will
>> eventually become 6.3-RELEASE, use just RELENG_6.
>
> Thank you. I wasn't clear in my original message. I meant to talk
> about RELENG_6_2 which is what I meant when I said "6.2 Release with
> patches". But I fully acknowledge that while I've used RCS for ages, I
> still don't fully grok branches and trunks (or HEADs in CVS), so I do
> state things badly and can always use the reminder of how things work.

I had a feeling that was what you meant, but I wanted to be sure it was
clear for other readers, and for the archives.

> Anyway, I was disappointed that the BIND fix didn't make it into
> RELENG_6_2.

I can't speak for the security team, but I'm pretty sure that this
change is forthcoming.

>> When it comes to BIND stuff in particular, I always update the ports
>> first, so anyone with a mission critical DNS operation can get fixes
>> ASAP. There is even an option in the port to overwrite the base BIND
>> if you so desire.
>
> Ah-ha. That makes a big difference. OK. If I'm going to expose my
> name server to the big bad world while tracking RELENG_N_M ("release
> with patches") I'll use bind from ports.

In addition to security issues, the ports give you a greater degree of
flexibility in how BIND is configured.

If you're going to be offering a public name server (and by that I hope
you mean authoritative, not recursive) on 6-stable you're probably
better off using 9.4.x anyway, with the threading option disabled. If
you're going to be doing a high-capacity authoritative server (or a
high load resolver for an internal network) your BEST bet is to
evaluate FreeBSD 7 (soon to be released) and BIND 9.4.x with threading
_enabled_. You'll get better performance by far in a high load
situation.

> Are there other things in /usr/src/contrib that follow this pattern?

Sure, lots. Too many for me to list without having to think hard about
it and potentially leave something out.

>> hth,
>
> Yes, it helps a great deal. Thank you very much for your work on this
> and your patience with me.

My pleasure. :)

Doug

-- 

    This .signature sanitized for your protection
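Doug's reply says to put the RELENG_6_2 tag in the supfile you hand to cvsup or csup. The following is an added example and not part of this thread: a small POSIX sh helper that emits such a supfile for the src tree and classifies the tag first, so that a typo cannot silently move a production name server from the security branch (RELENG_N_M, release plus security-officer fixes) onto the stable branch (RELENG_N) or HEAD. The host, base and prefix values are the conventional FreeBSD Handbook defaults, and the function names branch_kind and supfile_for_tag are my own; none of this comes from the e-mail.

```shell
#!/bin/sh
# Added example (not from the thread): build a csup/cvsup supfile that pins
# /usr/src to a FreeBSD branch, and say which kind of branch the tag names.

# Classify a CVS tag the way the e-mail distinguishes them:
#   RELENG_N_M -> security branch: N.M-RELEASE plus security-officer fixes
#   RELENG_N   -> stable branch: tip of N-stable, becomes the next N.x release
#   .          -> HEAD (-CURRENT), not something to run a public resolver on
# Order matters: RELENG_6_2 also matches the looser stable pattern.
branch_kind() {
    case "$1" in
        RELENG_[0-9]*_[0-9]*) echo security ;;
        RELENG_[0-9]*)        echo stable ;;
        .)                    echo head ;;
        *)                    echo unknown ;;
    esac
}

# Emit a supfile for the src collection at the given tag. Refuses a tag it
# does not recognise rather than writing a supfile that tracks the wrong
# thing. Host/base/prefix are the Handbook defaults (an assumption here).
supfile_for_tag() {
    tag="$1"
    [ "$(branch_kind "$tag")" != unknown ] || {
        echo "supfile_for_tag: unrecognised tag '$tag'" >&2
        return 1
    }
    printf '%s\n' \
        '*default host=cvsup.FreeBSD.org' \
        '*default base=/var/db' \
        '*default prefix=/usr' \
        "*default release=cvs tag=$tag" \
        '*default delete use-rel-suffix' \
        'src-all'
}

# Typical use on a 6.2 box that should only take security-branch fixes:
#   supfile_for_tag RELENG_6_2 > /etc/src-supfile && csup /etc/src-supfile
```

Running `branch_kind` before writing anything is the point of the helper: RELENG_6_2 and RELENG_6 differ by three characters, and only one of them is the "release with patches" branch Jeffrey is asking about.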