Date:      Thu, 2 Aug 2007 16:18:59 -0500
From:      Jeffrey Goldberg <jeffrey@goldmark.org>
To:        Doug Barton <dougb@FreeBSD.org>
Cc:        Freebsd questions <freebsd-questions@freebsd.org>
Subject:   Re: Waiting for BIND security announcement
Message-ID:  <0D4A505C-5934-48AE-AB79-05D6D47DD668@goldmark.org>
In-Reply-To: <46B0F17C.2010506@FreeBSD.org>
References:  <499c70c0707260136hea82f27s87dfa53432d0e409@mail.gmail.com> <94c6ae7ae570814564d364bfe9aad8ea@szalbot.homedns.org> <20070801030504.GA3773@bifrost.agrussell.com> <426DE541-FB51-44FF-B7F4-B34E0F9A7861@goldmark.org> <46B0DB5F.4020401@FreeBSD.org> <60BEAECB-C72A-46B3-90D7-F3AB8778605D@goldmark.org> <46B0F17C.2010506@FreeBSD.org>

On Aug 1, 2007, at 3:47 PM, Doug Barton wrote:

> I can't speak for the security team, but I'm pretty sure that this
> change is forthcoming.

As someone has already noted in this thread, the wait is over.

>>> When it comes to BIND stuff in particular, I always update the ports
>>> first, so anyone with a mission critical DNS operation can get fixes
>>> ASAP. There is even an option in the port to overwrite the base BIND
>>> if you so desire.
>>
>> Ah-ha.  That makes a big difference.  OK.  If I'm going to expose my
>> name server to the big bad world while tracking RELENG_N_M ("release
>> with patches") I'll use bind from ports.
>
> In addition to security issues, the ports give you a greater degree of
> flexibility in how BIND is configured. If you're going to be offering
> a public name server (and by that I hope you mean authoritative, not
> recursive) on 6-stable you're probably better off using 9.4.x anyway,
> with the threading option disabled.

Yes, I do mean a (low volume) authoritative name server for a small
handful of low traffic vanity domains.  My intention is to set it up
as a master which will transfer zone information to a professional
DNS hosting service (dnspark.net, whom I'm very happy with).

Currently I have to modify my zone information through DNSPark's web
interface (which is very good and seems to allow everything except
"generate" rules).  But since I'm masochistic, I figure that I should
inflict problems on myself like remembering to update the serial
numbers myself.  (Big shouting reminder comments at both ends of the
zone files seem to do the trick.)

Also, while I'm extremely happy with dnspark.net, having one instance
of the authoritative zone data fully under my control makes me feel
better.

-j


-- 
Jeffrey Goldberg                        http://www.goldmark.org/jeff/
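The serial-number chore Jeffrey describes is the classic failure mode of a hand-edited master: a secondary (here the hosting service) only pulls a fresh copy when the SOA serial is ahead of the one it already holds, so an edit with a forgotten serial bump never propagates and nothing complains. The following is an added example, not code from this thread or from BIND: a pre-reload check that reads the serial from the previously loaded and the newly edited zone file, compares them with the RFC 1982 arithmetic secondaries use, and suggests the next YYYYMMDDnn serial when the bump was forgotten. The zone text, names (example.org) and addresses (192.0.2.x) are constructed; the function names are my own.

```python
"""Pre-reload check that a zone file's SOA serial actually moved.

Added example, not code from the mailing-list thread or from BIND. A
secondary only transfers a zone when the primary's SOA serial is ahead
of the copy it holds, so an edit without a serial bump silently never
propagates. Run this against the last loaded copy and the newly edited
copy before reloading the zone.
"""
import re
from datetime import date

SERIAL_MOD = 1 << 32  # SOA serial is an unsigned 32-bit value (RFC 1035)


def soa_serial(zone_text: str) -> int:
    """Return the SOA serial from zone-file text.

    Handles the common multi-line, parenthesised SOA form; ';' comments
    are stripped first so a commented-out number is not picked up.
    """
    stripped = "\n".join(line.split(";", 1)[0] for line in zone_text.splitlines())
    # SOA <mname> <rname> [(] <serial> ...
    m = re.search(r"\bSOA\s+\S+\s+\S+\s*\(?\s*(\d+)", stripped, re.IGNORECASE)
    if not m:
        raise ValueError("no SOA record found")
    serial = int(m.group(1))
    if serial >= SERIAL_MOD:
        raise ValueError("SOA serial does not fit in 32 bits")
    return serial


def serial_is_ahead(new: int, old: int) -> bool:
    """RFC 1982 serial-number comparison, as secondaries apply it.

    `new` is ahead of `old` when the wrapped difference lies in (0, 2^31);
    this is why a serial can wrap past 2^32 without breaking transfers.
    """
    diff = (new - old) % SERIAL_MOD
    return 0 < diff < SERIAL_MOD // 2


def next_date_serial(old: int, today: date) -> int:
    """Suggest the next YYYYMMDDnn serial that is ahead of `old`.

    Same-day edits bump the two-digit counter; a later day restarts at 01.
    Falls back to old+1 when the date form would not be ahead (e.g. the
    old serial was never in date form and is numerically far larger).
    """
    today_prefix = int(today.strftime("%Y%m%d"))
    candidate = old + 1 if old // 100 == today_prefix else today_prefix * 100 + 1
    if not serial_is_ahead(candidate, old):
        candidate = (old + 1) % SERIAL_MOD
    return candidate


def check_zone_update(old_zone: str, new_zone: str, today: date):
    """Return (ok, message) for replacing `old_zone` with `new_zone`."""
    old, new = soa_serial(old_zone), soa_serial(new_zone)
    if serial_is_ahead(new, old):
        return True, f"serial {old} -> {new}, secondaries will transfer"
    hint = next_date_serial(old, today)
    return False, f"serial not bumped ({new} vs {old}); next serial could be {hint}"


# Constructed sample zone: the previously loaded copy.
OLD_ZONE = """\
$TTL 3600
@   IN  SOA ns1.example.org. hostmaster.example.org. (
        2007080201  ; serial
        3600        ; refresh
        900         ; retry
        1209600     ; expire
        300 )       ; minimum
    IN  NS  ns1.example.org.
www IN  A   192.0.2.10
"""
# Edited copies: one with the serial forgotten, one bumped properly.
NEW_ZONE_FORGOT = OLD_ZONE.replace("192.0.2.10", "192.0.2.11")
NEW_ZONE_BUMPED = NEW_ZONE_FORGOT.replace("2007080201", "2007080202")

if __name__ == "__main__":
    for label, new in (("forgot", NEW_ZONE_FORGOT), ("bumped", NEW_ZONE_BUMPED)):
        ok, msg = check_zone_update(OLD_ZONE, new, date(2007, 8, 2))
        print(f"{label}: {'OK' if ok else 'REFUSE'} - {msg}")
```

The check deliberately uses the wrapped comparison rather than plain `new > old`, since that is what the secondary does: a serial that is numerically larger but more than 2^31 ahead is treated as older, and a freshly chosen date-form serial can fail that test against a large legacy value, which is why the fallback exists.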