Date:      Wed, 01 Aug 2007 13:47:56 -0700
From:      Doug Barton <dougb@FreeBSD.org>
To:        Jeffrey Goldberg <jeffrey@goldmark.org>
Cc:        Zbigniew Szalbot <zbigniew@szalbot.homedns.org>, "A.G. Russell IV" <arussell@bifrost.hos.net>, Freebsd questions <freebsd-questions@freebsd.org>
Subject:   Re: Waiting for BIND security announcement
Message-ID:  <46B0F17C.2010506@FreeBSD.org>
In-Reply-To: <60BEAECB-C72A-46B3-90D7-F3AB8778605D@goldmark.org>
References:  <499c70c0707260136hea82f27s87dfa53432d0e409@mail.gmail.com> <94c6ae7ae570814564d364bfe9aad8ea@szalbot.homedns.org> <20070801030504.GA3773@bifrost.agrussell.com> <426DE541-FB51-44FF-B7F4-B34E0F9A7861@goldmark.org> <46B0DB5F.4020401@FreeBSD.org> <60BEAECB-C72A-46B3-90D7-F3AB8778605D@goldmark.org>

Jeffrey Goldberg wrote:
> On Aug 1, 2007, at 2:13 PM, Doug Barton wrote:
> 
>> If you want to stay as close as possible to 6.2-RELEASE but also
>> include the fixes that the security officer deems important enough to
>> release widely, use the tag RELENG_6_2 (usually in your supfile for
>> cvsup or csup). If you want the latest code for 6-stable, which will
>> eventually become 6.3-RELEASE, use just RELENG_6.
> 
> Thank you.  I wasn't clear in my original message.  I meant to talk
> about RELENG_6_2 which is what I meant when I said "6.2 Release with
> patches".  But I fully acknowledge that while I've used RCS for ages, I
> still don't fully grok branches and trunks (or HEADs in CVS), so I do
> state things badly and can always use the reminder of how things work.

I had a feeling that was what you meant, but I wanted to be sure it
was clear for other readers, and for the archives.

> Anyway, I was disappointed that the BIND fix didn't make it into
> RELENG_6_2.

I can't speak for the security team, but I'm pretty sure that this
change is forthcoming.

>> When it comes to BIND stuff in particular, I always update the ports
>> first, so anyone with a mission critical DNS operation can get fixes
>> ASAP. There is even an option in the port to overwrite the base BIND
>> if you so desire.
> 
> Ah-ha.  That makes a big difference.  OK.  If I'm going to expose my
> name server to the big bad world while tracking RELENG_N_M ("release
> with patches") I'll use bind from ports.

In addition to security issues, the ports give you a greater degree of
flexibility in how BIND is configured. If you're going to be offering
a public name server (and by that I hope you mean authoritative, not
recursive) on 6-stable you're probably better off using 9.4.x anyway,
with the threading option disabled.

If you're going to be doing a high-capacity authoritative server (or a
high load resolver for an internal network) your BEST bet is to
evaluate FreeBSD 7 (soon to be released) and BIND 9.4.x with threading
_enabled_. You'll get better performance by far in a high load situation.

> Are there other things in /usr/src/contrib that follow this pattern?

Sure, lots. Too many for me to list without having to think hard about
it and potentially leave something out.

>> hth,
> 
> Yes, it helps a great deal.  Thank you very much for your work on this
> and your patience with me.

My pleasure. :)

Doug

-- 

    This .signature sanitized for your protection
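For readers following the RELENG_6_2 versus RELENG_6 distinction above, here is a supfile in the format csup and cvsup read, added as an illustration and not taken from the thread. The host, base and prefix values are assumptions (cvsup.FreeBSD.org was the public mirror name of the era); only the `tag=` line is what the message itself prescribes, and the CVS-based csup/cvsup workflow has long since been retired in favour of Subversion and later Git.

```conf
# Assumed mirror; in practice pick a nearby cvsupN.<country>.FreeBSD.org mirror.
*default host=cvsup.FreeBSD.org
# Where csup keeps its checkout state (assumed default location).
*default base=/var/db
# Source tree lands under /usr/src (assumed default).
*default prefix=/usr
# Security branch for 6.2: 6.2-RELEASE plus only the fixes the
# security officer releases widely (the "release with patches" case).
*default release=cvs tag=RELENG_6_2
# To track 6-stable instead (the code that becomes 6.3-RELEASE), use:
# *default release=cvs tag=RELENG_6
*default delete use-rel-suffix
src-all
```

With this file in place, `csup /path/to/supfile` updates /usr/src to the chosen branch; as the message notes, a fix that has not yet been merged to RELENG_6_2 will not appear until the security team commits it there, which is why the port is the quicker path for a mission-critical BIND.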
