From owner-freebsd-stable@FreeBSD.ORG Wed Jul 31 12:22:23 2013
From: Mark Felder
To: freebsd-stable@freebsd.org
Message-Id: <1375273340.22504.3655263.0DFF1E05@webmail.messagingengine.com>
In-Reply-To: <51F8F1CB.20707@digsys.bg>
References: <1375186900.23467.3223791.24CB348A@webmail.messagingengine.com> <51F7B5C7.6050008@digsys.bg>
<51F7C07C.9060606@digsys.bg> <51F7E352.30300@digsys.bg> <51F8B0E8.8090608@ShaneWare.Biz> <51F8F1CB.20707@digsys.bg>
Subject: Re: Bind in FreeBSD, security advisories
Date: Wed, 31 Jul 2013 07:22:20 -0500
List-Id: Production branch of FreeBSD source code

On Wed, Jul 31, 2013, at 6:15, Daniel Kalchev wrote:
>
> On 31.07.13 09:38, Shane Ambler wrote:
> >
> > For something that needs to be constantly updated in between system
> > updates then ports is the place to install it from.
>
> You don't have to update BIND constantly, especially if you are not
> using it. If you are using it, you will want it updated, no matter what.
>

Let's take a moment and consider the state of the internet and DNS attacks. The RRL and RPZ2 patchsets[1] are newer developments that successfully add additional security and features to BIND. It was also recently announced that, due to the success of this work, the RRL[2] patch will be accepted by ISC into BIND mainline. How many users of BIND on FreeBSD are going to realize they need to run a copy of BIND from ports to get this extremely important protection? It certainly isn't going to get backported to 8-STABLE or 9-STABLE; I don't even know if it will show up in 10.0-RELEASE, as a quick grep shows it's not there. To put some perspective on it, FreeBSD 8.x users are literally 6 years behind CURRENT...

Now Red Hat has a bugzilla[3] report backporting it to RHEL6, but FreeBSD's policy is generally "bugfixes and security fixes only, don't introduce new features or behavior", and I don't expect that to change, especially for a piece of software in contrib. If a user were running BIND from ports, they would more readily have that feature at their disposal. The port maintainer could even put a sane default in the example config.

Unfortunately the number of FreeBSD BIND users who realize they are afforded this protection is going to be slim, and the number actually using it nearly as small. It's quite disappointing.

[1] http://ss.vix.su/~vjs/rrlrpz.html
[2] http://www.isc.org/blogs/isc-adds-ddos-defense-module-to-bind-software/
[3] https://bugzilla.redhat.com/show_bug.cgi?id=873624
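For readers wondering what the "sane default" the post asks for would actually look like, here is an added named.conf fragment enabling Response Rate Limiting on an authoritative server. It is an illustration written for this archive page, not configuration from the post, the FreeBSD port, or ISC; the `rate-limit` statement and its options are those of the RRL patchset and of BIND releases that later absorbed it, while the directory path, the exempt 192.0.2.0/24 range, the log file path and the numeric thresholds are assumptions chosen for the example.

```conf
options {
    directory "/usr/local/etc/namedb";   // assumed ports-style layout

    rate-limit {
        // Identical responses allowed per second to one client block
        // (by default a /24 for IPv4, a /56 for IPv6) before RRL acts.
        responses-per-second 5;
        // Per-client-block budget for NXDOMAIN and error responses, the
        // answers most often solicited by random-subdomain floods.
        nxdomains-per-second 5;
        errors-per-second    5;
        // Seconds of history kept when measuring a client's rate.
        window 5;
        // Answer every 2nd rate-limited query with a small truncated
        // (TC=1) reply instead of dropping it: a real client retries over
        // TCP, while a spoofed victim receives only tiny packets, which is
        // what kills the amplification factor.
        slip 2;
        // Never rate-limit our own recursive resolvers (assumed addresses).
        exempt-clients { 127.0.0.1; 192.0.2.0/24; };
        // Start with "yes" to only log what would be limited, watch the
        // rate-limit log category, then switch to "no" to enforce.
        log-only no;
    };
};

logging {
    channel rrl_log {
        file "/var/log/named/rrl.log" versions 3 size 5m;   // assumed path
        severity info;
        print-time yes;
    };
    // RRL start/periodic/final notices are emitted in this category.
    category rate-limit { rrl_log; };
};
```

Validate with `named-checkconf` before `rndc reconfig`; a BIND binary without RRL support rejects the `rate-limit` block at that step, which is also the quickest way to find out whether the base-system named on a given FreeBSD release carries the feature or whether the port is needed.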