From: Daniel Kalchev <daniel@digsys.bg>
Date: Wed, 31 Jul 2013 16:58:28 +0300
To: freebsd-stable@freebsd.org
Subject: Re: Bind in FreeBSD, security advisories
Message-ID: <51F91804.2020503@digsys.bg>
In-Reply-To: <1375273340.22504.3655263.0DFF1E05@webmail.messagingengine.com>
List-Id: Production branch of FreeBSD source code <freebsd-stable.freebsd.org>

On 31.07.13 15:22, Mark Felder wrote:
> On Wed, Jul 31, 2013, at 6:15, Daniel Kalchev wrote:
>> On 31.07.13 09:38, Shane Ambler wrote:
>>> For something that needs to be constantly updated in between system
>>> updates then ports is the place to install it from.
>> You don't have to update BIND constantly, especially if you are not
>> using it. If you are using it, you will want it updated, no matter what.
>>
> Let's take a moment and consider the state of the internet and DNS
> attacks. The RRL and RPZ2 patchsets[1] are newer developments that
> successfully add additional security and features to BIND. It was also
> recently announced that due to the success of this work the RRL[2] patch
> will be accepted by ISC into BIND mainline.
>
> How many users of BIND on FreeBSD are going to realize they need to run
> a copy of BIND from ports to get this extremely important protection? It
> certainly isn't going to get backported to 8-STABLE or 9-STABLE;

There is one solution to this, which I proposed earlier. Just don't ship/build the BIND binary by default. You will end up with only the resolver available and not be concerned with things like DDoS amplification. If you want an authoritative name server, just install it from ports.

Another solution is to include the appropriate warning in named.conf for anyone setting up a name server on FreeBSD to read.
In fact, text like this is already present in, say, 6-stable's version (I know, that version is very outdated already):

/*
 ************************************************************************
 *       _  _____ _____ _____ _   _ _____ ___ ___  _   _                *
 *      / \|_   _|_   _| ____| \ | |_   _|_ _/ _ \| \ | |               *
 *     / _ \ | |   | | |  _| |  \| | | |  | | | | |  \| |               *
 *    / ___ \| |   | | | |___| |\  | | |  | | |_| | |\  |               *
 *   /_/   \_\_|   |_| |_____|_| \_| |_| |___\___/|_| \_|               *
 *                                                                      *
 ************************************************************************

The version of BIND in the RELENG_6 branch (FreeBSD 6.x) is NOT suitable
for use with DNSSEC, either as a validating resolver or an authoritative
name server. If you plan to use DNSSEC for any purpose you should use a
newer version of BIND, preferably version 9.6.x or higher.

Additionally, this version of BIND (9.3.x) is beyond its End Of Life (EOL)
date and is no longer supported by ISC. Newer versions are available in
the ports tree (e.g., /usr/ports/dns/bind96) or by upgrading your FreeBSD
installation to version 8.0 or higher.
*/

A better solution would be to apply the RRL patch to BIND in 8-stable and 9-stable. FreeBSD does ship a very controlled version of BIND in base, and keeping it patched is trivial in comparison with someone applying the patches themselves to "original" BIND sources that were just released (in a port). FreeBSD does apply patches to other software in base: for example ssh and the HPN patches.

Even if you personally prefer some other DNS resolver/server, that won't replace BIND in 8-stable or 9-stable (which will live on in the coming years and result in the same problems). Every FreeBSD installation does benefit from a mature and full-featured recursive resolver being available in the base system.

What else than BIND do you propose? Why is it better and ... most importantly, considering the topic of this thread: why do you think it will not be subject to many new SAs over time?

For.. if we don't have anything better at hand, BIND will apparently stay.

Daniel
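The message above argues about where the RRL protection should live (base or ports) and whether named.conf should warn the operator. As an added example, not part of Daniel Kalchev's message and not FreeBSD's shipped named.conf, here is the options block an operator setting up a public authoritative server from ports would end up with, showing the weak posture beside the corrected one. It assumes a named built with RRL support (a ports BIND carrying the RRL patch, or a later ISC release that includes it); the directory and zone paths follow the ports layout, 192.0.2.0/24 and 2001:db8::/32 are documentation prefixes standing in for the operator's own networks, and "example.org" is a placeholder zone.

```conf
// Added example: public authoritative name server hardened against
// use as a DDoS amplifier. Not FreeBSD's or ISC's stock configuration.
// 192.0.2.0/24, 2001:db8::/32 and example.org are placeholders.

options {
    directory "/usr/local/etc/namedb/working";  // ports layout; adjust to yours

    // Weak posture, shown for contrast. This pair turns a public
    // server into an open resolver that will amplify for anyone:
    //   recursion yes;
    //   allow-query { any; };

    recursion no;                    // authoritative only: never recurse for strangers
    allow-query { any; };            // authoritative data is public by definition
    allow-query-cache { none; };     // nothing cached to leak or to be queried for
    allow-transfer { 192.0.2.53; };  // secondaries only, never "any"
    minimal-responses yes;           // smaller answers: less amplification per query

    // Response Rate Limiting. A named built without RRL (such as the
    // base BIND discussed in the thread) fails to parse this block, which
    // named-checkconf reports as an unknown option: that is how you find
    // out you are running the wrong binary before an attacker does.
    rate-limit {
        responses-per-second 5;      // identical answers per client netblock per second
        nxdomains-per-second 5;      // NXDOMAIN floods are the common amplification vector
        errors-per-second 5;
        window 5;                    // seconds of credit a client may bank
        slip 2;                      // every 2nd dropped response becomes a truncated (TC)
                                     // reply, so real clients retry over TCP and
                                     // spoofed victims get a tiny packet instead of a big one
        ipv4-prefix-length 24;       // clients are counted per /24 ...
        ipv6-prefix-length 56;       // ... and per /56
        exempt-clients { 192.0.2.0/24; 2001:db8::/32; };  // your own monitoring/secondaries
        log-only no;                 // set yes first to measure before you enforce
    };
};

zone "example.org" {
    type master;
    file "/usr/local/etc/namedb/master/example.org";
};
```

Validate with `named-checkconf /usr/local/etc/namedb/named.conf` before restarting; run with `log-only yes` for a while and watch for "rate limit" entries in the log to confirm that legitimate resolvers are not being slipped before you switch it to `no`.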