Skip site navigation (1)Skip section navigation (2)
Date:      Sat, 25 Jan 2014 13:33:54 -0800
From:      Waitman Gobble <gobble.wa@gmail.com>
To:        "freebsd-questions@freebsd.org" <freebsd-questions@freebsd.org>
Subject:   Re: Why was nslookup removed from FreeBSD 10?
Message-ID:  <CAFuo_fyJtSL=adMoJXDZNY14GLYia49bhXDe9SL=-hsCvhKTYw@mail.gmail.com>
In-Reply-To: <52E426B8.3080905@fjl.co.uk>
References:  <52E40CC4.6090401@fjl.co.uk> <201401252137.50132.mark.tinka@seacom.mu> <52E41619.1000505@fjl.co.uk> <20140125202038.125a4264@gumby.homeunix.com> <52E426B8.3080905@fjl.co.uk>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help
On Sat, Jan 25, 2014 at 1:03 PM, Frank Leonhardt <frank2@fjl.co.uk> wrote:

> On 25/01/2014 20:20, RW wrote:
>
>> On Sat, 25 Jan 2014 19:52:57 +0000
>> Frank Leonhardt wrote:
>>
>>
>>  As you and Waitman both pointed out, nslookup IS part of BIND, yet as
>>> I said in the diatribe following the question in my post, so is
>>> "host" and that's still there.
>>>
>> >From the host manpage:
>>
>> COMPATIBILITY
>>       host aims to be reasonably compatible with `host' utility from
>>       BIND9 distribution,
>>
>
> Yes -  I read that too, and assumed it means it's a derived work until I'd
> checked the source code. It's contributed, but part of ldns and not bind.
> By removing bind from the base system in favour of ldns based stuff, it
> could mean that its just the case that no one wrote an ldns version of
> nslookup or dig; only host. This is one of my theories as to the answer.
>
> It's worth noting that one of the criticisms I've heard of nslookup has
> been that it DOESN'T use BIND as a resolver and works in its self-contained
> way, and is therefore not valid as a DNS (meaning BIND) debugging tool.
> However, it should mean that it's stand-alone - hence the Windoze port
> (which used to contain incriminating strings showing it was pinched from
> BSD!)
>
> So if you prefer a slightly rephrased question: Why has someone written
> "host" for FreeBSD 10.0 but neglected to provide nslookup (or dig)?
>
> As to Matt's comment that "almost half of all the security vulnerabilities
> in the entire lifetime of the FreeBSD project have been from BIND.
> Personally, I'd say that's "pretty spectacular."" - I'd say that's these
> security vulnerabilities are more to do with DNS the protocol rather than
> BIND the implementation. Whoever would have thought that criminals would
> have got their hands on computers? By removing BIND and not replacing it
> with anything (apart from a local resolver) will, I guess, meet your
> security needs. But I'm talking about nslookup, not the whole of BIND and
> all its utilities. I've never heard of a security problem with nslookup.
> Except, of course, with the Micro$soft version ;-)
>
> There must be a discussion about how the decision was taken somewhere,
> mustn't there? If there isn't, its looking like an accident.
>
> Regards, Frank.
>
>
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-
> unsubscribe@freebsd.org"
>


I believe the reasoning..  because BIND is a full-featured authoritative
name server (and much more), unbound has a much more narrow aim. unbound
also has BSD license. (ISC is similar).

Anyway, So far I like my experimental BIND10 authoritative nameserver much
better than my BIND9 servers, but I can't see how BIND10 would ever be part
of base. That wouldn't work.


-- 
Waitman Gobble
San Jose California USA
510-830-7975



Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?CAFuo_fyJtSL=adMoJXDZNY14GLYia49bhXDe9SL=-hsCvhKTYw>