Date: Sat, 25 Jan 2014 13:33:54 -0800
Subject: Re: Why was nslookup removed from FreeBSD 10?
From: Waitman Gobble
To: "freebsd-questions@freebsd.org"

On Sat, Jan 25, 2014 at 1:03 PM, Frank Leonhardt wrote:

> On 25/01/2014 20:20, RW wrote:
>
>> On Sat, 25 Jan 2014 19:52:57 +0000
>> Frank Leonhardt wrote:
>>
>>> As you and Waitman both pointed out, nslookup IS part of BIND, yet as
>>> I said in the diatribe following the question in my post, so is
>>> "host" and that's still there.
>>>
>> From the host manpage:
>>
>> COMPATIBILITY
>> host aims to be reasonably compatible with `host' utility from
>> BIND9 distribution,
>>
>
> Yes - I read that too, and assumed it means it's a derived work until I'd
> checked the source code. It's contributed, but part of ldns and not bind.
> By removing bind from the base system in favour of ldns based stuff, it
> could mean that it's just the case that no one wrote an ldns version of
> nslookup or dig; only host. This is one of my theories as to the answer.
>
> It's worth noting that one of the criticisms I've heard of nslookup has
> been that it DOESN'T use BIND as a resolver and works in its self-contained
> way, and is therefore not valid as a DNS (meaning BIND) debugging tool.
> However, it should mean that it's stand-alone - hence the Windoze port
> (which used to contain incriminating strings showing it was pinched from
> BSD!)
>
> So if you prefer a slightly rephrased question: Why has someone written
> "host" for FreeBSD 10.0 but neglected to provide nslookup (or dig)?
>
> As to Matt's comment that "almost half of all the security vulnerabilities
> in the entire lifetime of the FreeBSD project have been from BIND.
> Personally, I'd say that's "pretty spectacular."" - I'd say that these
> security vulnerabilities are more to do with DNS the protocol rather than
> BIND the implementation. Whoever would have thought that criminals would
> have got their hands on computers? By removing BIND and not replacing it
> with anything (apart from a local resolver) will, I guess, meet your
> security needs. But I'm talking about nslookup, not the whole of BIND and
> all its utilities. I've never heard of a security problem with nslookup.
> Except, of course, with the Micro$soft version ;-)
>
> There must be a discussion about how the decision was taken somewhere,
> mustn't there? If there isn't, it's looking like an accident.
>
> Regards, Frank.
>

I believe the reasoning.. because BIND is a full-featured authoritative name
server (and much more), unbound has a much more narrow aim. unbound also has
BSD license. (ISC is similar).

Anyway, so far I like my experimental BIND10 authoritative nameserver much
better than my BIND9 servers, but I can't see how BIND10 would ever be part
of base. That wouldn't work.

-- 
Waitman Gobble
San Jose California USA
510-830-7975