Date: Tue, 30 Jul 2013 16:10:07 +0200
From: "Ronald Klop" <ronald-freebsd8@klop.yi.org>
To: freebsd-stable@freebsd.org
Subject: Re: Bind in FreeBSD, security advisories
Message-ID: <op.w01ga50n8527sy@ronaldradial.versatec.local>
In-Reply-To: <1375193086.25610.3260371.08421FD0@webmail.messagingengine.com>
References: <CAO%2BPfDctepQY0mGH7H%2BgOSm4HJwhe-RCND%2BmxAArnRxpWiCsjg@mail.gmail.com>
 <1375186900.23467.3223791.24CB348A@webmail.messagingengine.com>
 <51F7B5C7.6050008@digsys.bg>
 <CAOgwaMt4G02yhU0cbiq_EEwhi4=mgt2kLGJf0Rgb8t9wECsGJA@mail.gmail.com>
 <51F7C07C.9060606@digsys.bg>
 <1375193086.25610.3260371.08421FD0@webmail.messagingengine.com>

On Tue, 30 Jul 2013 16:04:46 +0200, Mark Felder <feld@freebsd.org> wrote:

> On Tue, Jul 30, 2013, at 8:32, Daniel Kalchev wrote:
>>
>>
>> This is very much a situation like replacing gcc with clang/llvm.
>> However, in the case of BIND we have no licensing problems, stability
>> problems, performance problems etc --- just concerns that BIND generates
>> many SAs -- which might actually be a good indicator, as it demonstrates
>> that BIND is worked on.
>>
>
> There's a man with a name whose initials match DJB that would strongly
> disagree. Now he's not always the best person to reference, but he's
> made a succinct point with his own software, whether or not you like
> using it.
>
> Unbound/NSD are suitable replacements if we really need something in
> base, and they have been picked up by OpenBSD for a good reason --
> clean, secure, readable, maintainable codebases and their use across the
> internet and on the ROOT servers is growing.
>
>> I personally see no reason to remove BIND from base. If someone does not
>> want BIND in their system, they could always use the WITHOUT_BIND build
>> switch.
>
> I'd be inclined to agree if it wasn't such a wholly insecure chunk of
> code. You don't see people whining about Sendmail in base when they
> prefer Postfix or Exim, but Sendmail doesn't have a new exploit every
> week. You do tend to need an MTA for getting messages off the system
> more than you need a local recursor/cache, but at least it's not causing
> you maintenance headaches. If you consider the possibility that a large
> enough percentage of users really desire a local recursor/cache it
> should be our duty to give them the best option available.

DragonflyBSD also removed BIND from base some time ago.
http://www.shiningsilence.com/dbsdlog/2010/05/06/5853.html

Ronald.