On 31.07.13 15:22, Mark Felder wrote:
On Wed, Jul 31, 2013, at 6:15, Daniel Kalchev wrote:
On 31.07.13 09:38, Shane Ambler wrote:
For something that needs to be constantly updated in between system
updates then ports is the place to install it from.
You don't have to update BIND constantly, especially if you are not
using it. If you are using it, you will want it updated, no matter what.

Let's take a moment and consider the state of the internet and DNS
attacks. The RRL and RPZ2 patchsets[1] are newer developments that
successfully add additional security and features to BIND. It was also
recently announced that due to the success of this work the RRL[2] patch
will be accepted by ISC into BIND mainline.

How many users of BIND on FreeBSD are going to realize they need to run
a copy of BIND from ports to get this extremely important protection? It
certainly isn't going to get backported to 8-STABLE or 9-STABLE;

There is one solution to this, which I proposed earlier. Just don't ship/build the BIND binary by default. You will end up with only the resolver available and not be concerned with things like DDoS amplification. If you want an authoritative name server, just install it from ports.

Another solution is to include the appropriate warning in named.conf for anyone setting up a name server on FreeBSD to read. In fact, text like this is already present in, say, 6-stable's version (I know, that version is very outdated already):

/*
*************************************************************************
*           _  _____ _____ _____ _   _ _____ ___ ___  _ _             *
*          / \|_   _|_   _| ____| \ | |_   _|_ _/ _ \| \ | |            *
*         / _ \ | |   | | |  _| |  \| | | |  | | | | |  \| |            *
*        / ___ \| |   | | | |___| |\  | | |  | | |_| | |\ |            *
*       /_/   \_\_|   |_| |_____|_| \_| |_| |___\___/|_| \_|            *
*                                                                       *
*************************************************************************

The version of BIND in the RELENG_6 branch (FreeBSD 6.x) is NOT suitable
for use with DNSSEC, either as a validating resolver or an authoritative
name server.  If you plan to use DNSSEC for any purpose you should use a
newer version of BIND, preferably version 9.6.x or higher.

Additionally, this version of BIND (9.3.x) is beyond its End Of Life (EOL)
date and is no longer supported by ISC.

Newer versions are available in the ports tree (e.g., /usr/ports/dns/bind96)
or by upgrading your FreeBSD installation to version 8.0 or higher.
*/

A better solution would be to apply the RRL patch to BIND in 8-stable and 9-stable. FreeBSD does ship a very controlled version of BIND in base and keeping it patched is trivial, in comparison with someone applying the patches themselves on "original" BIND sources that were just released (in a port). FreeBSD does apply patches to other software in base: for example ssh and the HPN patches.

Even if you personally prefer some other DNS resolver/server, that won't replace BIND in 8-stable or 9-stable (which will live in the coming years and result in the same problems). Every FreeBSD installation does benefit from a mature and full-featured recursive resolver being available in the base system. What else than BIND do you propose? Why is it better and ... most importantly, considering the topic of this thread: why do you think it will not be subject to many new SAs over time?
For, if we don't have anything better at hand, BIND will apparently stay.

Daniel
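As an added example that is not from the thread or from FreeBSD's shipped named.conf: the resolver-only setup discussed above, written as a named.conf fragment that restricts recursion to local networks and enables BIND's rate-limit statement (the mainline form of the RRL patch). It assumes a BIND build that includes RRL, such as the ports version with the patchset or mainline BIND 9.9.4 and later; the addresses and prefixes are constructed sample values.

```conf
// Added example (not FreeBSD's named.conf): a host that should only ever be
// a recursive resolver for its own networks, never a public authoritative
// server. Requires a BIND build with RRL; without it, "rate-limit" is a
// syntax error and named will refuse to start.
options {
    listen-on { 127.0.0.1; 192.0.2.10; };           // constructed sample address

    // Answer recursive queries only for the local networks. An open
    // resolver is the usual source of DDoS amplification traffic.
    recursion yes;
    allow-recursion { 127.0.0.0/8; 192.0.2.0/24; };  // constructed sample prefix
    allow-query     { 127.0.0.0/8; 192.0.2.0/24; };

    // Response Rate Limiting: cap identical responses per client /24
    // (/56 for IPv6, the defaults). Excess responses are alternately
    // dropped and sent truncated ("slip"), so genuine clients retry over
    // TCP while spoofed UDP sources get no amplification.
    rate-limit {
        responses-per-second 5;
        errors-per-second    5;
        nxdomains-per-second 5;
        window 5;
        slip   2;
        log-only no;   // start with "yes" to see what would be limited
    };
};

logging {
    // RRL decisions have their own category; watch it while running with
    // log-only yes, and afterwards as a signal that a flood is under way.
    category rate-limit { default_syslog; };
};
```

Check the result with named-checkconf before reloading, since an older base BIND without RRL will reject the rate-limit block outright.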
_______________________________________________
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable