Bind in FreeBSD, security advisories

2013-07-30 Thread David Demelier
Hi,

For years, a lot of security advisories have been issued for bind.
I'm just wondering if it's not a good idea to remove bind from base?

This would probably halve the number of FreeBSD SAs in the future.

Regards,

-- 
Demelier David
___
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "freebsd-stable-unsubscr...@freebsd.org"


Re: Bind in FreeBSD, security advisories

2013-07-30 Thread Mark Felder
People don't seem upset about not having a webserver, IMAP/POP daemon,
or LDAP server in base, so I don't understand what the big deal is about
removing BIND. If the concern is over the rare case when you absolutely
need a DNS recursor and there are none you can reach I suppose we should
just import Unbound. However, if you can't reach any DNS servers I
assume you can't reach the roots either, so I don't understand what a
local recursor will gain you.

I support removing BIND from base, but there's a larger conversation to
be had (again).


Re: Bind in FreeBSD, security advisories

2013-07-30 Thread Tom Evans
On Tue, Jul 30, 2013 at 8:55 AM, David Demelier wrote:
> Hi,
>
> For years, a lot of security advisories have been issued for bind.
> I'm just wondering if it's not a good idea to remove bind from base?
>
> This would probably halve the number of FreeBSD SAs in the future.
>

Sure, but no bind in base also implies no dig, nslookup or host.

Cheers

Tom


Re: Bind in FreeBSD, security advisories

2013-07-30 Thread Wiley, Glen
I think you could conceptually differentiate between DNS clients and
servers and remove bind without removing the DNS clients.

On 7/30/13 8:39 AM, "Tom Evans" wrote:

>On Tue, Jul 30, 2013 at 8:55 AM, David Demelier wrote:
>> Hi,
>>
>> For years, a lot of security advisories have been issued for bind.
>> I'm just wondering if it's not a good idea to remove bind from base?
>>
>> This would probably halve the number of FreeBSD SAs in the future.
>>
>
>Sure, but no bind in base also implies no dig, nslookup or host.
>
>Cheers
>
>Tom


Re: Bind in FreeBSD, security advisories

2013-07-30 Thread Garrett Wollman
In article <1375186900.23467.3223791.24cb3...@webmail.messagingengine.com>, f...@freebsd.org writes:

>just import Unbound. However, if you can't reach any DNS servers I
>assume you can't reach the roots either, so I don't understand what a
>local recursor will gain you.

There are plenty of situations in which a remote recursive resolver is
untrustworthy.  (Some would say any situation.)  It doesn't have to be
BIND, but people do legitimately want the normal DNS diagnostic
utilities, which sadly have been tied together with BIND for some
years now.  (I don't know why anyone would ever use nslookup(1), but
host(1) and dig(1) are pretty much essential.)

It is a little bit disconcerting to see that big chunks of our BSD
heritage have turned into someone else's commercial product, but that
seems to be the way of the world these days.

-GAWollman



Re: Bind in FreeBSD, security advisories

2013-07-30 Thread Daniel Kalchev


On 30.07.13 15:21, Mark Felder wrote:

> People don't seem upset about not having a webserver, IMAP/POP daemon,
> or LDAP server in base, so I don't understand what the big deal is about
> removing BIND.

I believe the primary reason these things are not in the base system is
that they have plenty of dependencies, with possibly conflicting
licenses etc.

> If the concern is over the rare case when you absolutely
> need a DNS recursor and there are none you can reach I suppose we should
> just import Unbound.

There are many and good reasons to include a fully featured name
server, or at least a full recursive resolver. For example, for properly
supporting DNSSEC.
We could in theory remove BIND's authoritative name server
executable... if that is attracting the SAs.

The justification "reduce the number of SA's", that is, "the bad PR" is
probably not enough. Going that direction, we should consider Comrade
Stalin's maxim "FreeBSD exists, there are problems, here is the solution
-- no FreeBSD, no problems!" :-)


Daniel


Re: Bind in FreeBSD, security advisories

2013-07-30 Thread Mark Felder
On Tue, Jul 30, 2013, at 7:45, Garrett Wollman wrote:
> 
> There are plenty of situations in which a remote recursive resolver is
> untrustworthy.  (Some would say any situation.)  It doesn't have to be
> BIND, but people do legitimately want the normal DNS diagnostic
> utilities, which sadly have been tied together with BIND for some
> years now.  (I don't know why anyone would ever use nslookup(1), but
> host(1) and dig(1) are pretty much essential.)
> 

If you're that paranoid about a remote resolver you'd have to be
paranoid about someone doing a MITM on your DNS lookups altogether,
since even having your own local recursor can't protect you from that as
99% of the web doesn't use DNSSEC. This will quickly turn into a
security yak-shaving contest, but I completely understand your
viewpoint.

I'd vote for keeping the bind utilities in base; I use them every day.
The ones provided with unbound work well, but finger memory...


Re: Bind in FreeBSD, security advisories

2013-07-30 Thread Mark Felder
On Tue, Jul 30, 2013, at 7:47, Daniel Kalchev wrote:
> 
> We could in theory remove BIND's authoritative name server
> executable... if that is attracting the SAs.
> 

It's the same executable, that's the problem :-)


Re: Bind in FreeBSD, security advisories

2013-07-30 Thread Mehmet Erol Sanliturk
On Tue, Jul 30, 2013 at 8:47 AM, Daniel Kalchev wrote:

>
> On 30.07.13 15:21, Mark Felder wrote:
>
>> People don't seem upset about not having a webserver, IMAP/POP daemon,
>> or LDAP server in base, so I don't understand what the big deal is about
>> removing BIND.
>>
>
> I believe the primary reason these things are not in the base system is
> that they have plenty of dependencies, with possibly conflicting licenses
> etc.
>
>> If the concern is over the rare case when you absolutely
>> need a DNS recursor and there are none you can reach I suppose we should
>> just import Unbound.
>>
>
> There are many and good reasons to include a fully featured name server,
> or at least a full recursive resolver. For example, for properly supporting
> DNSSEC.
> We could in theory remove BIND's authoritative name server
> executable... if that is attracting the SAs.
>
> The justification "reduce the number of SA's", that is, "the bad PR" is
> probably not enough. Going that direction, we should consider Comrade
> Stalin's maxim "FreeBSD exists, there are problems, here is the solution --
> no FreeBSD, no problems!" :-)
>
> Daniel
>



Then, there exists a new problem:

"There is no FreeBSD ..."

Thank you very much.


Mehmet Erol Sanliturk


Re: Bind in FreeBSD, security advisories

2013-07-30 Thread Daniel Kalchev


On 30.07.13 16:13, Mehmet Erol Sanliturk wrote:

> On Tue, Jul 30, 2013 at 8:47 AM, Daniel Kalchev wrote:
>
>> Going that direction, we should consider Comrade Stalin's maxim
>> "FreeBSD exists, there are problems, here is the solution -- no
>> FreeBSD, no problems!" :-)
>>
>> Daniel
>
> Then, there exists a new problem:
>
> "There is no FreeBSD ..."

We already know Comrade Stalin's solution had... bugs. Not before
millions parted with their lives...

When/if we remove BIND from FreeBSD, we might find out whether that
solution has bugs, or not. Not until then, though.


Back to the topic :)

My take on this is that removing BIND from the base today is..
irresponsible. First, most who use FreeBSD expect a DNS server to be
readily available. Some people would just avoid using any ports etc.
BIND in base is well tested and known evil. If we are ever to replace it
with something else, that something else has to prove itself -
demonstrate that it is at least as good as BIND -- in the base system.
In practice, not in theory.

This is very much a situation like replacing gcc with clang/llvm.
However, in the case of BIND we have no licensing problems, stability
problems, performance problems etc --- just concerns that BIND generates
many SAs -- which might actually be a good indicator, as it demonstrates
that BIND is worked on.

I personally see no reason to remove BIND from base. If someone does not
want BIND in their system, they could always use the WITHOUT_BIND build
switch.


Daniel


Re: Bind in FreeBSD, security advisories

2013-07-30 Thread Ronald Klop
On Tue, 30 Jul 2013 15:32:44 +0200, Daniel Kalchev wrote:

> On 30.07.13 16:13, Mehmet Erol Sanliturk wrote:
>
>> On Tue, Jul 30, 2013 at 8:47 AM, Daniel Kalchev wrote:
>>
>>> Going that direction, we should consider Comrade Stalin's maxim
>>> "FreeBSD exists, there are problems, here is the solution -- no
>>> FreeBSD, no problems!" :-)
>>>
>>> Daniel
>>
>> Then, there exists a new problem:
>>
>> "There is no FreeBSD ..."
>
> We already know Comrade Stalin's solution had... bugs. Not before
> millions parted with their lives...
>
> When/if we remove BIND from FreeBSD, we might find out whether that
> solution has bugs, or not. Not until then, though.
>
> Back to the topic :)
>
> My take on this is that removing BIND from the base today is..
> irresponsible. First, most who use FreeBSD expect a DNS server to be
> readily available.

Interesting. What are your statistics of 'most' based on?

Ronald.

> Some people would just avoid using any ports etc.
> BIND in base is well tested and known evil. If we are ever to replace it
> with something else, that something else has to prove itself -
> demonstrate that it is at least as good as BIND -- in the base system.
> In practice, not in theory.
>
> This is very much a situation like replacing gcc with clang/llvm.
> However, in the case of BIND we have no licensing problems, stability
> problems, performance problems etc --- just concerns that BIND generates
> many SAs -- which might actually be a good indicator, as it demonstrates
> that BIND is worked on.
>
> I personally see no reason to remove BIND from base. If someone does not
> want BIND in their system, they could always use the WITHOUT_BIND build
> switch.
>
> Daniel


Re: Bind in FreeBSD, security advisories

2013-07-30 Thread sthaug
> > For years, a lot of security advisories have been issued for bind.
> > I'm just wondering if it's not a good idea to remove bind from base?
> >
> > This would probably halve the number of FreeBSD SAs in the future.
> >
> 
> Sure, but no bind in base also implies no dig, nslookup or host.

Exactly. It's a slippery slope - if we continue removing useful
functionality from FreeBSD there are fewer and fewer arguments for
why one should use FreeBSD and not Linux.

Yes, I know everything can be installed from packages/ports. Two of
*my* main reasons for using FreeBSD are that:

1. It's an integrated *system*, not just a kernel.
2. The base system contains a lot of the useful functionality I need.

and every contrib part which is removed, detracts from this.

YMMV.

Steinar Haug, Nethelp consulting, sth...@nethelp.no


Re: Bind in FreeBSD, security advisories

2013-07-30 Thread Mark Felder
On Tue, Jul 30, 2013, at 8:44, Ronald Klop wrote:
> 
> Interesting. What are your statistics of 'most' based on?
> 

Yes, this shouldn't be left to conjecture. A large community poll should
be the first step IMHO.


Strange sendmail behaviour after upgrade to 9.1-BETA2

2013-07-30 Thread Pavel Timofeev
Hello everyone!
I've just upgraded (binary) my server from FreeBSD 9.1-RELEASE amd64
to 9.2-BETA2.
And my sendmail can't resolve any hostname. It says:
Jul 30 17:28:54 reticulum sm-mta[3191]: r6UCqeun016122:
to=, ctladdr= (1001/1001),
delay=00:36:14, xdelay=00:00:00, mailer=esmtp, pri=300348,
relay=kalmar.xxx.ru., dsn=4.0.0, stat=Deferred: Name server:
kalmar.xxx.ru.: host name lookup failure

Meanwhile, I didn't change anything in resolv.conf and I can't find
anything wrong when I use nslookup manually. It works. Furthermore,
when I set in mailertable something like
xxx.ru  smtp:[192.168.62.209]
where the IP address is that of another server (not kalmar's, which is
the MX server), sendmail works but with a strange log message
Jul 30 17:44:17 octans sm-mta[11666]: r6UDiGhD011656:
to=, ctladdr= (1001/1001),
delay=00:00:01, xdelay=00:00:01, mailer=smtp, pri=30340,
relay=[192.168.62.209] [192.168.62.209], dsn=2.0.0, stat=Sent
(r6UDiG8v018961 Message accepted for delivery)
Why does it say the relay's IP address two times in the log?
Is anyone experiencing such problems? I mean, can someone confirm
similar behaviour?
Could you please check on 9.2-BETA2 stuff like "echo bla | mail
myem...@mydomain.com"?
I can provide more info if you want. Thanks!


Re: Bind in FreeBSD, security advisories

2013-07-30 Thread Wiley, Glen
The package would have to be reworked to remove the name server - not an
impossible task and you could make a case for it from an ideological
perspective, but is it worth the work?

On 7/30/13 8:59 AM, "Mark Felder" wrote:

>On Tue, Jul 30, 2013, at 7:47, Daniel Kalchev wrote:
>> 
>> We could in theory remove BIND's authoritative name server
>> executable... if that is attracting the SAs.
>> 
>
>It's the same executable, that's the problem :-)


Re: Bind in FreeBSD, security advisories

2013-07-30 Thread Mark Felder
On Tue, Jul 30, 2013, at 8:32, Daniel Kalchev wrote:
> 
> 
> This is very much a situation like replacing gcc with clang/llvm. 
> However, in the case of BIND we have no licensing problems, stability 
> problems, performance problems etc --- just concerns that BIND generates 
> many SAs -- which might actually be a good indicator, as it demonstrates 
> that BIND is worked on.
> 

There's a man with a name whose initials match DJB that would strongly
disagree. Now he's not always the best person to reference, but he's
made a succinct point with his own software, whether or not you like
using it. 

Unbound/NSD are suitable replacements if we really need something in
base, and they have been picked up by OpenBSD for a good reason --
clean, secure, readable, maintainable codebases and their use across the
internet and on the ROOT servers is growing.

> I personally see no reason to remove BIND from base. If someone does not 
> want BIND in their system, they could always use the WITHOUT_BIND build 
> switch.

I'd be inclined to agree if it wasn't such a wholly insecure chunk of
code. You don't see people whining about Sendmail in base when they
prefer Postfix or Exim, but Sendmail doesn't have a new exploit every
week. You do tend to need an MTA for getting messages off the system
more than you need a local recursor/cache, but at least it's not causing
you maintenance headaches. If you consider the possibility that a large
enough percentage of users really desire a local recursor/cache it
should be our duty to give them the best option available.


Re: Bind in FreeBSD, security advisories

2013-07-30 Thread Tim Daneliuk

On 07/30/2013 08:13 AM, Mehmet Erol Sanliturk wrote:

> On Tue, Jul 30, 2013 at 8:47 AM, Daniel Kalchev wrote:
>
>> On 30.07.13 15:21, Mark Felder wrote:
>>
>>> People don't seem upset about not having a webserver, IMAP/POP daemon,
>>> or LDAP server in base, so I don't understand what the big deal is about
>>> removing BIND.
>>
>> I believe the primary reason these things are not in the base system is
>> that they have plenty of dependencies, with possibly conflicting licenses
>> etc.
>>
>>> If the concern is over the rare case when you absolutely
>>> need a DNS recursor and there are none you can reach I suppose we should
>>> just import Unbound.
>>
>> There are many and good reasons to include a fully featured name server,
>> or at least a full recursive resolver. For example, for properly supporting
>> DNSSEC.
>> We could in theory remove BIND's authoritative name server
>> executable... if that is attracting the SAs.
>>
>> The justification "reduce the number of SA's", that is, "the bad PR" is
>> probably not enough. Going that direction, we should consider Comrade
>> Stalin's maxim "FreeBSD exists, there are problems, here is the solution --
>> no FreeBSD, no problems!" :-)
>>
>> Daniel
>
> Then, there exists a new problem:
>
> "There is no FreeBSD ..."
>
> Thank you very much.




Exactly.  Either strip everything out of the base
including things like perl or admit that there is more
to a modern OS than just kernel and admin tools.



--
---
Tim Daneliuk


Re: Bind in FreeBSD, security advisories

2013-07-30 Thread Mark Felder
On Tue, Jul 30, 2013, at 8:42, sth...@nethelp.no wrote:
> 
> and every contrib part which is removed, detracts from this.
> 

And every contrib part that is added to base is another piece of
software that rots for the life of a major release and ends up getting
replaced by frustrated endusers with the latest in ports...

The tight integration of the base system that everyone appreciates and
respects is far below high-level software like BIND.


Re: Bind in FreeBSD, security advisories

2013-07-30 Thread Ronald Klop

On Tue, 30 Jul 2013 16:04:46 +0200, Mark Felder wrote:

> On Tue, Jul 30, 2013, at 8:32, Daniel Kalchev wrote:
>
>> This is very much a situation like replacing gcc with clang/llvm.
>> However, in the case of BIND we have no licensing problems, stability
>> problems, performance problems etc --- just concerns that BIND generates
>> many SAs -- which might actually be a good indicator, as it demonstrates
>> that BIND is worked on.
>
> There's a man with a name whose initials match DJB that would strongly
> disagree. Now he's not always the best person to reference, but he's
> made a succinct point with his own software, whether or not you like
> using it.
>
> Unbound/NSD are suitable replacements if we really need something in
> base, and they have been picked up by OpenBSD for a good reason --
> clean, secure, readable, maintainable codebases and their use across the
> internet and on the ROOT servers is growing.
>
>> I personally see no reason to remove BIND from base. If someone does not
>> want BIND in their system, they could always use the WITHOUT_BIND build
>> switch.
>
> I'd be inclined to agree if it wasn't such a wholly insecure chunk of
> code. You don't see people whining about Sendmail in base when they
> prefer Postfix or Exim, but Sendmail doesn't have a new exploit every
> week. You do tend to need an MTA for getting messages off the system
> more than you need a local recursor/cache, but at least it's not causing
> you maintenance headaches. If you consider the possibility that a large
> enough percentage of users really desire a local recursor/cache it
> should be our duty to give them the best option available.



DragonflyBSD also removed BIND from base some time ago.
http://www.shiningsilence.com/dbsdlog/2010/05/06/5853.html

Ronald.


Re: Bind in FreeBSD, security advisories

2013-07-30 Thread Ronald Klop
On Tue, 30 Jul 2013 15:53:08 +0200, Tim Daneliuk wrote:

> On 07/30/2013 08:13 AM, Mehmet Erol Sanliturk wrote:
>> On Tue, Jul 30, 2013 at 8:47 AM, Daniel Kalchev wrote:
>>
>>> On 30.07.13 15:21, Mark Felder wrote:
>>>
>>>> People don't seem upset about not having a webserver, IMAP/POP daemon,
>>>> or LDAP server in base, so I don't understand what the big deal is
>>>> about removing BIND.
>>>
>>> I believe the primary reason these things are not in the base system is
>>> that they have plenty of dependencies, with possibly conflicting
>>> licenses etc.
>>>
>>>> If the concern is over the rare case when you absolutely
>>>> need a DNS recursor and there are none you can reach I suppose we
>>>> should just import Unbound.
>>>
>>> There are many and good reasons to include a fully featured name
>>> server, or at least a full recursive resolver. For example, for properly
>>> supporting DNSSEC.
>>> We could in theory remove BIND's authoritative name server
>>> executable... if that is attracting the SAs.
>>>
>>> The justification "reduce the number of SA's", that is, "the bad PR" is
>>> probably not enough. Going that direction, we should consider Comrade
>>> Stalin's maxim "FreeBSD exists, there are problems, here is the
>>> solution -- no FreeBSD, no problems!" :-)
>>>
>>> Daniel
>>
>> Then, there exists a new problem:
>>
>> "There is no FreeBSD ..."
>>
>> Thank you very much.
>
> Exactly.  Either strip everything out of the base
> including things like perl or admit that there is more
> to a modern OS than just kernel and admin tools.





You have perl in base?
http://bsd.slashdot.org/story/02/05/14/0015234/freebsd-perl-to-be-removed
;-)

Ronald.


Re: Bind in FreeBSD, security advisories

2013-07-30 Thread Chris Ross

On Jul 30, 2013, at 10:07, Mark Felder wrote:
> On Tue, Jul 30, 2013, at 8:42, sth...@nethelp.no wrote:
>> 
>> and every contrib part which is removed, detracts from this.
> 
> And every contrib part that is added to base is another piece of
> software that rots for the life of a major release and ends up getting
> replaced by frustrated endusers with the latest in ports…

  I do generally agree with this point, but it's not "every contrib part".
Many contrib additions can be useful to a majority, and not rotting
software.  Some will use more recent replacements from ports, others
won't, but it's not always bad.

> The tight integration of the base system that everyone appreciates and
> respects is far below high-level software like BIND.

  I agree with this point too, however I, like others have voiced, feel
strongly that diagnostic [client] tools like host and/or dig are not at
all "high-level software" and _need_ to be present in a base
system.  Whosever they are.

   - Chris




Re: Bind in FreeBSD, security advisories

2013-07-30 Thread Ronald Klop

On Tue, 30 Jul 2013 16:07:30 +0200, Mark Felder wrote:

> On Tue, Jul 30, 2013, at 8:42, sth...@nethelp.no wrote:
>
>> and every contrib part which is removed, detracts from this.
>
> And every contrib part that is added to base is another piece of
> software that rots for the life of a major release and ends up getting
> replaced by frustrated endusers with the latest in ports...
>
> The tight integration of the base system that everyone appreciates and
> respects is far below high-level software like BIND.


+1



Re: Bind in FreeBSD, security advisories

2013-07-30 Thread Freddie Cash
On 2013-07-30 12:55 AM, "David Demelier" wrote:
>
> Hi,
>
> For years, a lot of security advisories have been issued for bind.
> I'm just wondering if it's not a good idea to remove bind from base?
>
> This would probably halve the number of FreeBSD SAs in the future.

Hasn't this discussion occurred several times already on the -current
mailing list over the past year? And hadn't unbound and/or ldns been
imported into -current already?

This just seems very familiar somehow...


Re: Strange sendmail behaviour after upgrade to 9.1-BETA2

2013-07-30 Thread Pavel Timofeev
Sorry, I've already realised that the doubled relay IP address in the log is normal.
Anyway, the problem is still here.

2013/7/30 Pavel Timofeev:
> Hello everyone!
> I've just upgraded (binary) my server from FreeBSD 9.1-RELEASE amd64
> to 9.2-BETA2.
> And my sendmail can't resolve any hostname. It says:
> Jul 30 17:28:54 reticulum sm-mta[3191]: r6UCqeun016122:
> to=, ctladdr= (1001/1001),
> delay=00:36:14, xdelay=00:00:00, mailer=esmtp, pri=300348,
> relay=kalmar.xxx.ru., dsn=4.0.0, stat=Deferred: Name server:
> kalmar.xxx.ru.: host name lookup failure
>
> Meanwhile, I didn't change anything in resolv.conf and I can't find
> anything wrong when I use nslookup manually. It works. Furthermore,
> when I set in mailertable something like
> xxx.ru  smtp:[192.168.62.209]
> where the IP address is that of another server (not kalmar's, which is
> the MX server), sendmail works but with a strange log message
> Jul 30 17:44:17 octans sm-mta[11666]: r6UDiGhD011656:
> to=, ctladdr= (1001/1001),
> delay=00:00:01, xdelay=00:00:01, mailer=smtp, pri=30340,
> relay=[192.168.62.209] [192.168.62.209], dsn=2.0.0, stat=Sent
> (r6UDiG8v018961 Message accepted for delivery)
> Why does it say the relay's IP address two times in the log?
> Is anyone experiencing such problems? I mean, can someone confirm
> similar behaviour?
> Could you please check on 9.2-BETA2 stuff like "echo bla | mail
> myem...@mydomain.com"?
> I can provide more info if you want. Thanks!


Re: Bind in FreeBSD, security advisories

2013-07-30 Thread Mark Felder
On Tue, Jul 30, 2013, at 9:10, Ronald Klop wrote:
> 
> DragonflyBSD also removed BIND from base some time ago.
> http://www.shiningsilence.com/dbsdlog/2010/05/06/5853.html
> 

I was not aware of this; that's worth referencing. I'm not sure where
NetBSD stands but a quick search implies that they still have BIND in
base.

To all: please note that my emails on this subject are personal opinions
of mine and mine only; I have no idea what other @FreeBSD.org people
think. It's merely my own conclusion of where I think FreeBSD should be
headed after several years of FreeBSD administration. There are people
much wiser and informed than I who will be making the decision if this
ever comes to pass before 10.0-RELEASE...


Re: Bind in FreeBSD, security advisories

2013-07-30 Thread Michael Grimm

On 2013-07-30 16:04, Mark Felder wrote:

> Unbound/NSD are suitable replacements if we really need something in
> base, and they have been picked up by OpenBSD for a good reason --
> clean, secure, readable, maintainable codebases and their use across
> the internet and on the ROOT servers is growing.

+1

I switched two years ago and disabled bind in /etc/src.conf. Thus, I
could skip some followup work regarding SAs in the past, multiplied by
the number of servers involved.

Regards,
Michael



Re: Bind in FreeBSD, security advisories

2013-07-30 Thread O. Hartmann
On Tue, 30 Jul 2013 09:07:30 -0500
Mark Felder wrote:

> On Tue, Jul 30, 2013, at 8:42, sth...@nethelp.no wrote:
> > 
> > and every contrib part which is removed, detracts from this.
> > 
> 
> And every contrib part that is added to base is another piece of
> software that rots for the life of a major release and ends up getting
> replaced by frustrated endusers with the latest in ports...
> 
> The tight integration of the base system that everyone appreciates and
> respects is far below high-level software like BIND.

So Linux did already nullify the contributions in the base system by
eliminating ALL contributions but the kernel - the purest way one can
go.





Re: Bind in FreeBSD, security advisories

2013-07-30 Thread Royce Williams
On Tue, Jul 30, 2013 at 6:29 AM, Michael Grimm wrote:
>
> On 2013-07-30 16:04, Mark Felder wrote:
>
>> Unbound/NSD are suitable replacements if we really need something in
>> base, and they have been picked up by OpenBSD for a good reason --
>> clean, secure, readable, maintainable codebases and their use across the
>> internet and on the ROOT servers is growing.

I don't know enough about BIND replacements to identify them all by
sight, but according to bsdstats.org's ports/dns category:

http://bsdstats.org/ports.php?category=27

... across all OSes (I'm not sure how to filter on just FreeBSD), of
the 23996 systems reporting, 4966 (~20.71%) are running something
from ports that I roughly recognize as a potential replacement for
BIND in base:

bind84-base 15
bind9 152
bind9-base 187
bind9-dlz+mysql+db41 5
bind9-sdb-ldap 36
bind9-sdb-ldap-base 20
bind94 40
bind94-base 157
bind95 29
bind95-base 54
bind96 146
bind96-base 181
bind97 120
bind97-base 429
bind97-sdb 8
bind97-sdb-base 12
bind98 202
bind98-base 423
bind98-devel 13
bind99 259
bind99-base 405
bind99-devel 12
djbdns 629
djbdns-ipv6 392
nsd 140
powerdns 189
powerdns-devel 17
powerdns-recursor 120
udns 215
unbound 359

4966/23977 = 0.20712

Given how many PC-BSD boxes there are, and how many folks that are
running FreeBSD and bsdstats may not know why (or how) to replace
BIND, ~20% seems like a significant number.

I'm not advocating either way; I'm just providing some data points.

Royce


Re: Bind in FreeBSD, security advisories

2013-07-30 Thread J David
Half the people will say:

"There should be more stuff in base!"

The other half will say:

"There should be less stuff in base!"

People don't generally change each other's minds about this because
they start from competing definitions of what is good that are 100%
opinion in nature.

(Spoken as a hardcore advocate of "There should be less stuff in base!")

DNS client and DNS server functionality are quite different, and it
would be swell if there were a set of BIND-independent client tools
that were part of the base so that BIND could, at a minimum, be left
out via WITH_BIND=no in src.conf or similar without producing a
crippled system.  And/or people could install the DNS server of their
choice (whether unbound or BIND or whatever) using pkg.

If there isn't one already readily available, I might even volunteer
to help develop that set of client tools at such time as FreeBSD
coding standards allow C++11 in the tree. :)


Re: Bind in FreeBSD, security advisories

2013-07-30 Thread sthaug
> > and every contrib part which is removed, detracts from this.
> > 
> 
> And every contrib part that is added to base is another piece of
> software that rots for the life of a major release and ends up getting
> replaced by frustrated endusers with the latest in ports...
> 
> The tight integration of the base system that everyone appreciates and
> respects is far below high-level software like BIND.

Speaking only for myself, I disagree rather strongly with this.

Looking at /usr/src/contrib on an 8.4-STABLE system, I use the
following frequently (often several times per day):

bind9
diff
less
libreadline (used by lots of other stuff)
ntp
nvi
tcp_wrappers
tcpdump
tcsh
telnet
top
traceroute

If you remove these contrib parts from FreeBSD, that means at least
12 packages I'd need to install on every new FreeBSD system to get
the system in a (for me) functional state. Certainly not a *major*
hassle - but having these parts integrated is part of the FreeBSD
attraction. I don't think we should work to make FreeBSD less
attractive...

Steinar Haug, Nethelp consulting, sth...@nethelp.no


Re: Bind in FreeBSD, security advisories

2013-07-30 Thread Ronald Klop

On Tue, 30 Jul 2013 16:14:57 +0200, Freddie Cash  wrote:

On 2013-07-30 12:55 AM, "David Demelier"  wrote:


Hi,

For years, a lot of security advisories have been present for bind.
I'm just guessing if it's not a good idea to remove bind from base?

This will probably free by half the number of FreeBSD SA's in the  
future.


Hasn't this discussion occurred several times already on the -current
mailing list over the past year?


http://lists.freebsd.org/pipermail/freebsd-hackers/2012-July/039830.html


And hadn't unbound and/or ldns been imported into -current already?


http://lists.freebsd.org/pipermail/svn-src-all/2012-July/056004.html
And next messages.

Regards,
Ronald.


Re: Bind in FreeBSD, security advisories

2013-07-30 Thread Ronald Klop
On Tue, 30 Jul 2013 16:55:09 +0200, Ronald Klop  wrote:


On Tue, 30 Jul 2013 16:14:57 +0200, Freddie Cash  wrote:


On 2013-07-30 12:55 AM, "David Demelier"  wrote:


Hi,

For years, a lot of security advisories have been present for bind.
I'm just guessing if it's not a good idea to remove bind from base?

This will probably free by half the number of FreeBSD SA's in the  
future.


Hasn't this discussion occurred several times already on the -current
mailing list over the past year?


http://lists.freebsd.org/pipermail/freebsd-hackers/2012-July/039830.html


And hadn't unbound and/or ldns been imported into -current already?


http://lists.freebsd.org/pipermail/svn-src-all/2012-July/056004.html
And next messages.


Even more:
http://svnweb.freebsd.org/base/head/contrib/ldns/
http://svnweb.freebsd.org/base/head/contrib/unbound/


Regards,
Ronald.


Re: Bind in FreeBSD, security advisories

2013-07-30 Thread Peter Maxwell
On 30 July 2013 14:42,  wrote:

> > > For years, a lot of security advisories have been present for bind.
> > > I'm just guessing if it's not a good idea to remove bind from base?
> > >
> > > This will probably free by half the number of FreeBSD SA's in the
> future.
> > >
> >
> > Sure, but no bind in base also implies no dig, nslookup or host.
>
> Exactly. It's a slippery slope - if we continue removing useful
> functionality from FreeBSD there are fewer and fewer arguments for
> why one should use FreeBSD and not Linux.
>

Having lots of third-party software in base is not one of those reasons
however.



>
> Yes, I know everything can be installed from packages/ports. Two of
> *my* main reasons for using FreeBSD is that:
>
> 1. It's an integrated *system*, not just a kernel.
>

That's not an argument for retaining something that is non-essential for
most people and can easily be installed from ports.  There is very little
that is actually essential in base... having to turn sendmail off on every
new installation already does my nut in but having mail facilities is
essential, so it has to be there.

Having bind in base does have one advantage in that it is more carefully
scrutinised than it would likely be in ports.




> 2. The base system contains a lot of the useful functionality I need.
>

So does ports.



>
> and every contrib part which is removed, detracts from this.
>

No, it doesn't.  The base system should be just that - a base minimal
installation.


Re: Bind in FreeBSD, security advisories

2013-07-30 Thread Daniel Kalchev


On 30.07.13 18:26, Peter Maxwell wrote:

On 30 July 2013 14:42,  wrote:



Yes, I know everything can be installed from packages/ports. Two of
*my* main reasons for using FreeBSD is that:

1. It's an integrated *system*, not just a kernel.


That's not an argument for retaining something that is non-essential for
most people and can easily be installed from ports.  There is very little
that is actually essential in base... having to turn sendmail off on every
new installation already does my nut in but having mail facilities is
essential, so it has to be there.


I am surprised why so many people insist having an MTA is necessary, but
having a well tested recursive DNS resolver is not.
Even on a typical "client" installation, it is more likely the resolver
will be useful than the MTA.


By the way, both sendmail and BIND are off by default...


Having bind in base does have one advantage in that it is more carefully
scrutinised than it would likely be in ports.


This too..

I have always viewed FreeBSD not as a product, but instead as a
toolkit. A toolkit from which to build the OS you need.
So far, FreeBSD has worked better for that purpose than any other
toolkit around (plus, I am biased).


There are a number of knobs that let you customize FreeBSD to your heart's content.


In theory, everything but the absolute minimum of the base system might
be removed, and have everything depend on ports. However, the base
system is just that -- one collection of code that gets built and tested
together. This brings quality.


Having said this, it is perfectly ok to replace BIND with any other
resolver + name server as long as there is a suitable candidate that
has passed enough testing. Is there one? Do we know enough of their quirks?


Daniel



Re: Bind in FreeBSD, security advisories

2013-07-30 Thread Daniel Kalchev


On 30.07.13 16:44, Ronald Klop wrote:
On Tue, 30 Jul 2013 15:32:44 +0200, Daniel Kalchev  
wrote:




Back to the topic :)

My take on this is that removing BIND from the base today is..
irresponsible. First, most who use FreeBSD expect a DNS server to be
readily available.


Interesting. What are your statistics of 'most' based on?


Unfortunately, not much objective statistics. The bsdstats sample is
rather small and obviously biased (towards people who would share their
config, mostly).


I was hoping for some usable data from the Open Resolver Project
(http://openresolverproject.org/) but there is not much useful
information for this purpose there either. It is also very unlikely a
poll would result in any meaningful data...


But here is an idea: Remove BIND from HEAD overnight and see how many
will complain ;-)

If nobody complains, don't put it back in.

Daniel
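Two points in the thread are easier to see in code than in prose: J David's wish for DNS client tools that do not depend on BIND, and Daniel's mention of the Open Resolver Project, whose scan is nothing more than "send a recursive query to a server that is not authoritative for the name and look at the reply". The following is an added example, written for this page and not code from the thread, from FreeBSD, from ISC or from the Open Resolver Project. It is a stub DNS client in plain Python (standard library only) that builds a query on the wire, parses the reply including RFC 1035 compression pointers, and classifies the answering server from the RA and AA flags and the rcode. The name example.com, the address 192.0.2.10, the transaction id 0x1234 and the whole reply are constructed for the demonstration, not captured traffic; nothing touches the network unless query_udp is called.

```python
import socket
import struct

QTYPE = {"A": 1, "NS": 2, "CNAME": 5, "AAAA": 28}


def encode_name(name):
    """Turn 'example.com' into wire labels: \\x07example\\x03com\\x00."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError("bad label length")
        out += struct.pack("B", len(label)) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype="A", txid=0x1234, rd=True):
    """12-byte header plus one question. A real client randomises txid and
    the UDP source port (cache-poisoning defence); fixed here for the test."""
    flags = 0x0100 if rd else 0          # RD=1 asks the server to recurse
    header = struct.pack(">HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", QTYPE[qtype], 1)


def decode_name(msg, off):
    """Read a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:        # compression pointer, RFC 1035 4.1.4
            ptr = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            if end is None:
                end = off + 2            # a pointer terminates the wire name
            if ptr >= off:               # only backward pointers: no loops
                raise ValueError("bad compression pointer")
            off = ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)


def parse_response(msg):
    """Parse the header, skip the question, decode A/NS/CNAME records."""
    txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = decode_name(msg, off)
        off += 4                         # QTYPE + QCLASS
    records = []
    for _ in range(an + ns + ar):
        name, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            data = socket.inet_ntoa(msg[off:off + 4])
        elif rtype in (2, 5):            # NS/CNAME rdata may itself be compressed
            data, _ = decode_name(msg, off)
        else:
            data = msg[off:off + rdlen].hex()
        off += rdlen
        records.append((name, rtype, ttl, data))
    return {"id": txid, "qr": bool(flags & 0x8000), "aa": bool(flags & 0x0400),
            "ra": bool(flags & 0x0080), "rcode": flags & 0x000F,
            "records": records}


def classify(resp):
    """Open-resolver scan logic: answering a name it is not authoritative
    for, with RA set and NOERROR, means the server recurses for strangers."""
    if resp["rcode"] == 5:
        return "refused"
    if resp["ra"] and not resp["aa"] and resp["rcode"] == 0 and resp["records"]:
        return "open-recursive"
    return "not-recursing"


def constructed_reply(query, refuse=False):
    """Constructed sample reply (not captured traffic): NOERROR with an A
    record and an NS record whose rdata uses a compression pointer, or
    REFUSED. Assumed data: 192.0.2.10 and ns.example.com."""
    txid = struct.unpack(">H", query[:2])[0]
    if refuse:
        return struct.pack(">HHHHHH", txid, 0x8185, 1, 0, 0, 0) + query[12:]
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, 2, 0, 0)   # QR RD RA
    a_rr = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4) + socket.inet_aton("192.0.2.10")
    ns_rr = b"\xc0\x0c" + struct.pack(">HHIH", 2, 1, 3600, 5) + b"\x02ns\xc0\x0c"
    return header + query[12:] + a_rr + ns_rr


def query_udp(server, name, qtype="A", timeout=2.0):
    """Live use against a real server; checks the txid of the reply."""
    q = build_query(name, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        data, _ = s.recvfrom(4096)
    resp = parse_response(data)
    if resp["id"] != struct.unpack(">H", q[:2])[0]:
        raise ValueError("transaction id mismatch")
    return resp
```

Against a live server, `classify(query_udp("192.0.2.1", "example.com"))` returning "open-recursive" for an address you do not administer is exactly the finding the Open Resolver Project reports; a resolver that restricts recursion to its own clients returns REFUSED or a reply without RA. The backward-only rule in decode_name is what keeps a malicious reply from sending the parser into a pointer loop.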


Re: Bind in FreeBSD, security advisories

2013-07-30 Thread Freddie Cash
On 2013-07-30 7:55 AM, "Ronald Klop"  wrote:
>
> On Tue, 30 Jul 2013 16:14:57 +0200, Freddie Cash 
wrote:
>
>> On 2013-07-30 12:55 AM, "David Demelier" 
wrote:
>>>
>>>
>>> Hi,
>>>
>>> For years, a lot of security advisories have been present for bind.
>>> I'm just guessing if it's not a good idea to remove bind from base?
>>>
>>> This will probably free by half the number of FreeBSD SA's in the
future.
>>
>>
>> Hasn't this discussion occurred several times already on the -current
>> mailing list over the past year?
>
>
> http://lists.freebsd.org/pipermail/freebsd-hackers/2012-July/039830.html
>
>
>> And hadn't unbound and/or ldns been
>> imported into - current already?
>
>
> http://lists.freebsd.org/pipermail/svn-src-all/2012-July/056004.html
> And next messages.

Thanks for the references. I'm mostly mailing my phone these days and
searching for references and copy/paste aren't the easiest things to do. :)


Re: Bind in FreeBSD, security advisories

2013-07-30 Thread Peter Maxwell
On 30 July 2013 16:58, Daniel Kalchev  wrote:

>
> On 30.07.13 18:26, Peter Maxwell wrote:
>
>> On 30 July 2013 14:42,  wrote:
>>
>>
>>  Yes, I know everything can be installed from packages/ports. Two of
>>> *my* main reasons for using FreeBSD is that:
>>>
>>> 1. It's an integrated *system*, not just a kernel.
>>>
>>>  That's not an argument for retaining something that is non-essential for
>> most people and can easily be installed from ports.  There is very little
>> that is actually essential in base... having to turn sendmail off on every
>> new installation already does my nut in but having mail facilities is
>> essential, so it has to be there.
>>
>
> I am surprised why so many people insist having an MTA is necessary, but
> having a well tested recursive DNS resolver is not.
> Even on a typical "client" installation, it is more likely the resolver
> will be useful, than the MTA.
>

Sendmail - or something equivalent - is required to handle system mail from
things like system utility scripts, e.g. periodic.  A caching or recursive
DNS resolver, strictly, is not essential.  Given the number of SAs in bind,
it would arguably be better positioned in ports from an upgrade point of
view.




>
> By the way, both sendmail and BIND are off by default...


No, sendmail is on by default, cf.
http://www.freebsd.org/doc/en/books/handbook/mail-changingmta.html

It's only inbound SMTP handling that is default off.  To turn sendmail off
completely, you need to do something like set sendmail_enable="NONE" in
your rc.conf and have a replacement already setup.




>
>
>  Having bind in base does have one advantage in that it is more carefully
>> scrutinised than it would likely be in ports.
>>
>
> This too..
>
> I have always viewed FreeBSD not as a product, but instead as a toolkit.
> A toolkit, from which to build the OS you need.
> So far, FreeBSD has worked better for that purpose than any other toolkit
> around (plus, I am biased).
>

It's less useful as a toolkit when you need to upgrade, say, sshd or
openssl but for whatever reason cannot upgrade the base system... it can be
quite a bit of hassle managing the ports version while you've still got the
base version there.  It's not difficult but it's still a pain; when you're
dealing with hundreds of servers, every corner-case makes ongoing
maintenance harder.

My position would be that if it is third-party and not absolutely
essential, it should be in ports.



>
> There are a number of knobs, that let you customize FreeBSD to your
> heart's content.
>

Eh, hmmm, sort of.  As above, some things require upgrading the base system
which can be a bit of an issue in production environments when you cannot
arrange a suitable maintenance window - a scenario that is very common
indeed.  You are then forced to start using ports to replace the
functionality in base and it all gets rather non-standard and messy.




>
> In theory, everything but the absolute minimum of the base system might be
> removed.. and have everything depend on ports. However, the base system is
> just that -- one collection of code that gets built and tested together.
> This brings quality.
>

Yet, as the OP pointed out: bind is not what I would term "quality",
there's more SAs posted than I've had hot dinners.  Given it is
non-essential, it could quite easily be stripped out.




>
> Having said this, it is perfectly ok to replace BIND with any other
> resolver + name server as long as there is suitable candidate that has
> passed enough testing. Is there one? Do we know enough of their quirks?
>

That's not a good idea: any environment larger than a home network or SME
that relies on bind will not find it easy to migrate.  It's one thing
asking people to tolerate a 2min inconvenience to make a choice to install
bind from ports (when they can also choose bind or, say, djbdns, etc),
it's quite another to suggest to them they should be using different
software, essentially on a whim.  I personally prefer qmail over sendmail
but I wouldn't suggest qmail should be in base for the reason that sendmail
is the de facto standard on *nix shaped systems.


Re: Bind in FreeBSD, security advisories

2013-07-30 Thread Wiley, Glen
Verisign is currently actively developing the getdns API description that
Paul Hoffman put together and documented at http://www.vpnc.org/getdns-api/

This includes a stub resolver, a recursive resolver and could provide
functionality independent of the BIND distribution.  We have adopted the
BSD coding standards for the project and will be making the github
repository public later this year.

On 7/30/13 11:58 AM, "Daniel Kalchev"  wrote:

>

>Having said this, it is perfectly ok to replace BIND with any other
>resolver + name server as long as there is suitable candidate that
>has passed enough testing. Is there one? Do we know enough of their
>quirks?
>
>Daniel
>


Re: Bind in FreeBSD, security advisories

2013-07-30 Thread Daniel Kalchev

On 30.07.2013, at 19:49, Peter Maxwell  wrote:

> I personally prefer qmail over sendmail
> but I wouldn't suggest qmail should be in base for the reason that sendmail
> is the de facto standard on *nix shaped systems.
> 

One can argue that BIND is the de facto standard on *nix shaped systems too.

Daniel


Re: Bind in FreeBSD, security advisories

2013-07-30 Thread Peter Maxwell
On 30 July 2013 21:03, Daniel Kalchev  wrote:

>
> On 30.07.2013, at 19:49, Peter Maxwell  wrote:
>
> > I personally prefer qmail over sendmail
> > but I wouldn't suggest qmail should be in base for the reason that
> sendmail
> > is the de facto standard on *nix shaped systems.
> >
>
> One can argue that BIND is the de facto standard on *nix shaped systems too


Yes, that is precisely my point, the preceding sentences to what you
quoted...

"That's not a good idea: any environment larger than a home network or SME
that relies on bind will not find it easy to migrate. It's one thing asking
people to tolerate a 2min inconvenience to make a choice to install bind
from ports (when they can also choose bind or, say, djbdns, etc), it's
quite another to suggest to them they should be using different software,
essentially on a whim."


Re: Bind in FreeBSD, security advisories

2013-07-30 Thread Chris H
> On Tue, Jul 30, 2013, at 8:32, Daniel Kalchev wrote:
>>
>>
>> This is very much a situation like replacing gcc with clang/llvm.
>> However, in the case of BIND we have no licensing problems, stability
>> problems, performance problems etc --- just concerns that BIND generates
>> many SAs -- which might be actually good indicator, as it demonstrates
>> that BIND is worked on.
>>
>
> There's a man with a name whose initials match DJB that would strongly
> disagree. Now he's not always the best person to reference, but he's
> made a succinct point with his own software, whether or not you like
> using it.
>
> Unbound/NSD are suitable replacements if we really need something in
> base, and they have been picked up by OpenBSD for a good reason --
> clean, secure, readable, maintainable codebases and their use across the
> internet and on the ROOT servers is growing.
>
>> I personally see no reason to remove BIND from base. If someone does not
>> want BIND in their system, they could always use the WITHOUT_BIND build
>> switch.
>
> I'd be inclined to agree if it wasn't such a wholly insecure chunk of
> code. You don't see people whining about Sendmail in base when they
> prefer Postfix or Exim, but Sendmail doesn't have a new exploit every
> week. You do tend to need an MTA for getting messages off the system
> more than you need a local recursor/cache, but at least it's not causing
> you maintenance headaches. If you consider the possibility that a large
> enough percentage of users really desire a local recursor/cache it
> should be our duty to give them the best option available.

+1
Sorry to do that. But I simply couldn't have expressed it better, myself.



Re: Bind in FreeBSD, security advisories

2013-07-30 Thread Chris H
>
> On 30.07.2013, at 19:49, Peter Maxwell  wrote:
>
>> I personally prefer qmail over sendmail
>> but I wouldn't suggest qmail should be in base for the reason that sendmail
>> is the de facto standard on *nix shaped systems.
>>
>
> One can argue that BIND is the de facto standard on *nix shaped systems too.

Considering the topic, and how many times it's come up, I'm not sure that's
anything to be proud of. ;)

>
> Daniel


Re: Bind in FreeBSD, security advisories

2013-07-30 Thread Mark Andrews

In message <9b0056db5b760c755dd4acc45bfbd1ad.authentica...@ultimatedns.net>, "Chris H" writes:
> >
> > On 30.07.2013, at 19:49, Peter Maxwell  wrote:
> >
> >> I personally prefer qmail over sendmail
> >> but I wouldn't suggest qmail should be in base for the reason that sendmail
> >> is the de facto standard on *nix shaped systems.
> >>
> >
> > One can argue that BIND is the de facto standard on *nix shaped systems too.
> 
> Considering the topic, and how many times it's come up, I'm not sure that's
> anything to be proud of. ;)

Given not all CVEs are created equal and given the amount of
internal self-consistency checks (all of which kill the server if
they don't pass (and push the CVSS score to 7.x)) there are in BIND,
the number of advisories is actually very small.

Yes, this was an internal self-consistency check failing.

We are human and despite code reviews, unit and system tests, static
analysis checkers etc. some errors do make it through.

Mark

> > Daniel
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org


Does the image on isc.portsnap.freebsd.org have a virus?

2013-07-30 Thread Chris H
Greetings,
 I know this sounds crazy, and apologies if I am. But I have 2 RELENG_8 servers;
1 amd64, and 1 i386. About 3 wks ago, I migrated from cv(sup) updating, to svn on
the amd64 box.
After removing cv(sup) related folders, and the ports folder, I used:
portsnap fetch
After the fetch completed I ran:
portsnap extract
which verified/patched && extracted the image to /usr/ports.
Tonight, I initiated the same procedure on the i386 server. _BUT_ upon completion of
the fetch, it proceeded to verify/patch && extract; _not_ to /usr/ports, but to
/var/db/portsnap/ports. Re-examining /etc/portsnap.conf, and re-reading the portsnap(8) man
page, reveals that _both_ .conf files are identical, as were the version(s) used on both
boxes. An additional attempt to portsnap fetch resulted in the same (unorthodox) behavior.
What gives?!

Thank you for all your time, and consideration.

--chris



Re: Bind in FreeBSD, security advisories

2013-07-30 Thread Shane Ambler

On 31/07/2013 01:31, Daniel Kalchev wrote:


But here is an idea: Remove BIND from HEAD overnight and see how many
will complain ;-) If nobody complains, don't put it back in.


Or change the default to off. If you want bind add WITH_BIND=yes to src.conf

It's hard to say FreeBSD is a safe and secure OS when part of the base
install is always being shown to have security flaws. New features need
to prove they are reliable before they are accepted into a release yet
we allow something that has a long proven history of being a source of
security concerns.

For something that needs to be constantly updated in between system
updates then ports is the place to install it from.

I think it is less about whether bind is useful and needs to be in base
and more about should every user of FreeBSD be open to security issues
or should a user have the option to say "yes I want potentially insecure
software on my machine". The ports system allows messages that make it
obvious to the user about security concerns.

Yes many users know the bind utilities and rely on them but a lot of
users have no idea how to use them. I expect that the bind tools are
used by a number of users that know what they are doing and need them
for testing and debugging issues, they also know how to install them
when they need them. I believe most users would not need or use these tools.

How many people setup and use a FreeBSD machine without adding something
from ports or packages?

And yes I setup my own dns server to resolve internal host names instead
of filling /etc/hosts with entries. As for the tools like dig and host,
I rarely use them.




Re: Bind in FreeBSD, security advisories

2013-07-30 Thread sthaug
> > Considering the topic, and how many times it's come up, I'm not sure that's
> > anything to be proud of. ;)
> 
> Given not all CVEs are created equal and given the amount of
> internal self-consistency checks (all of which kill the server if
> they don't pass (and push the CVSS score to 7.x)) there are in BIND,
> the number of advisories is actually very small.
> 
> Yes, this was an internal self-consistency check failing.
> 
> We are human and despite code reviews, unit and system tests, static
> analysis checkers etc. some errors do make it through.

I'm also more than a little surprised about people dragging out
sendmail as a shining example of *good* (bug-free?) software. Does
nobody remember any history here? It wasn't *that* many years ago
that we seemed to have "sendmail-bug-of-the-day"...

Steinar Haug, Nethelp consulting, sth...@nethelp.no