On 31/07/2013 01:31, Daniel Kalchev wrote:
But here is an idea: Remove BIND from HEAD overnight and see how many
will complain ;-) If nobody complains, don't put it back in.
Or change the default to off. If you want bind add WITH_BIND=yes to src.conf
It's hard to say FreeBSD is a safe and
Considering the topic, and how many times it's come up. I'm not sure that's
anything to be proud of. ;)
Given not all CVEs are created equal and given the amount of
internal self consistency checks (all of which kill the server if
they don't pass (and push the CVSS score to 7.x))
David Demelier demelier.da...@gmail.com writes:
For years, a lot of security advisories have been present for bind.
I'm just guessing if it's not a good idea to remove bind from base?
There are plans to do so. It's not as trivial as people seem to think.
DES
--
Dag-Erling Smørgrav -
On 31.07.13 09:38, Shane Ambler wrote:
On 31/07/2013 01:31, Daniel Kalchev wrote:
But here is an idea: Remove BIND from HEAD overnight and see how many
will complain ;-) If nobody complains, don't put it back in.
Or change the default to off. If you want bind add WITH_BIND=yes to
src.conf
On Wed, Jul 31, 2013, at 6:15, Daniel Kalchev wrote:
On 31.07.13 09:38, Shane Ambler wrote:
For something that needs to be constantly updated in between system
updates then ports is the place to install it from.
You don't have to update BIND constantly, especially if you are not
On Wed, Jul 31, 2013 at 07:22:20AM -0500, Mark Felder wrote:
Let's take a moment and consider the state of the internet and DNS
attacks. The RRL and RPZ2 patchsets[1] are newer developments that
successfully add additional security and features to BIND. It was also
recently announced that
On Wed, Jul 31, 2013, at 7:37, Erwin Lansing wrote:
3rd party, and especially those that are still being distributed as
experimental, will not be part of the base BIND code. It will only
contain a direct import from the vendor sources.
I agree, experimental patches have no place in base.
On 31.07.13 15:22, Mark Felder wrote:
On Wed, Jul 31, 2013, at 6:15, Daniel Kalchev wrote:
On 31.07.13 09:38, Shane Ambler wrote:
For something that needs to be constantly updated in between system
updates then ports is the place to install it from.
You don't have to update BIND constantly,
On Wed, July 31, 2013 02:55, sth...@nethelp.no wrote:
I'm also more than a little surprised about people dragging out
sendmail as a shining example of *good* (bug-free?) software. Does
nobody remember any history here? It wasn't *that* many years ago
that we seemed to have
Hi,
For years, a lot of security advisories have been present for bind.
I'm just guessing if it's not a good idea to remove bind from base?
This will probably free by half the number of FreeBSD SA's in the future.
Regards,
--
Demelier David
People don't seem upset about not having a webserver, IMAP/POP daemon,
or LDAP server in base, so I don't understand what the big deal is about
removing BIND. If the concern is over the rare case when you absolutely
need a DNS recursor and there are none you can reach I suppose we should
just
On Tue, Jul 30, 2013 at 8:55 AM, David Demelier
demelier.da...@gmail.com wrote:
Hi,
For years, a lot of security advisories have been present for bind.
I'm just guessing if it's not a good idea to remove bind from base?
This will probably free by half the number of FreeBSD SA's in the
I think you could conceptually differentiate between DNS clients and
servers and remove bind without removing the DNS clients.
On 7/30/13 8:39 AM, Tom Evans tevans...@googlemail.com wrote:
On Tue, Jul 30, 2013 at 8:55 AM, David Demelier
demelier.da...@gmail.com wrote:
Hi,
For years, a lot of
In article
1375186900.23467.3223791.24cb3...@webmail.messagingengine.com,
f...@freebsd.org writes:
just import Unbound. However, if you can't reach any DNS servers I
assume you can't reach the roots either, so I don't understand what a
local recursor will gain you.
There are plenty of situations
On 30.07.13 15:21, Mark Felder wrote:
People don't seem upset about not having a webserver, IMAP/POP daemon,
or LDAP server in base, so I don't understand what the big deal is about
removing BIND.
I believe the primary reason these things are not in the base system is
that they have plenty
On Tue, Jul 30, 2013, at 7:45, Garrett Wollman wrote:
There are plenty of situations in which a remote recursive resolver is
untrustworthy. (Some would say any situation.) It doesn't have to be
BIND, but people do legitimately want the normal DNS diagnostic
utilities, which sadly have been
On Tue, Jul 30, 2013, at 7:47, Daniel Kalchev wrote:
We could in theory remove the BIND's authoritative name server
executable... if that is attracting the SAs.
It's the same executable, that's the problem :-)
___
freebsd-stable@freebsd.org
On Tue, Jul 30, 2013 at 8:47 AM, Daniel Kalchev dan...@digsys.bg wrote:
On 30.07.13 15:21, Mark Felder wrote:
People don't seem upset about not having a webserver, IMAP/POP daemon,
or LDAP server in base, so I don't understand what the big deal is about
removing BIND.
I believe the
On 30.07.13 16:13, Mehmet Erol Sanliturk wrote:
On Tue, Jul 30, 2013 at 8:47 AM, Daniel Kalchev dan...@digsys.bg wrote:
Going that direction, we should consider Comrade Stalin's maxim
FreeBSD exists, there are problems, here is the solution -- no
On Tue, 30 Jul 2013 15:32:44 +0200, Daniel Kalchev dan...@digsys.bg
wrote:
On 30.07.13 16:13, Mehmet Erol Sanliturk wrote:
On Tue, Jul 30, 2013 at 8:47 AM, Daniel Kalchev dan...@digsys.bg wrote:
Going that direction, we should consider Comrade Stalin's
For years, a lot of security advisories have been present for bind.
I'm just guessing if it's not a good idea to remove bind from base?
This will probably free by half the number of FreeBSD SA's in the future.
Sure, but no bind in base also implies no dig, nslookup or host.
Exactly.
On Tue, Jul 30, 2013, at 8:44, Ronald Klop wrote:
Interesting. What are your statistics of 'most' based on?
Yes, this shouldn't be left to conjecture. A large community poll should
be the first step IMHO.
The package would have to be reworked to remove the name server - not an
impossible task and you could make a case for it from an ideological
perspective, but is it worth the work?
On 7/30/13 8:59 AM, Mark Felder f...@freebsd.org wrote:
On Tue, Jul 30, 2013, at 7:47, Daniel Kalchev wrote:
We
On Tue, Jul 30, 2013, at 8:32, Daniel Kalchev wrote:
This is very much a situation like replacing gcc with clang/llvm.
However, in the case of BIND we have no licensing problems, stability
problems, performance problems etc --- just concerns that BIND generates
many SAs -- which might
On 07/30/2013 08:13 AM, Mehmet Erol Sanliturk wrote:
On Tue, Jul 30, 2013 at 8:47 AM, Daniel Kalchev dan...@digsys.bg wrote:
On 30.07.13 15:21, Mark Felder wrote:
People don't seem upset about not having a webserver, IMAP/POP daemon,
or LDAP server in base, so I don't understand what the
On Tue, Jul 30, 2013, at 8:42, sth...@nethelp.no wrote:
and every contrib part which is removed, detracts from this.
And every contrib part that is added to base is another piece of
software that rots for the life of a major release and ends up getting
replaced by frustrated endusers with
On Tue, 30 Jul 2013 16:04:46 +0200, Mark Felder f...@freebsd.org wrote:
On Tue, Jul 30, 2013, at 8:32, Daniel Kalchev wrote:
This is very much a situation like replacing gcc with clang/llvm.
However, in the case of BIND we have no licensing problems, stability
problems, performance problems
On Tue, 30 Jul 2013 15:53:08 +0200, Tim Daneliuk tun...@tundraware.com
wrote:
On 07/30/2013 08:13 AM, Mehmet Erol Sanliturk wrote:
On Tue, Jul 30, 2013 at 8:47 AM, Daniel Kalchev dan...@digsys.bg
wrote:
On 30.07.13 15:21, Mark Felder wrote:
People don't seem upset about not having a
On Jul 30, 2013, at 10:07 , Mark Felder wrote:
On Tue, Jul 30, 2013, at 8:42, sth...@nethelp.no wrote:
and every contrib part which is removed, detracts from this.
And every contrib part that is added to base is another piece of
software that rots for the life of a major release and ends
On Tue, 30 Jul 2013 16:07:30 +0200, Mark Felder f...@freebsd.org wrote:
On Tue, Jul 30, 2013, at 8:42, sth...@nethelp.no wrote:
and every contrib part which is removed, detracts from this.
And every contrib part that is added to base is another piece of
software that rots for the life of a
On 2013-07-30 12:55 AM, David Demelier demelier.da...@gmail.com wrote:
Hi,
For years, a lot of security advisories have been present for bind.
I'm just guessing if it's not a good idea to remove bind from base?
This will probably free by half the number of FreeBSD SA's in the future.
On Tue, Jul 30, 2013, at 9:10, Ronald Klop wrote:
DragonflyBSD also removed BIND from base some time ago.
http://www.shiningsilence.com/dbsdlog/2010/05/06/5853.html
I was not aware of this; that's worth referencing. I'm not sure where
NetBSD stands but a quick search implies that they still
On 2013-07-30 16:04, Mark Felder wrote:
Unbound/NSD are suitable replacements if we really need something in
base, and they have been picked up by OpenBSD for a good reason --
clean, secure, readable, maintainable codebases and their use across
the internet and on the ROOT servers is growing.
On Tue, 30 Jul 2013 09:07:30 -0500
Mark Felder f...@freebsd.org wrote:
On Tue, Jul 30, 2013, at 8:42, sth...@nethelp.no wrote:
and every contrib part which is removed, detracts from this.
And every contrib part that is added to base is another piece of
software that rots for the life
On Tue, Jul 30, 2013 at 6:29 AM, Michael Grimm
trash...@odo.in-berlin.de wrote:
On 2013-07-30 16:04, Mark Felder wrote:
Unbound/NSD are suitable replacements if we really need something in
base, and they have been picked up by OpenBSD for a good reason --
clean, secure, readable,
Half the people will say:
There should be more stuff in base!
The other half will say:
There should be less stuff in base!
People don't generally change each other's minds about this because
they start from competing definitions of what is good that are 100%
opinion in nature.
(Spoken as a
and every contrib part which is removed, detracts from this.
And every contrib part that is added to base is another piece of
software that rots for the life of a major release and ends up getting
replaced by frustrated endusers with the latest in ports...
The tight integration of the
On Tue, 30 Jul 2013 16:14:57 +0200, Freddie Cash fjwc...@gmail.com wrote:
On 2013-07-30 12:55 AM, David Demelier demelier.da...@gmail.com
wrote:
Hi,
For years, a lot of security advisories have been present for bind.
I'm just guessing if it's not a good idea to remove bind from base?
This
On Tue, 30 Jul 2013 16:55:09 +0200, Ronald Klop
ronald-freeb...@klop.yi.org wrote:
On Tue, 30 Jul 2013 16:14:57 +0200, Freddie Cash fjwc...@gmail.com
wrote:
On 2013-07-30 12:55 AM, David Demelier demelier.da...@gmail.com
wrote:
Hi,
For years, a lot of security advisories have been
On 30 July 2013 14:42, sth...@nethelp.no wrote:
For years, a lot of security advisories have been present for bind.
I'm just guessing if it's not a good idea to remove bind from base?
This will probably free by half the number of FreeBSD SA's in the
future.
Sure, but no bind
On 30.07.13 18:26, Peter Maxwell wrote:
On 30 July 2013 14:42, sth...@nethelp.no wrote:
Yes, I know everything can be installed from packages/ports. Two of
*my* main reasons for using FreeBSD are that:
1. It's an integrated *system*, not just a kernel.
That's not an argument for retaining
On 30.07.13 16:44, Ronald Klop wrote:
On Tue, 30 Jul 2013 15:32:44 +0200, Daniel Kalchev dan...@digsys.bg
wrote:
Back to the topic :)
My take on this is that removing BIND from the base today is..
irresponsible. First, most who use FreeBSD expect a DNS server to be
readily available.
On 2013-07-30 7:55 AM, Ronald Klop ronald-freeb...@klop.yi.org wrote:
On Tue, 30 Jul 2013 16:14:57 +0200, Freddie Cash fjwc...@gmail.com
wrote:
On 2013-07-30 12:55 AM, David Demelier demelier.da...@gmail.com
wrote:
Hi,
For years, a lot of security advisories have been present for bind.
On 30 July 2013 16:58, Daniel Kalchev dan...@digsys.bg wrote:
On 30.07.13 18:26, Peter Maxwell wrote:
On 30 July 2013 14:42, sth...@nethelp.no wrote:
Yes, I know everything can be installed from packages/ports. Two of
*my* main reasons for using FreeBSD are that:
1. It's an integrated
Verisign is currently actively developing the getdns API description that
Paul Hoffman put together and documented at http://www.vpnc.org/getdns-api/
This includes a stub resolver, a recursive resolver and could provide
functionality independent of the BIND distribution. We have adopted the
BSD
On 30.07.2013, at 19:49, Peter Maxwell pe...@allicient.co.uk wrote:
I personally prefer qmail over sendmail
but I wouldn't suggest qmail should be in base for the reason that sendmail
is the de facto standard on *nix shaped systems.
One can argue that BIND is the de facto standard on *nix
On 30 July 2013 21:03, Daniel Kalchev dan...@digsys.bg wrote:
On 30.07.2013, at 19:49, Peter Maxwell pe...@allicient.co.uk wrote:
I personally prefer qmail over sendmail
but I wouldn't suggest qmail should be in base for the reason that sendmail
is the de facto standard on *nix shaped
On Tue, Jul 30, 2013, at 8:32, Daniel Kalchev wrote:
This is very much a situation like replacing gcc with clang/llvm.
However, in the case of BIND we have no licensing problems, stability
problems, performance problems etc --- just concerns that BIND generates
many SAs -- which might be
On 30.07.2013, at 19:49, Peter Maxwell pe...@allicient.co.uk wrote:
I personally prefer qmail over sendmail
but I wouldn't suggest qmail should be in base for the reason that sendmail
is the de facto standard on *nix shaped systems.
One can argue that BIND is the de facto standard on *nix
In message 9b0056db5b760c755dd4acc45bfbd1ad.authentica...@ultimatedns.net,
Chris H writes:
On 30.07.2013, at 19:49, Peter Maxwell pe...@allicient.co.uk wrote:
I personally prefer qmail over sendmail
but I wouldn't suggest qmail should be in base for the reason that sendmail
is the