Re: Bind in FreeBSD, security advisories

2013-07-31 Thread David Magda
On Wed, July 31, 2013 02:55, sth...@nethelp.no wrote: > I'm also more than a little surprised about people dragging out > sendmail as a shining example of *good* (bug-free?) software. Does > nobody remember any history here? It wasn't *that* many years ago > that we seemed to have "sendmail-bug-of

Re: Bind in FreeBSD, security advisories

2013-07-31 Thread Daniel Kalchev
On 31.07.13 15:22, Mark Felder wrote: On Wed, Jul 31, 2013, at 6:15, Daniel Kalchev wrote: On 31.07.13 09:38, Shane Ambler wrote: For something that needs to be constantly updated in between system updates then ports is the place to install it from. You don't have to update BIND constantly, e

Re: Bind in FreeBSD, security advisories

2013-07-31 Thread Mark Felder
On Wed, Jul 31, 2013, at 7:37, Erwin Lansing wrote: > > 3rd party, and especially those that are still being distributed as > experimental, will not be part of the base BIND code. It will only > contain a direct import from the vendor sources. > I agree, experimental patches have no place in ba

Re: Bind in FreeBSD, security advisories

2013-07-31 Thread Erwin Lansing
On Wed, Jul 31, 2013 at 07:22:20AM -0500, Mark Felder wrote: > > Let's take a moment and consider the state of the internet and DNS > attacks. The RRL and RPZ2 patchsets[1] are newer developments that > successfully add additional security and features to BIND. It was also > recently announced tha

Re: Bind in FreeBSD, security advisories

2013-07-31 Thread Mark Felder
On Wed, Jul 31, 2013, at 6:15, Daniel Kalchev wrote: > > On 31.07.13 09:38, Shane Ambler wrote: > > > > For something that needs to be constantly updated in between system > > updates then ports is the place to install it from. > > You don't have to update BIND constantly, especially if you are n

Re: Bind in FreeBSD, security advisories

2013-07-31 Thread Daniel Kalchev
On 31.07.13 09:38, Shane Ambler wrote: On 31/07/2013 01:31, Daniel Kalchev wrote: But here is an idea: Remove BIND from HEAD overnight and see how many will complain ;-) If nobody complains, don't put it back in. Or change the default to off. If you want bind add WITH_BIND=yes to src.conf

Re: Bind in FreeBSD, security advisories

2013-07-31 Thread Dag-Erling Smørgrav
David Demelier writes: > For years, a lot of security advisories have been present for bind. > I'm just guessing if it's not a good idea to remove bind from base? There are plans to do so. It's not as trivial as people seem to think. DES -- Dag-Erling Smørgrav - d...@des.no

Re: Bind in FreeBSD, security advisories

2013-07-30 Thread sthaug
> > Considering the topic, and how many times it's come up. I'm not sure that's > > anything to > > be proud of. ;) > > Given not all CVE's are created equal and given the amount of > internal self consistency checks (all of which kill the server if > they don't pass (and push the CVSS score

Re: Bind in FreeBSD, security advisories

2013-07-30 Thread Shane Ambler
On 31/07/2013 01:31, Daniel Kalchev wrote: But here is an idea: Remove BIND from HEAD overnight and see how many will complain ;-) If nobody complains, don't put it back in. Or change the default to off. If you want bind add WITH_BIND=yes to src.conf It's hard to say FreeBSD is a safe and se

Re: Bind in FreeBSD, security advisories

2013-07-30 Thread Mark Andrews
In message <9b0056db5b760c755dd4acc45bfbd1ad.authentica...@ultimatedns.net>, "Chris H" writes: > > > > On 30.07.2013, at 19:49, Peter Maxwell wrote: > > > >> I personally prefer qmail over sendmail > >> but I wouldn't suggest qmail should be in base for the reason that sendmail > >> is the de

Re: Bind in FreeBSD, security advisories

2013-07-30 Thread Chris H
> > On 30.07.2013, at 19:49, Peter Maxwell wrote: > >> I personally prefer qmail over sendmail >> but I wouldn't suggest qmail should be in base for the reason that sendmail >> is the de facto standard on *nix shaped systems. >> > > One can argue that BIND is the de facto standard on *nix shaped s

Re: Bind in FreeBSD, security advisories

2013-07-30 Thread Chris H
> On Tue, Jul 30, 2013, at 8:32, Daniel Kalchev wrote: >> >> >> This is very much a situation like replacing gcc with clang/llvm. >> However, in the case of BIND we have no licensing problems, stability >> problems, performance problems etc --- just concerns that BIND generates >> many SAs -- whic

Re: Bind in FreeBSD, security advisories

2013-07-30 Thread Peter Maxwell
On 30 July 2013 21:03, Daniel Kalchev wrote: > > On 30.07.2013, at 19:49, Peter Maxwell wrote: > > > I personally prefer qmail over sendmail > > but I wouldn't suggest qmail should be in base for the reason that > sendmail > > is the de facto standard on *nix shaped systems. > > > > One can argu

Re: Bind in FreeBSD, security advisories

2013-07-30 Thread Daniel Kalchev
On 30.07.2013, at 19:49, Peter Maxwell wrote: > I personally prefer qmail over sendmail > but I wouldn't suggest qmail should be in base for the reason that sendmail > is the de facto standard on *nix shaped systems. > One can argue that BIND is the de facto standard on *nix shaped systems too

Re: Bind in FreeBSD, security advisories

2013-07-30 Thread Wiley, Glen
Verisign is currently actively developing the getdns API description that Paul Hoffman put together and documented at http://www.vpnc.org/getdns-api/ This includes a stub resolver, a recursive resolver and could provide functionality independent of the BIND distribution. We have adopted the BSD c

Re: Bind in FreeBSD, security advisories

2013-07-30 Thread Peter Maxwell
On 30 July 2013 16:58, Daniel Kalchev wrote: > > On 30.07.13 18:26, Peter Maxwell wrote: > >> On 30 July 2013 14:42, wrote: >> >> >> Yes, I know everything can be installed from packages/ports. Two of >>> *my* main reasons for using FreeBSD are that: >>> >>> 1. It's an integrated *system*, not j

Re: Bind in FreeBSD, security advisories

2013-07-30 Thread Freddie Cash
On 2013-07-30 7:55 AM, "Ronald Klop" wrote: > > On Tue, 30 Jul 2013 16:14:57 +0200, Freddie Cash wrote: > >> On 2013-07-30 12:55 AM, "David Demelier" wrote: >>> >>> >>> Hi, >>> >>> For years, a lot of security advisories have been present for bind. >>> I'm just guessing if it's not a good idea t

Re: Bind in FreeBSD, security advisories

2013-07-30 Thread Daniel Kalchev
On 30.07.13 16:44, Ronald Klop wrote: On Tue, 30 Jul 2013 15:32:44 +0200, Daniel Kalchev wrote: Back to the topic :) My take on this is that removing BIND from the base today is.. irresponsible. First, most who use FreeBSD expect an DNS server to be readily available. Interesting. What

Re: Bind in FreeBSD, security advisories

2013-07-30 Thread Daniel Kalchev
On 30.07.13 18:26, Peter Maxwell wrote: On 30 July 2013 14:42, wrote: Yes, I know everything can be installed from packages/ports. Two of *my* main reasons for using FreeBSD are that: 1. It's an integrated *system*, not just a kernel. That's not an argument for retaining something that is

Re: Bind in FreeBSD, security advisories

2013-07-30 Thread Peter Maxwell
On 30 July 2013 14:42, wrote: > > > For years, a lot of security advisories have been present for bind. > > > I'm just guessing if it's not a good idea to remove bind from base? > > > > > > This will probably free by half the number of FreeBSD SA's in the > future. > > > > > > > Sure, but no bind

Re: Bind in FreeBSD, security advisories

2013-07-30 Thread Ronald Klop
On Tue, 30 Jul 2013 16:55:09 +0200, Ronald Klop wrote: On Tue, 30 Jul 2013 16:14:57 +0200, Freddie Cash wrote: On 2013-07-30 12:55 AM, "David Demelier" wrote: Hi, For years, a lot of security advisories have been present for bind. I'm just guessing if it's not a good idea to remove

Re: Bind in FreeBSD, security advisories

2013-07-30 Thread Ronald Klop
On Tue, 30 Jul 2013 16:14:57 +0200, Freddie Cash wrote: On 2013-07-30 12:55 AM, "David Demelier" wrote: Hi, For years, a lot of security advisories have been present for bind. I'm just guessing if it's not a good idea to remove bind from base? This will probably free by half the number of

Re: Bind in FreeBSD, security advisories

2013-07-30 Thread sthaug
> > and every contrib part which is removed, detracts from this. > > > > And every contrib part that is added to base is another piece of > software that rots for the life of a major release and ends up getting > replaced by frustrated endusers with the latest in ports... > > The tight integrati

Re: Bind in FreeBSD, security advisories

2013-07-30 Thread J David
Half the people will say: "There should be more stuff in base!" The other half will say: "There should be less stuff in base!" People don't generally change each other's minds about this because they start from competing definitions of what is good that are 100% opinion in nature. (Spoken as a

Re: Bind in FreeBSD, security advisories

2013-07-30 Thread Royce Williams
On Tue, Jul 30, 2013 at 6:29 AM, Michael Grimm wrote: > > On 2013-07-30 16:04, Mark Felder wrote: > >> Unbound/NSD are suitable replacements if we really need something in >> base, and they have been picked up by OpenBSD for a good reason -- >> clean, secure, readable, maintainable codebases and t

Re: Bind in FreeBSD, security advisories

2013-07-30 Thread O. Hartmann
On Tue, 30 Jul 2013 09:07:30 -0500 Mark Felder wrote: > On Tue, Jul 30, 2013, at 8:42, sth...@nethelp.no wrote: > > > > and every contrib part which is removed, detracts from this. > > > > And every contrib part that is added to base is another piece of > software that rots for the life of a m

Re: Bind in FreeBSD, security advisories

2013-07-30 Thread Michael Grimm
On 2013-07-30 16:04, Mark Felder wrote: Unbound/NSD are suitable replacements if we really need something in base, and they have been picked up by OpenBSD for a good reason -- clean, secure, readable, maintainable codebases and their use across the internet and on the ROOT servers is growing.

Re: Bind in FreeBSD, security advisories

2013-07-30 Thread Mark Felder
On Tue, Jul 30, 2013, at 9:10, Ronald Klop wrote: > > DragonflyBSD also removed BIND from base some time ago. > http://www.shiningsilence.com/dbsdlog/2010/05/06/5853.html > I was not aware of this; that's worth referencing. I'm not sure where NetBSD stands but a quick search implies that they st

Re: Bind in FreeBSD, security advisories

2013-07-30 Thread Freddie Cash
On 2013-07-30 12:55 AM, "David Demelier" wrote: > > Hi, > > For years, a lot of security advisories have been present for bind. > I'm just guessing if it's not a good idea to remove bind from base? > > This will probably free by half the number of FreeBSD SA's in the future. Hasn't this discussio

Re: Bind in FreeBSD, security advisories

2013-07-30 Thread Ronald Klop
On Tue, 30 Jul 2013 16:07:30 +0200, Mark Felder wrote: On Tue, Jul 30, 2013, at 8:42, sth...@nethelp.no wrote: and every contrib part which is removed, detracts from this. And every contrib part that is added to base is another piece of software that rots for the life of a major release an

Re: Bind in FreeBSD, security advisories

2013-07-30 Thread Chris Ross
On Jul 30, 2013, at 10:07 , Mark Felder wrote: > On Tue, Jul 30, 2013, at 8:42, sth...@nethelp.no wrote: >> >> and every contrib part which is removed, detracts from this. > > And every contrib part that is added to base is another piece of > software that rots for the life of a major release an

Re: Bind in FreeBSD, security advisories

2013-07-30 Thread Ronald Klop
On Tue, 30 Jul 2013 15:53:08 +0200, Tim Daneliuk wrote: On 07/30/2013 08:13 AM, Mehmet Erol Sanliturk wrote: On Tue, Jul 30, 2013 at 8:47 AM, Daniel Kalchev wrote: On 30.07.13 15:21, Mark Felder wrote: People don't seem upset about not having a webserver, IMAP/POP daemon, or LDAP ser

Re: Bind in FreeBSD, security advisories

2013-07-30 Thread Ronald Klop
On Tue, 30 Jul 2013 16:04:46 +0200, Mark Felder wrote: On Tue, Jul 30, 2013, at 8:32, Daniel Kalchev wrote: This is very much a situation like replacing gcc with clang/llvm. However, in the case of BIND we have no licensing problems, stability problems, performance problems etc --- just con

Re: Bind in FreeBSD, security advisories

2013-07-30 Thread Mark Felder
On Tue, Jul 30, 2013, at 8:42, sth...@nethelp.no wrote: > > and every contrib part which is removed, detracts from this. > And every contrib part that is added to base is another piece of software that rots for the life of a major release and ends up getting replaced by frustrated endusers with

Re: Bind in FreeBSD, security advisories

2013-07-30 Thread Tim Daneliuk
On 07/30/2013 08:13 AM, Mehmet Erol Sanliturk wrote: On Tue, Jul 30, 2013 at 8:47 AM, Daniel Kalchev wrote: On 30.07.13 15:21, Mark Felder wrote: People don't seem upset about not having a webserver, IMAP/POP daemon, or LDAP server in base, so I don't understand what the big deal is about r

Re: Bind in FreeBSD, security advisories

2013-07-30 Thread Mark Felder
On Tue, Jul 30, 2013, at 8:32, Daniel Kalchev wrote: > > > This is very much a situation like replacing gcc with clang/llvm. > However, in the case of BIND we have no licensing problems, stability > problems, performance problems etc --- just concerns that BIND generates > many SAs -- which m

Re: Bind in FreeBSD, security advisories

2013-07-30 Thread Wiley, Glen
The package would have to be reworked to remove the name server - not an impossible task and you could make a case for it from an ideological perspective, but is it worth the work? On 7/30/13 8:59 AM, "Mark Felder" wrote: >On Tue, Jul 30, 2013, at 7:47, Daniel Kalchev wrote: >> >> We could in t

Re: Bind in FreeBSD, security advisories

2013-07-30 Thread Mark Felder
On Tue, Jul 30, 2013, at 8:44, Ronald Klop wrote: > > Interesting. What are your statistics of 'most' based on? > Yes, this shouldn't be left to conjecture. A large community poll should be the first step IMHO.

Re: Bind in FreeBSD, security advisories

2013-07-30 Thread sthaug
> > For years, a lot of security advisories have been present for bind. > > I'm just guessing if it's not a good idea to remove bind from base? > > > > This will probably free by half the number of FreeBSD SA's in the future. > > > > Sure, but no bind in base also implies no dig, nslookup or host.

Re: Bind in FreeBSD, security advisories

2013-07-30 Thread Ronald Klop
On Tue, 30 Jul 2013 15:32:44 +0200, Daniel Kalchev wrote: On 30.07.13 16:13, Mehmet Erol Sanliturk wrote: On Tue, Jul 30, 2013 at 8:47 AM, Daniel Kalchev > wrote: Going that direction, we should consider Comrade Stalin's maxim "FreeBSD exists, there ar

Re: Bind in FreeBSD, security advisories

2013-07-30 Thread Daniel Kalchev
On 30.07.13 16:13, Mehmet Erol Sanliturk wrote: On Tue, Jul 30, 2013 at 8:47 AM, Daniel Kalchev > wrote: Going that direction, we should consider Comrade Stalin's maxim "FreeBSD exists, there are problems, here is the solution -- no FreeBSD, no problems

Re: Bind in FreeBSD, security advisories

2013-07-30 Thread Mehmet Erol Sanliturk
On Tue, Jul 30, 2013 at 8:47 AM, Daniel Kalchev wrote: > > On 30.07.13 15:21, Mark Felder wrote: > >> People don't seem upset about not having a webserver, IMAP/POP daemon, >> or LDAP server in base, so I don't understand what the big deal is about >> removing BIND. >> > > I believe the primary r

Re: Bind in FreeBSD, security advisories

2013-07-30 Thread Mark Felder
On Tue, Jul 30, 2013, at 7:47, Daniel Kalchev wrote: > > We could in theory remove the BIND's authoritative name server > executable... if that is attracting the SAs. > It's the same executable, that's the problem :-)

Re: Bind in FreeBSD, security advisories

2013-07-30 Thread Mark Felder
On Tue, Jul 30, 2013, at 7:45, Garrett Wollman wrote: > > There are plenty of situations in which a remote recursive resolver is > untrustworthy. (Some would say any situation.) It doesn't have to be > BIND, but people do legitimately want the normal DNS diagnostic > utilities, which sadly have

Re: Bind in FreeBSD, security advisories

2013-07-30 Thread Daniel Kalchev
On 30.07.13 15:21, Mark Felder wrote: People don't seem upset about not having a webserver, IMAP/POP daemon, or LDAP server in base, so I don't understand what the big deal is about removing BIND. I believe the primary reason these things are not in the base system is that they have plenty of

Re: Bind in FreeBSD, security advisories

2013-07-30 Thread Garrett Wollman
In article <1375186900.23467.3223791.24cb3...@webmail.messagingengine.com>, f...@freebsd.org writes: >just import Unbound. However, if you can't reach any DNS servers I >assume you can't reach the roots either, so I don't understand what a >local recursor will gain you. There are plenty of situat

Re: Bind in FreeBSD, security advisories

2013-07-30 Thread Wiley, Glen
I think you could conceptually differentiate between DNS clients and servers and remove bind without removing the DNS clients. On 7/30/13 8:39 AM, "Tom Evans" wrote: >On Tue, Jul 30, 2013 at 8:55 AM, David Demelier > wrote: >> Hi, >> >> For years, a lot of security advisories have been present f

Re: Bind in FreeBSD, security advisories

2013-07-30 Thread Tom Evans
On Tue, Jul 30, 2013 at 8:55 AM, David Demelier wrote: > Hi, > > For years, a lot of security advisories have been present for bind. > I'm just guessing if it's not a good idea to remove bind from base? > > This will probably free by half the number of FreeBSD SA's in the future. > Sure, but no b

Re: Bind in FreeBSD, security advisories

2013-07-30 Thread Mark Felder
People don't seem upset about not having a webserver, IMAP/POP daemon, or LDAP server in base, so I don't understand what the big deal is about removing BIND. If the concern is over the rare case when you absolutely need a DNS recursor and there are none you can reach I suppose we should just impor

Bind in FreeBSD, security advisories

2013-07-30 Thread David Demelier
Hi, For years, a lot of security advisories have been present for bind. I'm just guessing if it's not a good idea to remove bind from base? This will probably free by half the number of FreeBSD SA's in the future. Regards, -- Demelier David