Waiting for BIND security announcement
Jeffrey Goldberg
jeffrey at goldmark.org
Thu Aug 2 21:19:02 UTC 2007
On Aug 1, 2007, at 3:47 PM, Doug Barton wrote:
> I can't speak for the security team, but I'm pretty sure that this
> change is forthcoming.
As someone has already noted in this thread, the wait is over.
>>> When it comes to BIND stuff in particular, I always update the ports
>>> first, so anyone with a mission critical DNS operation can get fixes
>>> ASAP. There is even an option in the port to overwrite the base BIND
>>> if you so desire.
>>
>> Ah-ha. That makes a big difference. OK. If I'm going to expose my
>> name server to the big bad world while tracking RELENG_N_M ("release
>> with patches") I'll use bind from ports.
>
> In addition to security issues, the ports give you a greater degree of
> flexibility in how BIND is configured. If you're going to be offering
> a public name server (and by that I hope you mean authoritative, not
> recursive) on 6-stable you're probably better off using 9.4.x anyway,
> with the threading option disabled.
Yes, I do mean a (low volume) authoritative name server for a small
handful of low traffic vanity domains. My intention is to set it up
as a master which will transfer zone information to a professional
DNS hosting service (dnspark.net, with whom I'm very happy).
Currently I have to modify my zone information through DNSPark's web
interface (which is very good and seems to allow everything except
"generate" rules). But since I'm masochistic, I figure that I should
inflict problems on myself like remembering to update the serial
numbers myself. (Big shouting reminder comments at both ends of the
zone files seem to do the trick.)
Also, while I'm extremely happy with dnspark.net, having one instance
of the authoritative zone data fully under my control makes me feel
better.
-j
--
Jeffrey Goldberg http://www.goldmark.org/jeff/
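A named.conf sketch of the setup described in the message above (an authoritative-only master whose zone can be pulled only by the hosting provider's secondaries), added here as an example; it is not configuration from the original message or from DNSPark. The zone name, file paths and the addresses (RFC 5737 documentation ranges) are placeholders, since the thread does not give them.

```conf
// Added example, not from the original message: an authoritative-only
// BIND 9 master that permits zone transfers only to the secondaries of
// the hosting provider. All names and addresses below are placeholders.
acl "secondaries" {
    192.0.2.53;          // placeholder for the provider's first secondary
    192.0.2.54;          // placeholder for the provider's second secondary
};

options {
    directory "/usr/local/etc/namedb";   // placeholder; ports layout, adjust to taste
    listen-on { 203.0.113.10; };         // placeholder: the server's public address
    recursion no;                        // authoritative only, never a public resolver
    allow-query { any; };                // the world may query the zones we serve
    allow-transfer { none; };            // global default: nobody may AXFR anything
    notify no;                           // enabled per zone below
};

zone "example.org" {
    type master;
    file "master/example.org";           // placeholder path to the zone file
    allow-transfer { secondaries; };     // only the provider may pull the zone
    notify explicit;                     // NOTIFY only the also-notify targets
    also-notify { 192.0.2.53; 192.0.2.54; };
    // If the provider supports TSIG, a key-based ACL is stronger than
    // address matching, which can be spoofed on an unfiltered network.
};
```

The secondaries still only refresh when the SOA serial goes up, which is the bookkeeping the message refers to; `named-checkzone example.org master/example.org` before a reload catches syntax errors but not a forgotten serial bump.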