What about BIND 9.3.4 in FreeBSD in base system ?
Chuck Swiger
cswiger at mac.com
Thu Feb 1 22:33:53 UTC 2007
Doug Barton wrote:
> Chuck Swiger wrote:
>> Doug Barton wrote:
>> [ ... ]
>> I've been bitten by CVE-2006-4096, and have applied the workaround to
>> limit the # of outstanding queries.
>
> I have no doubt that users who have active name servers in a production
> environment _will_ need to update their name servers to the latest and
> greatest versions. The ports exist in part to facilitate using the
> latest BIND on older versions of FreeBSD that will not be updated.
I see. Well, thanks for the information.
>> I've got two nameservers tracking 5-STABLE
>
> I am not sure how to respond to that.
[ ...comments about moving to 6 snipped for brevity... ]
That's OK, I wasn't soliciting advice on which platform or OS version a given
set of machines ought to run. When the number of machines one deals with in a
given environment changes from single-digit, to dozens, to hundreds, to tens
of thousands, keeping machines updated to a bug-free, stable environment is
more important than chasing features off the latest branch.
As always, your mileage may vary.
>> I'm starting to feel thankful that my important domains include
>> off-site secondaries which are running djbdns.
>
> EGRATUITOUSBINDBASHING
You seem to be disposed to believe it so, but regardless of opinions, I've had
named crash under moderate loads and it concerns me enough to evaluate
switching to a heterogenous nameserver environment to gain more stability from
a critical service.
If I wanted to indulge in gratuitous bashing of BIND, I wouldn't do so on a
FreeBSD mailing list, nor would I make an effort to be tactful even when it
seems that a bug report or any criticism (direct or implied) would be
misinterpreted as "gratuitous bashing" regardless of whether it concerns a
legitimate problem.
>> Does the FreeBSD security team have a position with regard to whether
>> the above DoS vulnerabilities ought to be fixed in the 5-STABLE branch?
>
> They are actually reviewing the issue as we speak. As I've said, I'll
> abide by the secteam's request either way, I am simply stating a
> preference.
Very good.
--
-Chuck
More information about the freebsd-security
mailing list