What about BIND 9.3.4 in FreeBSD in base system ?

Chuck Swiger cswiger at mac.com
Thu Feb 1 22:33:53 UTC 2007


Doug Barton wrote:
> Chuck Swiger wrote:
>> Doug Barton wrote:
>> [ ... ]
>> I've been bitten by CVE-2006-4096, and have applied the workaround to 
>> limit the # of outstanding queries.
> 
> I have no doubt that users who have active name servers in a production 
> environment _will_ need to update their name servers to the latest and 
> greatest versions. The ports exist in part to facilitate using the 
> latest BIND on older versions of FreeBSD that will not be updated.

I see.  Well, thanks for the information.

>> I've got two nameservers tracking 5-STABLE
> 
> I am not sure how to respond to that.
[ ...comments about moving to 6 snipped for brevity... ]

That's OK, I wasn't soliciting advice on which platform or OS version a given 
set of machines ought to run.  When the number of machines one deals with in a 
given environment changes from single-digit, to dozens, to hundreds, to tens 
of thousands, keeping machines updated to a bug-free, stable environment is 
more important than chasing features off the latest branch.

As always, your mileage may vary.

>> I'm starting to feel thankful that my important domains include 
>> off-site secondaries which are running djbdns.
> 
> EGRATUITOUSBINDBASHING

You seem to be disposed to believe it so, but regardless of opinions, I've had 
named crash under moderate loads and it concerns me enough to evaluate 
switching to a heterogenous nameserver environment to gain more stability from 
a critical service.

If I wanted to indulge in gratuitous bashing of BIND, I wouldn't do so on a 
FreeBSD mailing list, nor would I make an effort to be tactful even when it 
seems that a bug report or any criticism (direct or implied) would be 
misinterpreted as "gratuitous bashing" regardless of whether it concerns a 
legitimate problem.

>> Does the FreeBSD security team have a position with regard to whether 
>> the above DoS vulnerabilities ought to be fixed in the 5-STABLE branch?
> 
> They are actually reviewing the issue as we speak. As I've said, I'll 
> abide by the secteam's request either way, I am simply stating a 
> preference.

Very good.

-- 
-Chuck


More information about the freebsd-security mailing list