From: Daniel Kalchev
Date: Tue, 30 Jul 2013 18:58:10 +0300
To: freebsd-stable@freebsd.org
Subject: Re: Bind in FreeBSD, security advisories
Message-ID: <51F7E292.90608@digsys.bg>
References: <20130730.154208.41672901.sthaug@nethelp.no>

On 30.07.13 18:26, Peter Maxwell wrote:
> On 30 July 2013 14:42, wrote:
>
>> Yes, I know everything can be installed from packages/ports. Two of
>> *my* main reasons for using FreeBSD are that:
>>
>> 1. It's an integrated *system*, not just a kernel.
>>
> That's not an argument for retaining something that is non-essential for
> most people and can easily be installed from ports. There is very little
> that is actually essential in base... having to turn sendmail off on every
> new installation already does my nut in but having mail facilities is
> essential, so it has to be there.

I am surprised why so many people insist having an MTA is necessary, but having a well-tested recursive DNS resolver is not. Even on a typical "client" installation, it is more likely the resolver will be useful than the MTA.

By the way, both sendmail and BIND are off by default...

> Having bind in base does have one advantage in that it is more carefully
> scrutinised than it would likely be in ports.

This too..

I have always viewed FreeBSD not as a product, but instead as a toolkit. A toolkit from which to build the OS you need. So far, FreeBSD has worked better for that purpose than any other toolkit around (plus, I am biased).

There are a number of knobs that let you customize FreeBSD to your heart's content. In theory, everything but the absolute minimum of the base system might be removed.. and have everything depend on ports. However, the base system is just that -- one collection of code that gets built and tested together. This brings quality.

Having said this, it is perfectly ok to replace BIND with any other resolver + name server.... as long as there is a suitable candidate that has passed enough testing. Is there one? Do we know enough of their quirks?

Daniel