From: Peter Maxwell
Date: Tue, 30 Jul 2013 17:49:04 +0100
To: freebsd-stable@freebsd.org
Subject: Re: Bind in FreeBSD, security advisories
In-Reply-To: <51F7E292.90608@digsys.bg>
References: <20130730.154208.41672901.sthaug@nethelp.no> <51F7E292.90608@digsys.bg>
List-Id: Production branch of FreeBSD source code

On 30 July 2013 16:58, Daniel Kalchev wrote:
>
> On 30.07.13 18:26, Peter Maxwell wrote:
>
>> On 30 July 2013 14:42, wrote:
>>
>>> Yes, I know everything can be installed from packages/ports. Two of *my* main reasons for using FreeBSD are that:
>>>
>>> 1. It's an integrated *system*, not just a kernel.
>>>
>> That's not an argument for retaining something that is non-essential for most people and can easily be installed from ports. There is very little that is actually essential in base... having to turn sendmail off on every new installation already does my nut in, but having mail facilities is essential, so it has to be there.
>>
>
> I am surprised why so many people insist having an MTA is necessary, but having a well tested recursive DNS resolver is not.
> Even on a typical "client" installation, it is more likely the resolver will be useful than the MTA.
>

Sendmail - or something equivalent - is required to handle system mail from things like system utility scripts, e.g. periodic. A caching or recursive DNS resolver, strictly, is not essential. Given the number of SAs in bind, it would arguably be better positioned in ports from an upgrade point of view.

>
> By the way, both sendmail and BIND are off by default...

No, sendmail is on by default, cf. http://www.freebsd.org/doc/en/books/handbook/mail-changingmta.html

It's only inbound SMTP handling that is off by default. To turn sendmail off completely, you need to do something like set sendmail_enable="NONE" in your rc.conf and have a replacement already set up.
>
>> Having bind in base does have one advantage in that it is more carefully scrutinised than it would likely be in ports.
>>
>
> This too..
>
> I have always viewed FreeBSD not as a product, but instead as a toolkit. A toolkit from which to build the OS you need.
> So far, FreeBSD has worked better for that purpose than any other toolkit around (plus, I am biased).
>

It's less useful as a toolkit when you need to upgrade, say, sshd or openssl but for whatever reason cannot upgrade the base system... it can be quite a bit of hassle managing the ports version while you've still got the base version there. It's not difficult, but it's still a pain; when you're dealing with hundreds of servers, every corner-case makes ongoing maintenance harder. My position would be that if it is third-party and not absolutely essential, it should be in ports.

>
> There are a number of knobs that let you customize FreeBSD to your heart's content.
>

Eh, hmmm, sort of. As above, some things require upgrading the base system, which can be a bit of an issue in production environments when you cannot arrange a suitable maintenance window - a scenario that is very common indeed. You are then forced to start using ports to replace the functionality in base and it all gets rather non-standard and messy.

>
> In theory, everything but the absolute minimum of the base system might be removed.. and have everything depend on ports. However, the base system is just that -- one collection of code that gets built and tested together.
> This brings quality.
>

Yet, as the OP pointed out: bind is not what I would term "quality", there's more SAs posted than I've had hot dinners. Given it is non-essential, it could quite easily be stripped out.

>
> Having said this, it is perfectly ok to replace BIND with any other resolver + name server.... as long as there is a suitable candidate that has passed enough testing. Is there one? Do we know enough of their quirks?
>

That's not a good idea: any environment larger than a home network or SME that relies on bind will not find it easy to migrate. It's one thing asking people to tolerate a 2min inconvenience to make a choice to install bind from ports (when they can also choose bind or, say, djbdns, etc), it's quite another to suggest to them they should be using different software, essentially on a whim. I personally prefer qmail over sendmail but I wouldn't suggest qmail should be in base for the reason that sendmail is the de facto standard on *nix shaped systems.
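The "sendmail is on by default" point above is easy to get wrong because four rc.conf knobs interact. The following added script (not from this thread or from FreeBSD itself) reads an rc.conf and reports which sendmail daemons /etc/rc.d/sendmail would actually start; it assumes the defaults in /etc/defaults/rc.conf and the NONE shorthand and start precedence of the 9.x-era rc.d/sendmail script, so check it against your own release.

```shell
#!/bin/sh
# Added example, not from the thread. Reports which sendmail daemons FreeBSD's
# /etc/rc.d/sendmail would start for a given rc.conf, so you can confirm that
# sendmail really is off rather than just "inbound off". Defaults are assumed
# to match /etc/defaults/rc.conf (enable=NO, submit/outbound/msp_queue=YES);
# the NONE shorthand and start precedence are assumed to match rc.d/sendmail.
# Knobs are parsed with sed, never sourced, so an untrusted rc.conf cannot
# execute commands through this script.

# knob_value FILE KNOB DEFAULT: last assignment of KNOB in FILE, or DEFAULT.
knob_value() {
    v=$(sed -n "s/^[[:space:]]*$2=[\"']*\([A-Za-z0-9]*\).*/\1/p" "$1" | tail -n 1)
    [ -n "$v" ] && printf '%s' "$v" || printf '%s' "$3"
}

# is_yes VALUE: true for the values rc.subr's checkyesno accepts as "on".
is_yes() {
    case "$1" in
    [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1) return 0 ;;
    *) return 1 ;;
    esac
}

# sendmail_effective_state FILE: print "mta", "submit", "outbound" and/or
# "msp_queue" (space separated) for the daemons that would run, or "none".
sendmail_effective_state() {
    enable=$(knob_value "$1" sendmail_enable NO)
    submit=$(knob_value "$1" sendmail_submit_enable YES)
    outbound=$(knob_value "$1" sendmail_outbound_enable YES)
    msp=$(knob_value "$1" sendmail_msp_queue_enable YES)
    # sendmail_enable="NONE" is shorthand for switching all four off.
    case "$enable" in
    [Nn][Oo][Nn][Ee]) enable=NO; submit=NO; outbound=NO; msp=NO ;;
    esac
    running=""
    if is_yes "$enable"; then
        running="mta"            # full MTA, accepts inbound SMTP
    elif is_yes "$submit"; then
        running="submit"         # localhost-only submission listener
    elif is_yes "$outbound"; then
        running="outbound"       # queue runner only, no listener at all
    fi
    if is_yes "$msp"; then
        running="${running:+$running }msp_queue"   # clientmqueue runner
    fi
    printf '%s\n' "${running:-none}"
}
```

With an empty rc.conf it reports "submit msp_queue", which is what the two sendmail processes on a fresh install are; only sendmail_enable="NONE" yields "none".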