Date: Wed, 31 Jul 2013 14:37:42 +0200
From: Erwin Lansing
To: freebsd-stable@freebsd.org
Subject: Re: Bind in FreeBSD, security advisories
Message-ID: <20130731123741.GO84587@droso.dk>
In-Reply-To: <1375273340.22504.3655263.0DFF1E05@webmail.messagingengine.com>

On Wed, Jul 31, 2013 at 07:22:20AM -0500, Mark Felder wrote:
>
> Let's take a moment and consider the state of the internet and DNS
> attacks. The RRL and RPZ2 patchsets[1] are newer developments that
> successfully add additional security and features to BIND. It was also
> recently announced that due to the success of this work the RRL[2] patch
> will be accepted by ISC into BIND mainline.
>
> How many users of BIND on FreeBSD are going to realize they need to run
> a copy of BIND from ports to get this extremely important protection? It
> certainly isn't going to get backported to 8-STABLE or 9-STABLE; I don't
> even know if it will show up in 10.0-RELEASE as a quick grep shows it's
> not there. To put some perspective on it, FreeBSD 8.x users are
> literally 6 years behind CURRENT...
>

3rd party, and especially those that are still being distributed as
experimental, will not be part of the base BIND code. It will only
contain a direct import from the vendor sources. After a -STABLE branch
is branched into a -RELEASE branch, the latter will only get security
updates, sometimes backported depending on the upstream life cycle. For
feature updates, users have always been dependent on ports, as the BIND
versions included in -RELEASE are quickly falling behind.

On a side note, BIND 10 introduces a large number of 3rd party
dependencies, none of which are very attractive to include in the FreeBSD
base system by default. This means that we can use BIND9 so far, but for
the long term, we'll have to look into a more viable alternative anyway.

Erwin
--
Erwin Lansing                    http://droso.dk
erwin@FreeBSD.org                http://www.FreeBSD.org