From owner-freebsd-stable@FreeBSD.ORG Wed Dec 4 21:37:18 2013
Message-ID: <529F9ECB.9080406@ohlste.in>
Date: Wed, 04 Dec 2013 16:29:47 -0500
From: Jim Ohlstein
To: Erwin Lansing
Cc: stable@freebsd.org, freebsd-stable@freebsd.org
Subject: Re: BIND chroot environment in 10-RELEASE...gone?
References: <529D9CC5.8060709@rancid.berkeley.edu> <529DF7FA.7050207@passap.ru> <529E179D.7030701@rancid.berkeley.edu> <20131203211606.F2E17B100EB@rock.dv.isc.org> <20131204094730.GX29825@droso.dk>
In-Reply-To: <20131204094730.GX29825@droso.dk>
List-Id: Production branch of FreeBSD source code

On 12/4/13, 4:47 AM, Erwin Lansing wrote:
> On Wed, Dec 04, 2013 at 08:16:06AM +1100, Mark Andrews wrote:
>>
>> As for 9.9.x ESV, it will be supported to at least June 2017, which
>> is 5+ years from BIND 9.9.0, and 4 years after 9.9.x was announced
>> as the ESV series with BIND 9.9.3.
>>
>> BIND 9.6 went ESV in Mar 2010 and will be EoL in Jan 2014.
>>
>> BIND 9.10 is in alpha at the moment.
>>
>> BIND 10 is still in development.
>>
>
> Thanks for chiming in Mark. As you can see, there's some confusion
> about BIND9's lifetime, so getting this straight from the horse's mouth
> is good.

With due respect, I don't see any confusion at all. BIND 9.9 will be supported for at least another 3.5 years. Had anyone actually asked that question they would have known the answer. It's right here at https://www.isc.org/downloads/software-support-policy/.
There's really no excuse for not having gotten this right. As a result, everyone will now see at least two changes from 9 -> 10 -> 11 instead of perhaps just one, even if you accept the wisdom of removing BIND at all.

>
> I did a presentation at the recent ICANN meeting about why BIND was
> removed from base, slides are at
> http://people.freebsd.org/~erwin/presentations/20131118-ICANN-FreeBSD-DNS.pdf
>
> Note that most of the reasons all fall back to reducing code base and
> complexity, and some of the other bullets all follow from that. It has
> more to do with how BIND was integrated into FreeBSD than BIND itself
> and unbound just has the advantage that it does not have an authoritative
> part (and key management etc), with associated options and potential
> security vulnerabilities, and thus hopefully will be easier to maintain
> in the base system.
>

I get this, but from a security point of view, the changes make a system at best as secure (with a lot of work for each individual user) and at worst a whole lot *less* secure if chroot(8) is not properly configured. I know that people are concerned about the number of security advisories, but as you and others have pointed out, it's a highly scrutinized piece of software, and also, I'd add, one which is a frequent object of attack due to its widespread use. For the people who are so concerned about the SAs, they still have the option to set WITHOUT_BIND_NAMED in src.conf, or at least they did before it was deprecated. Even if they were tracking RELEASE they did not need to enable BIND in rc.conf. A program that never runs is rarely a security risk.

Now a bit of a rant about 10 in general:

I think it's clear that 10 is a departure from previous versions in several ways. There's a new default compiler. The iconv/libiconv change. The removal of BIND from base (which was not as it was billed to us earlier). There are of course others as well.

The compiler has not been a problem for me yet. I've been using clang for a while now since this was planned a while ago.

The other two changes caused a great deal of trouble in my test box. Ports did not want to rebuild because libiconv would not build. I prefer to set my own options for a lot of ports, and so packages often do not work for me. I had to resort to installing all of my ports as packages, rebuilding them with my options, and then removing the unneeded packages that were installed as dependencies for the pre-built packages' options that I didn't need. That has (so far) solved the libiconv/iconv issue, but it will put a machine that depends on custom configurations of ports out of business for hours or more in the process.

And that's before I installed a jail (and all of the necessary bits for that jail to communicate with the outside world), installed BIND in that jail, moved all of my zones, etc. from /var/named/etc/named in the host to /usr/local/etc/named in the jail, and reconfigured named.conf. A lot of work. And the sad part is that part of the reason for BIND being removed from base in 10 was because of a "misunderstanding".

-- 
Jim Ohlstein