From owner-freebsd-security@FreeBSD.ORG Thu Feb 1 22:33:53 2007 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 9CC1316A401; Thu, 1 Feb 2007 22:33:53 +0000 (UTC) (envelope-from cswiger@mac.com) Received: from pi.codefab.com (pi.codefab.com [199.103.21.227]) by mx1.freebsd.org (Postfix) with ESMTP id 72DC413C4A6; Thu, 1 Feb 2007 22:33:53 +0000 (UTC) (envelope-from cswiger@mac.com) Received: from localhost (localhost [127.0.0.1]) by pi.codefab.com (Postfix) with ESMTP id D653660CB; Thu, 1 Feb 2007 17:33:52 -0500 (EST) X-Virus-Scanned: amavisd-new at codefab.com Received: from pi.codefab.com ([127.0.0.1]) by localhost (pi.codefab.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3ClbNhJL1DWE; Thu, 1 Feb 2007 17:33:49 -0500 (EST) Received: from [192.168.1.251] (pool-68-161-114-230.ny325.east.verizon.net [68.161.114.230]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by pi.codefab.com (Postfix) with ESMTP id 4AE495F31; Thu, 1 Feb 2007 17:33:49 -0500 (EST) Message-ID: <45C26ACC.9020702@mac.com> Date: Thu, 01 Feb 2007 17:33:48 -0500 From: Chuck Swiger User-Agent: Thunderbird 1.5.0.9 (Windows/20061207) MIME-Version: 1.0 To: Doug Barton References: <001601c74428$ff9d54b0$ab76ed54@odipw> <45BEE27D.1050804@FreeBSD.org> <45BFA1B3.9040000@rxsec.com> <45C23DAA.9040108@FreeBSD.org> <45C24D57.3000704@mac.com> <45C25696.10806@FreeBSD.org> In-Reply-To: <45C25696.10806@FreeBSD.org> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Cc: freebsd-security@freebsd.org Subject: Re: What about BIND 9.3.4 in FreeBSD in base system ? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 01 Feb 2007 22:33:53 -0000 Doug Barton wrote: > Chuck Swiger wrote: >> Doug Barton wrote: >> [ ... ] >> I've been bitten by CVE-2006-4096, and have applied the workaround to >> limit the # of outstanding queries. > > I have no doubt that users who have active name servers in a production > environment _will_ need to update their name servers to the latest and > greatest versions. The ports exist in part to facilitate using the > latest BIND on older versions of FreeBSD that will not be updated. I see. Well, thanks for the information. >> I've got two nameservers tracking 5-STABLE > > I am not sure how to respond to that. [ ...comments about moving to 6 snipped for brevity... ] That's OK, I wasn't soliciting advice on which platform or OS version a given set of machines ought to run. When the number of machines one deals with in a given environment changes from single-digit, to dozens, to hundreds, to tens of thousands, keeping machines updated to a bug-free, stable environment is more important than chasing features off the latest branch. As always, your mileage may vary. >> I'm starting to feel thankful that my important domains include >> off-site secondaries which are running djbdns. > > EGRATUITOUSBINDBASHING You seem to be disposed to believe it so, but regardless of opinions, I've had named crash under moderate loads and it concerns me enough to evaluate switching to a heterogenous nameserver environment to gain more stability from a critical service. If I wanted to indulge in gratuitous bashing of BIND, I wouldn't do so on a FreeBSD mailing list, nor would I make an effort to be tactful even when it seems that a bug report or any criticism (direct or implied) would be misinterpreted as "gratuitous bashing" regardless of whether it concerns a legitimate problem. >> Does the FreeBSD security team have a position with regard to whether >> the above DoS vulnerabilities ought to be fixed in the 5-STABLE branch? > > They are actually reviewing the issue as we speak. As I've said, I'll > abide by the secteam's request either way, I am simply stating a > preference. Very good. -- -Chuck