From: Garrett Wollman
Date: Tue, 30 Jul 2013 08:45:56 -0400 (EDT)
To: feld@freebsd.org
Cc: stable@freebsd.org
Subject: Re: Bind in FreeBSD, security advisories
Message-Id: <201307301245.r6UCjuYs028255@hergotha.csail.mit.edu>
In-Reply-To: <1375186900.23467.3223791.24CB348A@webmail.messagingengine.com>

In article <1375186900.23467.3223791.24CB348A@webmail.messagingengine.com>,
feld@freebsd.org writes:

>just import Unbound. However, if you can't reach any DNS servers I
>assume you can't reach the roots either, so I don't understand what a
>local recursor will gain you.

There are plenty of situations in which a remote recursive resolver is untrustworthy. (Some would say any situation.) It doesn't have to be BIND, but people do legitimately want the normal DNS diagnostic utilities, which sadly have been tied together with BIND for some years now. (I don't know why anyone would ever use nslookup(1), but host(1) and dig(1) are pretty much essential.)

It is a little bit disconcerting to see that big chunks of our BSD heritage have turned into someone else's commercial product, but that seems to be the way of the world these days.

-GAWollman