From: Daniel Kalchev
Date: Tue, 30 Jul 2013 15:47:03 +0300
To: freebsd-stable@freebsd.org
Subject: Re: Bind in FreeBSD, security advisories

On 30.07.13 15:21, Mark Felder wrote:
> People don't seem upset about not having a webserver, IMAP/POP daemon,
> or LDAP server in base, so I don't understand what the big deal is about
> removing BIND.

I believe the primary reason these things are not in the base system is that they have plenty of dependencies, with possibly conflicting licenses etc.

> If the concern is over the rare case when you absolutely
> need a DNS recursor and there are none you can reach I suppose we should
> just import Unbound.

There are many and good reasons to include a fully featured name server, or at least a full recursive resolver. For example, for properly supporting DNSSEC.

We could in theory remove BIND's authoritative name server executable... if that is attracting the SAs.

The justification "reduce the number of SA's", that is, "the bad PR" is probably not enough. Going that direction, we should consider Comrade Stalin's maxim "FreeBSD exists, there are problems, here is the solution -- no FreeBSD, no problems!" :-)

Daniel