Date: Sat, 25 Jan 2014 21:03:52 +0000
From: Frank Leonhardt <frank2@fjl.co.uk>
To: freebsd-questions@freebsd.org
Subject: Re: Why was nslookup removed from FreeBSD 10?
Message-ID: <52E426B8.3080905@fjl.co.uk>
In-Reply-To: <20140125202038.125a4264@gumby.homeunix.com>
References: <52E40CC4.6090401@fjl.co.uk> <201401252137.50132.mark.tinka@seacom.mu> <52E41619.1000505@fjl.co.uk> <20140125202038.125a4264@gumby.homeunix.com>
On 25/01/2014 20:20, RW wrote:
> On Sat, 25 Jan 2014 19:52:57 +0000
> Frank Leonhardt wrote:
>
>> As you and Waitman both pointed out, nslookup IS part of BIND, yet as
>> I said in the diatribe following the question in my post, so is
>> "host" and that's still there.
>
> From the host manpage:
>
> COMPATIBILITY
>      host aims to be reasonably compatible with `host' utility from
>      BIND9 distribution,

Yes - I read that too, and assumed it meant it was a derived work until I checked the source code. It's contributed, but part of ldns and not BIND. By removing BIND from the base system in favour of ldns-based stuff, it could mean that it's just the case that no one wrote an ldns version of nslookup or dig; only host. This is one of my theories as to the answer.

It's worth noting that one of the criticisms I've heard of nslookup has been that it DOESN'T use BIND as a resolver and works in its self-contained way, and is therefore not valid as a DNS (meaning BIND) debugging tool. However, it should mean that it's stand-alone - hence the Windoze port (which used to contain incriminating strings showing it was pinched from BSD!).

So if you prefer a slightly rephrased question: Why has someone written "host" for FreeBSD 10.0 but neglected to provide nslookup (or dig)?

As to Matt's comment that "almost half of all the security vulnerabilities in the entire lifetime of the FreeBSD project have been from BIND. Personally, I'd say that's "pretty spectacular."" - I'd say these security vulnerabilities are more to do with DNS the protocol rather than BIND the implementation. Whoever would have thought that criminals would have got their hands on computers?

Removing BIND and not replacing it with anything (apart from a local resolver) will, I guess, meet your security needs. But I'm talking about nslookup, not the whole of BIND and all its utilities. I've never heard of a security problem with nslookup.

Except, of course, with the Micro$soft version ;-)

There must be a discussion about how the decision was taken somewhere, mustn't there? If there isn't, it's looking like an accident.

Regards, Frank.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?52E426B8.3080905>