Doug Barton wrote:
Chuck Swiger wrote:
Doug Barton wrote:
[ ... ]
I've been bitten by CVE-2006-4096, and have applied the workaround to
limit the # of outstanding queries.
I have no doubt that users who have active name servers in a production
environment _will_ need to update their name servers to the latest and
greatest versions. The ports exist in part to facilitate using the
latest BIND on older versions of FreeBSD that will not be updated.
I see. Well, thanks for the information.
I've got two nameservers tracking 5-STABLE
I am not sure how to respond to that.
[ ...comments about moving to 6 snipped for brevity... ]
That's OK, I wasn't soliciting advice on which platform or OS version a given
set of machines ought to run. When the number of machines one deals with in a
given environment changes from single-digit, to dozens, to hundreds, to tens
of thousands, keeping machines updated to a bug-free, stable environment is
more important than chasing features off the latest branch.
As always, your mileage may vary.
I'm starting to feel thankful that my important domains include
off-site secondaries which are running djbdns.
EGRATUITOUSBINDBASHING
You seem to be disposed to believe it so, but regardless of opinions, I've had
named crash under moderate loads and it concerns me enough to evaluate
switching to a heterogeneous nameserver environment to gain more stability from
a critical service.
If I wanted to indulge in gratuitous bashing of BIND, I wouldn't do so on a
FreeBSD mailing list, nor would I make an effort to be tactful even when it
seems that a bug report or any criticism (direct or implied) would be
misinterpreted as "gratuitous bashing" regardless of whether it concerns a
legitimate problem.
Does the FreeBSD security team have a position with regard to whether
the above DoS vulnerabilities ought to be fixed in the 5-STABLE branch?
They are actually reviewing the issue as we speak. As I've said, I'll
abide by the secteam's request either way, I am simply stating a
preference.
Very good.
--
-Chuck