Re: Waiting for BIND security announcement



Jeffrey Goldberg wrote:
> On Aug 1, 2007, at 2:13 PM, Doug Barton wrote:
>
>> If you want to stay as close as possible to 6.2-RELEASE but also
>> include the fixes that the security officer deems important enough to
>> release widely, use the tag RELENG_6_2 (usually in your supfile for
>> cvsup or csup). If you want the latest code for 6-stable, which will
>> eventually become 6.3-RELEASE, use just RELENG_6.
>
> Thank you. I wasn't clear in my original message. I meant to talk
> about RELENG_6_2, which is what I meant when I said "6.2 Release with
> patches". But I fully acknowledge that while I've used RCS for ages, I
> still don't fully grok branches and trunks (or HEADs in CVS), so I do
> state things badly and can always use the reminder of how things work.

I had a feeling that was what you meant, but I wanted to be sure it
was clear for other readers, and for the archives.

> Anyway, I was disappointed that the BIND fix didn't make it into
> RELENG_6_2.

I can't speak for the security team, but I'm pretty sure that this
change is forthcoming.

>> When it comes to BIND stuff in particular, I always update the ports
>> first, so anyone with a mission-critical DNS operation can get fixes
>> ASAP. There is even an option in the port to overwrite the base BIND
>> if you so desire.
>
> Ah-ha. That makes a big difference. OK. If I'm going to expose my
> name server to the big bad world while tracking RELENG_N_M ("release
> with patches") I'll use bind from ports.

In addition to security issues, the ports give you a greater degree of
flexibility in how BIND is configured. If you're going to be offering
a public name server (and by that I hope you mean authoritative, not
recursive) on 6-stable you're probably better off using 9.4.x anyway,
with the threading option disabled.

If you're going to be doing a high-capacity authoritative server (or a
high-load resolver for an internal network) your BEST bet is to
evaluate FreeBSD 7 (soon to be released) and BIND 9.4.x with threading
_enabled_. You'll get better performance by far in a high-load situation.

> Are there other things in /usr/src/contrib that follow this pattern?

Sure, lots. Too many for me to list without having to think hard about
it and potentially leave something out.

>> hth,
>
> Yes, it helps a great deal. Thank you very much for your work on this
> and your patience with me.

My pleasure. :)

Doug

--

This .signature sanitized for your protection

_______________________________________________
freebsd-questions@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscribe@xxxxxxxxxxx"
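As an added illustration, not part of either Doug's or Jeffrey's messages, here is a minimal csup(1) supfile that tracks the security branch described above. The host, base and prefix values are conventional defaults and are assumptions; substitute the mirror nearest you.

```conf
# Constructed example supfile for csup(1); not from the original thread.
# Choose exactly one "release=cvs tag=..." line:
#   RELENG_6_2 -> 6.2-RELEASE plus the fixes the security officer releases widely
#   RELENG_6   -> 6-STABLE, which will eventually become 6.3-RELEASE
*default host=cvsup.FreeBSD.org      # assumed mirror; use one near you
*default base=/var/db
*default prefix=/usr
*default release=cvs tag=RELENG_6_2
*default delete use-rel-suffix
src-all
```

Save it as, for example, /etc/stable-supfile and run `csup -L 2 /etc/stable-supfile`, then rebuild world and kernel as usual. Switching the tag to RELENG_6 moves the same tree onto 6-STABLE; with either tag, the BIND that ships in the base system is the one on that branch, which is why the thread recommends installing BIND from ports on a server exposed to the public.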


