Re: What about BIND 9.3.4 in FreeBSD in base system ?
- From: Chuck Swiger <cswiger@xxxxxxx>
- Date: Thu, 01 Feb 2007 17:33:48 -0500
Doug Barton wrote:
Chuck Swiger wrote:
Doug Barton wrote:
[ ... ]
I've been bitten by CVE-2006-4096, and have applied the workaround to limit the # of outstanding queries.
I have no doubt that users who have active name servers in a production environment _will_ need to update their name servers to the latest and greatest versions. The ports exist in part to facilitate using the latest BIND on older versions of FreeBSD that will not be updated.
I see. Well, thanks for the information.
[ ...comments about moving to 6 snipped for brevity... ]
I've got two nameservers tracking 5-STABLE
I am not sure how to respond to that.
That's OK, I wasn't soliciting advice on which platform or OS version a given set of machines ought to run. When the number of machines one deals with in a given environment changes from single-digit, to dozens, to hundreds, to tens of thousands, keeping machines updated to a bug-free, stable environment is more important than chasing features off the latest branch.
As always, your mileage may vary.
I'm starting to feel thankful that my important domains include off-site secondaries which are running djbdns.
EGRATUITOUSBINDBASHING
You seem to be disposed to believe it so, but regardless of opinions, I've had named crash under moderate loads and it concerns me enough to evaluate switching to a heterogeneous nameserver environment to gain more stability from a critical service.
If I wanted to indulge in gratuitous bashing of BIND, I wouldn't do so on a FreeBSD mailing list, nor would I make an effort to be tactful even when it seems that a bug report or any criticism (direct or implied) would be misinterpreted as "gratuitous bashing" regardless of whether it concerns a legitimate problem.
Does the FreeBSD security team have a position with regard to whether the above DoS vulnerabilities ought to be fixed in the 5-STABLE branch?
They are actually reviewing the issue as we speak. As I've said, I'll abide by the secteam's request either way, I am simply stating a preference.
Very good.
--
-Chuck
_______________________________________________
freebsd-security@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@xxxxxxxxxxx"