Re: What about BIND 9.3.4 in FreeBSD in base system ?



Doug Barton wrote:
Chuck Swiger wrote:
Doug Barton wrote:
[ ... ]
Right. As I understood it, you were arguing in favor of MFC'ing a fix to RELENG_5 because you have machines from that branch in a production setting. If I misunderstood your point, I apologize.

I would like CVE-2007-0493 fixed in RELENG_5 and RELENG_5_5, specifically, yes please.

More generally, I would like BIND to deal with hundreds (or-- preferably but not required-- thousands) of outstanding recursive queries without dumping core or becoming non-responsive. Have you attempted to reproduce the issue via the adns port or anything else which generates lots of queries?

When the number of machines one deals with in a given environment changes from single-digit, to dozens, to hundreds, to tens of thousands, keeping machines updated to a bug-free, stable environment is more important than chasing features off the latest branch.

Yes, I understand those issues quite well. I used to manage hundreds of name servers for a company that had many 10s of thousands of machines. And I think that you are basically making my point, which is that users in a serious production environment are probably not using the BIND that comes with FreeBSD in an off the shelf configuration.

It would be safe to say that almost all people using BIND are not using a completely off-the-shelf configuration, unless you count the few only running as "caching-only".

--
-Chuck