Current-Users archive


Re: bind -> unbound/nsd



On Aug 21,  9:47pm, coypu%SDF.ORG@localhost wrote:
} On Thu, Aug 18, 2016 at 11:10:18AM -0400, Christos Zoulas wrote:
} > 
} > The recent change of ISC/bind licensing from BSD to MPL for the
} > next release has provided us with an opportunity to re-evaluate
} > the preferred daemon status for NetBSD and DNS resolution. Board/Core
} > have decided not to import the next version of bind, and instead
} > import the current version of unbound/nsd.
} > 
} > If you feel that this creates problems for you, let us know.
} > Also you should be able to use newer versions of bind from pkgsrc.
} > We are not planning to de-support or remove bind for NetBSD-8.
} 
} This may not be 100% factually correct (I'm trying my best, but not too
} familiar with BIND):
} 
} NetBSD 6.0 was released in Oct 2012. If we had made such a decision
} several months before the release, the version of BIND we would have in
} base for 6.x is ~9.9.0.
} 
} This is a list of the vulnerabilities that our 6.x base BIND would
} contain in this scenario, which would resemble what we will see towards
} the end of the 8.x supported life.

     There are regular pullups for security issues.  Thus your list
would only be correct for 6.0 itself, and not for subsequent 6.x
releases.  And, if one didn't update from 6.0 at all, there would
be plenty of other issues (both OpenSSL and OpenSSH regularly get
CVEs for example).

} # 	CVE Number 	Short Description
} 75	2016-2775	A query name which is too long can cause a segmentation fault in lwresd
} [list elided]
} 
} Obtained from https://kb.isc.org/article/AA-00913/0/BIND-9-Security-Vulnerability-Matrix.html
}-- End of excerpt from coypu%SDF.ORG@localhost

