Subject: Re: BIND
To: NetBSD Networking Technical Discussion List <tech-net@NetBSD.ORG>
From: Patrick Welche <>
List: tech-net
Date: 11/13/2002 15:36:55
On Tue, Nov 12, 2002 at 05:56:13PM -0500, Greg A. Woods wrote:
> [ On Tuesday, November 12, 2002 at 13:59:25 (-0800), Jon Buller wrote: ]
> > Subject: BIND
> >
> > After seeing the new BIND vulnerabilities, I curious to know if
> > there is a reason our in-tree version is 8 and hasn't been upgraded
> > to 9.
> > 
> > Are we still waiting for all the bugs to be shook out of the new
> > BIND codebase?  Is there some other upgrade problem or difficulty?
> > Or is it just lack of volunteer time/effort?
> I don't know about BIND-9 vs. NetBSD, but I do know that BIND-9 isn't
> quite up to par with BIND-8 for the very purposes it's being suggested
> (i.e. to run as a recursive caching server).  It lacks a range of
> related features that I find critical in a production environment.  I'll
> probably soon put it into production on some auth-only non-recursive
> nameservers though.

The other thing being that /etc/rc.d/named makes it trivially easy to run
named in a chroot cage as named:named, which colours the risk "It is then
possible to execute code with the privileges of named".