Current-Users archive
Re: bind -> unbound/nsd
On Thu, Aug 18, 2016 at 11:10:18AM -0400, Christos Zoulas wrote:
>
> Hello,
>
> The recent change of ISC/bind licensing from BSD to MPL for the
> next release has provided us with an opportunity to re-evaluate
> the preferred daemon status for NetBSD and DNS resolution. Board/Core
> have decided not to import the next version of bind, and instead
> import the current version of unbound/nsd.
>
> If you feel that this creates problems for you, let us know.
> Also you should be able to use newer versions of bind from pkgsrc.
> We are not planning to de-support or remove bind for NetBSD-8.
>
> Best,
>
> christos
Hi,

This may not be 100% factually correct (I'm trying my best, but not too
familiar with BIND):

NetBSD 6.0 was released in Oct 2012. If we had made such a decision
several months before the release, the version of BIND we would have in
base for 6.x is ~9.9.0.

This is a list of the vulnerabilities that our 6.x base BIND would
contain in this scenario, which would resemble what we will see towards
the end of the 8.x supported life.

#   CVE Number  Short Description
75  2016-2775   A query name which is too long can cause a segmentation fault in lwresd
73  2016-1286   A problem parsing resource record signatures for DNAME resource records can lead to an assertion failure in resolver.c or db.c
72  2016-1285   An error parsing input received by the rndc control channel can cause an assertion failure in sexpr.c or alist.c
69  2015-8704   Specific APL data could trigger an INSIST in apl_42.c
67  2015-8000   Responses with a malformed class attribute can trigger an assertion failure in db.c
65  2015-5722   Parsing malformed keys may cause BIND to exit due to a failed assertion in buffer.c
64  2015-5477   An error in handling TKEY queries can cause named to exit with a REQUIRE assertion failure
63  2015-4620   Specially Constructed Zone Data Can Cause a Resolver to Crash when Validating
62  2015-1349   A Problem with Trust Anchor Management Can Cause named to Crash
60  2014-8500   A Defect in Delegation Handling Can Be Exploited to Crash BIND
57  2014-0591   A Crafted Query Against an NSEC3-signed Zone Can Crash BIND
56  2013-6230   A Winsock API Bug can cause a side-effect affecting BIND ACLs
55  2013-4854   A specially crafted query can cause BIND to terminate abnormally
53  2013-2266   A Maliciously Crafted Regular Expression Can Cause Memory Exhaustion in named
52  2012-5689   BIND 9 with DNS64 enabled can unexpectedly terminate when resolving domains in RPZ
51  2012-5688   BIND 9 servers using DNS64 can be crashed by a crafted query
50  2012-5166   Specially crafted DNS data can cause a lockup in named
49  2012-4244   A specially crafted Resource Record could cause named to terminate
48  2012-3868   High TCP query load can trigger a memory leak
47  2012-3817   Heavy DNSSEC validation load can cause a "bad cache" assertion failure
46  2012-1667   Handling of zero length rdata can cause named to terminate unexpectedly

Obtained from https://kb.isc.org/article/AA-00913/0/BIND-9-Security-Vulnerability-Matrix.html