Current-Users archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: bind -> unbound/nsd

On Thu, Aug 18, 2016 at 11:10:18AM -0400, Christos Zoulas wrote:
> Hello,
> The recent change of ISC/bind licensing from BSD to MPL for the
> next release has provided us with an opportunity to re-evaluate
> the preferred daemon status for NetBSD and DNS resolution. Board/Core
> have decided not to import the next version of bind, and instead
> import the current version of unbound/nsd.
> If you feel that this creates problems for you, let us know.
> Also you should be able to use newer versions of bind from pkgsrc.
> We are not planning to de-support or remove bind for NetBSD-8.
> Best,
> christos


This may not be 100% factually correct (I'm trying my best, but not too
familiar with BIND):

NetBSD 6.0 was released in Oct 2012. If we had done such a decision
several months before the release, the version of BIND we would have in
base for 6.x is ~9.9.0.

This is a list of the vulnerabilities that our 6.x base BIND would
contain in this scenario, which would resemble what we will see towards
the end of the 8.x supported life.

# 	CVE Number 	Short Description
75	2016-2775	A query name which is too long can cause a segmentation fault in lwresd
73	2016-1286	A problem parsing resource record signatures for DNAME resource records can lead to an assertion failure in resolver.c or db.c
72	2016-1285	An error parsing input received by the rndc control channel can cause an assertion failure in sexpr.c or alist.c
69	2015-8704	Specific APL data could trigger an INSIST in apl_42.c
67 	2015-8000	Responses with a malformed class attribute can trigger an assertion failure in db.c
65	2015-5722 	Parsing malformed keys may cause BIND to exit due to a failed assertion in buffer.c
64	2015-5477	An error in handling TKEY queries can cause named to exit with a REQUIRE assertion failure
63	2015-4620	Specially Constructed Zone Data Can Cause a Resolver to Crash when Validating
62 	2015-1349 	A Problem with Trust Anchor Management Can Cause named to Crash
60 	2014-8500 	A Defect in Delegation Handling Can Be Exploited to Crash BIND
57 	2014-0591 	A Crafted Query Against an NSEC3-signed Zone Can Crash BIND
56 	2013-6230 	A Winsock API Bug can cause a side-effect affecting BIND ACLs
55 	2013-4854	A specially crafted query can cause BIND to terminate abnormally
53 	2013-2266 	A Maliciously Crafted Regular Expression Can Cause Memory Exhaustion in named
52 	2012-5689 	BIND 9 with DNS64 enabled can unexpectedly terminate when resolving domains in RPZ
51 	2012-5688 	BIND 9 servers using DNS64 can be crashed by a crafted query
50 	2012-5166 	Specially crafted DNS data can cause a lockup in named
49 	2012-4244 	A specially crafted Resource Record could cause named to terminate
48 	2012-3868 	High TCP query load can trigger a memory leak
47 	2012-3817 	Heavy DNSSEC validation load can cause a "bad cache" assertion failure
46 	2012-1667 	Handling of zero length rdata can cause named to terminate unexpectedly

Obtained from

Home | Main Index | Thread Index | Old Index