OT: Re: WANAL (Re: What could have been done differently?)

Scott Francis darkuncle at darkuncle.net
Wed Jan 29 02:06:47 UTC 2003


On Tue, Jan 28, 2003 at 08:53:59PM +0200, rafi-nanog at meron.openu.ac.il said:
[snip]
> Hi Paul,
> 
>  What do you think of OpenBSD still installing BIND4 as part of the
> default base system and  recommended as secure by the OpenBSD FAQ ?
> (See Section 6.8.3 in <http://www.openbsd.org/faq/faq6.html#DNS> )

OpenBSD ships a highly-audited, chrooted version of BIND4 that bears little
resemblance to the original code (I'm sure Paul can correct me here if I'm
off-base). The reasons for the team's decision are well-documented on various
lists and FAQs. Given the choices at hand (use the exhaustively audited,
chrooted BIND4 already in production; go with a newer BIND version that
hasn't been through the wringer yet; write their own dns daemon; use tinydns
(licensing issues); use some other less well-known dns software), I think
they made the right one. I'm sure they'll move to a newer version when
somebody on the team gets a chance to give it a thorough code audit, and run
it through sufficient testing prior to release.
-- 
-= Scott Francis || darkuncle (at) darkuncle (dot) net =-
  GPG key CB33CCA7 has been revoked; I am now 5537F527
        illum oportet crescere me autem minui
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20030128/e1a58585/attachment.sig>


More information about the NANOG mailing list