On Thu, Aug 18, 2016 at 11:10:18AM -0400, Christos Zoulas wrote:
>
> Hello,
>
> The recent change of ISC/bind licensing from BSD to MPL for the
> next release has provided us with an opportunity to re-evaluate
> the preferred daemon status for NetBSD and DNS resolution. Board/Core
> have decided not to import the next version of bind, and instead
> import the current version of unbound/nsd.
>
> If you feel that this creates problems for you, let us know.
> Also you should be able to use newer versions of bind from pkgsrc.
> We are not planning to de-support or remove bind for NetBSD-8.
>
> Best,
>
> christos

Hi,

This may not be 100% factually correct (I'm trying my best, but not too
familiar with BIND):

NetBSD 6.0 was released in Oct 2012. If we had made such a decision
several months before the release, the version of BIND we would have in
base for 6.x is ~9.9.0.

This is a list of the vulnerabilities that our 6.x base BIND would
contain in this scenario, which would resemble what we will see towards
the end of the 8.x supported life.

#   CVE Number  Short Description
75  2016-2775   A query name which is too long can cause a segmentation fault in lwresd
73  2016-1286   A problem parsing resource record signatures for DNAME resource records can lead to an assertion failure in resolver.c or db.c
72  2016-1285   An error parsing input received by the rndc control channel can cause an assertion failure in sexpr.c or alist.c
69  2015-8704   Specific APL data could trigger an INSIST in apl_42.c
67  2015-8000   Responses with a malformed class attribute can trigger an assertion failure in db.c
65  2015-5722   Parsing malformed keys may cause BIND to exit due to a failed assertion in buffer.c
64  2015-5477   An error in handling TKEY queries can cause named to exit with a REQUIRE assertion failure
63  2015-4620   Specially Constructed Zone Data Can Cause a Resolver to Crash when Validating
62  2015-1349   A Problem with Trust Anchor Management Can Cause named to Crash
60  2014-8500   A Defect in Delegation Handling Can Be Exploited to Crash BIND
57  2014-0591   A Crafted Query Against an NSEC3-signed Zone Can Crash BIND
56  2013-6230   A Winsock API Bug can cause a side-effect affecting BIND ACLs
55  2013-4854   A specially crafted query can cause BIND to terminate abnormally
53  2013-2266   A Maliciously Crafted Regular Expression Can Cause Memory Exhaustion in named
52  2012-5689   BIND 9 with DNS64 enabled can unexpectedly terminate when resolving domains in RPZ
51  2012-5688   BIND 9 servers using DNS64 can be crashed by a crafted query
50  2012-5166   Specially crafted DNS data can cause a lockup in named
49  2012-4244   A specially crafted Resource Record could cause named to terminate
48  2012-3868   High TCP query load can trigger a memory leak
47  2012-3817   Heavy DNSSEC validation load can cause a "bad cache" assertion failure
46  2012-1667   Handling of zero length rdata can cause named to terminate unexpectedly

Obtained from
https://kb.isc.org/article/AA-00913/0/BIND-9-Security-Vulnerability-Matrix.html
