On Aug 1, 2007, at 3:47 PM, Doug Barton wrote:

> I can't speak for the security team, but I'm pretty sure that this
> change is forthcoming.

As someone has already noted in this thread, the wait is over.

> When it comes to BIND stuff in particular, I always update the ports
> first, so anyone with a mission critical DNS operation can get fixes
> ASAP. There is even an option in the port to overwrite the base BIND
> if you so desire.

Ah-ha.  That makes a big difference.  OK.  If I'm going to expose my
name server to the big bad world while tracking RELENG_N_M ("release
with patches") I'll use bind from ports.

> In addition to security issues, the ports give you a greater degree of
> flexibility in how BIND is configured. If you're going to be offering
> a public name server (and by that I hope you mean authoritative, not
> recursive) on 6-stable you're probably better off using 9.4.x anyway,
> with the threading option disabled.

Yes, I do mean a (low volume) authoritative name server for a small handful of low traffic vanity domains. My intention is to set it up as a master which will transfer zone information to a professional DNS hosting service (dnspark.net whom I'm very happy with).

Currently I have to modify my zone information through DNSPark's web interface (which is very good and seems to allow everything except "generate" rules). But since I'm masochistic, I figure that I should inflict problems on myself like remembering to update the serial numbers myself. (Big shouting reminder comments at both ends of the zone files seem to do the trick.)

Also, while I'm extremely happy with dnspark.net, having one instance of the authoritative zone data fully under my control makes me feel better.

-j


--
Jeffrey Goldberg                        http://www.goldmark.org/jeff/
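The serial-number chore mentioned above is the usual way a home-run master silently breaks: if the SOA serial is not strictly larger after an edit, the secondary (here the hosting service) never transfers the new zone and keeps serving stale data. The script below is an added example, not code from the thread or from BIND, that bumps a YYYYMMDDNN-style serial and refuses to write one that does not increase. It assumes the zone file marks the serial with a "; serial" comment on its own line (a common layout, matching the reminder-comment habit described above); the zone name example.test and the 192.0.2.x address are constructed sample data.

```shell
#!/bin/sh
# Added example: bump a BIND zone's SOA serial (YYYYMMDDNN convention) and
# refuse any change that would not make the serial strictly larger.
# Assumes the serial sits on its own line tagged with a "; serial" comment.

current_serial() {
    # $1 = zone file. Prints the first field of the line carrying the
    # "; serial" comment (case-insensitive), i.e. the current serial.
    awk 'tolower($0) ~ /;[[:space:]]*serial/ { print $1; exit }' "$1"
}

next_serial() {
    # $1 = current serial, $2 = today's date as YYYYMMDD.
    # Later day than the serial's date prefix: start a fresh <date>01.
    # Same day, or a serial already ahead of today (clock skew, manual
    # edit): just add one, so the value never goes backwards.
    cur=$1; today=$2
    cur_date=$(printf '%s' "$cur" | cut -c1-8)
    if [ "$today" -gt "$cur_date" ]; then
        echo "${today}01"
    else
        echo $((cur + 1))
    fi
}

bump_serial() {
    # $1 = zone file, $2 = today's date (YYYYMMDD). Rewrites the file in
    # place and prints the new serial; returns 1 on any problem.
    zone=$1; today=$2
    old=$(current_serial "$zone")
    case $old in
        ''|*[!0-9]*) echo "no numeric '; serial' line in $zone" >&2; return 1 ;;
    esac
    new=$(next_serial "$old" "$today")
    # Monotonicity guard: a secondary ignores a zone whose serial did not grow.
    [ "$new" -gt "$old" ] || { echo "refusing: $new <= $old" >&2; return 1; }
    tmp="$zone.tmp.$$"
    awk -v old="$old" -v new="$new" '
        !done && tolower($0) ~ /;[[:space:]]*serial/ && $1 == old {
            sub(old, new); done = 1
        }
        { print }' "$zone" > "$tmp" && mv "$tmp" "$zone"
    echo "$new"
}

make_sample_zone() {
    # Writes a small constructed zone to $1 for demonstration. example.test is
    # a reserved test name and 192.0.2.53 a documentation address, not a host.
    cat > "$1" <<'EOF'
$TTL 3600
;;;;;;;;;; REMEMBER TO BUMP THE SERIAL ;;;;;;;;;;
@   IN  SOA ns1.example.test. hostmaster.example.test. (
            2007080101  ; serial (YYYYMMDDNN)
            3600        ; refresh
            900         ; retry
            1209600     ; expire
            300 )       ; minimum
    IN  NS  ns1.example.test.
ns1 IN  A   192.0.2.53
;;;;;;;;;; REMEMBER TO BUMP THE SERIAL ;;;;;;;;;;
EOF
}

# Usage when run directly: sh bump-serial.sh db.example.test "$(date +%Y%m%d)"
if [ "$#" -eq 2 ]; then
    bump_serial "$1" "$2"
fi
```

Run it from whatever wraps the zone edit (an editor hook, a Makefile target, the script that calls rndc reload) so the bump cannot be forgotten. The rest of the "authoritative, not recursive" advice from the thread lives in named.conf rather than in the zone: set `recursion no;` on a server that only publishes these zones, and limit `allow-transfer` to the hosting service's transfer addresses so the full zone cannot be pulled by anyone who asks.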

_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
