bind9 question.

Will Yardley william-nospam-newdream-net at no.spam.veggiechinese.net
Mon Feb 25 23:29:04 UTC 2002


In article <a5egjo$pln at pub3.rc.vix.com>, Kevin Darcy wrote:
> 
> The fact that the OpenBSD box uses named.boot is a bigger cause for
> concern. It means that it is using a nameserver based on old BIND 4
> code, which is likely to have all sorts of security as well as
> usability issues.

well, FWIW, if it's in the openbsd base install, i'd expect that it's
been fairly well audited; the fact that they haven't switched to bind8
or bind9 yet indicates that they (at least) are more comfortable with
their audited version of 4.x than later versions.

whether their confidence is well founded, i cannot say (and of course,
the usability options are a concern).  i would bet that it's a bit more
safe than most versions of 4.x though.

> If you care about security, your first order of business should be to
> upgrade the OpenBSD to a more modern version of BIND -- BIND 8.3.1 or,
> preferably, BIND 9.2.0. Note that rndc only works with BIND 9.

yup. see my other mail for my suggestions on what most likely happened
here.

it's unfortunate that openbsd and freebsd don't allow you to "remove"
packages that are part of the base system cleanly.  i know that there
has been talk of doing this for freebsd; however it would take a lot of
time and work to get this done (and would also make it easier for people
to fsck up their own machines by removing an essential package
unwittingly).
