On Tue, Jan 28, 2003 at 08:53:59PM +0200, rafi-nanog@meron.openu.ac.il said: [snip]
> Hi Paul,
> What do you think of OpenBSD still installing BIND4 as part of the default base system and recommended as secure by the OpenBSD FAQ? (See Section 6.8.3 in <http://www.openbsd.org/faq/faq6.html#DNS>)
OpenBSD ships a highly-audited, chrooted version of BIND4 that bears little resemblance to the original code (I'm sure Paul can correct me here if I'm off-base). The reasons for the team's decision are well-documented on various lists and FAQs. Given the choices at hand (use the exhaustively audited, chrooted BIND4 already in production; go with a newer BIND version that hasn't been through the wringer yet; write their own dns daemon; use tinydns (licensing issues); use some other less well-known dns software), I think they made the right one. I'm sure they'll move to a newer version when somebody on the team gets a chance to give it a thorough code audit, and run it through sufficient testing prior to release.

--
-= Scott Francis || darkuncle (at) darkuncle (dot) net =-
GPG key CB33CCA7 has been revoked; I am now 5537F527
illum oportet crescere me autem minui