Contributed by dwc on from the in-a-BIND dept.
Darren Spruell writes:
ISC announced End of Life status for BIND 8 on 27 August, 2007. While most OpenBSD users will not find this news noteworthy, there are undoubtedly many users who may work for organizations that are running BIND 8 in their environment. End of life status for this critical application should result in immediate consideration by those running it to investigate upgrade paths to BIND 9. This should provide an extremely easy opportunity for presenting OpenBSD as a platform to migrate to for hosting new BIND 9 rollouts.
OpenBSD ships with a BIND 9 build in the core OS distribution, meaning that no additional packages are required to host a fully featured nameserver. OpenBSD's implementation can be used easily for either a caching resolver or an authoritative content server for a domain. OpenBSD's BIND 9 also works on IPv6 networks out of the box.
OpenBSD maintains BIND 9 in-tree and implements a number of best practice security measures. The code has been audited and updated by the project, using safer string functions. named(8) runs in a chroot and under privilege separation by default. DNS query IDs are reliably randomized. The OpenBSD project's focus on proactive security enables it to provide a resilient platform for hosting critical DNS services. As a recent example, OpenBSD users were not affected by the DNS cache poisoning weakness in BIND (CVE-2007-2926) thanks to foresight and attention by the developers years ago.
Easy to use
Running a caching resolver on OpenBSD is as simple as echo named_flags="" >> /etc/rc.conf.local, and running an authoritative server for a DNS zone is only minimally more complicated. The full suite of DNS/BIND utilities ships with the operating system, including utilities such as named-checkconf(8), named-checkzone(8) and dig(1) for troubleshooting configurations.
If you're looking for an easy win to introduce OpenBSD into your environment (or increase its footprint if you have already), this EOL notice is the perfect opportunity. Take the chance to suggest it and outline a case for its use. Even if you are not able to sell leadership on OpenBSD, use it as an opportunity to upgrade your aged and exposed BIND infrastructure to a new release. While it's certainly possible that some users may want to suggest alternate DNS implementations such as djbdns, migrating configurations and zone files to BIND 9 is usually an easier sell.