On Jan 19, 2010, at 12:12 AM, Matthias Scheler wrote:
> On 18 Jan 2010, at 17:39, Joerg Sonnenberger wrote:
> > net/bind9
> > Two versions of bind (9.5 and 9.6) should be good enough, so IMO 9.4 can go.
>
> No objections. But there are packages like "mediatomb" (which I just fixed) that include "pkgsrc/net/bind9/buildlink3.mk" e.g. to get the "lwres" library. Please make sure that those get changed as well.

This version of bind9 is vulnerable to CVE-2009-4022 anyway. (https://www.isc.org/advisories/CVE2009-4022)

I notified NetBSD Security-Officer about this, since netbsd-4(-0) are also affected.

Well, yes, most of the world probably isn't running DNSSEC validation on their (NetBSD) resolvers, but the DNS root will (at least start to) be signed this year according to ICANN & Verisign's plan. (For more info, see http://www.root-dnssec.org/). And DNSSEC in the .SE ccTLD has been active for some years now.

Regards,
/P