Date: Sat, 12 Jul 2008 21:00:55 -0700
From: Doug Barton <dougb@FreeBSD.org>
To: freebsd-security@freebsd.org
Subject: Re: BIND update?
Message-ID: <48797DF7.9050402@FreeBSD.org>
In-Reply-To: <C4990135.1A0907%astorms@ncircle.com>
References: <C4990135.1A0907%astorms@ncircle.com>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

This is an interesting thread, so I'm going to try to respond to what I think are the reasonable points all in one post so as not to single anyone out. Again, thanks to those who chose to give thanks, encouragement, or criticism with a positive approach.

This issue is complicated because it both is, and is not, a "serious" security issue. As others stated rather eloquently, the fact that DNS is an "insecure" service is (or certainly should be) well known. What is also (or certainly should be) well known is that almost all of the other services on the Internet are also insecure, even those with "secure" in the name. :) The problem with this particular vulnerability is that it grabbed the media's attention, and since they think they understand it they are banging the drum pretty loudly. This creates FUD in normally rational people, and hilarity ensues.

There are a large number of steps that network operators can and should already have been taking to mitigate damage from this attack. Ingress/egress filtering (ala BCP 38), secure ACLs on your name servers and/or firewalls, splitting authoritative and resolving name services to separate instances, restricting availability of recursive services to only those users who should have them, etc. The danger (and this is a BIG danger in the DNS world) is that most networks are not taking the basic steps that they should be taking to secure their name service (it works, why touch it?), and this upcoming exploit is going to hit them right between the eyes.

Changing topics, the BIND installation in the base is not intended to be an out of the box solution for those for whom DNS is part of their critical infrastructure. The BIND bits, along with the sample named.conf file, are set up to run by default as a fairly secure local resolver (and by local I mean really local: only listening on the loopback address). The fact that for many purposes (for instance a "medium" sized ISP, etc.) it works well out of the box is not totally accidental, but like any other service, if it's important to your business you need to invest the time and effort to make sure it's working the way you need it to, not rely on others to do that work for you.

Jeremy asked why the ports are updated before the BIND in the base. Someone else gave part of the answer, that a lot more QA is involved in dealing with stuff in the base. There are patches to create, security advisories (including instructions, etc.) to write, FreeBSD update stuff to prep, etc. By contrast updating the ports is easy, and gives users for whom a given security issue is critical a simple path to upgrade, and just as importantly, to back out from when/if they deem what's in the base suitable for their needs.

However, there is a more fundamental reason that goes to the heart of my philosophy as BIND maintainer. When I was the DNS admin at Yahoo! I _never_ used the BIND that came with the base system. There were a variety of reasons for this, the two most important being that I had a lot of custom tweaks/patches for our version of BIND, and the fact that I needed to update stuff more often than the boxes were updated. This led to the "replace the base" option in the ports way back when.

There is another meta-issue that seems to be coming up a lot lately, which is users who seem to be paralyzed, unable to take any action to help themselves, totally dependent on the FreeBSD developers to make things happen for them. I'm not going to get dragged into that topic again, but I will say that Mark was right, the BIND ports are pretty easy to update if you ever have to do it yourself. And, you don't even have to go out of your way to check the PGP signature, there is a 'make verify' target that will do that for you. :)

Seriously though, one user wrote to me (and others) privately and said in so many words, "The things I run on FreeBSD are critically important to me, therefore making them run smoothly must be critically important to you." If you have that mindset, you really, really need to take a reality check. (Go ahead, we'll wait for you.) The vast majority of people who work on FreeBSD do it for FUN, as VOLUNTEERS. If you need a commercial level of support, you're going to have to pay for it, it's that simple. And NO, please do not go off into the woods on this topic. I believe that there is a market for commercial FreeBSD support, but unfortunately it hasn't reached critical mass yet. (Chicken, meet egg. Why don't you two go off and talk for a while?)

So, the short version is, "Don't Panic." Well, ok, panic a little, but don't let it distract you from actually getting something useful done, like upgrading your servers, firewall rules, etc. And, if anyone has a business that relies heavily on DNS and needs a good DNS consultant, I know where to find one. :)

hope this helps,

Doug

- --
~ This .signature sanitized for your protection
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (FreeBSD)

iEYEAREDAAYFAkh5ffcACgkQyIakK9Wy8Ps9YwCgtl80hRIuMkMqcRf9gWLP2dwA
fUIAoOsWRsXAYIMotlgC/yS1RQdp2g6E
=TLjy
-----END PGP SIGNATURE-----
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?48797DF7.9050402>
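The mitigations Doug lists (restrict recursion to the users who should have it, keep a local resolver on the loopback address, run authoritative and recursive service on separate instances) can be checked mechanically against a named.conf. What follows is an added example, not part of the thread and not the FreeBSD base system's named.conf or any BIND tooling: a small Python audit of a named.conf's top-level `options` and `zone` statements, run over two constructed configurations. The two configs, the parser and the finding names are this example's own assumptions; the defaults it encodes are BIND 9's (recursion on unless `recursion no`, every IPv4 interface unless `listen-on` is set, and `allow-recursion` defaulting to `any` in older BIND 9 but to localnets/localhost from 9.4, which is why a missing `allow-recursion` is reported separately from an explicit `any`).

```python
import re

# Constructed sample configurations (not the FreeBSD base named.conf).
WEAK_CONF = """
// "it works, why touch it?": a public authoritative server that also
// recurses for anyone, on every interface.
options {
    directory "/etc/namedb";
    recursion yes;
    allow-recursion { any; };     /* open resolver */
    allow-query { any; };
};
zone "." { type hint; file "named.root"; };
zone "example.net" { type master; file "master/example.net"; };
"""

HARDENED_CONF = """
# Local resolver only: loopback listener, recursion limited to loopback,
# no authoritative data beyond the RFC 1912 localhost zones.
options {
    directory "/etc/namedb";
    listen-on { 127.0.0.1; };
    recursion yes;
    allow-recursion { 127.0.0.1; ::1; };
    allow-query-cache { 127.0.0.1; ::1; };
};
zone "." { type hint; file "named.root"; };
zone "localhost" { type master; file "master/localhost-forward.db"; };
zone "0.0.127.in-addr.arpa" { type master; file "master/localhost-reverse.db"; };
"""

_TOKEN = re.compile(r'\{|\}|;|"[^"]*"|[^\s{};"]+')


def strip_comments(text):
    """Drop /* */, // and # comments (named.conf accepts all three)."""
    text = re.sub(r'/\*.*?\*/', ' ', text, flags=re.S)
    return re.sub(r'(//|#)[^\n]*', '', text)


def parse(tokens, i=0):
    """Recursive-descent parse of named.conf statements into
    (keyword, args, sub_statements) tuples; stops at '}' or end of input."""
    stmts = []
    while i < len(tokens) and tokens[i] != '}':
        words, sub = [], None
        while i < len(tokens) and tokens[i] not in ('{', ';', '}'):
            words.append(tokens[i].strip('"'))
            i += 1
        if i < len(tokens) and tokens[i] == '{':
            sub, i = parse(tokens, i + 1)
            i += 1                                   # consume the closing '}'
        if i < len(tokens) and tokens[i] == ';':
            i += 1
        if words:
            stmts.append((words[0], words[1:], sub))
    return stmts, i


def find(stmts, key):
    return [s for s in stmts if s[0] == key]


def match_list(stmt):
    """Elements of an address-match list such as { 127.0.0.1; localnets; }."""
    return [s[0] for s in (stmt[2] or [])]


def audit(conf_text):
    """Return finding codes, in check order, for one named.conf text."""
    stmts, _ = parse(_TOKEN.findall(strip_comments(conf_text)))
    opts = find(stmts, 'options')
    o = (opts[0][2] or []) if opts else []
    findings = []

    # BIND 9 recurses unless told otherwise.
    rec = find(o, 'recursion')
    recursion = (rec[0][1][0].lower() == 'yes') if rec and rec[0][1] else True
    if recursion:
        ar = find(o, 'allow-recursion')
        if not ar:
            # Default depends on the BIND version (any in old BIND 9,
            # localnets/localhost from 9.4): make it explicit either way.
            findings.append('recursion-not-explicitly-restricted')
        elif 'any' in match_list(ar[0]):
            findings.append('open-recursion')

    # Without listen-on, named binds every IPv4 interface.
    lo = find(o, 'listen-on')
    if not lo or 'any' in match_list(lo[0]):
        findings.append('listen-on-all-interfaces')

    # Authoritative zones (master/slave) on an instance that also recurses,
    # ignoring the localhost and reverse (.arpa) zones a resolver carries anyway.
    if recursion:
        auth = [z for z in find(stmts, 'zone') if z[1] and z[2]
                and 'localhost' not in z[1][0] and not z[1][0].endswith('.arpa')
                and any(t[0] == 'type' and t[1] and t[1][0] in ('master', 'slave')
                        for t in z[2])]
        if auth:
            findings.append('auth-and-recursive-on-one-instance')
    return findings


if __name__ == '__main__':
    for name, conf in (('weak', WEAK_CONF), ('hardened', HARDENED_CONF)):
        print(name, audit(conf) or 'no findings')
```

The parser only understands the statement/brace/semicolon shape of named.conf, which is enough for `options`, `zone` and address-match lists; `view` blocks are not descended into, so a config that already splits roles by view should be audited per view. An authoritative-only server (`recursion no;`) gets no recursion findings at all, which matches the split-instance setup the mail recommends.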