Message-ID: <4FF1DCCD.6060109@FreeBSD.org>
Date: Mon, 02 Jul 2012 13:39:25 -0400
From: Jung-uk Kim
To: freebsd-security@FreeBSD.org
Cc: Ben Laurie, Stanislav Sedov, "Bjoern A. Zeeb"
Subject: [PATCH] Switch to OpenSSL 1.0.1 branch

I have upgraded OpenSSL in the base to 0.9.8x for all supported branches.
Now it is time to move *head* to the OpenSSL 1.0.1 branch[1]. Here is the
patch to switch OpenSSL from 0.9.8x to 1.0.1c:

http://people.freebsd.org/~jkim/openssl-1.0.1c.diff.bz2

I had to compress it because the patch was too big, unfortunately. :-(

Some notes:

- Configuration is relatively close to what you'd expect when you run the
  config script with the following options[2]:

  enable-rc5 enable-rfc3779 shared

- MD2 was removed because a) it was deprecated by the OpenSSL team and
  disabled by default and b) we did the same for libmd.

- Optimized i386 asm files are updated and new files are added. Optimized
  amd64 asm files are added.

- opensslconf-amd64.h and opensslconf-i386.h are merged into a new
  opensslconf-x86.h[3].

- A small change to libfetch was necessary to avoid buildworld breakage:

--- lib/libfetch/common.h
+++ lib/libfetch/common.h
@@ -63,7 +63,7 @@ struct fetchconn {
 	SSL *ssl;			/* SSL handle */
 	SSL_CTX *ssl_ctx;		/* SSL context */
 	X509 *ssl_cert;			/* server certificate */
-	SSL_METHOD *ssl_meth;		/* SSL method */
+	const SSL_METHOD *ssl_meth;	/* SSL method */
 #endif
 	int ref;			/* reference count */
 };

- Another small change to OpenSSL was necessary to avoid buildworld breakage:

--- crypto/openssl/ssl/srtp.h
+++ crypto/openssl/ssl/srtp.h
@@ -135,7 +135,6 @@ SRTP_PROTECTION_PROFILE *SSL_get_selected_srtp_profile(SSL *s);
 STACK_OF(SRTP_PROTECTION_PROFILE) *SSL_get_srtp_profiles(SSL *ssl);
-SRTP_PROTECTION_PROFILE *SSL_get_selected_srtp_profile(SSL *s);
 #ifdef __cplusplus
 }

It was very briefly tested on amd64 (and on i386 chroot).

Cheers,
Jung-uk Kim

1. We have no plan to switch stable branches to 1.0.X.
2. Add "no-asm" for non-x86 platforms. I believe rc5 and rfc3779 were
   forcefully enabled on FreeBSD for POLA.
3. Very minimal changes were done for non-x86 platforms. They need
   platform maintainers' attention.
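Review bot: on the lib/libfetch/common.h hunk, the const qualifier on ssl_meth is the right fix for OpenSSL 1.0.x, where the SSLv23_client_method() family returns const SSL_METHOD * and SSL_CTX_new() takes const SSL_METHOD *, and it stays compatible with 0.9.8x because a non-const pointer converts implicitly to const SSL_METHOD *. What the hunk does not show is where libfetch assigns and uses ssl_meth; please confirm that nothing writes through it and that the SSL_CTX_new() call compiles without a cast, because a cast added there would hide a real type mismatch rather than fix one.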
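Review bot: on the crypto/openssl/ssl/srtp.h hunk, the removed line is a redundant prototype (the identical declaration already appears in the hunk's context), which is legal C, so the buildworld breakage is presumably a warning promoted by -Werror; the commit message should quote the actual compiler diagnostic so the reason for carrying this change is clear. Since crypto/openssl is vendor code, this local modification must be recorded with the other FreeBSD-local changes for the 1.0.1 import so it is not silently dropped at the next vendor merge, and it should be sent upstream so the local diff can eventually go away.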

Date: Mon, 2 Jul 2012 22:08:40 -0400
From: Robert Simmons
To: freebsd-hackers@freebsd.org, freebsd-security@freebsd.org
Subject: Pull in upstream before 9.1 code freeze?

Are there plans to pull the following into head before the code freeze
for 9.1?

BIND 9.9.1p1
OpenSSH 6.0p1
IPFilter 5.1.1

From: Dag-Erling Smørgrav
To: Robert Simmons
Cc: freebsd-hackers@freebsd.org, freebsd-security@freebsd.org
Date: Tue, 03 Jul 2012 12:32:16 +0200
In-Reply-To: (Robert Simmons's message of "Mon, 2 Jul 2012 22:08:40 -0400")
Message-ID: <86fw99p233.fsf@ds4.des.no>
Subject: Re: Pull in upstream before 9.1 code freeze?

Robert Simmons writes:
> OpenSSH 6.0p1

No. It doesn't build cleanly on FreeBSD (I reported two issues during
the pre-release cycle, one was fixed but the other was not), and even if
it did, it's too big a change to push through on such short notice.

DES
-- 
Dag-Erling Smørgrav - des@des.no

Message-ID: <4FF2E00E.2030502@FreeBSD.org>
Date: Tue, 03 Jul 2012 05:05:34 -0700
From: Doug Barton
To: Robert Simmons
Cc: freebsd-hackers@freebsd.org, freebsd-security@freebsd.org
Subject: Re: Pull in upstream before 9.1 code freeze?

On 07/02/2012 19:08, Robert Simmons wrote:
> Are there plans to pull the following into head before the code freeze for 9.1?
>
> BIND 9.9.1p1

We never change the version of BIND in a release branch. The 9.8 version
that's there is up to date.

The correct solution to this problem is to remove BIND from the base
altogether, but I have no energy for all the whinging that would happen
if I tried (again) to do that.

Doug

-- 
This .signature sanitized for your protection

From: Dag-Erling Smørgrav
To: Doug Barton
Cc: freebsd-hackers@freebsd.org, Robert Simmons, freebsd-security@freebsd.org
Date: Tue, 03 Jul 2012 14:39:34 +0200
In-Reply-To: <4FF2E00E.2030502@FreeBSD.org>
Message-ID: <86bojxow6x.fsf@ds4.des.no>
Subject: Re: Pull in upstream before 9.1 code freeze?

Doug Barton writes:
> The correct solution to this problem is to remove BIND from the base
> altogether, but I have no energy for all the whinging that would happen
> if I tried (again) to do that.

I don't think there will be as much whinging as you expect. Times have
changed.

I'm willing to import and maintain unbound (BSD-licensed validating,
recursive, and caching DNS resolver) if you remove BIND.

DES
-- 
Dag-Erling Smørgrav - des@des.no

From: Remko Lodder
In-Reply-To: <86bojxow6x.fsf@ds4.des.no>
Date: Tue, 3 Jul 2012 19:04:31 +0200
To: Dag-Erling Smørgrav
Cc: freebsd-hackers@freebsd.org, Doug Barton, Robert Simmons, freebsd-security@freebsd.org
Subject: Re: Pull in upstream before 9.1 code freeze?

On Jul 3, 2012, at 2:39 PM, Dag-Erling Smørgrav wrote:

> Doug Barton writes:
>> The correct solution to this problem is to remove BIND from the base
>> altogether, but I have no energy for all the whinging that would happen
>> if I tried (again) to do that.
>
> I don't think there will be as much whinging as you expect. Times have
> changed.
>
> I'm willing to import and maintain unbound (BSD-licensed validating,
> recursive, and caching DNS resolver) if you remove BIND.
>
> DES
> -- 
> Dag-Erling Smørgrav - des@des.no
>

+1 for unbound :-)

-- 
/"\   With kind regards,          | remko@elvandar.org
\ /   Remko Lodder                | remko@FreeBSD.org
 X    FreeBSD                     | http://www.evilcoder.org
/ \   The Power to Serve          | Quis custodiet ipsos custodes

Message-ID: <4FF35864.5030109@FreeBSD.org>
Date: Tue, 03 Jul 2012 13:39:00 -0700
From: Doug Barton
To: Dag-Erling Smørgrav
In-Reply-To: <86bojxow6x.fsf@ds4.des.no>
Cc: freebsd-hackers@freebsd.org, freebsd-security@freebsd.org
Subject: Re: Pull in upstream before 9.1 code freeze?

On 07/03/2012 05:39, Dag-Erling Smørgrav wrote:
> Doug Barton writes:
>> The correct solution to this problem is to remove BIND from the base
>> altogether, but I have no energy for all the whinging that would happen
>> if I tried (again) to do that.
>
> I don't think there will be as much whinging as you expect. Times have
> changed.
>
> I'm willing to import and maintain unbound (BSD-licensed validating,
> recursive, and caching DNS resolver) if you remove BIND.

You've got a deal!

Unbound requires ldns, which is a good thing. Part of this project would
also be to enable drill so that we have a command-line dns lookup tool
in the base, but that's trivial once you've got ldns imported.

After you get those 3 elements in the base I'm happy to pull BIND out by
the roots.

Doug

-- 
This .signature sanitized for your protection

Date: Wed, 4 Jul 2012 01:33:27 +0200
From: Sofian Brabez
To: Clément Lecigne
Cc: freebsd-security@freebsd.org, Zoran Kolic
Message-ID: <20120703233327.GA58368@freebsd.ifr.lan>
References: <20110830033854.GA1064@faust>
Subject: Re: turtle rootkit

Hi,

On Tue, Aug 30, 2011 at 11:53:12AM +0200, Clément Lecigne wrote:
>
> What do you want? It's just a basic rootkit that hooks some specific
> entries inside the sysent table. It can be detected by checking if a
> device /dev/turtle2dev exists or by sending an ICMP echo request with
> a payload starting with a double '_' and if rootkit is loaded no reply
> will be returned.
>
> [root@clem1 ~/koda/Turtle2/module]# hping -c 1 -n 127.0.0.1 -e "__foo" -1
> HPING 127.0.0.1 (lo0 127.0.0.1): icmp mode set, 28 headers + 5 data bytes
> [main] memlockall(): No such file or directory
> Warning: can't disable memory paging!
>
> --- 127.0.0.1 hping statistic ---
> 1 packets tramitted, 0 packets received, 100% packet loss
>
> These tricks can be implemented inside rkhunter or/and chkrootkit.
>

It has been implemented since rkhunter 1.4.0 [1], and the security/rkhunter
port version [2] is now able to detect it during the check scan:

% sudo rkhunter --version | head -1
Rootkit Hunter 1.4.0
% sudo rkhunter --list rootkits | grep -i turtle2
trNkit, Trojanit Kit, Turtle2, Tuxtendo, URK, Vampire,
% sudo rkhunter --check --sk
...
Turtle Rootkit [ Not found ]

Btw, the best way to avoid such a rootkit is to use sysctl kern.securelevel
in order to prevent untrusted kernel modules from loading at runtime (but
it can be bypassed at boot time...)

Regards

[1] http://rkhunter.cvs.sourceforge.net/viewvc/rkhunter/rkhunter/files/CHANGELOG?revision=1.226&view=markup
[2] http://docs.freebsd.org/cgi/getmsg.cgi?fetch=471258+0+current/cvs-all

-- 
Sofian Brabez
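The two controls Sofian describes above, the kern.securelevel gate on runtime module loading and a check for the Turtle2 indicator, as an added host audit script that is not part of the thread, of rkhunter or of FreeBSD. It assumes POSIX sh; the kldstat output, the module allowlist and the module name turtle2.ko are constructed sample data, and the only indicator taken from the thread is the /dev/turtle2dev node.

```shell
#!/bin/sh
# Added example, not from the thread: audit a FreeBSD host for (1) whether
# kern.securelevel blocks kldload/kldunload at runtime and (2) whether any loaded
# kernel module is outside an expected allowlist, plus the device-node indicator.
# The kldstat text and module names below are constructed sample data so the script
# runs offline; on a live host feed it `sysctl -n kern.securelevel` and `kldstat`.

# Returns 0 (true) when the given securelevel stops kernel modules from being loaded
# or unloaded. FreeBSD enforces this once securelevel >= 1. Modules named in
# /boot/loader.conf are still pulled in by the loader before securelevel is raised,
# which is the boot-time gap the message above points out.
securelevel_blocks_kld() {
    [ "$1" -ge 1 ]
}

# Reads kldstat(8) output on stdin and prints every module whose name is not in the
# space-separated allowlist given as $1. Returns 1 when at least one was printed.
unexpected_modules() {
    allow=" $1 "
    status=0
    while read -r id refs addr size name || [ -n "$id" ]; do
        [ "$id" = "Id" ] && continue      # column header line
        [ -z "$name" ] && continue        # blank or malformed line
        case "$allow" in
            *" $name "*) ;;               # expected module
            *) echo "$name"; status=1 ;;
        esac
    done
    return $status
}

# Checks whether the device node the thread names as a Turtle2 indicator exists.
# $1 is the /dev directory to inspect (a parameter so the check is testable offline).
indicator_device_present() {
    [ -e "$1/turtle2dev" ]
}

# Combines the three checks and prints findings, ending with a one-word verdict.
# Arguments: securelevel value, allowlist, /dev directory; kldstat output on stdin.
audit_kmod_hardening() {
    level=$1; allow=$2; devdir=$3
    verdict="OK"
    if ! securelevel_blocks_kld "$level"; then
        echo "WARN securelevel=$level: kernel modules can still be loaded at runtime"
        verdict="WARN"
    fi
    extra=$(unexpected_modules "$allow") || {
        echo "WARN unexpected kernel modules loaded: $(echo "$extra" | tr '\n' ' ')"
        verdict="WARN"
    }
    if indicator_device_present "$devdir"; then
        echo "ALERT $devdir/turtle2dev exists (Turtle2 indicator)"
        verdict="ALERT"
    fi
    echo "$verdict"
}

# Demonstration on constructed data: securelevel 0 and an unexpected module loaded.
SAMPLE_KLDSTAT='Id Refs Address            Size     Name
 1   12 0xffffffff80200000 1f3a0d8  kernel
 2    1 0xffffffff82219000 5a80     turtle2.ko'
printf '%s\n' "$SAMPLE_KLDSTAT" | audit_kmod_hardening 0 "kernel if_em.ko" /nonexistent
```

Raising securelevel only closes the runtime path, so the allowlist comparison is what catches a module that arrived via the loader before securelevel went up.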

In-Reply-To: <4FF35864.5030109@FreeBSD.org>
Date: Wed, 4 Jul 2012 17:51:52 +0100
From: "Simon L. B. Nielsen"
To: Doug Barton
Cc: freebsd-security@freebsd.org, Dag-Erling Smørgrav, freebsd-hackers@freebsd.org
Subject: Re: Pull in upstream before 9.1 code freeze?

On Tue, Jul 3, 2012 at 9:39 PM, Doug Barton wrote:
> On 07/03/2012 05:39, Dag-Erling Smørgrav wrote:
>> Doug Barton writes:
>>> The correct solution to this problem is to remove BIND from the base
>>> altogether, but I have no energy for all the whinging that would happen
>>> if I tried (again) to do that.
>>
>> I don't think there will be as much whinging as you expect. Times have
>> changed.
>>
>> I'm willing to import and maintain unbound (BSD-licensed validating,
>> recursive, and caching DNS resolver) if you remove BIND.
>
> You've got a deal!
>
> Unbound requires ldns, which is a good thing. Part of this project would

How's the security support for ldns / unbound? For third party
software sitting in the 'frontline' that part is rather important.

> also be to enable drill so that we have a command-line dns lookup tool
> in the base, but that's trivial once you've got ldns imported.

Does that mean losing host(1)? That would be somewhat annoying.
-- 
Simon

Date: Wed, 4 Jul 2012 14:51:04 -0400
From: Jason Hellenthal
To: Freddie Cash
Message-ID: <20120704185104.GA42355@DataIX.net>
Cc: freebsd-security@freebsd.org, Dag-Erling Smørgrav, Doug Barton, "Simon L. B. Nielsen", freebsd-hackers@freebsd.org
Subject: Re: Pull in upstream before 9.1 code freeze?

On Wed, Jul 04, 2012 at 10:01:04AM -0700, Freddie Cash wrote:
> On Wed, Jul 4, 2012 at 9:51 AM, Simon L. B. Nielsen wrote:
> > On Tue, Jul 3, 2012 at 9:39 PM, Doug Barton wrote:
> >> On 07/03/2012 05:39, Dag-Erling Smørgrav wrote:
> >>> Doug Barton writes:
> >>>> The correct solution to this problem is to remove BIND from the base
> >>>> altogether, but I have no energy for all the whinging that would happen
> >>>> if I tried (again) to do that.
> >>>
> >>> I don't think there will be as much whinging as you expect. Times have
> >>> changed.
> >>>
> >>> I'm willing to import and maintain unbound (BSD-licensed validating,
> >>> recursive, and caching DNS resolver) if you remove BIND.
> >>
> >> You've got a deal!
> >>
> >> Unbound requires ldns, which is a good thing. Part of this project would
> >
> > How's the security support for ldns / unbound? For third party
> > software sitting in the 'frontline' that part is rather important.
> >
> >> also be to enable drill so that we have a command-line dns lookup tool
> >> in the base, but that's trivial once you've got ldns imported.
> >
> > Does that means loosing host(1) ? That would be somewhat annoying.
>
> There's a version of host based on unbound. At least, there's an
> unbound-host package for Debian Linux:
>
> http://packages.debian.org/search?keywords=unbound-host
>

What would be really nice here is a command wrapper hooked into the shell
so that when you type a command and it does not exist it presents you
with a question for suggestions to install, somewhat like Fedora has
done. You type nmap in the root shell and it will ask you if you would
like to install it.

With that said, given this is FreeBSD, it could offer ...

Would you like to install base package [y/N] ?: N
Would you like to install ports package [y/N] ?: N
Would you like to compile this from ports [y/N] ?: Y

You have these options available:
1) BIND
2) LDNS
3) DJBDNS

Which would you like [0-3]:

I entirely dislike the idea of including something other than bind-tools
within base that are installed, but fully support the idea of providing
a way to allow the user to install a "base package", one that is meant
to install into the base system, and have as many as are seen suited to
support the community.

I currently buildworld WITHOUT_BIND and use bind from ports and cannot
justify the time to go through learning/using another instance, or at
least not at this time when BIND has been perfect for everything I needed
to do.

--
 - (2^(N-1))

Date: Wed, 4 Jul 2012 10:01:04 -0700
From: Freddie Cash To: "Simon L. B. Nielsen" Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable X-Mailman-Approved-At: Wed, 04 Jul 2012 19:42:15 +0000 Cc: freebsd-security@freebsd.org, Doug Barton , freebsd-hackers@freebsd.org, =?UTF-8?Q?Dag=2DErling_Sm=C3=B8rgrav?= Subject: Re: Pull in upstream before 9.1 code freeze? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 04 Jul 2012 17:01:07 -0000 On Wed, Jul 4, 2012 at 9:51 AM, Simon L. B. Nielsen wro= te: > On Tue, Jul 3, 2012 at 9:39 PM, Doug Barton wrote: >> On 07/03/2012 05:39, Dag-Erling Sm=C3=B8rgrav wrote: >>> Doug Barton writes: >>>> The correct solution to this problem is to remove BIND from the base >>>> altogether, but I have no energy for all the whinging that would happe= n >>>> if I tried (again) to do that. >>> >>> I don't think there will be as much whinging as you expect. Times have >>> changed. >>> >>> I'm willing to import and maintain unbound (BSD-licensed validating, >>> recursive, and caching DNS resolver) if you remove BIND. >> >> You've got a deal! >> >> Unbound requires ldns, which is a good thing. Part of this project would > > How's the security support for ldns / unbound? For third party > software sitting in the 'frontline' that part is rather important. > >> also be to enable drill so that we have a command-line dns lookup tool >> in the base, but that's trivial once you've got ldns imported. > > Does that means loosing host(1) ? That would be somewhat annoying. There's a version of host based on unbound. 
At least, there's an unbound-host package for Debian Linux: http://packages.debian.org/search?keywords=unbound-host -- Freddie Cash fjwcash@gmail.com From owner-freebsd-security@FreeBSD.ORG Wed Jul 4 21:15:56 2012 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx2.freebsd.org (mx2.freebsd.org [69.147.83.53]) by hub.freebsd.org (Postfix) with ESMTP id 7597D1065676; Wed, 4 Jul 2012 21:15:56 +0000 (UTC) (envelope-from dougb@FreeBSD.org) Received: from opti.dougb.net (hub.freebsd.org [IPv6:2001:4f8:fff6::36]) by mx2.freebsd.org (Postfix) with ESMTP id 846C61505F4; Wed, 4 Jul 2012 21:14:49 +0000 (UTC) Message-ID: <4FF4B249.4010107@FreeBSD.org> Date: Wed, 04 Jul 2012 14:14:49 -0700 
From: Doug Barton Organization: http://SupersetSolutions.com/ User-Agent: Mozilla/5.0 (X11; FreeBSD i386; rv:13.0) Gecko/20120624 Thunderbird/13.0.1 MIME-Version: 1.0 To: Freddie Cash References: <4FF2E00E.2030502@FreeBSD.org> <86bojxow6x.fsf@ds4.des.no> <4FF35864.5030109@FreeBSD.org> In-Reply-To: X-Enigmail-Version: 1.4.2 OpenPGP: id=1A1ABC84 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 8bit Cc: freebsd-security@freebsd.org, freebsd-hackers@freebsd.org, "Simon L. B. Nielsen" , =?ISO-8859-1?Q?Dag-Erling_Sm=F8rgrav?= Subject: Re: Pull in upstream before 9.1 code freeze? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 04 Jul 2012 21:15:56 -0000 On 07/04/2012 10:01, Freddie Cash wrote: > On Wed, Jul 4, 2012 at 9:51 AM, Simon L. B. Nielsen wrote: >> On Tue, Jul 3, 2012 at 9:39 PM, Doug Barton wrote: >>> On 07/03/2012 05:39, Dag-Erling Smørgrav wrote: >>>> Doug Barton writes: >>>>> The correct solution to this problem is to remove BIND from the base >>>>> altogether, but I have no energy for all the whinging that would happen >>>>> if I tried (again) to do that. >>>> >>>> I don't think there will be as much whinging as you expect. Times have >>>> changed. >>>> >>>> I'm willing to import and maintain unbound (BSD-licensed validating, >>>> recursive, and caching DNS resolver) if you remove BIND. >>> >>> You've got a deal! >>> >>> Unbound requires ldns, which is a good thing. Part of this project would >> >> How's the security support for ldns / unbound? For third party >> software sitting in the 'frontline' that part is rather important. Other than my followup where I expressed total confidence in the folks that produce these tools, I'll leave the advocacy to Dag-Erling. 
>>> also be to enable drill so that we have a command-line dns lookup tool >>> in the base, but that's trivial once you've got ldns imported. >> >> Does that mean losing host(1)? Yes! Code must be free!!!!!11!!!! :) >> That would be somewhat annoying. Again, see my followup. > There's a version of host based on unbound. At least, there's an > unbound-host package for Debian Linux: Yes, it's a SMOP. If we produced a BSDL version I'm fairly sure the NLnet Labs guys would be interested. Dag-Erling probably wants to contact them first to see if they are already working on something similar. Doug -- This .signature sanitized for your protection From owner-freebsd-security@FreeBSD.ORG Wed Jul 4 21:20:19 2012 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx2.freebsd.org (mx2.freebsd.org [IPv6:2001:4f8:fff6::35]) by hub.freebsd.org (Postfix) with ESMTP id 9E0FA10656AD; Wed, 4 Jul 2012 21:20:19 +0000 (UTC) (envelope-from dougb@FreeBSD.org) Received: from opti.dougb.net (hub.freebsd.org [IPv6:2001:4f8:fff6::36]) by mx2.freebsd.org (Postfix) with ESMTP id 1278415826E; Wed, 4 Jul 2012 21:19:39 +0000 (UTC) Message-ID: <4FF4B36A.2040608@FreeBSD.org> Date: Wed, 04 Jul 2012 14:19:38 -0700 
From: Doug Barton Organization: http://SupersetSolutions.com/ User-Agent: Mozilla/5.0 (X11; FreeBSD i386; rv:13.0) Gecko/20120624 Thunderbird/13.0.1 MIME-Version: 1.0 To: Jason Hellenthal References: <4FF2E00E.2030502@FreeBSD.org> <86bojxow6x.fsf@ds4.des.no> <4FF35864.5030109@FreeBSD.org> <20120704185104.GA42355@DataIX.net> In-Reply-To: <20120704185104.GA42355@DataIX.net> X-Enigmail-Version: 1.4.2 OpenPGP: id=1A1ABC84 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Cc: freebsd-security@freebsd.org, freebsd-hackers@freebsd.org Subject: Re: Pull in upstream before 9.1 code freeze? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 04 Jul 2012 21:20:19 -0000 On 07/04/2012 11:51, Jason Hellenthal wrote: > What would be really nice here is a command wrapper hooked into the > shell so that when you type a command and it does not exist it presents > you with a question for suggestions to install somewhat like Fedora has > done. I would also like to see this feature, which is pretty much universal in linux at this point. It's very handy. I look forward to reviewing your patches to implement it. 
:) Doug -- This .signature sanitized for your protection From owner-freebsd-security@FreeBSD.ORG Wed Jul 4 21:56:17 2012 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id F1373106564A; Wed, 4 Jul 2012 21:56:16 +0000 (UTC) (envelope-from brett@lariat.org) Received: from lariat.net (lariat.net [66.62.230.51]) by mx1.freebsd.org (Postfix) with ESMTP id 6A44E8FC17; Wed, 4 Jul 2012 21:56:16 +0000 (UTC) Received: from WildRover.lariat.org (IDENT:ppp1000.lariat.net@lariat.net [66.119.58.2] (may be forged)) by lariat.net (8.9.3/8.9.3) with ESMTP id PAA09080; Wed, 4 Jul 2012 15:56:03 -0600 (MDT) Message-Id: <201207042156.PAA09080@lariat.net> X-Mailer: QUALCOMM Windows Eudora Version 7.1.0.9 Date: Wed, 04 Jul 2012 15:55:54 -0600 To: Dag-Erling Smørgrav , Doug Barton 
From: Brett Glass In-Reply-To: <86bojxow6x.fsf@ds4.des.no> References: <4FF2E00E.2030502@FreeBSD.org> <86bojxow6x.fsf@ds4.des.no> Mime-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 8bit Cc: freebsd-hackers@freebsd.org, Robert Simmons , freebsd-security@freebsd.org Subject: Re: Pull in upstream before 9.1 code freeze? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 04 Jul 2012 21:56:17 -0000 At 06:39 AM 7/3/2012, Dag-Erling Smørgrav wrote: >I'm willing to import and maintain unbound (BSD-licensed validating, >recursive, and caching DNS resolver) if you remove BIND. I've been using djb, and -- despite its quirks -- I'm very happy with it. I'd like to have the option of installing dnscache, with the so-called "Jumbo" patch, as the default resolver. I believe that the code has been released into the public domain. --Brett Glass From owner-freebsd-security@FreeBSD.ORG Wed Jul 4 22:04:25 2012 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx2.freebsd.org (mx2.freebsd.org [69.147.83.53]) by hub.freebsd.org (Postfix) with ESMTP id 1515D106566C; Wed, 4 Jul 2012 22:04:25 +0000 (UTC) (envelope-from dougb@FreeBSD.org) Received: from opti.dougb.net (hub.freebsd.org [IPv6:2001:4f8:fff6::36]) by mx2.freebsd.org (Postfix) with ESMTP id 2D2B61A6930; Wed, 4 Jul 2012 22:03:21 +0000 (UTC) Message-ID: <4FF4BDA8.50303@FreeBSD.org> Date: Wed, 04 Jul 2012 15:03:20 -0700 
From: Doug Barton Organization: http://SupersetSolutions.com/ User-Agent: Mozilla/5.0 (X11; FreeBSD i386; rv:13.0) Gecko/20120624 Thunderbird/13.0.1 MIME-Version: 1.0 To: Brett Glass References: <4FF2E00E.2030502@FreeBSD.org> <86bojxow6x.fsf@ds4.des.no> <201207042156.PAA09080@lariat.net> In-Reply-To: <201207042156.PAA09080@lariat.net> X-Enigmail-Version: 1.4.2 OpenPGP: id=1A1ABC84 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 8bit Cc: freebsd-security@freebsd.org, =?ISO-8859-1?Q?Dag-Erling_Sm=F8rgrav?= , Robert Simmons , freebsd-hackers@freebsd.org Subject: Re: Pull in upstream before 9.1 code freeze? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 04 Jul 2012 22:04:25 -0000 On 07/04/2012 14:55, Brett Glass wrote: > At 06:39 AM 7/3/2012, Dag-Erling Smørgrav wrote: > >> I'm willing to import and maintain unbound (BSD-licensed validating, >> recursive, and caching DNS resolver) if you remove BIND. > > I've been using djb, and -- despite its quirks -- I'm very happy with > it. Completely aside from its "quirks," djbdns is wholly unsuitable in the modern DNS world due to its poor and/or total lack of support for IDNs and DNSSEC. > I'd like to have the option of installing dnscache, with the > so-called "Jumbo" patch, as the default resolver. As soon as you start talking about "with/without $option" you are talking about a ports install, which is perfectly fine. Other than that, if whoever actually pushes all the rocks uphill to make the installer more modular in this regard decides to include djbdns, more power to them. 
:) Doug -- This .signature sanitized for your protection From owner-freebsd-security@FreeBSD.ORG Thu Jul 5 04:08:12 2012 Return-Path: Delivered-To: freebsd-security@FreeBSD.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 819ED106566C; Thu, 5 Jul 2012 04:08:12 +0000 (UTC) (envelope-from brett@lariat.org) Received: from lariat.net (lariat.net [66.62.230.51]) by mx1.freebsd.org (Postfix) with ESMTP id 1279A8FC1E; Thu, 5 Jul 2012 04:08:11 +0000 (UTC) Received: from WildRover.lariat.org (IDENT:ppp1000.lariat.net@lariat.net [66.119.58.2] (may be forged)) by lariat.net (8.9.3/8.9.3) with ESMTP id WAA11175; Wed, 4 Jul 2012 22:08:06 -0600 (MDT) Message-Id: <201207050408.WAA11175@lariat.net> X-Mailer: QUALCOMM Windows Eudora Version 7.1.0.9 Date: Wed, 04 Jul 2012 22:08:02 -0600 To: Doug Barton 
From: Brett Glass In-Reply-To: <4FF4BDA8.50303@FreeBSD.org> References: <4FF2E00E.2030502@FreeBSD.org> <86bojxow6x.fsf@ds4.des.no> <201207042156.PAA09080@lariat.net> <4FF4BDA8.50303@FreeBSD.org> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Cc: Dag-Erling Smørgrav , freebsd-security@FreeBSD.org, Robert Simmons , freebsd-hackers@FreeBSD.org Subject: Re: Pull in upstream before 9.1 code freeze? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 05 Jul 2012 04:08:12 -0000 At 04:03 PM 7/4/2012, Doug Barton wrote: >Other than that, if whoever actually pushes all the rocks uphill to make >the installer more modular in this regard decides to include djbdns, >more power to them. :) I'm not suggesting that everyone will prefer djb, and the last thing I want to do is start a religious war regarding the merits of different resolvers or the efficacy of DNSSEC. I'm merely asking that any change to the base system or the installation procedure allow me to choose this or any of the other most popular resolvers, at install time, with as little pain as possible. --Brett Glass From owner-freebsd-security@FreeBSD.ORG Thu Jul 5 04:12:32 2012 Return-Path: Delivered-To: freebsd-security@FreeBSD.org Received: from mx2.freebsd.org (mx2.freebsd.org [69.147.83.53]) by hub.freebsd.org (Postfix) with ESMTP id 415B8106566B; Thu, 5 Jul 2012 04:12:32 +0000 (UTC) (envelope-from dougb@FreeBSD.org) Received: from opti.dougb.net (hub.freebsd.org [IPv6:2001:4f8:fff6::36]) by mx2.freebsd.org (Postfix) with ESMTP id A3C451623EE; Thu, 5 Jul 2012 04:10:53 +0000 (UTC) Message-ID: <4FF513CD.4090308@FreeBSD.org> Date: Wed, 04 Jul 2012 21:10:53 -0700 
From: Doug Barton Organization: http://SupersetSolutions.com/ User-Agent: Mozilla/5.0 (X11; FreeBSD i386; rv:13.0) Gecko/20120624 Thunderbird/13.0.1 MIME-Version: 1.0 To: Brett Glass References: <4FF2E00E.2030502@FreeBSD.org> <86bojxow6x.fsf@ds4.des.no> <201207042156.PAA09080@lariat.net> <4FF4BDA8.50303@FreeBSD.org> <201207050408.WAA11175@lariat.net> In-Reply-To: <201207050408.WAA11175@lariat.net> X-Enigmail-Version: 1.4.2 OpenPGP: id=1A1ABC84 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Cc: =?ISO-8859-1?Q?Dag-Erling_Sm=F8rgrav?= , freebsd-security@FreeBSD.org, Robert Simmons , freebsd-hackers@FreeBSD.org Subject: Re: Pull in upstream before 9.1 code freeze? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 05 Jul 2012 04:12:32 -0000 On 07/04/2012 21:08, Brett Glass wrote: > At 04:03 PM 7/4/2012, Doug Barton wrote: > >> Other than that, if whoever actually pushes all the rocks uphill to make >> the installer more modular in this regard decides to include djbdns, >> more power to them. :) > > I'm not suggesting that everyone will prefer djb, and the last thing I > want to do is start a religious war regarding the merits of different > resolvers or the efficacy of DNSSEC. I'm merely asking that any change > to the base system or the installation procedure allow me to choose this > or any of the other most popular resolvers, at install time, with as > little pain as possible. And as usual, your patches to implement that feature are eagerly anticipated. 
-- This .signature sanitized for your protection From owner-freebsd-security@FreeBSD.ORG Thu Jul 5 14:04:38 2012 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id D682B106564A for ; Thu, 5 Jul 2012 14:04:38 +0000 (UTC) (envelope-from feld@feld.me) Received: from feld.me (unknown [IPv6:2607:f4e0:100:300::2]) by mx1.freebsd.org (Postfix) with ESMTP id 99BF88FC0A for ; Thu, 5 Jul 2012 14:04:38 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=feld.me; s=blargle; h=In-Reply-To:Message-Id:From:Mime-Version:Date:References:Subject:To:Content-Type; bh=lZe3X5hwf+Yb1vVUFF8tbXET8nYnxnSgAv9wDps+oY4=; b=PomoSk6ilQ9mA7gHNMeTeSUnbXyLyaktrQ4hBygt8b9FQ3biexyAseq9B9GqMFIqeG5VU3jzjK/E12Mh/nCfxs7f4Fe9ABaRk0PaCHx5hEX1c2/F8nHw0ItV4U56J7fg; Received: from localhost ([127.0.0.1] helo=mwi1.coffeenet.org) by feld.me with esmtp (Exim 4.77 (FreeBSD)) (envelope-from ) id 1SmmfY-0002RW-Bk for freebsd-security@freebsd.org; Thu, 05 Jul 2012 09:04:37 -0500 Received: from feld@feld.me by mwi1.coffeenet.org (Archiveopteryx 3.1.4) with esmtpa id 1341497066-94480-94479/5/88; Thu, 5 Jul 2012 14:04:26 +0000 Content-Type: text/plain; charset=utf-8; format=flowed; delsp=yes To: freebsd-security@freebsd.org References: <4FF2E00E.2030502@FreeBSD.org> <86bojxow6x.fsf@ds4.des.no> <4FF35864.5030109@FreeBSD.org> <20120704185104.GA42355@DataIX.net> <4FF4B36A.2040608@FreeBSD.org> Date: Thu, 5 Jul 2012 09:04:26 -0500 Mime-Version: 1.0 
From: Mark Felder Message-Id: In-Reply-To: <4FF4B36A.2040608@FreeBSD.org> User-Agent: Opera Mail/12.00 (FreeBSD) X-SA-Score: -1.5 Subject: Re: Pull in upstream before 9.1 code freeze? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 05 Jul 2012 14:04:38 -0000 On Wed, 04 Jul 2012 16:19:38 -0500, Doug Barton wrote: > On 07/04/2012 11:51, Jason Hellenthal wrote: >> What would be really nice here is a command wrapper hooked into the >> shell so that when you type a command and it does not exist it presents >> you with a question for suggestions to install somewhat like Fedora has >> done. > > I would also like to see this feature, which is pretty much universal in > linux at this point. It's very handy. > As long as it's completely optional, that'd be nice. Linux adds too much cruft to their shells. Ever try logging into an extremely highly loaded Ubuntu server? Takes forever to get your shell because of all the crap it runs to make things "pretty" for you. Linux foobar 2.6.31-14-generic-pae #48-Ubuntu SMP Fri Oct 16 15:22:42 UTC 2009 i686 To access official Ubuntu documentation, please visit: http://help.ubuntu.com/ System information as of Thu Jul 5 09:00:57 CDT 2012 System load: 0.08 Memory usage: 47% Processes: 81 Usage of /: 28.2% of 18.82GB Swap usage: 3% Users logged in: 0 Graph this data and manage this system at https://landscape.canonical.com/ 129 packages can be updated. 101 updates are security updates. 
$ From owner-freebsd-security@FreeBSD.ORG Thu Jul 5 17:37:46 2012 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id E904F106566B; Thu, 5 Jul 2012 17:37:46 +0000 (UTC) (envelope-from rsimmons0@gmail.com) Received: from mail-vc0-f182.google.com (mail-vc0-f182.google.com [209.85.220.182]) by mx1.freebsd.org (Postfix) with ESMTP id 8A50B8FC15; Thu, 5 Jul 2012 17:37:46 +0000 (UTC) Received: by vcbfy7 with SMTP id fy7so6887571vcb.13 for ; Thu, 05 Jul 2012 10:37:45 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type:content-transfer-encoding; bh=W4oTQQUwk/SIkXdrMKRZ7xU4MzlZfH16B2CfFxmPa84=; b=QfTSV/2M/YjoTgQ1lM5Vv1rhWWy18LWrxCwIACZMzobXj/sBhUGuhgGNhbBfjUAylu UXsGw4o1mr3j42eCB03m8VE7hhuqlUZdzufY6sHl+fLoSi53d0cBQPHPZBFbmEtl1nwe he3s1gFmrlzrCISIpQ8l0ceKhdZnIEwzdZRAHNVeWI8FEffhmS/2SN4p71u7a5QUHDj4 EgGKeslmfNajLyoAhrEtmB87+RZZmQGlqUZB4faurfG9rkZ191z2VlL7gBUq3ys8Zueo bhFDCZQAtE32FdMkYNEvgEdG9+bCwP5Kf6SBClyWhTPVo6Hk6XG4MKJ9EcsQKJ5bp2HR PkrQ== MIME-Version: 1.0 Received: by 10.220.214.139 with SMTP id ha11mr13082224vcb.16.1341509865882; Thu, 05 Jul 2012 10:37:45 -0700 (PDT) Received: by 10.52.180.168 with HTTP; Thu, 5 Jul 2012 10:37:45 -0700 (PDT) In-Reply-To: <86fw99p233.fsf@ds4.des.no> References: <86fw99p233.fsf@ds4.des.no> Date: Thu, 5 Jul 2012 13:37:45 -0400 Message-ID: 
From: Robert Simmons To: freebsd-hackers@freebsd.org, freebsd-security@freebsd.org Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Cc: Subject: Re: Pull in upstream before 9.1 code freeze? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 05 Jul 2012 17:37:47 -0000 On Tue, Jul 3, 2012 at 6:32 AM, Dag-Erling Smørgrav wrote: > Robert Simmons writes: >> OpenSSH 6.0p1 > > No. It doesn't build cleanly on FreeBSD (I reported two issues during > the pre-release cycle, one was fixed but the other was not), and even if > it did, it's too big a change to push through on such short notice. Understood. What about IPFilter? From owner-freebsd-security@FreeBSD.ORG Sat Jul 7 21:16:58 2012 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 361F9106564A; Sat, 7 Jul 2012 21:16:58 +0000 (UTC) (envelope-from bzeeb-lists@lists.zabbadoz.net) Received: from mx1.sbone.de (mx1.sbone.de [IPv6:2a01:4f8:130:3ffc::401:25]) by mx1.freebsd.org (Postfix) with ESMTP id E86E28FC08; Sat, 7 Jul 2012 21:16:57 +0000 (UTC) Received: from dhcp-128-232-132-170.eduroam.csx.cam.ac.uk (dhcp-128-232-132-170.eduroam.csx.cam.ac.uk [128.232.132.170]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by mx1.sbone.de (Postfix) with ESMTPSA id 7D77625D3878; Sat, 7 Jul 2012 21:16:56 +0000 (UTC) Mime-Version: 1.0 (Apple Message framework v1084) Content-Type: text/plain; charset=iso-8859-1 
From: "Bjoern A. Zeeb" In-Reply-To: <86bojxow6x.fsf@ds4.des.no> Date: Sat, 7 Jul 2012 21:16:55 +0000 Content-Transfer-Encoding: quoted-printable Message-Id: <89AB703D-E075-4AAC-AC1B-B358CC4E4E7F@lists.zabbadoz.net> References: <4FF2E00E.2030502@FreeBSD.org> <86bojxow6x.fsf@ds4.des.no> To: =?iso-8859-1?Q?Dag-Erling_Sm=F8rgrav?= X-Mailer: Apple Mail (2.1084) Cc: FreeBSD Hackers , freebsd-security@freebsd.org Subject: Re: Pull in upstream before 9.1 code freeze? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 07 Jul 2012 21:16:58 -0000 On 3. Jul 2012, at 12:39 , Dag-Erling Smørgrav wrote: > Doug Barton writes: >> The correct solution to this problem is to remove BIND from the base >> altogether, but I have no energy for all the whinging that would happen >> if I tried (again) to do that. > > I don't think there will be as much whinging as you expect. Times have > changed. > > I'm willing to import and maintain unbound (BSD-licensed validating, > recursive, and caching DNS resolver) if you remove BIND. I'd object to it. Trading one for another without gaining anything does not help us much. Don't get me wrong, I have both running for years and even maintain patches for unbound for 2 years now for functionality they do not provide, which named happily gives me. If you want to do this, I would prefer a properly laid out action plan as the import is by far the easiest but the integration into various parts of the system is harder. /bz -- Bjoern A. Zeeb You have to have visions! It does not matter how good you are. It matters what good you do! 
From owner-freebsd-security@FreeBSD.ORG Sat Jul 7 23:17:54 2012 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx2.freebsd.org (mx2.freebsd.org [IPv6:2001:4f8:fff6::35]) by hub.freebsd.org (Postfix) with ESMTP id 2A31A106564A; Sat, 7 Jul 2012 23:17:54 +0000 (UTC) (envelope-from dougb@FreeBSD.org) Received: from opti.dougb.net (hub.freebsd.org [IPv6:2001:4f8:fff6::36]) by mx2.freebsd.org (Postfix) with ESMTP id A849914D8E8; Sat, 7 Jul 2012 23:17:53 +0000 (UTC) Message-ID: <4FF8C3A1.9080805@FreeBSD.org> Date: Sat, 07 Jul 2012 16:17:53 -0700 
From: Doug Barton Organization: http://SupersetSolutions.com/ User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:13.0) Gecko/20120621 Thunderbird/13.0.1 MIME-Version: 1.0 To: "Bjoern A. Zeeb" References: <4FF2E00E.2030502@FreeBSD.org> <86bojxow6x.fsf@ds4.des.no> <89AB703D-E075-4AAC-AC1B-B358CC4E4E7F@lists.zabbadoz.net> In-Reply-To: <89AB703D-E075-4AAC-AC1B-B358CC4E4E7F@lists.zabbadoz.net> X-Enigmail-Version: 1.4.2 OpenPGP: id=1A1ABC84 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 8bit Cc: freebsd-security@freebsd.org, =?ISO-8859-1?Q?Dag-Erling_Sm=F8rgrav?= , FreeBSD Hackers Subject: Replacing BIND with unbound (Was: Re: Pull in upstream before 9.1 code freeze?) X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 07 Jul 2012 23:17:54 -0000 On 07/07/2012 14:16, Bjoern A. Zeeb wrote: > > On 3. Jul 2012, at 12:39 , Dag-Erling Smørgrav wrote: > >> Doug Barton writes: >>> The correct solution to this problem is to remove BIND from the base >>> altogether, but I have no energy for all the whinging that would happen >>> if I tried (again) to do that. >> >> I don't think there will be as much whinging as you expect. Times have >> changed. >> >> I'm willing to import and maintain unbound (BSD-licensed validating, >> recursive, and caching DNS resolver) if you remove BIND. > > I'd object to it. Trading one for another without gaining anything does > not help us much. Au contraire. It solves the problem of BIND release cycles not matching up with ours. This is a very important problem to solve. I've already written at length as to what I think the dream solution is, but we don't have anyone willing to code that yet, and even if we did, there is no guarantee that we'd get the buy-in to make it happen. 
In addition to being a good first step, doing this for DNS will also help us shake out the exact issues you allude to below. > Don't get me wrong I have both running for years and even maintain patches > for unbound for 2 years now for functionality they do not provide, which > named happily gives me. Other than authoritative DNS, what features does unbound lack that you want? > If you want to do this, I would prefer a properly laid out action plan > as the import is by far the easiest but the integration into various > parts of the system is harder. BIND in the base today comes with a full-featured local resolver configuration, which I'm confident that Dag-Erling can do for unbound (and which I would be glad to assist with if needed). Other than that, what integration are you concerned about? ... and just in case, these are sincere "project requirement gathering" questions, I'm not attempting to be snarky in any way. Doug -- This .signature sanitized for your protection From owner-freebsd-security@FreeBSD.ORG Sat Jul 7 23:34:49 2012 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 0878C1065672; Sat, 7 Jul 2012 23:34:49 +0000 (UTC) (envelope-from bzeeb-lists@lists.zabbadoz.net) Received: from mx1.sbone.de (mx1.sbone.de [IPv6:2a01:4f8:130:3ffc::401:25]) by mx1.freebsd.org (Postfix) with ESMTP id A338E8FC1B; Sat, 7 Jul 2012 23:34:48 +0000 (UTC) Received: from dhcp-128-232-132-170.eduroam.csx.cam.ac.uk (dhcp-128-232-132-170.eduroam.csx.cam.ac.uk [128.232.132.170]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by mx1.sbone.de (Postfix) with ESMTPSA id 64A7825D3891; Sat, 7 Jul 2012 23:34:46 +0000 (UTC) Mime-Version: 1.0 (Apple Message framework v1084) Content-Type: text/plain; charset=iso-8859-1 
From: "Bjoern A. Zeeb" In-Reply-To: <4FF8C3A1.9080805@FreeBSD.org> Date: Sat, 7 Jul 2012 23:34:45 +0000 Content-Transfer-Encoding: quoted-printable Message-Id: <0AFE3C4A-22DB-4134-949F-4D05BBFC4C6C@lists.zabbadoz.net> References: <4FF2E00E.2030502@FreeBSD.org> <86bojxow6x.fsf@ds4.des.no> <89AB703D-E075-4AAC-AC1B-B358CC4E4E7F@lists.zabbadoz.net> <4FF8C3A1.9080805@FreeBSD.org> To: Doug Barton X-Mailer: Apple Mail (2.1084) Cc: freebsd-security@freebsd.org, =?iso-8859-1?Q?Dag-Erling_Sm=F8rgrav?= , FreeBSD Hackers Subject: Re: Replacing BIND with unbound (Was: Re: Pull in upstream before 9.1 code freeze?) X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 07 Jul 2012 23:34:49 -0000 On 7. Jul 2012, at 23:17 , Doug Barton wrote: > On 07/07/2012 14:16, Bjoern A. Zeeb wrote: >> >> On 3. Jul 2012, at 12:39 , Dag-Erling Smørgrav wrote: >> >>> Doug Barton writes: >>>> The correct solution to this problem is to remove BIND from the base >>>> altogether, but I have no energy for all the whinging that would happen >>>> if I tried (again) to do that. >>> >>> I don't think there will be as much whinging as you expect. Times have >>> changed. >>> >>> I'm willing to import and maintain unbound (BSD-licensed validating, >>> recursive, and caching DNS resolver) if you remove BIND. >> >> I'd object to it. Trading one for another without gaining anything does >> not help us much. > > Au contraire. It solves the problem of BIND release cycles not matching > up with ours. This is a very important problem to solve. Right and unbound et al are better? Bind at least gives us long term support releases these days. We just need to make sure we pick them for releases. 
> I've already written at length as to what I think the dream solution is, > but we don't have anyone willing to code that yet, and even if we did, > there is no guarantee that we'd get the buy-in to make it happen. In > addition to being a good first step, doing this for DNS will also help > us shake out the exact issues you allude to below. > >> Don't get me wrong I have both running for years and even maintain patches >> for unbound for 2 years now for functionality they do not provide, which >> named happily gives me. > > Other than authoritative DNS, what features does unbound lack that you want? DNS64 as a start. I don't care about the auth. support really with what is in base; it is nice that it comes for free and it is nice, that I'll not run into port 53 conflicts on single-IP systems .... but the only thing we really need is a caching resolver. >> If you want to do this, I would prefer a properly laid out action plan >> as the import is by far the easiest but the integration into various >> parts of the system is harder. > > BIND in the base today comes with a full-featured local resolver > configuration, which I'm confident that Dag-Erling can do for unbound > (and which I would be glad to assist with if needed). Other than that, > what integration are you concerned about? startup scripts; resolvconf, named.conf -> unbound.conf guides for our users, and not solving the issue that we really want a DNSSEC enabled caching resolver with libc APIs for applications to use DNSSEC in base that people are working on. We will probably need a crypto and most likely also an external dnssec speaking resolver library for this in the future, but which of the 7 it will be we don't know yet. /bz -- Bjoern A. Zeeb You have to have visions! It does not matter how good you are. It matters what good you do! 
From owner-freebsd-security@FreeBSD.ORG Sat Jul 7 23:45:58 2012 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx2.freebsd.org (mx2.freebsd.org [69.147.83.53]) by hub.freebsd.org (Postfix) with ESMTP id D72FD106566B; Sat, 7 Jul 2012 23:45:58 +0000 (UTC) (envelope-from dougb@FreeBSD.org) Received: from opti.dougb.net (hub.freebsd.org [IPv6:2001:4f8:fff6::36]) by mx2.freebsd.org (Postfix) with ESMTP id 5DB8C14DB28; Sat, 7 Jul 2012 23:45:58 +0000 (UTC) Message-ID: <4FF8CA35.7040209@FreeBSD.org> Date: Sat, 07 Jul 2012 16:45:57 -0700 
From: Doug Barton Organization: http://SupersetSolutions.com/ User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:13.0) Gecko/20120621 Thunderbird/13.0.1 MIME-Version: 1.0 To: "Bjoern A. Zeeb" References: <4FF2E00E.2030502@FreeBSD.org> <86bojxow6x.fsf@ds4.des.no> <89AB703D-E075-4AAC-AC1B-B358CC4E4E7F@lists.zabbadoz.net> <4FF8C3A1.9080805@FreeBSD.org> <0AFE3C4A-22DB-4134-949F-4D05BBFC4C6C@lists.zabbadoz.net> In-Reply-To: <0AFE3C4A-22DB-4134-949F-4D05BBFC4C6C@lists.zabbadoz.net> X-Enigmail-Version: 1.4.2 OpenPGP: id=1A1ABC84 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 8bit Cc: freebsd-security@freebsd.org, =?ISO-8859-1?Q?Dag-Erling_Sm=F8rgrav?= , FreeBSD Hackers Subject: Re: Replacing BIND with unbound (Was: Re: Pull in upstream before 9.1 code freeze?) X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 07 Jul 2012 23:45:59 -0000 On 07/07/2012 16:34, Bjoern A. Zeeb wrote: > On 7. Jul 2012, at 23:17 , Doug Barton wrote: > >> On 07/07/2012 14:16, Bjoern A. Zeeb wrote: >>> >>> On 3. Jul 2012, at 12:39 , Dag-Erling Smørgrav wrote: >>> >>>> Doug Barton writes: >>>>> The correct solution to this problem is to remove BIND from the base >>>>> altogether, but I have no energy for all the whinging that would happen >>>>> if I tried (again) to do that. >>>> >>>> I don't think there will be as much whinging as you expect. Times have >>>> changed. >>>> >>>> I'm willing to import and maintain unbound (BSD-licensed validating, >>>> recursive, and caching DNS resolver) if you remove BIND. >>> >>> I'd object to it. Trading one for another without gaining anything does >>> not help us much. >> >> Au contraire. It solves the problem of BIND release cycles not matching >> up with ours. This is a very important problem to solve. > > Right and unbound et al are better? 
> Bind at least gives us long term
> support releases these days. We just need to make sure we pick them
> for releases.
>
>
>> I've already written at length as to what I think the dream solution is,
>> but we don't have anyone willing to code that yet, and even if we did,
>> there is no guarantee that we'd get the buy-in to make it happen. In
>> addition to being a good first step, doing this for DNS will also help
>> us shake out the exact issues you allude to below.
>>
>>> Don't get me wrong I have both running for years and even maintain patches
>>> for unbound for 2 years now for functionality they do not provide, which
>>> named happily gives me.
>>
>> Other than authoritative DNS, what features does unbound lack that you want?
>
> DNS64 as a start.

Personally I would classify that as a highly-specialized request, and
would point you to the bind* ports. I acknowledge that others may have a
different view.

> I don't care about the auth. support really with what is
> in base; it is nice that it comes for free and it is nice, that I'll not
> run into port 53 conflicts on single-IP systems .... but the only thing we
> really need is a caching resolver.

It's good that we agree on that bit at least.

>>> If you want to do this, I would prefer a properly laid out action plan
>>> as the import is by far the easiest but the integration into various
>>> parts of the system is harder.
>>
>> BIND in the base today comes with a full-featured local resolver
>> configuration, which I'm confident that Dag-Erling can do for unbound
>> (and which I would be glad to assist with if needed). Other than that,
>> what integration are you concerned about?
>
> startup scripts;

Obviously that would be part of the import, and it should go without
saying that I'm glad to help with that as well, if my help is needed.

> resolvconf,

There is code in the rc.d/named script that handles this which can be
copied pretty much verbatim (or possibly factored out into its own
script).
Other than that I'm not aware of any BIND integration for this.

> named.conf -> unbound.conf guides for our users,

ACK

> and not solving the issue that we really want a DNSSEC enabled caching
> resolver with libc APIs for applications to use DNSSEC in base that people
> are working on. We will probably need a crypto and most likely also an
> external dnssec speaking resolver library for this in the future, but
> which of the 7 it will be we don't know yet.

Yes, but that's a totally different issue.

Also re DNSSEC integration in the base, I've stated before that I believe
very strongly that any kind of hard-coding of trust anchors as part of
the base resolver setup is a bad idea, and should not be done. We need to
leverage the ports system for this so that we don't get stuck with a
scenario where we have stale stuff in the base that is hard for users to
upgrade. I have a POC for this for BIND that I need to finish, and I'm
confident that something similar for unbound would not be difficult.

Doug

-- 
This .signature sanitized for your protection
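A constructed unbound.conf fragment for a local caching, validating resolver, added here as an illustration and not taken from the thread or from FreeBSD's base system; the listen addresses and file paths are assumptions. It puts the static, baked-in anchor Doug argues against beside unbound's own RFC 5011 auto-updating anchor file, which is unbound's mechanism for keeping the anchor current rather than the ports-based approach Doug describes.

```conf
# Constructed example, not a FreeBSD base configuration.
server:
    # Caching resolver for this host only (assumed addresses).
    interface: 127.0.0.1
    interface: ::1
    access-control: 127.0.0.0/8 allow
    access-control: ::1 allow
    access-control: 0.0.0.0/0 refuse
    access-control: ::0/0 refuse

    # Weak form: a literal root DS record baked into the shipped config.
    # It cannot follow a root KSK rollover without editing this file,
    # which is exactly the "stale stuff in the base" problem.
    # trust-anchor: ". DS <placeholder: root KSK DS record>"

    # Preferred form: unbound maintains the anchor file itself via
    # RFC 5011 and rewrites it when the root key rolls.
    # Seed it once with: unbound-anchor -a /var/unbound/root.key
    auto-trust-anchor-file: "/var/unbound/root.key"   # assumed path

    # Fail closed: treat replies with stripped DNSSEC data as bogus
    # instead of silently falling back to unvalidated answers.
    harden-dnssec-stripped: yes
    val-permissive-mode: no
```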
