From: Adam Vande More
Date: Sat, 7 Jul 2012 19:35:11 -0500
To: Doug Barton
Cc: "Bjoern A. Zeeb", Dag-Erling Smørgrav, FreeBSD Hackers, freebsd-security@freebsd.org
In-Reply-To: <4FF8CA35.7040209@FreeBSD.org>
Subject: Re: Replacing BIND with unbound (Was: Re: Pull in upstream before 9.1 code freeze?)
List-Id: Security issues [members-only posting]

On Sat, Jul 7, 2012 at 6:45 PM, Doug Barton wrote:
> On 07/07/2012 16:34, Bjoern A. Zeeb wrote:
> > On 7. Jul 2012, at 23:17 , Doug Barton wrote:
> >
> >> On 07/07/2012 14:16, Bjoern A. Zeeb wrote:
> >>>
> >>> On 3. Jul 2012, at 12:39 , Dag-Erling Smørgrav wrote:
> >>>
> >>>> Doug Barton writes:
> >>>>> The correct solution to this problem is to remove BIND from the base
> >>>>> altogether, but I have no energy for all the whinging that would happen
> >>>>> if I tried (again) to do that.
> >>>>
> >>>> I don't think there will be as much whinging as you expect. Times have
> >>>> changed.
> >>>>
> >>>> I'm willing to import and maintain unbound (BSD-licensed validating,
> >>>> recursive, and caching DNS resolver) if you remove BIND.
> >>>
> >>> I'd object to it. Trading one for another without gaining anything does
> >>> not help us much.
> >>
> >> Au contraire. It solves the problem of BIND release cycles not matching
> >> up with ours. This is a very important problem to solve.
> >
> > Right and unbound et al are better? Bind at least gives us long term
> > support releases these days. We just need to make sure we pick them
> > for releases.
> >
> >
> >> I've already written at length as to what I think the dream solution is,
> >> but we don't have anyone willing to code that yet, and even if we did,
> >> there is no guarantee that we'd get the buy-in to make it happen. In
> >> addition to being a good first step, doing this for DNS will also help
> >> us shake out the exact issues you allude to below.
> >>
> >>> Don't get me wrong I have both running for years and even maintain patches
> >>> for unbound for 2 years now for functionality they do not provide, which
> >>> named happily gives me.
> >>
> >> Other than authoritative DNS, what features does unbound lack that you want?
> >
> > DNS64 as a start.
>
> Personally I would classify that as a highly-specialized request, and
> would point you to the bind* ports. I acknowledge that others may have a
> different view.

I am unclear on how this solves the main problem I think was stated about
syncing up with release branches. If it doesn't solve that, isn't this just
busy work?

-- 
Adam Vande More

From: Darren Pilgrim
Date: Sat, 07 Jul 2012 17:48:39 -0700
Message-ID: <4FF8D8E7.5060409@bluerosetech.com>
To: Doug Barton
In-Reply-To: <4FF8CA35.7040209@FreeBSD.org>
Cc: freebsd-security@freebsd.org, FreeBSD Hackers
Subject: Re: Replacing BIND with unbound (Was: Re: Pull in upstream before 9.1 code freeze?)

On 2012-07-07 16:45, Doug Barton wrote:
> Also re DNSSEC integration in the base, I've stated before that I
> believe very strongly that any kind of hard-coding of trust anchors as
> part of the base resolver setup is a bad idea, and should not be done.
> We need to leverage the ports system for this so that we don't get stuck
> with a scenario where we have stale stuff in the base that is hard for
> users to upgrade.

Considering the current root update cert bundle has a 20-year root CA and
5-year DNSSEC and email CAs, I don't think it's unreasonable to maintain a
copy of icannbundle.pem in the source tree or simply rely on the copy built
into unbound-anchor.
From: Michael Holmes
Date: Sun, 8 Jul 2012 04:40:29 +0100
To: freebsd-security
Subject: OpenSSL on 9.0-RELEASE-p3 using Camellia as default TLS cipher?
Hi everyone,

I'm relatively new to running FreeBSD servers (a few months experience, but
mainly run Linux servers), and while setting up a few apps on my server
running 9.0-RELEASE-p3, such as Twisted and nginx, I noticed that FreeBSD's
OpenSSL implementation seems to default to the Camellia cipher for TLS
connections. I was wondering if this was by design or accident? I find it
odd that a less well-known cipher with less cryptanalysis performed against
it is picked over the well known, hardware accelerated and well tested AES
cipher, even if they are of similar design.

Thanks,
-- 
Michael Holmes

From: Doug Barton
Date: Sun, 08 Jul 2012 02:29:31 -0700
Message-ID: <4FF952FB.10200@FreeBSD.org>
To: Adam Vande More
Cc: "Bjoern A. Zeeb", Dag-Erling Smørgrav, FreeBSD Hackers, freebsd-security@freebsd.org
Subject: Re: Replacing BIND with unbound (Was: Re: Pull in upstream before 9.1 code freeze?)

On 07/07/2012 17:35, Adam Vande More wrote:
> I am unclear on how this solves the main problem I think was stated
> about syncing up with release branches.

I've already explained this at length in the past. ISC has changed both
their release schedule and their policy regarding not allowing new features
in a release branch. As a result, they release more frequently than we do,
and EOL supported branches sooner than we do. Unbound has different policies
and release schedules that are more in line with ours. So in the short term
(as in, the next few years) we're better off with unbound in the base.

The ideal, long-term solution is to re-think what "The Base" is, and give
users more flexibility at install time. Unfortunately, there is a knee-jerk
"zomg, we don't want to be like linux!" reaction to that idea which (to
date) has prevented a rational discussion about it. I hope that changes.
Doug

-- 
This .signature sanitized for your protection

From: Doug Barton
Date: Sun, 08 Jul 2012 02:31:17 -0700
Message-ID: <4FF95365.7010605@FreeBSD.org>
To: Darren Pilgrim
In-Reply-To: <4FF8D89B.1030308@bluerosetech.com>
Cc: freebsd-security@freebsd.org, FreeBSD Hackers
Subject: Re: Replacing BIND with unbound (Was: Re: Pull in upstream before 9.1 code freeze?)

On 07/07/2012 17:47, Darren Pilgrim wrote:
> On 2012-07-07 16:45, Doug Barton wrote:
>> Also re DNSSEC integration in the base, I've stated before that I
>> believe very strongly that any kind of hard-coding of trust anchors as
>> part of the base resolver setup is a bad idea, and should not be done.
>> We need to leverage the ports system for this so that we don't get stuck
>> with a scenario where we have stale stuff in the base that is hard for
>> users to upgrade.
>
> Considering the current root update cert bundle has a 20-year root CA
> and 5-year DNSSEC and email CAs,

Neither of which has any relevance to the actual root zone ZSK, which
could require an emergency roll tomorrow.

> I don't think it's unreasonable to
> maintain a copy of icannbundle.pem in the source tree

Again, that has nothing to do with the actual ZSK, other than providing a
way to validate the *existing* one. That's not the issue, at all.

-- 
This .signature sanitized for your protection

From: Wojciech Puchar
Date: Sun, 8 Jul 2012 11:31:21 +0200 (CEST)
To: Doug Barton
In-Reply-To: <4FF952FB.10200@FreeBSD.org>
Cc: freebsd-security@freebsd.org, Adam Vande More, Dag-Erling Smørgrav, FreeBSD Hackers, "Bjoern A. Zeeb"
Subject: Re: Replacing BIND with unbound (Was: Re: Pull in upstream before 9.1 code freeze?)

> line with ours. So in the short term (as in, the next few years) we're
> better off with unbound in the base.
>
> The ideal, long-term solution is to re-think what "The Base" is, and
> give users more flexibility at install time. Unfortunately, there is a

making base as minimal as possible gives you exactly that!

> knee-jerk "zomg, we don't want to be like linux!" reaction to that idea

it is the proper reaction.
From: Darren Pilgrim
Date: Sun, 08 Jul 2012 05:58:32 -0700
Message-ID: <4FF983F8.5070006@bluerosetech.com>
To: Doug Barton
In-Reply-To: <4FF95365.7010605@FreeBSD.org>
Cc: freebsd-security@freebsd.org, FreeBSD Hackers
Subject: Re: Replacing BIND with unbound (Was: Re: Pull in upstream before 9.1 code freeze?)
On 2012-07-08 02:31, Doug Barton wrote:
> On 07/07/2012 17:47, Darren Pilgrim wrote:
>> On 2012-07-07 16:45, Doug Barton wrote:
>>> Also re DNSSEC integration in the base, I've stated before that I
>>> believe very strongly that any kind of hard-coding of trust anchors as
>>> part of the base resolver setup is a bad idea, and should not be done.
>>> We need to leverage the ports system for this so that we don't get stuck
>>> with a scenario where we have stale stuff in the base that is hard for
>>> users to upgrade.
>>
>> Considering the current root update cert bundle has a 20-year root CA
>> and 5-year DNSSEC and email CAs,
>
> Neither of which has any relevance to the actual root zone ZSK, which
> could require an emergency roll tomorrow.

Emergency root key change is handled by just running unbound-anchor again
and having it download the new ZSK. The only thing it can't do is retrieve
the root cert chain--it either uses the compiled-in copy or a PEM file
passed with the -c flag. Am I missing something in that process?
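The exchange above turns on which root key a static trust anchor actually pins. As an added example (not from any poster in this thread and not unbound-anchor's code), the Python below parses a DNSKEY record in presentation form, tells a KSK from a ZSK by its flags, computes the RFC 4034 key tag, and derives the SHA-256 DS form that a trust-anchor file would carry; the two DNSKEY records are constructed samples, not real root-zone keys.

```python
import base64
import hashlib
import struct

# Constructed sample records (NOT real root-zone keys): a KSK (flags 257,
# SEP bit set) and a ZSK (flags 256) sharing the same dummy public key.
SAMPLE_KSK = "257 3 8 AwEAAavN"
SAMPLE_ZSK = "256 3 8 AwEAAavN"

FLAG_ZONE_KEY = 0x0100  # bit 7: the key signs a zone
FLAG_SEP = 0x0001       # bit 15: Secure Entry Point, by convention a KSK


def parse_dnskey(presentation: str) -> dict:
    """Parse 'flags protocol algorithm base64key' into fields plus wire RDATA."""
    flags_s, proto_s, alg_s, *key_parts = presentation.split()
    flags, proto, alg = int(flags_s), int(proto_s), int(alg_s)
    if proto != 3:
        raise ValueError("DNSKEY protocol field must be 3 (RFC 4034)")
    pubkey = base64.b64decode("".join(key_parts))
    rdata = struct.pack("!HBB", flags, proto, alg) + pubkey
    return {"flags": flags, "protocol": proto, "algorithm": alg,
            "pubkey": pubkey, "rdata": rdata}


def key_role(flags: int) -> str:
    """KSK if the SEP bit is set, ZSK if it is only a zone key, else 'other'."""
    if not flags & FLAG_ZONE_KEY:
        return "other"
    return "KSK" if flags & FLAG_SEP else "ZSK"


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (algorithms other than 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def owner_wire(name: str) -> bytes:
    """Canonical wire form of an owner name; the root '.' is a single zero byte."""
    labels = [lab for lab in name.rstrip(".").lower().split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def ds_digest(owner: str, rdata: bytes) -> str:
    """DS digest type 2 (SHA-256, RFC 4509): SHA-256(owner name | DNSKEY RDATA)."""
    return hashlib.sha256(owner_wire(owner) + rdata).hexdigest().upper()


def describe(owner: str, presentation: str) -> dict:
    """Summarise a DNSKEY the way a trust-anchor file would need to pin it."""
    rec = parse_dnskey(presentation)
    tag = key_tag(rec["rdata"])
    role = key_role(rec["flags"])
    out = {"role": role, "key_tag": tag, "algorithm": rec["algorithm"]}
    # Only the KSK is meaningful as a static anchor: the ZSK is signed by the
    # KSK and rolls routinely without any change to the configured anchor,
    # while a KSK roll invalidates whatever DS/DNSKEY the anchor file holds.
    if role == "KSK":
        out["ds"] = "%s IN DS %d %d 2 %s" % (owner, tag, rec["algorithm"],
                                             ds_digest(owner, rec["rdata"]))
    return out


if __name__ == "__main__":
    for sample in (SAMPLE_KSK, SAMPLE_ZSK):
        print(describe(".", sample))
```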
From: Dan Lukes
Date: Sun, 08 Jul 2012 16:41:22 +0200
Message-ID: <4FF99C12.8070004@obluda.cz>
To: freebsd-security@freebsd.org
Cc: FreeBSD Hackers
Subject: Re: Replacing BIND with unbound (Was: Re: Pull in upstream before 9.1 code freeze?)

> The ideal, long-term solution is to re-think what "The Base" is, and
> give users more flexibility at install time.

Flexibility is a double-edged sword.

Feel free to replace one resolver with another resolver (but don't do it so
often, please).
Applications can be patched to fit a new API, scripts can be modified to use
other command-line utilities. It is OK for me, as long as it is a rare big
bang.

But "right to select one from N resolvers at install time" sounds like the
way to hell for me.

FreeBSD is known to be a fast and reliable network server. The resolver is a
critical component. There should be ONE resolver in the base which is
guaranteed to work with all other baseline utilities and scripts. Also,
network related ports should compile against the selected base resolver.

No problem if someone replaces the system's resolver with another one from
ports, but such an administrator is just on his own. He must be ready to
resolve issues related to compatibility and reliability by himself.

Can we maintain three (or so) resolvers to be perfectly compatible with all
utilities and scripts in the base? I don't think so. I suspect that port
maintainers will not maintain their ports compatible with all "recommended"
resolvers as well.

I'm definitely not interested in making decisions like ...

"if I select resolver A at install time, then utility X will not work
correctly with it - it works with resolver B only; unfortunately, port P
can't be compiled against resolver B because its maintainer is using A only"

... in the future.

Just my $0.02

Dan

P.S. English is not my native language, so look for ideas, not for grammar.
From: Garrett Wollman
Date: Sun, 8 Jul 2012 13:43:15 -0400
Message-ID: <20473.50867.199081.295841@hergotha.csail.mit.edu>
To: Doug Barton
In-Reply-To: <4FF95365.7010605@FreeBSD.org>
Cc: freebsd-security@freebsd.org, FreeBSD Hackers
Subject: Re: Replacing BIND with unbound (Was: Re: Pull in upstream before 9.1 code freeze?)

< said:
> Neither of which has any relevance to the actual root zone ZSK, which
> could require an emergency roll tomorrow.

Surely that's why there's a separate KSK. The ZSK can be rolled at any time.

-GAWollman

From: Gabor Kovesdan
Date: Sun, 08 Jul 2012 22:25:25 +0200
Message-ID: <4FF9ECB5.5090507@FreeBSD.org>
To: Doug Barton
In-Reply-To: <4FF8C3A1.9080805@FreeBSD.org>
Cc: "Bjoern A. Zeeb", Dag-Erling Smørgrav, FreeBSD Hackers, freebsd-security@freebsd.org
Subject: Re: Replacing BIND with unbound (Was: Re: Pull in upstream before 9.1 code freeze?)

On 2012.07.08. 1:17, Doug Barton wrote:
> Other than authoritative DNS, what features does unbound lack that you want?

[Picking up a random mail from the thread.]

Other than the functionality, when we replace something, it is also
important to do some benchmarks and assure that the performance is not
reasonably worse. Some time back I committed the error of not carefully
passing this requirement with BSD grep, but so far it seems it went fine
with the recent BSD sort change. It would be nice to also ensure this with
the unbound change if it really happens.
Gabor

From: Doug Barton
Date: Sun, 08 Jul 2012 14:41:57 -0700
Message-ID: <4FF9FEA5.7060201@FreeBSD.org>
To: Garrett Wollman
In-Reply-To: <20473.50867.199081.295841@hergotha.csail.mit.edu>
Cc: freebsd-security@freebsd.org, FreeBSD Hackers
Subject: Re: Replacing BIND with unbound (Was: Re: Pull in upstream before 9.1 code freeze?)

On 07/08/2012 10:43, Garrett Wollman wrote:
> < said:
>
>> Neither of which has any relevance to the actual root zone ZSK, which
>> could require an emergency roll tomorrow.
>
> Surely that's why there's a separate KSK. The ZSK can be rolled at
> any time.
The ZSK is rolled on a regular schedule already. But that's irrelevant to
any future need to roll the KSK.

-- 
This .signature sanitized for your protection

From: Doug Barton
Date: Sun, 08 Jul 2012 14:42:51 -0700
Message-ID: <4FF9FEDB.5050602@FreeBSD.org>
To: Gabor Kovesdan
In-Reply-To: <4FF9ECB5.5090507@FreeBSD.org>
Cc: "Bjoern A. Zeeb", Dag-Erling Smørgrav, FreeBSD Hackers, freebsd-security@freebsd.org
Subject: Re: Replacing BIND with unbound (Was: Re: Pull in upstream before 9.1 code freeze?)

On 07/08/2012 13:25, Gabor Kovesdan wrote:
> On 2012.07.08. 1:17, Doug Barton wrote:
>> Other than authoritative DNS, what features does unbound lack that you
>> want?
> [Picking up a random mail from the thread.]
>
> Other than the functionality, when we replace something, it is also
> important to do some benchmarks and assure that the performance is not
> reasonably worse.

Agreed, and while I have no concerns in that regard, I leave the actual
benchmarking in Dag-Erling's capable hands. :)

--
This .signature sanitized for your protection

From owner-freebsd-security@FreeBSD.ORG Sun Jul 8 21:55:36 2012
From: Doug Barton
Date: Sun, 08 Jul 2012 14:55:35 -0700
To: Dan Lukes
Cc: freebsd-security@freebsd.org, FreeBSD Hackers
Subject: Re: Replacing BIND with unbound (Was: Re: Pull in upstream before 9.1 code freeze?)
Message-ID: <4FFA01D7.8090807@FreeBSD.org>
In-Reply-To: <4FF99C12.8070004@obluda.cz>
On 07/08/2012 07:41, Dan Lukes wrote:
>> The ideal, long-term solution is to re-think what "The Base" is, and
>> give users more flexibility at install time.
>
> Flexibility is a double-edged sword.
>
> Feel free to replace one resolver with another resolver (but don't do it
> so often, please). Applications can be patched to fit a new API, scripts
> can be modified to use other command-line utilities. It is OK for me, as
> long as it is a rare big bang.

Sorry, you're not understanding what is being proposed. Specifically
you're confusing the system stub resolver (the bit that's compiled into
libc, and used by binaries) and the resolving name server (BIND). No one
is proposing to replace the stub.

> I'm definitely not interested in making decisions like ...
>
> "if I select resolver A at install time, then utility X will not
> work correctly with it - it works with resolver B only; unfortunately,
> port P can't be compiled against resolver B because its maintainer is
> using A only"

No one is suggesting anything similar to what you're concerned about.
--
This .signature sanitized for your protection

From owner-freebsd-security@FreeBSD.ORG Sun Jul 8 22:44:33 2012
From: Dan Lukes
Date: Mon, 09 Jul 2012 00:44:30 +0200
To: freebsd-security@freebsd.org
Cc: FreeBSD Hackers
Subject: Re: Replacing BIND with unbound (Was: Re: Pull in upstream before 9.1 code freeze?)
Message-ID: <4FFA0D4E.3050507@obluda.cz>
In-Reply-To: <4FFA01D7.8090807@FreeBSD.org>

On 07/08/12 23:55, Doug Barton:
> On 07/08/2012 07:41, Dan Lukes wrote:
...
> Sorry, you're not understanding what is being proposed. Specifically
> you're confusing the system stub resolver (the bit that's compiled into
> libc, and used by binaries) and the resolving name server (BIND). No one
> is proposing to replace the stub.

The libc stub resolver is based on BIND code, so I assumed that the
arguments against BIND apply to it as well. I'm happy that's not true.

In my humble opinion, no resolving name server needs to be part of the
base at all. We have no DHCP, VPN, RADIUS, WWW, ... server in the base
either.

Thank you for clarifying.

Dan

From owner-freebsd-security@FreeBSD.ORG Mon Jul 9 02:22:45 2012
From: "Dewayne Geraghty"
Date: Mon, 9 Jul 2012 09:25:43 +1000
To: "'Michael Holmes'"
Cc: 'freebsd-security'
Subject: RE: OpenSSL on 9.0-RELEASE-p3 using Camellia as default TLS cipher?

Michael,

I think you'll find that the cipher selection is based on negotiation
between the client & server. Perhaps if you examine the config files, or
ascertain the defaults of the applications being used, you'll be able to
pin-point the reason for the selection.

Regards, Dewayne.

From owner-freebsd-security@FreeBSD.ORG Mon Jul 9 04:49:37 2012
From: Matt Dawson
Date: Mon, 9 Jul 2012 05:49:32 +0100
To: freebsd-security@freebsd.org
Subject: Re: Replacing BIND with unbound (Was: Re: Pull in upstream before 9.1 code freeze?)
Message-Id: <201207090449.q694nW9C094754@chronos.org.uk>
In-Reply-To: <20473.50867.199081.295841@hergotha.csail.mit.edu>

On Sun, 8 Jul 2012 13:43:15 -0400 Garrett Wollman wrote:
> Surely that's why there's a separate KSK. The ZSK can be rolled at
> any time.

FSVO "any" with a mind to propagation. The KSK is your secure entry
point, hence, if it is compromised, the tentacles come out if it's
included in base by default. Resolver admins need to be aware that these
are variables and not constants. Including things like this in base
makes it look as if it's carved in stone. Doug's point is well made.

TBH, even having the root zone in base is a bit daft.

--
Matt Dawson
MTD15-RIPE
GW0VNR

From owner-freebsd-security@FreeBSD.ORG Mon Jul 9 10:39:39 2012
From: Dag-Erling Smørgrav
Date: Mon, 09 Jul 2012 12:39:37 +0200
To: Gabor Kovesdan
In-Reply-To: <4FF9ECB5.5090507@FreeBSD.org> (Gabor Kovesdan's message of "Sun, 08 Jul 2012 22:25:25 +0200")
Message-ID: <863951nrpy.fsf@ds4.des.no>
Cc: "Bjoern A. Zeeb", Doug Barton, FreeBSD Hackers, freebsd-security@freebsd.org
Subject: Re: Replacing BIND with unbound

Gabor Kovesdan writes:
> Other than the functionality, when we replace something, it is also
> important to do some benchmarks and assure that the performance is not
> reasonably worse. Some time back I committed the error of not
> carefully passing this requirement with BSD grep, but so far it seems it
> went fine with the recent BSD sort change. It would be nice to also
> ensure this with the unbound change if it really happens.

What sort of benchmarks do you envision? Unlike named, unbound is
intended to serve only one client (localhost) or a small number of
clients (a SOHO). With that kind of load, one could be ten times slower
than the other and you wouldn't notice, because other factors, like
network latency, completely dwarf the time the nameserver itself spends
servicing a request.

(note that I fully expect unbound to hold its own on corporate networks
with thousands of clients, but I doubt my boss is going to let me run
performance comparisons on the university's network)

DES
--
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@FreeBSD.ORG Mon Jul 9 10:55:28 2012
From: "Simon L. B. Nielsen"
Date: Mon, 9 Jul 2012 11:55:27 +0100
To: Doug Barton, Dag-Erling Smørgrav
Cc: freebsd-security@freebsd.org, Adam Vande More, FreeBSD Hackers, "Bjoern A. Zeeb"
Subject: Re: Replacing BIND with unbound (Was: Re: Pull in upstream before 9.1 code freeze?)
In-Reply-To: <4FF952FB.10200@FreeBSD.org>

On Sun, Jul 8, 2012 at 10:29 AM, Doug Barton wrote:
> Unbound has different policies and release schedules that are more in
> line with ours. So in the short term (as in, the next few years) we're
> better off with unbound in the base.

Where is there information about this / what is their support? When I
looked at their website I found nothing about security support, branch
handling etc. and nobody has replied to that part in these threads
(unless I missed it - I just rescanned the thread without seeing a reply).

--
Simon L. B. Nielsen

From owner-freebsd-security@FreeBSD.ORG Mon Jul 9 12:25:04 2012
From: "Andrej (Andy) Brodnik"
Date: Mon, 09 Jul 2012 14:15:13 +0200
To: freebsd-security@freebsd.org
Subject: Re: Replacing BIND with unbound (Was: Re: Pull in upstream before 9.1 code freeze?)
Message-ID: <4FFACB51.90001@brodnik.org>

Excuse my ignorance - but is there a how-to paper on the transition from
bind to unbound for SOHO?

Thanx and LPA

On 12-07-09 12:55 PM, Simon L. B. Nielsen wrote:
> On Sun, Jul 8, 2012 at 10:29 AM, Doug Barton wrote:
>> Unbound has different policies and release schedules that are more in
>> line with ours. So in the short term (as in, the next few years) we're
>> better off with unbound in the base.
> Where is there information about this / what is their support? When I
> looked at their website I found nothing about security support, branch
> handling etc. and nobody has replied to that part in these threads
> (unless I missed it - I just rescanned the thread without seeing a reply).
>
> --
> Simon L. B. Nielsen
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"

From owner-freebsd-security@FreeBSD.ORG Mon Jul 9 13:36:42 2012
From: Dag-Erling Smørgrav
Date: Mon, 09 Jul 2012 15:36:32 +0200
To: Matt Dawson
Cc: freebsd-security@freebsd.org
Subject: Re: Replacing BIND with unbound
Message-ID: <86y5mtm4yn.fsf@ds4.des.no>
In-Reply-To: <201207090449.q694nW9C094754@chronos.org.uk> (Matt Dawson's message of "Mon, 9 Jul 2012 05:49:32 +0100")

Matt Dawson writes:
> TBH, even having the root zone in base is a bit daft.

The root zone we ship is a hint used to bootstrap named. Without it,
named is a brick, unless all you want is an authoritative-only
nameserver. All named does with that hint file is use it to locate a
root server from which it can obtain a fresh copy of the root zone. Feel
free to replace it with a fresh copy from InterNIC. Since the root zone
is signed, you could even set up a cron job to automatically update the
hint file at regular intervals.
DES
--
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@FreeBSD.ORG Mon Jul 9 15:17:08 2012
From: Mark Felder
Date: Mon, 9 Jul 2012 10:16:46 -0500
To: freebsd-security@freebsd.org
Subject: Re: Replacing BIND with unbound
In-Reply-To: <863951nrpy.fsf@ds4.des.no>

On Mon, 09 Jul 2012 05:39:37 -0500, Dag-Erling Smørgrav wrote:
> What sort of benchmarks do you envision? Unlike named, unbound is
> intended to serve only one client (localhost) or a small number of
> clients (a SOHO).

Highly disagree; we use it (ISP) as our resolving nameserver for all of
our customers.

From owner-freebsd-security@FreeBSD.ORG Mon Jul 9 18:29:29 2012
From: Chris Rees
Date: Mon, 9 Jul 2012 19:28:57 +0100
To: Mark Felder
Cc: freebsd-security@freebsd.org
Subject: Re: Replacing BIND with unbound

On 9 July 2012 16:16, Mark Felder wrote:
> On Mon, 09 Jul 2012 05:39:37 -0500, Dag-Erling Smørgrav wrote:
>
>> What sort of benchmarks do you envision? Unlike named, unbound is
>> intended to serve only one client (localhost) or a small number of
>> clients (a SOHO).
>
> Highly disagree; we use it (ISP) as our resolving nameserver for all of
> our customers.

As Doug has pointed out, you can always get BIND from a port; not every
installation requires a heavyweight resolver.

Chris

From owner-freebsd-security@FreeBSD.ORG Mon Jul 9 19:00:32 2012
From: Dag-Erling Smørgrav
Date: Mon, 09 Jul 2012 21:00:30 +0200
To: Mark Felder
Cc: freebsd-security@freebsd.org
Subject: Re: Replacing BIND with unbound
Message-ID: <86pq84n4j5.fsf@ds4.des.no>
In-Reply-To: (Mark Felder's message of "Mon, 9 Jul 2012 10:16:46 -0500")

Mark Felder writes:
> Dag-Erling Smørgrav writes:
> > What sort of benchmarks do you envision? Unlike named, unbound is
> > intended to serve only one client (localhost) or a small number of
> > clients (a SOHO).
> Highly disagree; we use it (ISP) as our resolving nameserver for all
> of our customers.

Good for you.
From what I've read, I should think it works just fine, but I have no personal experience running unbound on large networks. I'd love to try it out on the UiO network, but I doubt they'd let me... My basis for stating that it is intended primarily for localhost and SOHO is its feature set, which seems particularly well suited to that kind of use. Organizations with large networks generally need authoritative nameservers as well, but they can of course have both outward-facing BIND or NSD servers and inward-facing unbound servers, or have their registrar handle the authoritative side. DES --=20 Dag-Erling Sm=C3=B8rgrav - des@des.no From owner-freebsd-security@FreeBSD.ORG Mon Jul 9 20:58:43 2012 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx2.freebsd.org (mx2.freebsd.org [IPv6:2001:4f8:fff6::35]) by hub.freebsd.org (Postfix) with ESMTP id 2E3841065674 for ; Mon, 9 Jul 2012 20:58:43 +0000 (UTC) (envelope-from dougb@FreeBSD.org) Received: from opti.dougb.net (hub.freebsd.org [IPv6:2001:4f8:fff6::36]) by mx2.freebsd.org (Postfix) with ESMTP id 256A1203CF0; Mon, 9 Jul 2012 20:56:14 +0000 (UTC) Message-ID: <4FFB456D.8010609@FreeBSD.org> Date: Mon, 09 Jul 2012 13:56:13 -0700 From: Doug Barton Organization: http://SupersetSolutions.com/ User-Agent: Mozilla/5.0 (X11; FreeBSD i386; rv:13.0) Gecko/20120624 Thunderbird/13.0.1 MIME-Version: 1.0 To: =?ISO-8859-1?Q?Dag-Erling_Sm=F8rgrav?= References: <4FF2E00E.2030502@FreeBSD.org> <86bojxow6x.fsf@ds4.des.no> <89AB703D-E075-4AAC-AC1B-B358CC4E4E7F@lists.zabbadoz.net> <4FF8C3A1.9080805@FreeBSD.org> <0AFE3C4A-22DB-4134-949F-4D05BBFC4C6C@lists.zabbadoz.net> <4FF8CA35.7040209@FreeBSD.org> <4FF8D89B.1030308@bluerosetech.com> <4FF95365.7010605@FreeBSD.org> <20473.50867.199081.295841@hergotha.csail.mit.edu> <201207090449.q694nW9C094754@chronos.org.uk> <86y5mtm4yn.fsf@ds4.des.no> In-Reply-To: <86y5mtm4yn.fsf@ds4.des.no> X-Enigmail-Version: 1.4.2 OpenPGP: id=1A1ABC84 Content-Type: text/plain; charset=ISO-8859-1 
Cc: freebsd-security@freebsd.org, Matt Dawson
Subject: Re: Replacing BIND with unbound

On 07/09/2012 06:36, Dag-Erling Smørgrav wrote:
> Matt Dawson writes:
>> TBH, even having the root zone in base is a bit daft.
>
> The root zone we ship is a hint used to bootstrap named. Without it,
> named is a brick, unless all you want is an authoritative-only
> nameserver.

The hints file is not actually the root zone, it's a list of name servers and IP addresses. Without it, named would still be able to bootstrap since they long ago included that information in the source.

> All named does with that hint file is use it to locate a
> root server from which it can obtain a fresh copy of the root zone.

This is accurate, and it's worth pointing out that you only need to reach one working server to bootstrap, and the change rate for the existing server addresses is anywhere from years to decades.
hth,

Doug

-- 
This .signature sanitized for your protection

From owner-freebsd-security@FreeBSD.ORG Thu Jul 12 18:04:58 2012
From: Jung-uk Kim <jkim@FreeBSD.org>
To: freebsd-current@freebsd.org
Cc: Ben Laurie, freebsd-security@FreeBSD.org
Date: Thu, 12 Jul 2012 14:04:58 -0400
Message-ID: <4FFF11CA.60004@FreeBSD.org>
Subject: [HEADSUP] OpenSSL 1.0.1c merge in progress

OpenSSL 1.0.1c will be merged to head today. There will be several important changes to note.

- Several crypto/engine modules will be added or enabled by default to closely match OpenSSL default, e.g., Camellia (crypto), SEED (crypto), CHIL (engine), GOST (engine), etc.
- MD2 will be removed because a) it is disabled by default and b) we removed it from libmd.
- Optimized amd64 asm files will be added and enabled by default.
- Optimized i386 asm files will be updated and new files will be added.
- opensslconf.h for amd64 and i386 will be merged.
Unfortunately, library versions will be bumped, i.e.,

libcrypto.so.6 -> libcrypto.so.7
libssl.so.6 -> libssl.so.7

Therefore, all binaries depending on these need to be recompiled. Also, you may have to merge your /etc/ssl/openssl.conf changes.

Jung-uk Kim

From owner-freebsd-security@FreeBSD.ORG Thu Jul 12 18:30:05 2012
From: Jung-uk Kim <jkim@FreeBSD.org>
To: freebsd-current@freebsd.org
Cc: Ben Laurie, freebsd-security@freebsd.org
Date: Thu, 12 Jul 2012 14:30:04 -0400
Message-ID: <4FFF17AC.6080907@FreeBSD.org>
In-Reply-To: <4FFF11CA.60004@FreeBSD.org>
Subject: Re: [HEADSUP] OpenSSL 1.0.1c merge in progress

On 2012-07-12 14:04:58 -0400, Jung-uk Kim wrote:
> - Several crypto/engine modules will be added or enabled by default
> to closely match OpenSSL
> default, e.g., Camellia (crypto), SEED
> (crypto), CHIL (engine), GOST (engine), etc.

Actually, CHIL is already enabled. My bad.

Jung-uk Kim

From owner-freebsd-security@FreeBSD.ORG Thu Jul 12 21:11:00 2012
From: "Wilson, William O" <William.Wilson@unisys.com>
To: freebsd-security@freebsd.org
Date: Thu, 12 Jul 2012 16:10:09 -0500
Message-ID: <99C8B2929B39C24493377AC7A121E21FB032D08A74@USEA-EXCH8.na.uis.unisys.com>
Subject: FIPS140-2

Greetings,

We have a need for a FIPS140-2 compliant FreeBSD kernel plus keymanager. Has anyone done this before?

My (naïve?) approach is to replace the crypto-dev driver with an openssl fipscanister based crypto driver, use a second application layer openssl fipscanister for the key manager crypto and remove all non-fips crypto from the kernel. Unsure if FIPS allows two copies of fipscanister.

Design is always easier when one is ignorant.

regards
From owner-freebsd-security@FreeBSD.ORG Fri Jul 13 00:03:10 2012
From: Jung-uk Kim <jkim@FreeBSD.org>
To: freebsd-current@freebsd.org
Cc: Ben Laurie, freebsd-security@freebsd.org
Date: Thu, 12 Jul 2012 20:03:09 -0400
Message-ID: <4FFF65BD.4060707@FreeBSD.org>
In-Reply-To: <4FFF11CA.60004@FreeBSD.org>
Subject: Re: [HEADSUP] OpenSSL 1.0.1c merge in progress

On 2012-07-12 14:04:58 -0400, Jung-uk Kim wrote:
> OpenSSL 1.0.1c will be merged to head today. There will be
> several important changes to note.
>
> - Several crypto/engine modules will be added or enabled by default
> to closely match OpenSSL default, e.g., Camellia (crypto), SEED
> (crypto), GOST (engine), etc.
> - MD2 will be removed because a) it is disabled by default and b) we
> removed it from libmd.
> - Optimized amd64 asm files will be added and enabled by default.
> - Optimized i386 asm files will be updated and new files will be added.
> - opensslconf.h for amd64 and i386 will be merged.
>
> Unfortunately, library versions will be bumped, i.e.,
>
> libcrypto.so.6 -> libcrypto.so.7
> libssl.so.6 -> libssl.so.7
>
> Therefore, all binaries depending on these need to be recompiled.
> Also, you may have to merge your /etc/ssl/openssl.conf changes.

FYI, OpenSSL 1.0.1c import is complete now. Please let me know if you have any problem.

Cheers,

Jung-uk Kim

From owner-freebsd-security@FreeBSD.ORG Fri Jul 13 08:00:23 2012
From: Konstantin Belousov <kostikbel@gmail.com>
To: Jung-uk Kim
Date: Fri, 13 Jul 2012 11:00:14 +0300
Message-ID: <20120713080014.GN2338@deviant.kiev.zoral.com.ua>
In-Reply-To: <4FFF65BD.4060707@FreeBSD.org>
Cc: Ben Laurie, freebsd-security@freebsd.org, freebsd-current@freebsd.org
Subject: Re: [HEADSUP] OpenSSL 1.0.1c merge in progress

On Thu, Jul 12, 2012 at 08:03:09PM -0400, Jung-uk Kim wrote:
> On 2012-07-12 14:04:58 -0400, Jung-uk Kim wrote:
> > OpenSSL 1.0.1c will be merged to head today. There will be
> > several important changes to note.
> >
> > - Several crypto/engine modules will be added or enabled by default
> > to closely match OpenSSL default, e.g., Camellia (crypto), SEED
> > (crypto), GOST (engine), etc.
> > - MD2 will be removed because a) it is disabled by default and b) we
> > removed it from libmd.
> > - Optimized amd64 asm files will be added and enabled by default.
> > - Optimized i386 asm files will be updated and new files will be added.

How were the asm files generated (I am sure they are generated)?

> > - opensslconf.h for amd64 and i386 will be merged.
> >
> > Unfortunately, library versions will be bumped, i.e.,
> >
> > libcrypto.so.6 -> libcrypto.so.7
> > libssl.so.6 -> libssl.so.7
> >
> > Therefore, all binaries depending on these need to be recompiled.
> > Also, you may have to merge your /etc/ssl/openssl.conf changes.
>
> FYI, OpenSSL 1.0.1c import is complete now. Please let me know if you
> have any problem.
>
> Cheers,
>
> Jung-uk Kim

From owner-freebsd-security@FreeBSD.ORG Fri Jul 13 09:55:15 2012
From: Doug Barton <dougb@dougbarton.us>
Organization: http://SupersetSolutions.com/
To: Jung-uk Kim
Cc: Ben Laurie, freebsd-security@freebsd.org, freebsd-current@freebsd.org
Date: Fri, 13 Jul 2012 02:55:04 -0700
Message-ID: <4FFFF078.6050109@dougbarton.us>
In-Reply-To: <4FFF65BD.4060707@FreeBSD.org>
Subject: Re: [HEADSUP] OpenSSL 1.0.1c merge in progress

On 07/12/2012 05:03 PM, Jung-uk Kim wrote:
> FYI, OpenSSL 1.0.1c import is complete now. Please let me know if you
> have any problem.

Sorry if I missed it, but did you bump OSVERSION for this change? If not, could you? It would be helpful for dealing with ports stuff, especially USE_OPENSSL.
Doug

From owner-freebsd-security@FreeBSD.ORG Fri Jul 13 15:52:45 2012
From: Jung-uk Kim <jkim@FreeBSD.org>
To: Doug Barton
Cc: Ben Laurie, freebsd-security@FreeBSD.org, freebsd-current@FreeBSD.org
Date: Fri, 13 Jul 2012 11:52:44 -0400
Message-ID: <5000444C.6030000@FreeBSD.org>
In-Reply-To: <4FFFF078.6050109@dougbarton.us>
Subject: Re: [HEADSUP] OpenSSL 1.0.1c merge in progress

On 2012-07-13 05:55:04 -0400, Doug Barton wrote:
> On 07/12/2012 05:03 PM, Jung-uk Kim wrote:
>> FYI, OpenSSL 1.0.1c import is complete now. Please let me know
>> if you have any problem.
>
> Sorry if I missed it, but did you bump OSVERSION for this change?
> If not, could you? It would be helpful for dealing with ports
> stuff, especially USE_OPENSSL.

Yes, it was bumped with the commit.
Jung-uk Kim

From owner-freebsd-security@FreeBSD.ORG Fri Jul 13 17:30:43 2012
From: Doug Barton <dougb@dougbarton.us>
Organization: http://SupersetSolutions.com/
To: Jung-uk Kim
Cc: Ben Laurie, freebsd-security@FreeBSD.org, freebsd-current@FreeBSD.org
Date: Fri, 13 Jul 2012 10:30:37 -0700
Message-ID: <50005B3D.80505@dougbarton.us>
In-Reply-To: <5000444C.6030000@FreeBSD.org>
Subject: Re: [HEADSUP] OpenSSL 1.0.1c merge in progress
On 07/13/2012 08:52 AM, Jung-uk Kim wrote:
> On 2012-07-13 05:55:04 -0400, Doug Barton wrote:
>> On 07/12/2012 05:03 PM, Jung-uk Kim wrote:
>>> FYI, OpenSSL 1.0.1c import is complete now. Please let me know
>>> if you have any problem.
>
>> Sorry if I missed it, but did you bump OSVERSION for this change?
>> If not, could you? It would be helpful for dealing with ports
>> stuff, especially USE_OPENSSL.
>
> Yes, it was bumped with the commit.

Thanks, and again, sorry I missed it.

From owner-freebsd-security@FreeBSD.ORG Fri Jul 13 18:39:32 2012
From: Jung-uk Kim <jkim@FreeBSD.org>
To: Konstantin Belousov
Cc: Ben Laurie, freebsd-security@freebsd.org, freebsd-current@freebsd.org
Date: Fri, 13 Jul 2012 14:39:31 -0400
Message-ID: <50006B63.4020901@FreeBSD.org>
In-Reply-To: <20120713080014.GN2338@deviant.kiev.zoral.com.ua>
Subject: Re: [HEADSUP] OpenSSL 1.0.1c merge in progress
On 2012-07-13 04:00:14 -0400, Konstantin Belousov wrote:
> How were the asm files generated (I am sure they are generated)?

Yes, they are all re-generated. Mostly, it is described in FREEBSD-upgrade file:

http://svnweb.freebsd.org/base/vendor-crypto/openssl/dist/FREEBSD-upgrade?view=markup&pathrev=238384

Basically, it goes something like this:

cd ${SRCDIR}/secure/lib/libcrypto
make -f Makefile.asm all
mv *.[Ss] ${MACHINE_CPUARCH}
make -f Makefile.asm clean

Jung-uk Kim

From owner-freebsd-security@FreeBSD.ORG Fri Jul 13 19:33:28 2012
From: Brett Glass <brett@lariat.org>
To: Jung-uk Kim, freebsd-current@freebsd.org
Cc: Ben Laurie, freebsd-security@freebsd.org, dougb@dougbarton.us
Date: Fri, 13 Jul 2012 13:03:39 -0600
Message-ID: <201207131903.NAA05515@lariat.net>
In-Reply-To: <4FFF65BD.4060707@FreeBSD.org>
Subject: Re: [HEADSUP] OpenSSL 1.0.1c merge in progress
Will port also be MFCed to 9-RELENG and 9.1-RELEASE? Do not want to have to go to -CURRENT to get latest OpenSSL.

--Brett Glass

From owner-freebsd-security@FreeBSD.ORG Fri Jul 13 20:01:17 2012
From: Jung-uk Kim <jkim@FreeBSD.org>
To: Brett Glass
Cc: Ben Laurie, freebsd-security@freebsd.org, freebsd-current@freebsd.org, dougb@dougbarton.us
Date: Fri, 13 Jul 2012 16:01:16 -0400
Message-ID: <50007E8C.2000207@FreeBSD.org>
In-Reply-To: <201207131903.NAA05515@lariat.net>
Subject: Re: [HEADSUP] OpenSSL 1.0.1c merge in progress

On 2012-07-13 15:03:39 -0400, Brett Glass wrote:
> Will port also be MFCed to 9-RELENG and 9.1-RELEASE? Do not want
> to have to go to -CURRENT to get latest OpenSSL.
Sorry, we have no plan to MFC this to stable branches because of API and feature changes. However, you may need OpenSSL from ports tree, which has the same version ATM.

Jung-uk Kim