Date: Wed, 3 Apr 2013 15:00:01 GMT From: Mark Knight <markk@knigma.org> To: freebsd-bugs@FreeBSD.org Subject: Re: conf/177607: named.conf comment to slave root suggests potentially dangerous BIND configuration Message-ID: <201304031500.r33F01hr091679@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
The following reply was made to PR conf/177607; it has been noted by GNATS. From: Mark Knight <markk@knigma.org> To: Maxim Konovalov <maxim.konovalov@gmail.com> Cc: bug-followup@freebsd.org Subject: Re: conf/177607: named.conf comment to slave root suggests potentially dangerous BIND configuration Date: Wed, 03 Apr 2013 15:51:35 +0100 Thanks for fixing up the Repy-To. I stupidly uncommented these lines on a box *assuming* it was safe. Once upon a time responding to root DNS queries wouldn't have been considered a bad thing. However today I received an abuse@ report to thank me for my error. The comment above the stanza doesn't mention the amplifier threat (although it does mention general caution) and appears to offer a good suggestion for improving resilience and reducing net traffic that's "ready to run". Clearly it isn't. My rationale was that it's a quick and easy fix and given the recent attacks it was worth giving this a high priority in the name of pro-active security. It's a potential security issue and is therefore serious. Apologies if I've exaggerated the threat.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201304031500.r33F01hr091679>