From owner-freebsd-questions@FreeBSD.ORG Fri Aug 15 22:50:53 2008
Message-ID: <48A60840.4070502@infracaninophile.co.uk>
Date: Fri, 15 Aug 2008 23:50:40 +0100
From: Matthew Seaman
Organization: Infracaninophile
To: Tim Daneliuk
Cc: FreeBSD Mailing List
Subject: Re: Updated 'bind' And FreeBSD 6.3
References: <48A5FB1B.4040001@tundraware.com>
In-Reply-To: <48A5FB1B.4040001@tundraware.com>

Tim Daneliuk wrote:
> Is there an expected date when the latest version of bind9 (that fixes
> the recently discussed DNS vulnerability) will be merged into the
> 6.3-STABLE tree. I patch and update fairly regularly and
> bind -v gives me: BIND 9.3.5-P1 I believe the patched version
> is something like 9.5.0-P?...
>
> TIA,

Patches against the Kaminsky attack were released for all of the
supported BIND branches. 9.3.5-P1 is a patched version.

You can verify that your bind is patched by using the dns oarc tester:

    https://www.dns-oarc.net/oarc/services/dnsentropy

or manually by:

    dig +short porttest.dns-oarc.net TXT

If it reports 'poor' you still need to fix your server. Beware of NAT
gateways which can reduce the randomness with which source ports are
used in passing.

    Cheers,

    Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW
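
Added example, not part of the original message: a Python sketch of why a patched resolver can still be rated 'poor' when it sits behind a NAT gateway, as the reply warns. The port lists are constructed, and the sequential-rewriting NAT model and the POOR_STDEV cut-off are assumptions of this example, not DNS-OARC's scoring.

```python
import statistics

# Hypothetical cut-off for this example only; not DNS-OARC's published scale.
POOR_STDEV = 300.0


def port_spread(ports):
    """Summarise the UDP source ports one resolver used for a batch of queries."""
    return {
        "queries": len(ports),
        "distinct": len(set(ports)),
        "stdev": statistics.pstdev(ports) if len(ports) > 1 else 0.0,
    }


def rate(ports, poor_below=POOR_STDEV):
    """Return 'poor' when the source ports are too predictable, else 'ok'."""
    s = port_spread(ports)
    # A single reused port is fully predictable, whatever the sample size.
    if s["queries"] < 2 or s["distinct"] == 1:
        return "poor"
    return "poor" if s["stdev"] < poor_below else "ok"


def sequential_nat(ports, first_port=1024):
    """Model (assumed) of a NAT gateway that rewrites each outgoing source
    port to the next free port, discarding the resolver's own choice."""
    return [first_port + i for i in range(len(ports))]


# Constructed samples: source ports as the remote name server would see them.
PATCHED = [49731, 3187, 61022, 17450, 38809, 9256,
           55317, 26644, 44102, 12873, 33590, 58461]
FIXED_PORT = [32769] * 12        # resolver reusing one source port
BEHIND_NAT = sequential_nat(PATCHED)

if __name__ == "__main__":
    for name, ports in [("randomised ports", PATCHED),
                        ("one fixed port", FIXED_PORT),
                        ("randomised, behind NAT", BEHIND_NAT)]:
        s = port_spread(ports)
        print(f"{name:24} {rate(ports):5} distinct={s['distinct']:2} "
              f"stdev={s['stdev']:.1f}")
```

The NAT case keeps twelve distinct ports but they are consecutive, so a check based only on the number of distinct ports would miss it; the spread is what collapses.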