From: Tim Daneliuk
Date: Fri, 15 Aug 2008 19:58:07 -0500
To: Matthew Seaman
Cc: FreeBSD Mailing List
Subject: Re: Updated 'bind' And FreeBSD 6.3

Matthew Seaman wrote:
> Tim Daneliuk wrote:
>> Is there an expected date when the latest version of bind9 (that fixes
>> the recently discussed DNS vulnerability) will be merged into the
>> 6.3-STABLE tree. I patch and update fairly regularly and
>> bind -v gives me: BIND 9.3.5-P1 I believe the patched version
>> is something like 9.5.0-P?...
>>
>> TIA,
>
> Patches against the Kaminsky attack were released for all of the
> supported BIND branches. 9.3.5-P1 is a patched version. You can verify
> that your bind is patched by using the dns oarc tester:
>
>    https://www.dns-oarc.net/oarc/services/dnsentropy
>
> or manually by:
>
>    dig +short porttest.dns-oarc.net TXT
>
> If it reports 'poor' you still need to fix your server. Beware of NAT
> gateways which can reduce the randomness with which source ports are
> used in passing.
>
>    Cheers,
>
>    Matthew

Thanks all - I do indeed have the patches and can now no longer spend nights
worried about these ;)

--
----------------------------------------------------------------------------
Tim Daneliuk     tundra@tundraware.com
PGP Key:         http://www.tundraware.com/PGP/
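
The NAT caveat in the quoted reply, as an added example that is not part of the original thread: a patched resolver picks random source ports, but a gateway that rewrites them sequentially removes that randomness before the queries reach the outside world. The function names, the sequential NAT model, the sample data and the 296 cut-off are assumptions made for this illustration.

```python
import random
import statistics


def port_spread(ports):
    """Return (distinct_port_count, population_std_dev) for observed source ports."""
    if len(ports) < 2:
        raise ValueError("need at least two observed queries")
    return len(set(ports)), statistics.pstdev(ports)


def nat_rewrite_sequential(ports, first_port=1024):
    """Model a NAT gateway that ignores the inside source port and hands out
    the next free outside port per new flow (hypothetical behaviour)."""
    return [first_port + i for i in range(len(ports))]


def rate(ports, poor_below=296.0):
    """Label a sample 'poor' when its std dev is below poor_below.
    The default is an assumed cut-off for this example, not from the email."""
    _, std_dev = port_spread(ports)
    return "poor" if std_dev < poor_below else "ok"


# Constructed samples of 26 queries each, as seen by the remote name server.
rng = random.Random(2008)
FIXED_PORT = [53] * 26                           # resolver pinned to one port
RANDOMISED = rng.sample(range(1024, 65536), 26)  # patched resolver, no NAT
BEHIND_NAT = nat_rewrite_sequential(RANDOMISED)  # same resolver, rewritten

if __name__ == "__main__":
    samples = [("fixed port", FIXED_PORT),
               ("randomised", RANDOMISED),
               ("randomised behind sequential NAT", BEHIND_NAT)]
    for name, sample in samples:
        distinct, std_dev = port_spread(sample)
        print(f"{name}: {distinct} ports, std dev {std_dev:.1f}, {rate(sample)}")
```

The third sample uses 26 distinct ports yet still rates poor, which is why the spread of the ports matters and not only how many different ones appear.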