From: Chris Palmer <chris@noncombatant.org>
To: freebsd-security@freebsd.org
Date: Wed, 9 Jul 2008 11:23:40 -0700
Subject: Re: BIND update?
Message-ID: <20080709182340.GD55473@noncombatant.org>
In-Reply-To: <17cd1fbe0807091027n6af312cbwab3d3277f2b5e081@mail.gmail.com>
References: <17cd1fbe0807090819o2aa28250h13c58dbe262abb7c@mail.gmail.com> <3a558cb8f79e923db0c6945830834ba2.squirrel@galain.elvandar.org> <17cd1fbe0807090909i566e1789s6b7b61bf82dd333e@mail.gmail.com> <4874ECDA.60202@elvandar.org> <4874F149.1040101@FreeBSD.org> <17cd1fbe0807091027n6af312cbwab3d3277f2b5e081@mail.gmail.com>
List-Id: "Security issues [members-only posting]" (freebsd-security@freebsd.org)

Okay everybody, take a step back, take a deep breath, and count to ten. :)

DNS has never provided any security guarantees, and so a marginal increase or decrease in the difficulty of spoofing responses is not a huge issue in the grand scheme of things. Even if the 16 bits were somehow pure delicious entropy, it would still only be 16 bits.
If you want to provide DNS service yet minimize the risk to the server, BIND should never have been your first choice. It has a rough history, and there are more secure alternatives. Some people like BIND anyway. Cool. They accept that risk.

DNSSEC is not widely deployed; and if it were, would that matter? Would you securely resolve important.example.com, only to talk to that host via HTTP? HTTP, like DNS, has never provided any security guarantees. It's not clear that, given correct authentication of important.example.com via X509 cert and a trusted third party (or by careful examination of the known-good fingerprint), "secure" DNS would provide any additional server authentication. Granted, I say "given correct authentication of important.example.com via X509 cert" as if that were easy. ;) In any case, that is all we have in the real world today. See also: SSH host keys.

So I'm not too worried about the lack of urgency from the FreeBSD security team on this particular issue. It's not news that DNS is insecure and that BIND has a bug. Nobody should have been depending on the security of DNS or on a bulletproof BIND.
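The "it would still only be 16 bits" point above is worth putting numbers on. The following is an added example, not part of Chris Palmer's message and not FreeBSD or BIND code. It models a blind (off-path) spoofer who cannot see the query, gets a fixed number of distinct guesses in before the real answer closes each race, and can provoke a fresh query, hence a fresh race, as often as it likes. The attacker model, the per-race packet budget and the comparison against a 32-bit guess space (a 16-bit transaction ID plus a randomized 16-bit UDP source port, which the post does not discuss) are all assumptions of this example; the post itself only talks about the 16 bits.

```python
# Added example (not from the original post): a back-of-the-envelope model of
# what a b-bit guess space buys against blind DNS response spoofing.
#
# Attacker model assumed here:
#   - off-path: cannot see the query, so must guess the value(s) the resolver
#     checks before accepting an answer (16-bit TXID; optionally also a
#     randomized 16-bit UDP source port, an assumption not in the post);
#   - sends `forged_per_window` distinct guesses before the genuine answer
#     arrives and closes the race for that one query;
#   - can trigger a fresh query, and so a fresh independent race, `windows` times.
import math


def window_win_probability(bits: int, forged_per_window: int) -> float:
    """Chance of winning one race: distinct guesses over a uniform bits-bit value."""
    if bits < 0 or forged_per_window < 0:
        raise ValueError("bits and forged_per_window must be non-negative")
    space = 2 ** bits
    return min(forged_per_window, space) / space


def campaign_success_probability(bits: int, forged_per_window: int, windows: int) -> float:
    """Chance that at least one of `windows` independent races is won."""
    p = window_win_probability(bits, forged_per_window)
    return 1.0 - (1.0 - p) ** windows


def windows_for_confidence(bits: int, forged_per_window: int, confidence: float) -> int:
    """Smallest number of races that gives overall success probability >= confidence."""
    if not 0.0 < confidence < 1.0:
        raise ValueError("confidence must be strictly between 0 and 1")
    p = window_win_probability(bits, forged_per_window)
    if p == 0.0:
        raise ValueError("no guesses per window: the attacker can never win")
    if p >= 1.0:
        return 1  # the whole guess space fits in one race; one race suffices
    # log1p keeps precision when p is tiny (e.g. 100 / 2**32).
    return math.ceil(math.log(1.0 - confidence) / math.log1p(-p))


def compare(forged_per_window: int = 100, windows: int = 1000):
    """Side-by-side: 16 bits of guess space vs. 32 bits, same attacker budget."""
    rows = []
    for label, bits in (("16-bit TXID only", 16),
                        ("TXID + random source port", 32)):
        rows.append((label, bits,
                     campaign_success_probability(bits, forged_per_window, windows),
                     windows_for_confidence(bits, forged_per_window, 0.5)))
    return rows


if __name__ == "__main__":
    for label, bits, p, n50 in compare():
        print(f"{label:26s} {bits:2d} bits: P(success within 1000 races) = {p:.4f}, "
              f"races needed for 50%: {n50:,}")
```

With 100 forged packets per race, 16 bits gives the attacker roughly a 1-in-650 chance per race and better than 75% odds after a thousand races; widening the guess space to 32 bits pushes the 50% mark out to tens of millions of races at the same packet budget. That is exactly the post's framing: more entropy raises the cost of blind spoofing but does not turn DNS into an authenticated protocol, since any value that a patient or on-path attacker can guess or observe is still just a number.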