From: Jason Stone
Date: Wed, 9 Jul 2008 11:29:25 -0700 (PDT)
To: Peter Thoenen
Cc: freebsd-security@freebsd.org, remko@elvandar.org
Subject: Re: BIND update?

I don't agree with the criticism of the security team; it takes a lot of time to test things and make sure that changes and patches work within the larger context of a complete system. And what I like about FreeBSD is that it's a complete system, not just a collection of disjoint parts like some other popular unix-like systems out there....

However, I also don't agree with this:

> it's really not a CRITICAL patch .. it's more of a when you get around to
> it seriously.

CERT and others have been saying for years that protecting DNS infrastructure is a critical component in protecting the security of the entire internet, and I strongly agree. DNS spoofing and cache poisoning are a big part of how Windows boxes get rooted, and a more robust DNS infrastructure might go a long way in slowing the spread of the zombie armies.

Many folks in the hosting world use BIND on FreeBSD to provide DNS resolvers for their clients, and this is _not_ a trivial issue for them.

-Jason