Date: Wed, 09 Oct 2002 16:06:49 -0600
From: Lyndon Nerenberg <lyndon@orthanc.ab.ca>
To: Mike Hoskins <mike@adept.org>
Cc: security@FreeBSD.ORG
Subject: Re: md5 checksum server
Message-ID: <200210092206.g99M6oGI092623@orthanc.ab.ca>
In-Reply-To: Your message of "Wed, 09 Oct 2002 14:34:48 PDT." <20021009142623.Q88247-100000@fubar.adept.org>

Mike> This wouldn't be hard. Write a script that grabs the MD5
Mike> checksums from the ports collection (on a server that's
Mike> trusted and up to date) and turns the MD5 sums into TXT
Mike> records in a md5.somedomain.com DNS zone. Then people can
Mike> issue queries like sendmail.a.b.c.md5.somedomain.com and get
Mike> the MD5 sum returned for sendmail version a.b.c.

DNS isn't the right place for this.

1) it requires DNSSEC to ensure the MD5 record data isn't forged
2) DNS caching would hide updates for the duration of the TTL
   attached to the TXT record

--lyndon
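
Both objections are visible in the wire format of an answer. The following is an added example, not part of the original message: it builds a constructed TXT response for the query name Mike describes, reads the AD flag and the record TTL, and rejects the checksum when the resolver has not marked the answer as DNSSEC-validated. The function names, transaction ID, TTL and digest value are assumptions chosen for illustration.

```python
import struct

AD_FLAG = 0x0020  # "Authentic Data" header bit, set by a validating resolver

def encode_name(name):
    """Encode a DNS name as length-prefixed labels, uncompressed."""
    return b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"

def build_response(qname, txt, ttl, ad):
    """Build a one-answer TXT response (constructed sample, not a capture)."""
    flags = 0x8180 | (AD_FLAG if ad else 0)  # QR, RD, RA, optionally AD
    header = struct.pack("!6H", 0x1234, flags, 1, 1, 0, 0)
    question = encode_name(qname) + struct.pack("!2H", 16, 1)  # TXT, IN
    rdata = bytes([len(txt)]) + txt.encode()
    answer = b"\xc0\x0c" + struct.pack("!2HIH", 16, 1, ttl, len(rdata)) + rdata
    return header + question + answer

def skip_name(msg, off):
    """Return the offset just past the name that starts at off."""
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:  # a compression pointer ends the name
            return off + 2
        if n == 0:
            return off + 1
        off += 1 + n

def parse_txt(msg):
    """Return (ad, ttl, text) for the first answer of a TXT response."""
    _id, flags, qd, an, _ns, _ar = struct.unpack_from("!6H", msg, 0)
    if an < 1:
        raise ValueError("no answer record")
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    off = skip_name(msg, off)
    rtype, _cls, ttl, _rdlen = struct.unpack_from("!2HIH", msg, off)
    if rtype != 16:
        raise ValueError("first answer is not a TXT record")
    off += 10  # fixed RR fields; rdata starts with a one-byte string length
    return bool(flags & AD_FLAG), ttl, msg[off + 1:off + 1 + msg[off]].decode("ascii")

def checksum_from_dns(msg):
    """Return (md5_hex, ttl); reject answers the resolver did not validate."""
    ad, ttl, text = parse_txt(msg)
    if not ad:  # AD only helps if the path to the resolver is itself trusted
        raise ValueError("not DNSSEC-validated: the TXT data could be forged")
    return text, ttl  # ttl bounds how long a cache may keep serving this value
```
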
