From owner-freebsd-security@FreeBSD.ORG Wed Jul 9 23:45:24 2008
Message-Id: <200807092345.m69NjNgf091485@drugs.dv.isc.org>
To: freebsd-security@freebsd.org
From: Mark Andrews
In-reply-to: Your message of "Wed, 09 Jul 2008 14:53:08 MST." <20080709215308.C4A662B7C00@mx5.roble.com>
Date: Thu, 10 Jul 2008 09:45:23 +1000
Sender: marka@isc.org
Subject: Re: BIND update?

Well, as a developer of BIND I will tell you that my development platform is FreeBSD.

    FreeBSD drugs.dv.isc.org 6.3-STABLE FreeBSD 6.3-STABLE #19: Fri Apr 25 13:07:00 EST 2008 marka@drugs.dv.isc.org:/usr/obj/usr/src/sys/DRUGS i386

If Doug hasn't already updated the ports to use the -P1 I would expect him to do so shortly. Or you could all do it yourselves. It really is not that hard. Just check the PGP signatures on the tarball when you make the new checksums for the port.

As for updating the base. There is still time to do this without panicking. Dan's method has not been released.

Remember the only real solution to cache poisoning is to deploy DNSSEC. You can go out and do your part of that today. If you really cared about DNS security you would have done it already. It isn't that hard. Just use the defaults.

http://www.isc.org/sw/bind/docs/DNSSEC_in_6_minutes.pdf

Talk to your member(s) of parliament about getting the root signed and your cctld signed (only 4 have been signed last time I checked). If .SE and .BR can do it then your cctld can do it. ORG is in the process of getting DNSSEC added.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews@isc.org