From owner-freebsd-security@FreeBSD.ORG Thu Jul 10 00:27:49 2008
Date: Wed, 9 Jul 2008 17:27:49 -0700
From: Chris Palmer <chris@noncombatant.org>
To: Mark Boolootian, freebsd-security@freebsd.org
Subject: Re: BIND update?
Message-ID: <20080710002749.GK55473@noncombatant.org>
In-Reply-To: <20080709235204.GB72293@root.ucsc.edu>

Mark Boolootian writes:

> Everyone that uses the Internet depends on the security of DNS.

That's too bad, because DNS never made any security guarantees.
When you ask to resolve www.google.com, the answer does not mean "www.google.com is on the network at 74.125.19.104." It means "As far as we can tell at the moment, www.google.com might be on the network at 74.125.19.104, or that might be a total lie. Good luck! P.S.: Lying is very easy." There are no guarantees of authentication, authorization, or integrity. When I need to verify the identity of a host (really, the identity of an application server -- which is more relevant anyway), I use things like SSL certificates and SSH host keys. After all, you were going to need authentication and integrity -- and likely confidentiality, too -- at the application layer anyway. Right?
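As an added illustration of the point made above (this code is not part of the original message or thread), the following shows how an SSH host-key check pins a host's identity independently of whatever address DNS handed back: the name only selects which known_hosts entry to consult, and the decision rests on the key. It handles both plain and HashKnownHosts-style entries and distinguishes "unknown host" from "known host, different key". The key bytes, salt and hostnames are constructed samples.

```python
import base64
import hashlib
import hmac
import struct

# Constructed sample key: 32 arbitrary bytes standing in for an Ed25519 public key.
FAKE_KEY_BYTES = bytes(range(32))
SALT = b"\x01" * 20  # constructed salt for the hashed entry

def ssh_wire(keytype: str, raw: bytes) -> bytes:
    """OpenSSH wire encoding: length-prefixed type string, length-prefixed key."""
    return (struct.pack(">I", len(keytype)) + keytype.encode()
            + struct.pack(">I", len(raw)) + raw)

def fingerprint(blob: bytes) -> str:
    """OpenSSH-style fingerprint: SHA256 of the wire blob, base64 without padding."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def hashed_hostname(host: str, salt: bytes) -> str:
    """HashKnownHosts form: |1|base64(salt)|base64(HMAC-SHA1(salt, host))."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

def host_matches(entry_hosts: str, host: str) -> bool:
    """Match a known_hosts host field (plain or hashed, comma-separated) against host."""
    for name in entry_hosts.split(","):
        if name.startswith("|1|"):
            salt = base64.b64decode(name.split("|")[2])
            if hmac.compare_digest(hashed_hostname(host, salt), name):
                return True
        elif name == host:
            return True
    return False

def verify_host_key(known_hosts: str, host: str, keytype: str, blob: bytes) -> str:
    """'ok' if the presented key is the pinned one, 'mismatch' if the host is known
    but the key differs (the case a DNS answer can never catch), else 'unknown'."""
    for line in known_hosts.splitlines():
        parts = line.split()
        if line.startswith("#") or len(parts) < 3:
            continue
        if host_matches(parts[0], host) and parts[1] == keytype:
            return "ok" if hmac.compare_digest(base64.b64decode(parts[2]), blob) else "mismatch"
    return "unknown"

# Constructed known_hosts: a plain entry and a hashed entry pinning the same key.
_KEY_B64 = base64.b64encode(ssh_wire("ssh-ed25519", FAKE_KEY_BYTES)).decode()
KNOWN_HOSTS = ("# constructed sample known_hosts\n"
               "login.example.test ssh-ed25519 " + _KEY_B64 + "\n"
               + hashed_hostname("git.example.test", SALT) + " ssh-ed25519 " + _KEY_B64)
```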