Date:      Tue, 22 Jul 2008 09:37:14 -0700
From:      Doug Barton <dougb@FreeBSD.org>
To:        freebsd-stable@freebsd.org
Subject:   Re: FreeBSD 7.1 and BIND exploit
Message-ID:  <48860CBA.6010903@FreeBSD.org>
In-Reply-To: <20080722162024.GA1279@lava.net>
References:  <200807212219.QAA01486@lariat.net>	<200807221552.m6MFqgpm009488@lurza.secnetix.de> <20080722162024.GA1279@lava.net>

Clifton Royston wrote:
>   I also think that modular design of security-sensitive tools is the
> way to go, with his DNS tools as with Postfix.

Dan didn't write postfix, he wrote qmail.

If you're interested in a resolver-only solution (and that is not a
bad way to go) then you should evaluate dns/unbound. It is a
lightweight resolver-only server that has a good security model and
already implements query port randomization. It also has the advantage
of being maintained, and compliant with 21st Century DNS standards
including DNSSEC (which, btw, is the real solution to the response
forgery problem, it just can't be deployed universally before 8/5).

hth,

Doug

-- 

     This .signature sanitized for your protection
