From: Doug Barton <dougb@FreeBSD.org>
Organization: http://www.FreeBSD.org/
Date: Tue, 22 Jul 2008 09:37:14 -0700
To: freebsd-stable@freebsd.org
Subject: Re: FreeBSD 7.1 and BIND exploit
Message-ID: <48860CBA.6010903@FreeBSD.org>
In-Reply-To: <20080722162024.GA1279@lava.net>
References: <200807212219.QAA01486@lariat.net> <200807221552.m6MFqgpm009488@lurza.secnetix.de> <20080722162024.GA1279@lava.net>
List-Id: Production branch of FreeBSD source code

Clifton Royston wrote:
> I also think that modular design of security-sensitive tools is the
> way to go, with his DNS tools as with Postfix.

Dan didn't write postfix, he wrote qmail.

If you're interested in a resolver-only solution (and that is not a bad way to go) then you should evaluate dns/unbound. It is a lightweight resolver-only server that has a good security model and already implements query port randomization. It also has the advantage of being maintained, and compliant with 21st Century DNS standards including DNSSEC (which, btw, is the real solution to the response forgery problem; it just can't be deployed universally before 8/5).

hth,

Doug

-- 
This .signature sanitized for your protection
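A defender-side check for the query port randomization mentioned above, as an added example that is not part of the original message or of unbound: it parses tcpdump-style lines for queries leaving a resolver (the two sample captures below are constructed, not real traffic) and reports whether the resolver is reusing a single source port, which leaves only the 16-bit transaction ID for a forger to guess.

```python
"""Report source-port diversity of a resolver's outgoing DNS queries.

Input is the text tcpdump prints for UDP queries to port 53 with -n, e.g.
  16:37:17.000000 IP 192.0.2.10.53124 > 198.51.100.5.53: 12345+ A? www.example.com. (33)
"""
import random
import re
from collections import Counter

# Capture the source port and the DNS transaction ID ("12345+" = TXID with RD set).
LINE_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.53: (?P<txid>\d+)\+"
)


def parse_queries(lines):
    """Return (source_port, txid) pairs for every outgoing query line."""
    pairs = []
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            pairs.append((int(m.group("sport")), int(m.group("txid"))))
    return pairs


def port_randomization_report(lines, min_queries=20):
    """Classify the resolver as fixed-port (weak), low-diversity, or randomized."""
    queries = parse_queries(lines)
    ports = Counter(port for port, _ in queries)
    txids = {txid for _, txid in queries}
    distinct = len(ports)
    ratio = distinct / len(queries) if queries else 0.0
    verdict = "insufficient data"
    if len(queries) >= min_queries:
        if distinct == 1:
            verdict = "fixed port (weak)"      # only the 16-bit TXID protects the cache
        elif ratio > 0.9:
            verdict = "randomized"             # port entropy adds to the TXID
        else:
            verdict = "low port diversity"
    return {"queries": len(queries), "distinct_ports": distinct,
            "distinct_txids": len(txids), "verdict": verdict}


def _sample(ports, txids):
    """Build constructed tcpdump-style lines from port/txid sequences."""
    return [f"16:37:{i:02d}.000000 IP 192.0.2.10.{p} > 198.51.100.5.53: "
            f"{t}+ A? host{i}.example.com. (40)"
            for i, (p, t) in enumerate(zip(ports, txids))]


# Constructed samples: a resolver pinned to one source port vs. one that randomizes.
FIXED_PORT_CAPTURE = _sample([32768] * 25, range(1000, 1025))
RANDOM_PORT_CAPTURE = _sample(random.Random(7).sample(range(1024, 65536), 25),
                              range(2000, 2025))
```

On a live resolver, pipe `tcpdump -n -l udp dst port 53` into `port_randomization_report` once a few dozen queries have been captured.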