Date:      Tue, 22 Jul 2008 07:03:49 -1000
From:      Clifton Royston <cliftonr@lava.net>
To:        Doug Barton <dougb@FreeBSD.org>
Cc:        freebsd-stable@freebsd.org
Subject:   Re: FreeBSD 7.1 and BIND exploit
Message-ID:  <20080722170348.GB1279@lava.net>
In-Reply-To: <48860CBA.6010903@FreeBSD.org>
References:  <200807212219.QAA01486@lariat.net> <200807221552.m6MFqgpm009488@lurza.secnetix.de> <20080722162024.GA1279@lava.net> <48860CBA.6010903@FreeBSD.org>

On Tue, Jul 22, 2008 at 09:37:14AM -0700, Doug Barton wrote:
> Clifton Royston wrote:
> >  I also think that modular design of security-sensitive tools is the
> >way to go, with his DNS tools as with Postfix.
> 
> Dan didn't write postfix, he wrote qmail.

  I know, but I think qmail sucks.  Wietse didn't write a DNS server
or I'd probably be using that. :-)

> If you're interested in a resolver-only solution (and that is not a 
> bad way to go) then you should evaluate dns/unbound. It is a 
> lightweight resolver-only server that has a good security model and 
> already implements query port randomization. It also has the advantage 
> of being maintained, and compliant to 21st Century DNS standards 
> including DNSSEC (which, btw, is the real solution to the response 
> forgery problem, it just can't be deployed universally before 8/5).

  Sounds interesting; is it a caching resolver? 

  I'm not totally convinced DNSSEC would solve everything (though it
would solve the current vulnerability) but I'm not sure I follow the
arguments pro and con.

  -- Clifton

-- 
    Clifton Royston  --  cliftonr@iandicomputing.com / cliftonr@lava.net
       President  - I and I Computing * http://www.iandicomputing.com/
 Custom programming, network design, systems and network consulting services
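Added example, not code from the thread or from BIND or unbound: a small Python check that reads constructed tcpdump-style summaries of a resolver's outgoing queries (the line format is assumed), flags a resolver that sends every query from one fixed source port, and puts a number on why query port randomization raises the cost of the blind response forgery the thread is discussing.

```python
import re
from fractions import Fraction

# Constructed sample capture summaries (assumed format, not real traffic):
# "IP <src>.<port> > <dst>.53: <txid>+ A? <name>. (<len>)"
# The first resolver sends every query from port 53; the second varies it.
FIXED_PORT_CAPTURE = """\
IP 192.0.2.10.53 > 198.51.100.1.53: 6699+ A? example.net. (29)
IP 192.0.2.10.53 > 198.51.100.1.53: 31805+ A? mail.example.net. (34)
IP 192.0.2.10.53 > 198.51.100.1.53: 3663+ A? www.example.net. (33)
IP 192.0.2.10.53 > 198.51.100.1.53: 39441+ A? ns1.example.net. (33)
"""
RANDOM_PORT_CAPTURE = """\
IP 192.0.2.10.32811 > 198.51.100.1.53: 6699+ A? example.net. (29)
IP 192.0.2.10.49120 > 198.51.100.1.53: 31805+ A? mail.example.net. (34)
IP 192.0.2.10.60431 > 198.51.100.1.53: 3663+ A? www.example.net. (33)
IP 192.0.2.10.35577 > 198.51.100.1.53: 39441+ A? ns1.example.net. (33)
"""

# Source port of the query and the decimal transaction ID that follows the colon.
LINE_RE = re.compile(r"^IP \S+\.(\d+) > \S+\.53: (\d+)\+? ")


def parse_capture(text):
    """Return (source_port, txid) for each outbound query line."""
    pairs = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            pairs.append((int(m.group(1)), int(m.group(2))))
    return pairs


def port_randomised(pairs):
    """True when the resolver does not reuse one source port for all queries.

    A handful of samples cannot prove good randomness; what this catches is
    the clear failure case of a single fixed port, which leaves only the
    16-bit transaction ID for a forger to guess.
    """
    return len({port for port, _ in pairs}) > 1


def forgery_success(port_bits, txid_bits, forged_responses):
    """Probability that a blind attacker who gets that many distinct forged
    responses in before the genuine one matches both port and txid."""
    space = 2 ** (port_bits + txid_bits)
    return min(Fraction(forged_responses, space), Fraction(1))
```

With a fixed port the forger only has to cover the 65536 transaction IDs, so port_bits is 0 and 65536 forged responses give certain success; randomizing the port adds roughly 16 bits and drops the same attempt to one chance in 65536. Neither setting authenticates the answer, which is the point of the thread's remark that DNSSEC is the real fix.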