From owner-freebsd-stable@FreeBSD.ORG Tue Jul 22 17:03:51 2008 Return-Path: Delivered-To: freebsd-stable@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id AC742106567E; Tue, 22 Jul 2008 17:03:51 +0000 (UTC) (envelope-from cliftonr@lava.net) Received: from outgoing01.lava.net (cake.lava.net [IPv6:2001:1888:0:1:230:48ff:fe5b:3b50]) by mx1.freebsd.org (Postfix) with ESMTP id 28A3A8FC30; Tue, 22 Jul 2008 17:03:51 +0000 (UTC) (envelope-from cliftonr@lava.net) Received: from malasada.lava.net (malasada.lava.net [64.65.64.17]) by outgoing01.lava.net (Postfix) with ESMTP id 5BDBED011C; Tue, 22 Jul 2008 07:03:50 -1000 (HST) Received: by malasada.lava.net (Postfix, from userid 102) id D6ECB153882; Tue, 22 Jul 2008 07:03:49 -1000 (HST) Date: Tue, 22 Jul 2008 07:03:49 -1000 From: Clifton Royston To: Doug Barton Message-ID: <20080722170348.GB1279@lava.net> Mail-Followup-To: Doug Barton , freebsd-stable@freebsd.org References: <200807212219.QAA01486@lariat.net> <200807221552.m6MFqgpm009488@lurza.secnetix.de> <20080722162024.GA1279@lava.net> <48860CBA.6010903@FreeBSD.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <48860CBA.6010903@FreeBSD.org> User-Agent: Mutt/1.4.2.2i Cc: freebsd-stable@freebsd.org Subject: Re: FreeBSD 7.1 and BIND exploit X-BeenThere: freebsd-stable@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Production branch of FreeBSD source code List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 22 Jul 2008 17:03:51 -0000 On Tue, Jul 22, 2008 at 09:37:14AM -0700, Doug Barton wrote: > Clifton Royston wrote: > > I also think that modular design of security-sensitive tools is the > >way to go, with his DNS tools as with Postfix. > > Dan didn't write postfix, he wrote qmail. I know, but I think qmail sucks. Wietse didn't write a DNS server or I'd probably be using that. :-) > If you're interested in a resolver-only solution (and that is not a > bad way to go) then you should evaluate dns/unbound. It is a > lightweight resolver-only server that has a good security model and > already implements query port randomization. It also has the advantage > of being maintained, and compliant to 21st Century DNS standards > including DNSSEC (which, btw, is the real solution to the response > forgery problem, it just can't be deployed universally before 8/5). Sounds interesting; is it a caching resolver? I'm not totally convinced DNSSEC would solve everything (though it would solve the current vulnerability) but I'm not sure I follow the arguments pro and con. -- Clifton -- Clifton Royston -- cliftonr@iandicomputing.com / cliftonr@lava.net President - I and I Computing * http://www.iandicomputing.com/ Custom programming, network design, systems and network consulting services