Date: Tue, 22 Jul 2008 18:16:37 +0100
From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
To: Doug Barton <dougb@freebsd.org>
Cc: freebsd-stable@freebsd.org
Subject: Re: FreeBSD 7.1 and BIND exploit
Message-ID: <488615F5.80405@infracaninophile.co.uk>
In-Reply-To: <48860CBA.6010903@FreeBSD.org>
References: <200807212219.QAA01486@lariat.net> <200807221552.m6MFqgpm009488@lurza.secnetix.de> <20080722162024.GA1279@lava.net> <48860CBA.6010903@FreeBSD.org>
Doug Barton wrote:
> Clifton Royston wrote:
>> I also think that modular design of security-sensitive tools is the
>> way to go, with his DNS tools as with Postfix.
>
> Dan didn't write postfix, he wrote qmail.
>
> If you're interested in a resolver-only solution (and that is not a bad
> way to go) then you should evaluate dns/unbound. It is a lightweight
> resolver-only server that has a good security model and already
> implements query port randomization. It also has the advantage of being
> maintained, and compliant to 21st Century DNS standards including DNSSEC

Are there any plans to enable DNSSEC capability in the resolver built
into FreeBSD?

> (which, btw, is the real solution to the response forgery problem, it
> just can't be deployed universally before 8/5).

That big announcement Dan Kaminsky was going to make at the Blackhat
Conference in August? Unfortunately the cat has already been let out of
the bag:

http://blog.invisibledenizen.org/2008/07/kaminskys-dns-issue-accidentally-leaked.html

There's no implementation of DNS that can be any /more/ proof against
this than BIND+latest patches because the problem is intrinsic to the
design of the DNS protocol. You'd better be patched up or using
alternative DNS implementations equally secure already. Even so that
just increases the search space from about 16 bits to about 30 bits,
which should make it not really feasible given current network and
server capabilities.

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey
7 Priory Courtyard, Flat 3, Ramsgate, Kent, CT11 9PW
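The point about the search space growing from the 16-bit transaction ID alone to roughly 30 bits with query port randomization is easy to check on your own resolver. The script below is an added example, not part of the original message or of any FreeBSD or BIND code: it classifies a list of observed source ports (constructed samples here, in practice collected from a packet capture of the resolver's outgoing queries) as fixed, sequential or randomized, and turns the result into the size of the space a forged reply has to hit. It assumes a "randomized" resolver draws from the whole 1024-65535 range; the message's "about 30 bits" corresponds to resolvers using a narrower range.

```python
"""Check whether a resolver's observed DNS source ports look randomized and
estimate how much the randomization enlarges the space a forged reply must hit."""
import math
import random

TXID_BITS = 16                      # the DNS transaction ID is a 16-bit field
EPHEMERAL_PORTS = 65535 - 1024 + 1  # assumption: randomized resolvers use the whole high range

# Constructed samples (not real captures): a resolver pinned to one port, one that
# walks ports sequentially, and one that draws from the high range at random.
_rng = random.Random(2008)
SAMPLE_FIXED = [53] * 40
SAMPLE_SEQUENTIAL = list(range(32768, 32808))
SAMPLE_RANDOM = [_rng.randrange(1024, 65536) for _ in range(40)]


def classify_ports(ports):
    """Return 'fixed', 'sequential' or 'randomized' for observed source ports."""
    if len(set(ports)) == 1:
        return "fixed"
    strides = {b - a for a, b in zip(ports, ports[1:])}
    if len(strides) == 1:          # constant stride: the next port is predictable
        return "sequential"
    return "randomized"


def port_bits(ports):
    """Entropy the source port adds: ~16 bits if randomized, none if predictable."""
    if classify_ports(ports) == "randomized":
        return math.log2(EPHEMERAL_PORTS)   # about 15.98 bits
    return 0.0


def search_space_bits(ports):
    """Bits a forged reply must guess: transaction ID plus whatever the port adds."""
    return TXID_BITS + port_bits(ports)


def forgery_success_probability(space_bits, guesses):
    """Chance that at least one of `guesses` uniform random (txid, port) guesses
    matches the one the resolver is waiting for, within a single query window."""
    space = 2.0 ** space_bits
    return 1.0 - (1.0 - 1.0 / space) ** guesses


if __name__ == "__main__":
    for name, sample in (("fixed", SAMPLE_FIXED), ("sequential", SAMPLE_SEQUENTIAL),
                         ("random", SAMPLE_RANDOM)):
        bits = search_space_bits(sample)
        print(f"{name:10s} {classify_ports(sample):10s} {bits:5.1f} bits  "
              f"p(hit in 10k guesses) = {forgery_success_probability(bits, 10_000):.2e}")
```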
