Date: Tue, 22 Jul 2008 18:16:37 +0100
From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
To: Doug Barton <dougb@freebsd.org>
Cc: freebsd-stable@freebsd.org
Subject: Re: FreeBSD 7.1 and BIND exploit
Message-ID: <488615F5.80405@infracaninophile.co.uk>
In-Reply-To: <48860CBA.6010903@FreeBSD.org>
References: <200807212219.QAA01486@lariat.net> <200807221552.m6MFqgpm009488@lurza.secnetix.de> <20080722162024.GA1279@lava.net> <48860CBA.6010903@FreeBSD.org>
Doug Barton wrote:
> Clifton Royston wrote:
>> I also think that modular design of security-sensitive tools is the
>> way to go, with his DNS tools as with Postfix.
>
> Dan didn't write postfix, he wrote qmail.
>
> If you're interested in a resolver-only solution (and that is not a bad
> way to go) then you should evaluate dns/unbound. It is a lightweight
> resolver-only server that has a good security model and already
> implements query port randomization. It also has the advantage of being
> maintained, and compliant to 21st Century DNS standards including DNSSEC

Are there any plans to enable DNSSEC capability in the resolver built into
FreeBSD?

> (which, btw, is the real solution to the response forgery problem, it
> just can't be deployed universally before 8/5).

That big announcement Dan Kaminsky was going to make at the Blackhat
Conference in August? Unfortunately the cat has already been let out of
the bag:

http://blog.invisibledenizen.org/2008/07/kaminskys-dns-issue-accidentally-leaked.html

There's no implementation of DNS that can be any /more/ proof against this
than BIND+latest patches because the problem is intrinsic to the design of
the DNS protocol. You'd better be patched up or using alternative DNS
implementations equally secure already. Even so that just increases the
search space from about 16 bits to about 30 bits, which should make it not
really feasible given current network and server capabilities.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
7 Priory Courtyard
Flat 3                           PGP: http://www.infracaninophile.co.uk/pgpkey
Ramsgate
Kent, CT11 9PW
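A practitioner reading this thread will want to verify that their own resolver really does randomize query source ports, and to see where the "16 bits to about 30 bits" figure comes from. The script below is an added example written for this page; it is not part of Matthew's message, nor code from FreeBSD, BIND or Unbound. It parses outgoing-query lines in tcpdump's DNS summary format (the sample lines are constructed here, using documentation address ranges), reports whether the source port varies across queries, and computes the space an off-path forger would have to guess: the 16-bit transaction ID plus log2 of the usable source ports. The ephemeral range 1024-65535 is an assumption; a real check should substitute the range the resolver is configured to use.

```python
import math
import re
from collections import Counter

# Constructed sample capture in tcpdump's DNS summary format (not taken from a real host).
# Each line is one outgoing recursive query: "src.port > upstream.53: txid+ qtype? name."
RANDOMIZED_CAPTURE = """\
12:00:01.000000 IP 192.0.2.10.51234 > 198.51.100.1.53: 41233+ A? www.example.net. (33)
12:00:01.050000 IP 192.0.2.10.9172 > 198.51.100.1.53: 7021+ A? mail.example.net. (34)
12:00:01.100000 IP 192.0.2.10.60441 > 198.51.100.1.53: 59880+ AAAA? www.example.net. (33)
12:00:01.150000 IP 192.0.2.10.33050 > 198.51.100.1.53: 12004+ MX? example.net. (29)
12:00:01.200000 IP 192.0.2.10.47719 > 198.51.100.1.53: 3391+ A? ns1.example.net. (33)
12:00:01.250000 IP 192.0.2.10.2089 > 198.51.100.1.53: 65012+ A? ftp.example.net. (33)
12:00:01.300000 IP 192.0.2.10.58806 > 198.51.100.1.53: 27345+ TXT? example.net. (29)
12:00:01.350000 IP 192.0.2.10.14463 > 198.51.100.1.53: 50207+ A? www.example.org. (33)
"""

# Same traffic pattern from a resolver that sends every query from one fixed source port
# (constructed; the port value 32769 is arbitrary).
FIXED_PORT_CAPTURE = """\
12:00:01.000000 IP 192.0.2.11.32769 > 198.51.100.1.53: 41233+ A? www.example.net. (33)
12:00:01.050000 IP 192.0.2.11.32769 > 198.51.100.1.53: 7021+ A? mail.example.net. (34)
12:00:01.100000 IP 192.0.2.11.32769 > 198.51.100.1.53: 59880+ AAAA? www.example.net. (33)
12:00:01.150000 IP 192.0.2.11.32769 > 198.51.100.1.53: 12004+ MX? example.net. (29)
12:00:01.200000 IP 192.0.2.11.32769 > 198.51.100.1.53: 3391+ A? ns1.example.net. (33)
12:00:01.250000 IP 192.0.2.11.32769 > 198.51.100.1.53: 65012+ A? ftp.example.net. (33)
12:00:01.300000 IP 192.0.2.11.32769 > 198.51.100.1.53: 27345+ TXT? example.net. (29)
12:00:01.350000 IP 192.0.2.11.32769 > 198.51.100.1.53: 50207+ A? www.example.org. (33)
"""

# Source port of the query, then the transaction ID that tcpdump prints before the "+".
QUERY_RE = re.compile(r"IP \S+\.(\d+) > \S+\.53: (\d+)\+")

# Assumed usable ephemeral range 1024-65535; replace with the resolver's configured range.
EPHEMERAL_PORTS = 65535 - 1024 + 1


def parse_queries(capture):
    """Return (source_port, txid) for every outgoing query line in a tcpdump summary."""
    return [(int(port), int(txid)) for port, txid in QUERY_RE.findall(capture)]


def search_space_bits(usable_ports, txid_bits=16):
    """Bits an off-path forger must guess: the TXID plus log2 of the usable source ports.

    A single fixed port contributes log2(1) = 0 bits, leaving only the 16-bit TXID.
    """
    return txid_bits + math.log2(max(usable_ports, 1))


def source_port_report(queries, ephemeral_ports=EPHEMERAL_PORTS):
    """Judge from a capture whether the resolver randomizes query source ports.

    Heuristic: a randomizing resolver reuses a port only by chance, so the number of
    distinct ports tracks the number of queries, while a fixed-port resolver shows one
    port for all of them. A short capture cannot measure the port range itself, so a
    randomizing resolver is credited with the assumed ephemeral range.
    """
    ports = Counter(port for port, _ in queries)
    distinct = len(ports)
    randomized = distinct > len(queries) // 2
    usable = ephemeral_ports if randomized else distinct
    return {
        "queries": len(queries),
        "distinct_ports": distinct,
        "distinct_txids": len({txid for _, txid in queries}),
        "most_common_port": ports.most_common(1)[0][0] if ports else None,
        "randomized": randomized,
        "search_space_bits": round(search_space_bits(usable), 1),
    }


if __name__ == "__main__":
    for label, capture in (("randomized", RANDOMIZED_CAPTURE), ("fixed port", FIXED_PORT_CAPTURE)):
        print(label, source_port_report(parse_queries(capture)))
```

With the full 1024-65535 range the randomized resolver comes out just under 32 bits, and the fixed-port one at exactly 16; resolvers configured with a narrower port range land in between, which is why the thread's "about 30 bits" is a rough figure rather than a constant. To run it against real traffic, feed it the output of a capture filtered on outgoing UDP port 53 from the resolver host.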