From owner-freebsd-stable@FreeBSD.ORG Tue Jul 22 17:16:57 2008 Return-Path: Delivered-To: freebsd-stable@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 2CA7A106564A; Tue, 22 Jul 2008 17:16:57 +0000 (UTC) (envelope-from m.seaman@infracaninophile.co.uk) Received: from smtp.infracaninophile.co.uk (gate6.infracaninophile.co.uk [IPv6:2001:8b0:151:1::1]) by mx1.freebsd.org (Postfix) with ESMTP id 9DD198FC1B; Tue, 22 Jul 2008 17:16:56 +0000 (UTC) (envelope-from m.seaman@infracaninophile.co.uk) Received: from happy-idiot-talk.infracaninophile.co.uk (localhost [IPv6:::1]) (authenticated bits=0) by smtp.infracaninophile.co.uk (8.14.2/8.14.2) with ESMTP id m6MHGnJL047138; Tue, 22 Jul 2008 18:16:51 +0100 (BST) (envelope-from m.seaman@infracaninophile.co.uk) X-DKIM: Sendmail DKIM Filter v2.6.0 smtp.infracaninophile.co.uk m6MHGnJL047138 DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=infracaninophile.co.uk; s=200708; t=1216747011; bh=rRhF8ZkMD9JL+b 6pQ8hDfkF+aMjeV/wwvn4KDRhvHdo=; h=Message-ID:Date:From:MIME-Version: To:CC:Subject:References:In-Reply-To:Content-Type:Cc:Content-Type: Date:From:In-Reply-To:Message-ID:Mime-Version:References:To; z=Mes sage-ID:=20<488615F5.80405@infracaninophile.co.uk>|Date:=20Tue,=202 2=20Jul=202008=2018:16:37=20+0100|From:=20Matthew=20Seaman=20|Organization:=20Infracaninophile|User-A gent:=20Thunderbird=202.0.0.14=20(X11/20080607)|MIME-Version:=201.0 |To:=20Doug=20Barton=20|CC:=20freebsd-stable@fre ebsd.org|Subject:=20Re:=20FreeBSD=207.1=20and=20BIND=20exploit|Refe rences:=20<200807212219.QAA01486@lariat.net>=09<200807221552.m6MFqg pm009488@lurza.secnetix.de>=09<20080722162024.GA1279@lava.net>=20<4 8860CBA.6010903@FreeBSD.org>|In-Reply-To:=20<48860CBA.6010903@FreeB SD.org>|X-Enigmail-Version:=200.95.6|Content-Type:=20multipart/sign ed=3B=20micalg=3Dpgp-sha256=3B=0D=0A=20protocol=3D"application/pgp- signature"=3B=0D=0A=20boundary=3D"------------enig32912119FCAFC30F8 F21FE78"; b=vWeGBd3DmDMvr7J5QSueiWNT8O05aUcDvzsl2MQ3dSK9zJIKnashagU bGaaPGT29708keYhilsTJLf/3dMP5cW1pzz2HUIYgfcQyMYzFQu0dsvi/NTLNoSF7uV j3/G4F3aGcNscvVQyj94E+3K4PTBC2RWri79AmCuQl1tbulCI= Message-ID: <488615F5.80405@infracaninophile.co.uk> Date: Tue, 22 Jul 2008 18:16:37 +0100 From: Matthew Seaman Organization: Infracaninophile User-Agent: Thunderbird 2.0.0.14 (X11/20080607) MIME-Version: 1.0 To: Doug Barton References: <200807212219.QAA01486@lariat.net> <200807221552.m6MFqgpm009488@lurza.secnetix.de> <20080722162024.GA1279@lava.net> <48860CBA.6010903@FreeBSD.org> In-Reply-To: <48860CBA.6010903@FreeBSD.org> X-Enigmail-Version: 0.95.6 Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="------------enig32912119FCAFC30F8F21FE78" X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.0 (smtp.infracaninophile.co.uk [IPv6:::1]); Tue, 22 Jul 2008 18:16:51 +0100 (BST) X-Virus-Scanned: ClamAV 0.93.3/7779/Tue Jul 22 10:22:01 2008 on happy-idiot-talk.infracaninophile.co.uk X-Virus-Status: Clean X-Spam-Status: No, score=-3.0 required=5.0 tests=AWL,BAYES_00,DKIM_SIGNED, DKIM_VERIFIED,NO_RELAYS autolearn=ham version=3.2.5 X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on happy-idiot-talk.infracaninophile.co.uk Cc: freebsd-stable@freebsd.org Subject: Re: FreeBSD 7.1 and BIND exploit X-BeenThere: freebsd-stable@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Production branch of FreeBSD source code List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 22 Jul 2008 17:16:57 -0000 This is an OpenPGP/MIME signed message (RFC 2440 and 3156) --------------enig32912119FCAFC30F8F21FE78 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: quoted-printable Doug Barton wrote: > Clifton Royston wrote: >> I also think that modular design of security-sensitive tools is the >> way to go, with his DNS tools as with Postfix. >=20 > Dan didn't write postfix, he wrote qmail. >=20 > If you're interested in a resolver-only solution (and that is not a bad= =20 > way to go) then you should evaluate dns/unbound. It is a lightweight=20 > resolver-only server that has a good security model and already=20 > implements query port randomization. It also has the advantage of being= =20 > maintained, and compliant to 21st Century DNS standards including DNSSE= C Are there any plans to enable DNSSEC capability in the resolver built int= o FreeBSD? > (which, btw, is the real solution to the response forgery problem, it=20 > just can't be deployed universally before 8/5). That big announcement Dan Kaminsky was going to make at the Blackhat Conference in August? Unfortunately the cat has already been let out of the bag: http://blog.invisibledenizen.org/2008/07/kaminskys-dns-issue-accidentally= -leaked.html There's no implementation of DNS that can be any /more/ proof against thi= s than BIND+latest patches because the problem is intrinsic to the design o= f=20 the DNS protocol. You'ld better be patched up or using alternative DNS=20 implementations equally secure already. Even so that just increases the = search space from about 16bits to about 30bits, which should make it not = really feasible given current network and server capabilities. =20 Cheers, Matthew --=20 Dr Matthew J Seaman MA, D.Phil. 7 Priory Courtyard Flat 3 PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate Kent, CT11 9PW --------------enig32912119FCAFC30F8F21FE78 Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.9 (FreeBSD) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iEYEAREIAAYFAkiGFgEACgkQ8Mjk52CukIz1HQCcCFdf9JQLDJ859kpJswu4k/Qz Cu0An3seGbFxOB3bbGAyOZHkKrLiWAmt =yS2R -----END PGP SIGNATURE----- --------------enig32912119FCAFC30F8F21FE78--