Date: Tue, 22 Jul 2008 10:27:42 -0700
From: Doug Barton <dougb@FreeBSD.org>
To: Matthew Seaman <m.seaman@infracaninophile.co.uk>
Cc: freebsd-stable@freebsd.org
Subject: Re: FreeBSD 7.1 and BIND exploit
Message-ID: <4886188E.6090805@FreeBSD.org>
In-Reply-To: <488615F5.80405@infracaninophile.co.uk>
References: <200807212219.QAA01486@lariat.net> <200807221552.m6MFqgpm009488@lurza.secnetix.de> <20080722162024.GA1279@lava.net> <48860CBA.6010903@FreeBSD.org> <488615F5.80405@infracaninophile.co.uk>
Matthew Seaman wrote:
> Are there any plans to enable DNSSEC capability in the resolver built
> into FreeBSD?

The server is already capable of it. I'm seriously considering enabling the define to make the CLI tools (dig/host/nslookup) capable as well (there is already an OPTION for this in ports).

The problem is that _using_ DNSSEC requires configuration changes in named.conf, and more importantly, configuration of "trust anchors" (even for the command line stuff) since the root is not signed. It's not hard to do that with the DLV system that ISC has in place, and I would be willing to create a conf file that shows how to do that for users to include if they choose to. I am not comfortable enabling it by default (not yet anyway), it's too big of a POLA issue.

Doug

-- 
This .signature sanitized for your protection
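The kind of include file the message describes, as an added example rather than anything Doug Barton or the FreeBSD project shipped: a named.conf fragment that turns on validation and points the resolver at ISC's DLV registry as its trust anchor, in the BIND 9.4-era syntax FreeBSD 7.x carried. The file name and the key string are assumptions; the real DLV key would have to be copied from what ISC published (and DLV has since been retired, as the root zone is now signed, so today an anchor for "." replaces all of this).

```conf
// Added example, not a file from FreeBSD or from Doug Barton's message.
// Hypothetical name: /etc/namedb/dnssec.conf, pulled in from named.conf with
//     include "/etc/namedb/dnssec.conf";
// Syntax is BIND 9.4/9.5-era; the DLV key below is a placeholder.
options {
    // The server is compiled with DNSSEC support already; these switches
    // make it validate the answers it receives.
    dnssec-enable yes;
    dnssec-validation yes;

    // Setting dnssec-validation alone anchors nothing: with no trusted key
    // configured every answer is simply treated as insecure, which is the
    // "trust anchors" problem the message points out. Because the root is
    // unsigned, the anchor comes from ISC's DNSSEC Lookaside Validation
    // registry, consulted for the whole namespace ("." = every zone).
    dnssec-lookaside "." trust-anchor dlv.isc.org.;
};

// Trust anchor for the DLV zone itself. Fields: owner name, flags
// (257 = key-signing key), protocol (3), algorithm number, base64 public key.
trusted-keys {
    dlv.isc.org. 257 3 5 "PLACEHOLDER-REPLACE-WITH-THE-DLV-KEY-PUBLISHED-BY-ISC";
};
```

The same anchor is what the command-line tools need: dig's +sigchase and +trusted-key=file options, which read a key in this format, are the ones that only exist when the compile-time define the message mentions is enabled. A useful check after reloading named is that a query for a DLV-registered signed name comes back with the AD flag set and that a deliberately mis-typed key in the trusted-keys block makes the same query fail as bogus (SERVFAIL) rather than silently succeed; the second case is the one that proves validation is actually anchored.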