From: Doug Barton
Organization: http://www.FreeBSD.org/
Date: Tue, 22 Jul 2008 10:27:42 -0700
To: Matthew Seaman
Cc: freebsd-stable@freebsd.org
Subject: Re: FreeBSD 7.1 and BIND exploit
Message-ID: <4886188E.6090805@FreeBSD.org>
In-Reply-To: <488615F5.80405@infracaninophile.co.uk>

Matthew Seaman wrote:
> Are there any plans to enable DNSSEC capability in the resolver built
> into FreeBSD? The server is already capable of it.
I'm seriously considering enabling the define to make the CLI tools (dig/host/nslookup) capable as well (there is already an OPTION for this in ports).

The problem is that _using_ DNSSEC requires configuration changes in named.conf, and more importantly, configuration of "trust anchors" (even for the command line stuff) since the root is not signed. It's not hard to do that with the DLV system that ISC has in place, and I would be willing to create a conf file that shows how to do that for users to include if they choose to.

I am not comfortable enabling it by default (not yet anyway); it's too big of a POLA issue.

Doug

-- 

This .signature sanitized for your protection
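For readers wondering what the named.conf changes and DLV trust anchor Doug mentions look like, the fragment below is an added illustration, not Doug's proposed file or anything shipped with FreeBSD. It assumes the BIND 9.4-era option names; the key string is a placeholder, not the real DLV key, and note that ISC retired the dlv.isc.org registry in 2017 once the signed root made look-aside validation unnecessary.

```conf
// Constructed example: validating resolver using ISC's DLV registry
// as the trust anchor source (BIND 9.4-style syntax).
options {
    dnssec-enable yes;          // send and accept DNSSEC records (RRSIG, DNSKEY, NSEC)
    dnssec-validation yes;      // actually check signatures against trust anchors

    // Look-aside validation: when no configured trust anchor covers a zone,
    // ask the DLV registry whether it publishes one. "." applies this to
    // every name, which is what an unsigned root forces you to do.
    dnssec-lookaside "." trust-anchor dlv.isc.org.;
};

// The registry's own key is the single trust anchor that must be supplied
// out of band; everything below it is validated through DLV records.
// PLACEHOLDER: the real key had to be copied from ISC's published material
// and verified independently; this string is not a usable key.
trusted-keys {
    dlv.isc.org. 257 3 5 "PLACEHOLDER-BASE64-DNSKEY-RDATA";
};
```

With this in place, `dig +dnssec` against the resolver should return the `ad` flag for names whose zones are registered in DLV, and SERVFAIL for names whose signatures fail to validate; an answer without `ad` simply means no trust anchor covered the zone.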