Date: Tue, 22 Jul 2008 11:59:11 -0500
From: Paul Schmehl <pschmehl_lists@tx.rr.com>
To: freebsd-stable@freebsd.org
Subject: Re: FreeBSD 7.1 and BIND exploit
Message-ID: <24AEB3BFE15219E4ADA1F2E9@utd65257.utdallas.edu>
In-Reply-To: <48860CBA.6010903@FreeBSD.org>
References: <200807212219.QAA01486@lariat.net> <200807221552.m6MFqgpm009488@lurza.secnetix.de> <20080722162024.GA1279@lava.net> <48860CBA.6010903@FreeBSD.org>
--On Tuesday, July 22, 2008 09:37:14 -0700 Doug Barton <dougb@FreeBSD.org> wrote:

> Clifton Royston wrote:
>> I also think that modular design of security-sensitive tools is the
>> way to go, with his DNS tools as with Postfix.
>
> Dan didn't write postfix, he wrote qmail.

I think his point was that djbdns is modular just like Postfix is modular - not that Dan wrote both. I'm pretty sure everyone on the planet knows that Wietse wrote/maintains Postfix. If djbdns was as easy to set up as Postfix is, I'd use it too.

> If you're interested in a resolver-only solution (and that is not a bad way
> to go) then you should evaluate dns/unbound. It is a lightweight
> resolver-only server that has a good security model and already implements
> query port randomization. It also has the advantage of being maintained, and
> compliant to 21st Century DNS standards including DNSSEC (which, btw, is the
> real solution to the response forgery problem, it just can't be deployed
> universally before 8/5).

What happens on 8/5?

-- 
Paul Schmehl
As if it wasn't already obvious, my opinions are my own and not those of my employer.