From owner-freebsd-stable@FreeBSD.ORG Tue Jul 22 17:28:13 2008
Date: Tue, 22 Jul 2008 11:59:11 -0500
From: Paul Schmehl
To: freebsd-stable@freebsd.org
Message-ID: <24AEB3BFE15219E4ADA1F2E9@utd65257.utdallas.edu>
In-Reply-To: <48860CBA.6010903@FreeBSD.org>
References: <200807212219.QAA01486@lariat.net> <200807221552.m6MFqgpm009488@lurza.secnetix.de> <20080722162024.GA1279@lava.net> <48860CBA.6010903@FreeBSD.org>
Subject: Re: FreeBSD 7.1 and BIND exploit
List-Id: Production branch of FreeBSD source code

--On Tuesday, July 22, 2008 09:37:14 -0700
Doug Barton wrote:

> Clifton Royston wrote:
>> I also think that modular design of security-sensitive tools is the
>> way to go, with his DNS tools as with Postfix.
>
> Dan didn't write Postfix, he wrote qmail.

I think his point was that djbdns is modular just like Postfix is modular - not that Dan wrote both. I'm pretty sure everyone on the planet knows that Wietse wrote/maintains Postfix. If djbdns was as easy to set up as Postfix is, I'd use it too.

> If you're interested in a resolver-only solution (and that is not a bad way
> to go) then you should evaluate dns/unbound. It is a lightweight
> resolver-only server that has a good security model and already implements
> query port randomization. It also has the advantage of being maintained, and
> compliant to 21st Century DNS standards including DNSSEC (which, btw, is the
> real solution to the response forgery problem, it just can't be deployed
> universally before 8/5).

What happens on 8/5?

-- 
Paul Schmehl
As if it wasn't already obvious, my opinions are my own and not those of my employer.