From: Paul Schmehl
To: Doug Barton, Matthew Seaman
Cc: freebsd-stable@freebsd.org
Date: Tue, 22 Jul 2008 12:52:15 -0500
Subject: Re: FreeBSD 7.1 and BIND exploit
Message-ID: <34182EE347F910EA2A64DF03@utd65257.utdallas.edu>
In-Reply-To: <4886188E.6090805@FreeBSD.org>
--On Tuesday, July 22, 2008 10:27:42 -0700 Doug Barton wrote:

> Matthew Seaman wrote:
>
>> Are there any plans to enable DNSSEC capability in the resolver built
>> into FreeBSD?
>
> The server is already capable of it. I'm seriously considering enabling the
> define to make the CLI tools (dig/host/nslookup) capable as well (there is
> already an OPTION for this in ports).
>
> The problem is that _using_ DNSSEC requires configuration changes in
> named.conf, and more importantly, configuration of "trust anchors" (even for
> the command line stuff) since the root is not signed. It's not hard to do
> that with the DLV system that ISC has in place, and I would be willing to
> create a conf file that shows how to do that for users to include if they
> choose to. I am not comfortable enabling it by default (not yet anyway), it's
> too big of a POLA issue.
>

I just played around with it recently. It's not that easy to understand
initially *and* the trust anchors thing is a royal PITA. Once you implement
DNSSEC you *must* generate keys every 30 days. So, I think, if you're going to
enable it by default, there needs to be a script in periodic that will do all
the magic to change keys every 30 days. Maybe put vars in /etc/rc.conf to
override the default key lengths and other portions of the commands that could
change per installation.

If I were to implement it, I'd write a shell script to turn the keys over and
cron it because doing it manually every 30 days ain't gonna happen. Too many
ways to forget to do it. (I did the same for the root servers so that named.ca
gets updated automagically every month.)

But until root is signed, it's not worth it for those of us who don't have
dedicated staff doing dns only.

-- 
Paul Schmehl
As if it wasn't already obvious, my opinions are my own and not those of my employer.
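The periodic/cron key-turnover script sketched above, as an added example that is not from the thread or from FreeBSD: a POSIX sh ZSK rollover for one BIND zone, with key length, zone name and paths exposed rc.conf-style as overridable variables. It assumes the zone is example.com under /etc/namedb/master with a KSK already generated and the unsigned zone file kept free of DNSKEY records; the 30-day period is dnssec-signzone's default signature validity, and each new key is pre-published one period before it signs so a validating cache never holds an RRSIG whose DNSKEY it cannot fetch.

```shell
#!/bin/sh
# Added example, not from the thread: periodic/cron ZSK rollover for one
# BIND-signed zone with pre-publication.  Zone, paths, algorithm and key size
# are assumptions, overridable rc.conf-style through environment variables.
: "${dnssec_zone:=example.com}"             # constructed sample zone
: "${dnssec_zonedir:=/etc/namedb/master}"   # assumed layout
: "${dnssec_unsigned:=$dnssec_zone.db}"     # zone data WITHOUT DNSKEY records
: "${dnssec_alg:=RSASHA1}"
: "${dnssec_zsk_bits:=1024}"
: "${dnssec_roll_days:=30}"                 # dnssec-signzone's default RRSIG validity
# Flags field of a DNSKEY record: 256 = zone-signing key, 257 = key-signing key.
dnskey_flags() {
    echo "$1" | awk '{ for (i = 1; i < NF; i++) if ($i == "DNSKEY") { print $(i + 1); exit } }'
}
# True when a key created at epoch $1 is at least $3 days old at epoch $2.
key_is_due() { [ $(( ($2 - $1) / 86400 )) -ge "$3" ]; }
# .key files of this zone whose DNSKEY flags equal $1, newest first (by mtime).
keys_with_flags() {
    for f in $(ls -t K"$dnssec_zone".+*.key 2>/dev/null); do
        [ "$(dnskey_flags "$(grep ' DNSKEY ' "$f")")" = "$1" ] && echo "$f"
    done
}

# One step: create next period's ZSK (published, not signing yet), sign with the
# ZSK created last period, keep the one before that published so RRSIGs still in
# caches validate, and purge anything older.
roll_zsk() {
    cd "$dnssec_zonedir" || return 1
    ksk=$(keys_with_flags 257 | head -n 1)
    [ -n "$ksk" ] || { echo "no KSK found for $dnssec_zone" >&2; return 1; }
    dnssec-keygen -a "$dnssec_alg" -b "$dnssec_zsk_bits" -n ZONE "$dnssec_zone" >/dev/null || return 1
    keys_with_flags 256 | tail -n +4 | while read -r old; do rm -f "$old" "${old%.key}.private"; done
    set -- $(keys_with_flags 256)           # $1 new, $2 signer, $3 retiring
    signer=${2:-$1}                         # first run: only one ZSK exists yet
    cat "$dnssec_unsigned" "$ksk" "$@" > "$dnssec_zone.tmp" || return 1
    dnssec-signzone -o "$dnssec_zone" -k "$ksk" -f "$dnssec_zone.signed" \
        "$dnssec_zone.tmp" "$signer" || return 1
    rm -f "$dnssec_zone.tmp" && rndc reload "$dnssec_zone"
}

# usage: dnssec-zsk-roll.sh roll  (safe daily from periodic: acts only when the
# newest ZSK is old enough; stat -f %m is FreeBSD's mtime-as-epoch form)
if [ "${1:-}" = roll ]; then
    newest=$(cd "$dnssec_zonedir" && keys_with_flags 256 | head -n 1)
    if [ -z "$newest" ] || key_is_due "$(stat -f %m "$dnssec_zonedir/$newest")" \
                                       "$(date +%s)" "$dnssec_roll_days"; then
        roll_zsk
    fi
fi
```

Install it as a daily periodic script (dnssec-zsk-roll.sh is an assumed name) invoked with the roll argument; it does nothing until the newest ZSK is dnssec_roll_days old, so running it daily is harmless.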