From: Alan Clegg <alan@clegg.com>
Date: Fri, 11 Jul 2008 16:38:50 -0400
CC: freebsd-security@freebsd.org
Subject: Re: [Fwd: cvs commit: ports/dns/bind9 Makefile distinfo ports/dns/bind94 Makefile distinfo ports/dns/bind95 Makefile distinfo]
Message-ID: <4877C4DA.9070404@clegg.com>
In-Reply-To: <48778A1B.4060504@infracaninophile.co.uk>

Matthew Seaman wrote:
> Probably what Brett is looking for are the avoid-v4-udp-ports and
> avoid-v6-udp-ports options -- these just contain lists of UDP ports
> to avoid as the source of any DNS traffic. Details are available here
> (for bind95) http://www.isc.org/sw/bind/arm95/Bv9ARM.ch06.html#options
> but it's the same for all 9.x versions of BIND.

This is fine as long as you are not defining large numbers of "don't
touch" ports. The added functionality of 9.5.1b1:

    use-v4-udp-ports { range 1024 65535; };
    use-v6-udp-ports { range 1024 65535; };

is what I was pointing people towards.

AlanC
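As an added example (not part of this thread and not BIND's own code), a small Python check that reads the use-v4-udp-ports and avoid-v4-udp-ports directives from a named.conf fragment, computes the source-port pool that remains after the avoid list is subtracted, and flags a pool too small to give meaningful source-port randomization. The sample config, the assumed default range of 1024-65535 when no use-* directive is present, and the 16384-port threshold are assumptions made here.

```python
import math
import re

# Constructed named.conf fragment (sample input, not taken from the thread).
SAMPLE_CONF = """
options {
    directory "/etc/namedb";
    use-v4-udp-ports { range 1024 65535; };
    avoid-v4-udp-ports { 2049; 4045; range 8000 8010; };
};
"""

# One list element: either "range lo hi;" or a single "port;".
ELEM_RE = re.compile(r"(?:range\s+(\d+)\s+(\d+)|(\d+))\s*;")

# Assumed review threshold: ~14 bits of source-port entropy.
MIN_POOL = 16384


def parse_port_list(conf: str, directive: str) -> set[int]:
    """Return the set of ports named by `directive { ... };` (empty if absent).
    Accepts single ports and `range lo hi;` entries, as named.conf does."""
    m = re.search(rf"\b{directive}\s*\{{(.*?)\}}\s*;", conf, re.S)
    if not m:
        return set()
    ports: set[int] = set()
    for lo, hi, single in ELEM_RE.findall(m.group(1)):
        if single:
            ports.add(int(single))
        else:
            ports.update(range(int(lo), int(hi) + 1))
    return ports


def effective_pool(conf: str, family: str = "v4") -> set[int]:
    """Ports named may pick as a UDP query source: the use-* list
    (assumed default 1024-65535 if absent) minus the avoid-* list."""
    use = parse_port_list(conf, f"use-{family}-udp-ports") or set(range(1024, 65536))
    avoid = parse_port_list(conf, f"avoid-{family}-udp-ports")
    return use - avoid


def check(conf: str, family: str = "v4") -> tuple[int, float, bool]:
    """Return (pool size, approximate entropy bits, pool is large enough)."""
    pool = effective_pool(conf, family)
    bits = math.log2(len(pool)) if pool else 0.0
    return len(pool), bits, len(pool) >= MIN_POOL


if __name__ == "__main__":
    size, bits, ok = check(SAMPLE_CONF)
    print(f"v4 source-port pool: {size} ports (~{bits:.1f} bits) {'OK' if ok else 'TOO SMALL'}")
```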