Date: Tue, 22 Jul 2008 19:37:32 +0100
From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
To: Doug Barton <dougb@FreeBSD.org>
Cc: freebsd-stable@FreeBSD.org
Subject: Re: FreeBSD 7.1 and BIND exploit
Message-ID: <488628EC.5030801@infracaninophile.co.uk>
In-Reply-To: <4886188E.6090805@FreeBSD.org>
References: <200807212219.QAA01486@lariat.net> <200807221552.m6MFqgpm009488@lurza.secnetix.de> <20080722162024.GA1279@lava.net> <48860CBA.6010903@FreeBSD.org> <488615F5.80405@infracaninophile.co.uk> <4886188E.6090805@FreeBSD.org>
Doug Barton wrote:
> Matthew Seaman wrote:
>
>> Are there any plans to enable DNSSEC capability in the resolver built into FreeBSD?
>
> The server is already capable of it. I'm seriously considering enabling the define to make the CLI tools (dig/host/nslookup) capable as well (there is already an OPTION for this in ports).

Forgive me for being obtuse. What I meant was the capability to enable checking signatures on DNS RRs as a routine effect of getnameinfo() etc. by modifying resolver(3) routines or similar locally, without needing a DNSSEC-enabled recursive resolver listed in resolv.conf? I've a feeling the answer is no, but I haven't been able to find anything definitive.

Which I suppose simply means that if you're in the habit of, for example, taking your laptop into the coffee shop and getting online there, then you need to run your own instance of named on your laptop rather than blindly trusting whatever servers the coffee shop provides via their DHCP.

> The problem is that _using_ DNSSEC requires configuration changes in named.conf, and more importantly, configuration of "trust anchors" (even for the command line stuff) since the root is not signed. It's not hard to do that with the DLV system that ISC has in place, and I would be willing to create a conf file that shows how to do that for users to include if they choose to. I am not comfortable enabling it by default (not yet anyway), it's too big of a POLA issue.

I sense a business opportunity in providing DLV there. I'm wondering why the likes of Verisign (including Thawte and Geotrust), Comodo group and GoDaddy aren't circling like vultures over a dead wildebeest. Perhaps they are.
Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW
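As an added illustration of the setup Matthew and Doug are discussing (a laptop running its own validating named with a DLV trust anchor, instead of trusting the resolvers handed out by coffee-shop DHCP), here is a minimal named.conf and the matching resolver settings. This is not a file from the thread, nor the conf file Doug offers to write. The option names are those of the BIND 9.4/9.5 releases FreeBSD 7 shipped; the DLV key string is a placeholder, since the real DNSKEY for dlv.isc.org had to be fetched from ISC and checked against an out-of-band fingerprint before being trusted. ISC's DLV registry has since been shut down and the root zone is now signed, so on a current BIND the DLV stanza is replaced by the built-in root trust anchor.

```conf
// /etc/namedb/named.conf  (added example with placeholders; not the thread's file)
options {
    directory "/etc/namedb";
    listen-on { 127.0.0.1; };          // answer only this laptop
    allow-query { 127.0.0.1; };
    recursion yes;                     // we are the recursive resolver now
    dnssec-enable yes;
    dnssec-validation yes;             // validate signatures; bogus data => SERVFAIL
    // The root is unsigned at this point, so anchor validation in ISC's DLV
    // lookaside registry instead of in the root zone.
    dnssec-lookaside "." trust-anchor dlv.isc.org.;
};

// Root hints, as in FreeBSD's stock named.conf.
zone "." { type hint; file "named.root"; };

// Trust anchor for the DLV zone (KSK, flags 257, protocol 3, algorithm 5 RSASHA1).
// The key material is a PLACEHOLDER: paste the verified DNSKEY from ISC here.
trusted-keys {
    "dlv.isc.org." 257 3 5 "PLACEHOLDER-BASE64-DNSKEY-FROM-ISC";
};

// /etc/resolv.conf on the same laptop: use the local validating instance.
//     nameserver 127.0.0.1
//
// dhclient rewrites resolv.conf on every lease; to keep the line above, pin it
// in /etc/dhclient.conf (ISC dhclient syntax):
//     supersede domain-name-servers 127.0.0.1;
```

With this in place, the stub resolver in libc still does no validation of its own (the point Matthew raises about getnameinfo()); what changes is that the only recursive resolver it talks to is the local named, which refuses to hand back answers that fail validation, so an untrusted network can no longer substitute its own resolver for the signed data.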