Date:      Tue, 22 Jul 2008 19:37:32 +0100
From:      Matthew Seaman <m.seaman@infracaninophile.co.uk>
To:        Doug Barton <dougb@FreeBSD.org>
Cc:        freebsd-stable@FreeBSD.org
Subject:   Re: FreeBSD 7.1 and BIND exploit
Message-ID:  <488628EC.5030801@infracaninophile.co.uk>
In-Reply-To: <4886188E.6090805@FreeBSD.org>
References:  <200807212219.QAA01486@lariat.net> <200807221552.m6MFqgpm009488@lurza.secnetix.de> <20080722162024.GA1279@lava.net> <48860CBA.6010903@FreeBSD.org> <488615F5.80405@infracaninophile.co.uk> <4886188E.6090805@FreeBSD.org>


Doug Barton wrote:
> Matthew Seaman wrote:
> 
>> Are there any plans to enable DNSSEC capability in the resolver built 
>> into FreeBSD?
> 
> The server is already capable of it. I'm seriously considering enabling 
> the define to make the CLI tools (dig/host/nslookup) capable as well 
> (there is already an OPTION for this in ports).

Forgive me for being obtuse.  What I meant was the capability to enable
checking signatures on DNS RRs as a routine effect of getnameinfo() etc.
by modifying resolver(3) routines or similar locally, without needing a
DNSSEC-enabled recursive resolver listed in resolv.conf?  I've a feeling
the answer is no, but I haven't been able to find anything definitive.

Which I suppose simply means that if you're in the habit of, for example, 
taking your laptop into the coffee shop and getting on line there then you 
need to run your own instance of named on your laptop rather than blindly 
trusting whatever servers the coffee shop provides via their DHCP.

> The problem is that _using_ DNSSEC requires configuration changes in 
> named.conf, and more importantly, configuration of "trust anchors" (even 
> for the command line stuff) since the root is not signed. It's not hard 
> to do that with the DLV system that ISC has in place, and I would be 
> willing to create a conf file that shows how to do that for users to 
> include if they choose to. I am not comfortable enabling it by default 
> (not yet anyway), it's too big of a POLA issue.

I sense a business opportunity in providing DLV there.  I'm wondering why
the likes of Verisign (including Thawte and Geotrust), Comodo group and 
GoDaddy aren't circling like vultures over a dead wildebeest.  Perhaps they 
are.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW


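The configuration the two messages above are talking around, as an added example that is not part of this thread and not the conf file Doug offers to write: a named instance on the laptop itself, listening only on loopback, validating against a configured trust anchor and using ISC's DLV registry for the look-aside lookups needed while the root is unsigned. The directory path is FreeBSD's conventional one, and the DLV key string is a placeholder, not the real key; the real DNSKEY for dlv.isc.org. had to be fetched and verified out of band before being pasted in.

```conf
// Added example: local validating resolver for a laptop (BIND 9.4/9.5-era syntax).
options {
    directory "/etc/namedb";            // FreeBSD's conventional named directory
    listen-on { 127.0.0.1; };           // answer only this machine
    recursion yes;
    allow-recursion { 127.0.0.1; };     // never act as an open resolver on coffee-shop Wi-Fi
    dnssec-enable yes;                  // request and accept DNSSEC records
    dnssec-validation yes;              // verify RRSIGs against the trust anchors below

    // Look-aside validation: with the root unsigned, chains of trust are
    // looked up in the DLV registry instead of being walked from ".".
    dnssec-lookaside "." trust-anchor "dlv.isc.org.";
};

// Trust anchor for the DLV registry itself (KSK: flags 257, protocol 3, RSASHA1 = 5).
// PLACEHOLDER key material: replace with the verified dlv.isc.org. DNSKEY.
trusted-keys {
    "dlv.isc.org." 257 3 5 "AQ...REPLACE-WITH-VERIFIED-DLV-KEY...";
};
```

With that running, /etc/resolv.conf needs only `nameserver 127.0.0.1`; to stop the coffee shop's DHCP server from overwriting it, put `supersede domain-name-servers 127.0.0.1;` in /etc/dhclient.conf. The check that validation is actually happening is `dig +dnssec @127.0.0.1 <signed-name> A`: a validated answer carries `ad` in the flags line, and a name whose signatures fail to verify comes back SERVFAIL rather than as a forged address, which is the whole point of not trusting the network's resolver. Two later facts worth knowing if you reuse this: the root zone has been signed since 2010 and ISC retired the DLV registry in 2017, so on a current BIND `dnssec-validation auto;` with the built-in root trust anchor replaces both the `dnssec-lookaside` line and the `trusted-keys` block.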

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?488628EC.5030801>