From owner-freebsd-stable@FreeBSD.ORG Tue Jul 22 18:37:45 2008
From: Matthew Seaman
Organization: Infracaninophile
To: Doug Barton
Cc: freebsd-stable@FreeBSD.org
Subject: Re: FreeBSD 7.1 and BIND exploit
Date: Tue, 22 Jul 2008 19:37:32 +0100
Message-ID: <488628EC.5030801@infracaninophile.co.uk>
In-Reply-To: <4886188E.6090805@FreeBSD.org>
References: <200807212219.QAA01486@lariat.net> <200807221552.m6MFqgpm009488@lurza.secnetix.de> <20080722162024.GA1279@lava.net> <48860CBA.6010903@FreeBSD.org> <488615F5.80405@infracaninophile.co.uk> <4886188E.6090805@FreeBSD.org>
List-Id: Production branch of FreeBSD source code
Doug Barton wrote:
> Matthew Seaman wrote:
>
>> Are there any plans to enable DNSSEC capability in the resolver built
>> into FreeBSD?
>
> The server is already capable of it. I'm seriously considering enabling
> the define to make the CLI tools (dig/host/nslookup) capable as well
> (there is already an OPTION for this in ports).

Forgive me for being obtuse. What I meant was the capability to enable
checking signatures on DNS RRs as a routine effect of getnameinfo() etc.
by modifying resolver(3) routines or similar locally, without needing a
DNSSEC-enabled recursive resolver listed in resolv.conf? I've a feeling
the answer is no, but I haven't been able to find anything definitive.

Which I suppose simply means that if you're in the habit of, for example,
taking your laptop into the coffee shop and getting on line there then you
need to run your own instance of named on your laptop rather than blindly
trusting whatever servers the coffee shop provides via their DHCP.

> The problem is that _using_ DNSSEC requires configuration changes in
> named.conf, and more importantly, configuration of "trust anchors" (even
> for the command line stuff) since the root is not signed. It's not hard
> to do that with the DLV system that ISC has in place, and I would be
> willing to create a conf file that shows how to do that for users to
> include if they choose to. I am not comfortable enabling it by default
> (not yet anyway), it's too big of a POLA issue.

I sense a business opportunity in providing DLV there. I'm wondering why
the likes of Verisign (including Thawte and Geotrust), Comodo group and
GoDaddy aren't circling like vultures over a dead wildebeest. Perhaps they
are.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
7 Priory Courtyard, Flat 3
Ramsgate, Kent, CT11 9PW
PGP: http://www.infracaninophile.co.uk/pgpkey
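The practical question behind the exchange above is whether the recursive resolver named in resolv.conf is actually validating, since the stub resolver behind getnameinfo() does no signature checking of its own. A validating resolver (for example a local named with validation switched on and a trust anchor configured, as Doug describes) sets the AD ("authenticated data") flag in its reply to a query sent with the DO bit (`dig +dnssec`); a plain forwarding cache of the kind a coffee-shop DHCP server hands out leaves AD unset, and a validator that cannot verify a signed answer returns SERVFAIL. The script below is an added example, not part of the thread or of FreeBSD; it parses dig's header lines to classify an answer, and the three dig outputs it runs over are constructed samples for the three cases, not captures from any real resolver.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): classify a dig reply by
# whether the recursive resolver that produced it validated the answer.
#
# classify_answer DIG_OUTPUT
#   prints "authenticated"   - status NOERROR and the AD flag is set
#          "unauthenticated" - status NOERROR but no AD flag (no validation
#                              happened between you and the authoritative
#                              server, so getnameinfo() is trusting the cache)
#          "servfail"        - status SERVFAIL, which is what a validating
#                              resolver returns when signatures fail to verify
#                              (other failures produce SERVFAIL too, so treat
#                              it as "not trustworthy", not as proof of forgery)
classify_answer() {
    printf '%s\n' "$1" | awk '
        # ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242"
        /^;; ->>HEADER<<-/ {
            for (i = 1; i <= NF; i++)
                if ($i == "status:") { status = $(i + 1); sub(/,$/, "", status) }
        }
        # ";; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, ..."
        # Only the header flag list counts; the EDNS line ("flags: do") is a
        # different set of flags and must not be mistaken for it.
        /^;; flags:/ {
            line = $0
            sub(/^;; flags:[ ]*/, "", line)   # drop the prefix
            sub(/;.*$/, "", line)             # drop everything after the flag list
            n = split(line, f, " ")
            for (i = 1; i <= n; i++) if (f[i] == "ad") ad = 1
        }
        END {
            if (status == "SERVFAIL")              print "servfail"
            else if (status == "NOERROR" && ad)    print "authenticated"
            else                                   print "unauthenticated"
        }'
}

# answer_is_authenticated DIG_OUTPUT: exit status 0 only for a validated answer.
answer_is_authenticated() {
    [ "$(classify_answer "$1")" = authenticated ]
}

# Constructed sample dig outputs (abridged; addresses are documentation ranges).
# 1. A local validating named answering a +dnssec query for a signed zone.
SAMPLE_LOCAL_NAMED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
; EDNS: version: 0, flags: do; udp: 4096
;; ANSWER SECTION:
example.net.            3600    IN      A       192.0.2.10
example.net.            3600    IN      RRSIG   A 5 2 3600 (constructed sample)'

# 2. A non-validating forwarding cache of the kind handed out by DHCP.
SAMPLE_COFFEE_SHOP=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; ANSWER SECTION:
example.net.            3600    IN      A       192.0.2.10'

# 3. A validating resolver that could not verify the signatures.
SAMPLE_BOGUS=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4244
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

for sample in "$SAMPLE_LOCAL_NAMED" "$SAMPLE_COFFEE_SHOP" "$SAMPLE_BOGUS"; do
    if answer_is_authenticated "$sample"; then
        echo "validated answer:     $(classify_answer "$sample")"
    else
        echo "do not rely on this:  $(classify_answer "$sample")"
    fi
done
```

Against a live resolver, capture `dig +dnssec example.net.` (or `dig +dnssec example.net. @127.0.0.1` for a local named) into a variable and pass it to classify_answer; an "unauthenticated" result for a zone you know to be signed tells you that nothing in the chain you are using is validating, which is exactly the coffee-shop situation described above.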