Date: Wed, 23 Jul 2008 10:54:34 +1000
From: Mark Andrews <Mark_Andrews@isc.org>
To: Matthew Seaman <m.seaman@infracaninophile.co.uk>
Cc: Doug Barton <dougb@freebsd.org>, freebsd-stable@freebsd.org
Subject: Re: FreeBSD 7.1 and BIND exploit
Message-ID: <200807230054.m6N0sYKi008687@drugs.dv.isc.org>
In-Reply-To: Your message of "Tue, 22 Jul 2008 19:37:32 +0100." <488628EC.5030801@infracaninophile.co.uk>
> Doug Barton wrote:
> > Matthew Seaman wrote:
> >
> >> Are there any plans to enable DNSSEC capability in the resolver built
> >> into FreeBSD?
> >
> > The server is already capable of it. I'm seriously considering enabling
> > the define to make the CLI tools (dig/host/nslookup) capable as well
> > (there is already an OPTION for this in ports).
>
> Forgive me for being obtuse. What I meant was the capability to enable
> checking signatures on DNS RRs as a routine effect of getnameinfo() etc.
> by modifying resolver(3) routines or similar locally, without needing a
> DNSSEC enabled recursive resolver listed in resolv.conf? I've a feeling
> the answer is no, but I haven't been able to find anything definitive.
>
> Which I suppose simply means that if you're in the habit of, for example,
> taking your laptop into the coffee shop and getting on line there then you
> need to run your own instance of named on your laptop rather than blindly
> trusting whatever servers the coffee shop provides via their DHCP.

Use a local (on machine) validating caching nameserver.

> > The problem is that _using_ DNSSEC requires configuration changes in
> > named.conf, and more importantly, configuration of "trust anchors" (even
> > for the command line stuff) since the root is not signed. It's not hard
> > to do that with the DLV system that ISC has in place, and I would be
> > willing to create a conf file that shows how to do that for users to
> > include if they choose to. I am not comfortable enabling it by default
> > (not yet anyway), it's too big of a POLA issue.
>
> I sense a business opportunity in providing DLV there. I'm wondering why
> the likes of Verisign (including Thawte and Geotrust), Comodo group and
> GoDaddy aren't circling like vultures over a dead wildebeest. Perhaps they
> are.

You only need one DLV. ISC is offering the service for free. Donations
welcome as it does cost to run the service.

> Cheers,
>
> Matthew
>
> --
> Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
>                                                   Flat 3
> PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
>                                                   Kent, CT11 9PW

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews@isc.org
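As an added illustration of the local validating caching nameserver Mark recommends (this is an example written for this page, not the conf file Doug offers to write nor anything shipped by ISC or FreeBSD), here is a minimal named.conf for a laptop running BIND 9 of the thread's era. It assumes FreeBSD's /etc/namedb layout and the 2008 situation the thread describes (root unsigned, trust obtained through ISC's DLV registry); the DLV key is a placeholder, to be replaced with the key ISC publishes rather than anything typed from here.

```conf
// Added example: a local, validating, caching-only named for one machine.
// Assumptions: BIND 9.4/9.5 syntax; FreeBSD /etc/namedb layout; the DLV
// key below is a PLACEHOLDER, not a real key.
options {
    directory "/etc/namedb";
    listen-on { 127.0.0.1; };        // answer only this machine
    listen-on-v6 { ::1; };
    recursion yes;
    allow-query { localhost; };      // refuse queries from the coffee-shop LAN
    allow-recursion { localhost; };
    dnssec-enable yes;
    dnssec-validation yes;           // signatures are checked here, not in libc
    // The root is unsigned (2008), so chains of trust are looked up in DLV.
    dnssec-lookaside . trust-anchor dlv.isc.org;
};

// The DLV zone's KSK is the single trust anchor this resolver needs
// (Mark's "you only need one DLV"). Obtain it from ISC over a trusted
// channel and verify it before pasting it in.
trusted-keys {
    dlv.isc.org. 257 3 5 "<DLV-KSK-PUBLIC-KEY-BASE64-PLACEHOLDER>";
};

// Root hints as shipped with FreeBSD's BIND.
zone "." { type hint; file "named.root"; };
```

Point resolv.conf at `nameserver 127.0.0.1` and stop dhclient from overwriting it (`supersede domain-name-servers 127.0.0.1;` in dhclient.conf), otherwise the coffee shop's DHCP still wins. Since the root has been signed (2010) and ISC's DLV registry was shut down (2017), a current BIND needs only `dnssec-validation auto;` with no lookaside or trusted-keys block.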
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200807230054.m6N0sYKi008687>