From owner-freebsd-stable@FreeBSD.ORG Thu Jan 7 23:31:31 2010
From: "Kevin Oberman"
To: Doug Barton
Cc: Thomas Rasmussen, freebsd-stable@freebsd.org
Date: Thu, 07 Jan 2010 15:31:17 -0800
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-10:01.bind
Message-Id: <20100107233117.C73E91CC0B@ptavv.es.net>
In-reply-to: Your message of "Thu, 07 Jan 2010 15:16:43 PST." <4B466B5B.6060009@FreeBSD.org>

> Date: Thu, 07 Jan 2010 15:16:43 -0800
> From: Doug Barton
> Sender: owner-freebsd-stable@freebsd.org
>
> Thomas Rasmussen wrote:
> > Hello,
> >
> > While this is all true, this vulnerability is for caching servers,
> > not authoritative ones. It is pretty easy to set up DLV validation on a
> > recursive bind server. However, it is not enabled by default on FreeBSD,
> > so Stephen should be safe.
>
> FWIW, I agree with Thomas.

As do I. Guess I've been putting so much effort into getting my zones
signed that DNSSEC took me in the wrong direction.

No, a default config won't make you vulnerable, but making yourself
vulnerable is not hard at all, especially if you use the DLV.

--
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: oberman@es.net                  Phone: +1 510 486-8634
Key fingerprint: 059B 2DDF 031C 9BA3 14A4 EADA 927D EBB3 987B 3751
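A check in the spirit of the caching-versus-authoritative distinction made above, added here as an example and not taken from the thread or from FreeBSD: a small sh script that reads a BIND 9 named.conf and reports whether the server recurses and whether DNSSEC or DLV validation is switched on, which is what decides whether the advisory applies to a given host. It assumes the BIND 9 directive names recursion, dnssec-validation and dnssec-lookaside; the two configurations it reads are constructed for the demonstration, not real FreeBSD files.

```shell
#!/bin/sh
# Added example (not from the thread): classify a BIND 9 named.conf by whether
# it is a recursive server and whether DNSSEC / DLV validation is switched on.
# Assumes the BIND 9 option names "recursion", "dnssec-validation" and
# "dnssec-lookaside"; the two configs below are constructed for the demo.

SAMPLE_RESOLVER=$(mktemp)
cat > "$SAMPLE_RESOLVER" <<'EOF'
options {
    directory "/etc/namedb/working";
    recursion yes;                      # caching resolver
    dnssec-enable yes;
    dnssec-validation yes;
    // dnssec-lookaside auto;           // commented out, so not active
    dnssec-lookaside . trust-anchor dlv.isc.org.;
};
EOF

SAMPLE_AUTH=$(mktemp)
cat > "$SAMPLE_AUTH" <<'EOF'
options {
    directory "/etc/namedb/working";
    recursion no;                       # authoritative-only, no cache to poison
    dnssec-enable yes;
};
EOF
trap 'rm -f "$SAMPLE_RESOLVER" "$SAMPLE_AUTH"' EXIT

# Print the first argument of a top-level directive, ignoring // and # comments.
# Prints nothing when the directive is absent. (Simplification: does not parse
# "view" blocks, included files or trusted-keys.)
option_value() {
    sed -e 's#//.*$##' -e 's/#.*$//' "$1" |
        awk -v d="$2" '$1 == d { sub(/;.*/, "", $2); print $2; exit }'
}

# BIND defaults to "recursion yes" when the directive is not set.
recursion_enabled() {
    case "$(option_value "$1" recursion)" in
        no) echo no ;;
        *)  echo yes ;;
    esac
}

# Treated as on for "yes" or "auto"; anything else (including absent) as off.
validation_enabled() {
    case "$(option_value "$1" dnssec-validation)" in
        yes|auto) echo yes ;;
        *)        echo no ;;
    esac
}

# DLV is on when dnssec-lookaside names a zone (e.g. ".") or is "auto".
dlv_enabled() {
    case "$(option_value "$1" dnssec-lookaside)" in
        ""|no) echo no ;;
        *)     echo yes ;;
    esac
}

# One-word summary of what the "caching server" distinction means for a config.
resolver_status() {
    if [ "$(recursion_enabled "$1")" = no ]; then
        echo authoritative-only
    elif [ "$(dlv_enabled "$1")" = yes ]; then
        echo recursive-dlv-validating
    elif [ "$(validation_enabled "$1")" = yes ]; then
        echo recursive-validating
    else
        echo recursive-not-validating
    fi
}

for conf in "$SAMPLE_RESOLVER" "$SAMPLE_AUTH"; do
    printf '%s: %s\n' "$conf" "$(resolver_status "$conf")"
done
```

Point resolver_status at a real /etc/namedb/named.conf to get the same one-word answer for a host; the parser is deliberately minimal, so a server that enables validation inside a view block, an included file or via trusted-keys will be reported as not validating and needs a manual look.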