From owner-cvs-all  Mon Dec 14 22:42:18 1998
Return-Path: <owner-cvs-all@FreeBSD.ORG>
Received: (from majordom@localhost)
          by hub.freebsd.org (8.8.8/8.8.8) id WAA20619
          for cvs-all-outgoing; Mon, 14 Dec 1998 22:42:18 -0800 (PST)
          (envelope-from owner-cvs-all@FreeBSD.ORG)
Received: from apollo.backplane.com (apollo.backplane.com [209.157.86.2])
          by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id WAA20614
          for <committers@FreeBSD.ORG>; Mon, 14 Dec 1998 22:42:15 -0800 (PST)
          (envelope-from dillon@apollo.backplane.com)
Received: (from dillon@localhost)
	by apollo.backplane.com (8.9.1/8.9.1) id WAA51995;
	Mon, 14 Dec 1998 22:41:52 -0800 (PST)
	(envelope-from dillon)
Date: Mon, 14 Dec 1998 22:41:52 -0800 (PST)
From: Matthew Dillon <dillon@apollo.backplane.com>
Message-Id: <199812150641.WAA51995@apollo.backplane.com>
To: Peter Wemm <peter@netplex.com.au>
Cc: Dag-Erling Smorgrav <des@flood.ping.uio.no>, committers@FreeBSD.ORG
Subject: Re: Bind sandbox bogosity 
References:  <199812150629.OAA03361@spinner.netplex.com.au>
Sender: owner-cvs-all@FreeBSD.ORG
Precedence: bulk

:
:The interface scanning is necessary, because the DNS replies *must* come 
:from the same IP address as the query was sent to.  With a multihomed 
:host, replying from the nearest return interface is not allowed.
:
:For a static machine, this isn't a problem.  For a machine with dynamic 
:interface changes (eg: PPP links) it is a big thing.  Of course, being 
:able to control which addresses the queries got sent to would be an 
:alternative..  Or not running named at all on such boxes.
:
:Cheers,
:-Peter

    This is true, and works in the sandbox.  What doesn't work is the case
    where an interface is brought down are given a new address. 

    Sigh.  I'm not rabid about keeping bind in the sandbox but, damn it,
    it sure would be nice if we could ship a reasonably secure system.  Lets
    stick with it a while longer and rip it out prior to the 3.0.1 release
    if it looks like it will be too much of a liability.

						-Matt

    Matthew Dillon  Engineering, HiWay Technologies, Inc. & BEST Internet 
                    Communications & God knows what else.
    <dillon@backplane.com> (Please include original email in any response)    

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe cvs-all" in the body of the message