From owner-freebsd-security@FreeBSD.ORG Wed Jul 9 12:16:17 2008
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 244851065671 for ; Wed, 9 Jul 2008 12:16:17 +0000 (UTC) (envelope-from jille@hexon.cx)
Received: from mulgore.hexon-is.nl (mulgore.hexon-is.nl [82.94.237.14]) by mx1.freebsd.org (Postfix) with ESMTP id A12088FC0C for ; Wed, 9 Jul 2008 12:16:16 +0000 (UTC) (envelope-from jille@hexon.cx)
Received: from [10.0.0.72] ([10.15.16.6]) (authenticated bits=0) by mulgore.hexon-is.nl (8.14.1/8.13.8) with ESMTP id m69C0Egu023236; Wed, 9 Jul 2008 14:00:15 +0200
Message-ID: <4874A864.3080909@hexon.cx>
Date: Wed, 09 Jul 2008 14:00:36 +0200
From: Jille Timmmermans
User-Agent: Thunderbird 2.0.0.14 (Windows/20080421)
MIME-Version: 1.0
To: Oliver Fromme
References: <200807091054.m69As4eH065391@lurza.secnetix.de>
In-Reply-To: <200807091054.m69As4eH065391@lurza.secnetix.de>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Hexon-MailScanner-Information: Please contact the ISP for more information
X-Hexon-MailScanner: Found to be clean
X-Hexon-MailScanner-From: jille@hexon.cx
X-Mailman-Approved-At: Wed, 09 Jul 2008 12:28:29 +0000
Cc: freebsd-security@freebsd.org
Subject: Re: BIND update?
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues \[members-only posting\]"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Wed, 09 Jul 2008 12:16:17 -0000

That sysctl applies to sockets that don't get bind(2), or bind(2) to port 0.
(Wild guess ahead!)
BIND probably always binds to the same port, or uses the same socket, etc.

-- Jille

Oliver Fromme wrote:
> Andrew Storms wrote:
> > http://www.isc.org/index.pl?/sw/bind/bind-security.php
>
> I'm just wondering ...
>
> ISC's patches cause source ports to be randomized, thus
> making it more difficult to spoof response packets.
>
> But doesn't FreeBSD already randomize source ports by
> default? So, do FreeBSD systems need to be patched
> at all?
>
> Best regards
> Oliver
>
> PS:
> $ sysctl net.inet.ip.portrange.randomized
> net.inet.ip.portrange.randomized: 1
> $ sysctl -d net.inet.ip.portrange.randomized
> net.inet.ip.portrange.randomized: Enable random port allocation
>
>
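The script below is an added example, not part of this thread and not code from BIND or FreeBSD. It illustrates the distinction Jille draws: a UDP socket that never calls bind(2), or that binds to port 0, has its local port chosen by the kernel, so a kernel policy such as `net.inet.ip.portrange.randomized` governs it; a socket bound to a fixed port gets exactly that port, and no kernel-side randomization setting can change it. It also includes a small diversity measure that a defender can apply to source ports observed from a resolver (for example from a packet capture) to see whether the queries vary their port or stay pinned to one. It runs on any POSIX host; whether the kernel-assigned ports are actually random is the local kernel's policy, which the script does not test. The fixed port used in the demo is constructed on the fly from whatever the kernel hands out first.

```python
import socket


def local_udp_port(bind_port=None, host="127.0.0.1"):
    """Create a UDP socket and return the local port it ends up with.

    bind_port=None : no bind(2) at all; connect() makes the kernel assign a port
    bind_port=0    : explicit bind(2) to port 0; the kernel assigns a port
    bind_port=N    : explicit bind(2) to port N; the application chose it

    Only the first two cases are subject to the kernel's ephemeral-port policy
    (on FreeBSD, the net.inet.ip.portrange.randomized sysctl quoted in the
    thread); the third case is outside its reach.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        if bind_port is None:
            # connect() on a UDP socket sends nothing; it only fixes the local
            # address, which forces the kernel to pick an ephemeral port now.
            s.connect((host, 53))
        else:
            s.bind((host, bind_port))
        return s.getsockname()[1]
    finally:
        s.close()


def sample_ports(n, bind_port=None):
    """Open n sockets in turn (closing each) and collect their local ports."""
    return [local_udp_port(bind_port) for _ in range(n)]


def port_diversity(ports):
    """Normalised count of distinct values in a list of observed source ports.

    1.0 means every observation used a different port (what source-port
    randomization is meant to achieve); 0.0 means the sender is pinned to a
    single port, which a per-socket kernel policy cannot fix.
    """
    if len(ports) < 2:
        raise ValueError("need at least two observations")
    return (len(set(ports)) - 1) / (len(ports) - 1)


if __name__ == "__main__":
    unbound = sample_ports(20)
    bound_zero = sample_ports(20, bind_port=0)
    # Constructed fixed port for the demo: whatever the kernel hands out once.
    fixed = local_udp_port(0)
    pinned = sample_ports(20, bind_port=fixed)
    print("no bind(2)       diversity: %.2f" % port_diversity(unbound))
    print("bind(2) port 0   diversity: %.2f" % port_diversity(bound_zero))
    print("bind(2) port %-5d diversity: %.2f" % (fixed, port_diversity(pinned)))
```

Run it as a script to see the three cases side by side; the pinned case always reports 0.00 regardless of any kernel randomization setting, which is the behaviour Jille suspects of a resolver that keeps one socket or one fixed port for all its queries. To assess a real resolver, feed `port_diversity()` the UDP source ports taken from its outgoing queries rather than the locally opened sockets used here.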