From owner-freebsd-security@FreeBSD.ORG  Sun Aug  3 17:21:35 2008
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 73CF31065680
	for <freebsd-security@freebsd.org>;
	Sun,  3 Aug 2008 17:21:35 +0000 (UTC)
	(envelope-from dougb@FreeBSD.org)
Received: from mail2.fluidhosting.com (mx23.fluidhosting.com [204.14.89.6])
	by mx1.freebsd.org (Postfix) with ESMTP id AEB638FC1A
	for <freebsd-security@freebsd.org>;
	Sun,  3 Aug 2008 17:21:34 +0000 (UTC)
	(envelope-from dougb@FreeBSD.org)
Received: (qmail 12911 invoked by uid 399); 3 Aug 2008 17:21:33 -0000
Received: from localhost (HELO lap.dougb.net) (dougb@dougbarton.us@127.0.0.1)
	by localhost with ESMTPAM; 3 Aug 2008 17:21:33 -0000
X-Originating-IP: 127.0.0.1
X-Sender: dougb@dougbarton.us
Message-ID: <4895E91B.3000002@FreeBSD.org>
Date: Sun, 03 Aug 2008 10:21:31 -0700
From: Doug Barton <dougb@FreeBSD.org>
Organization: http://www.FreeBSD.org/
User-Agent: Thunderbird 2.0.0.16 (X11/20080726)
MIME-Version: 1.0
To: freebsd-security@freebsd.org
References: <Pine.LNX.4.64.0808021459580.23103@neptune.sinister.com>
In-Reply-To: <Pine.LNX.4.64.0808021459580.23103@neptune.sinister.com>
X-Enigmail-Version: 0.95.6
OpenPGP: id=D5B2F0FB
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Subject: Re: The BIND scandal
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues \[members-only posting\]"
	<freebsd-security.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
	<mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
	<mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sun, 03 Aug 2008 17:21:35 -0000

Bob is quite obviously trolling for a fight here, and I'm definitely 
not going to get sucked into that.

I would like to point out however that the _DNS_ vulnerability that is 
currently in wide discussion is not in any way related to BIND, it's a 
fundamental flaw in the protocol related to response forgery. All 
major vendors of DNS systems and the IETF working groups on DNS are 
trying to find a permanent solution for this problem. As a stop-gap 
measure ISC has adopted the same solution for BIND that has proven 
effective for other vendors, randomizing the query source port. You 
can find more information about this issue here:

  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1447
  http://www.kb.cert.org/vuls/id/800113
  http://tools.ietf.org/html/draft-ietf-dnsext-forgery-resilience


Hope this helps,

Doug

-- 

     This .signature sanitized for your protection