FreeBSD 7.1 and BIND exploit

Paul Schmehl pschmehl_lists at tx.rr.com
Tue Jul 22 17:28:13 UTC 2008


--On Tuesday, July 22, 2008 09:37:14 -0700 Doug Barton <dougb at FreeBSD.org> 
wrote:

> Clifton Royston wrote:
>>   I also think that modular design of security-sensitive tools is the
>> way to go, with his DNS tools as with Postfix.
>
> Dan didn't write postfix, he wrote qmail.

I think his point was that djbdns is modular just like Postfix is modular - not 
that Dan wrote both.  I'm pretty sure everyone on the planet knows that Wietse 
wrote/maintains Postfix.

If djbdns was as easy to set up as Postfix is, I'd use it too.

>
> If you're interested in a resolver-only solution (and that is not a bad way
> to go) then you should evaluate dns/unbound. It is a lightweight
> resolver-only server that has a good security model and already implements
> query port randomization. It also has the advantage of being maintained, and
> compliant to 21st Century DNS standards including DNSSEC (which, btw, is the
> real solution to the response forgery problem, it just can't be deployed
> universally before 8/5).
>

What happens on 8/5?

-- 
Paul Schmehl
As if it wasn't already obvious,
my opinions are my own and not
those of my employer.
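As an added illustration of the resolver-only setup Doug recommends above (this is example configuration, not part of the original thread or of the Unbound project's documentation), a minimal unbound.conf that runs a validating, local-only resolver with the hardening options the quoted text alludes to. The trust-anchor path and the interface/network values are assumptions for this example; adjust them to the host.

```conf
# Example unbound.conf (constructed for illustration; adjust paths and networks).
server:
    # Listen only on loopback; this is a resolver for local clients, not an authoritative server.
    interface: 127.0.0.1
    access-control: 127.0.0.0/8 allow
    access-control: 0.0.0.0/0 refuse

    # Enable DNSSEC validation. The anchor file path is an assumption;
    # it is normally primed with `unbound-anchor` before first start.
    auto-trust-anchor-file: "/var/unbound/root.key"

    # Drop responses that should be signed but arrive without signatures,
    # and do not trust out-of-bailiwick glue.
    harden-dnssec-stripped: yes
    harden-glue: yes

    # Extra entropy against response forgery (0x20 query-name case randomization).
    use-caps-for-id: yes

    # A larger pool of outgoing sockets gives the source-port randomization more room.
    outgoing-range: 4096
```

Validation can be checked from a client with `dig +dnssec` against 127.0.0.1: a validated answer carries the AD flag, and a deliberately bogus zone should return SERVFAIL rather than an answer.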
