FreeBSD 7.1 and BIND exploit
Mark Andrews
Mark_Andrews at isc.org
Wed Jul 23 00:54:35 UTC 2008
> Doug Barton wrote:
> > Matthew Seaman wrote:
> >
> >> Are there any plans to enable DNSSEC capability in the resolver built
> >> into FreeBSD?
> >
> > The server is already capable of it. I'm seriously considering enabling
> > the define to make the CLI tools (dig/host/nslookup) capable as well
> > (there is already an OPTION for this in ports).
>
> Forgive me for being obtuse. What I meant was the capability to enable
> checking signatures on DNS RRs as a routine effect of getnameinfo() etc.
> by modifying resolver(3) routines or similar locally, without needing a
> DNSSEC-enabled recursive resolver listed in resolv.conf? I've a feeling
> the answer is no, but I haven't been able to find anything definitive.
>
> Which I suppose simply means that if you're in the habit of, for example,
> taking your laptop into the coffee shop and getting online there, then you
> need to run your own instance of named on your laptop rather than blindly
> trusting whatever servers the coffee shop provides via their DHCP.
Use a local (on machine) validating caching nameserver.
> > The problem is that _using_ DNSSEC requires configuration changes in
> > named.conf, and more importantly, configuration of "trust anchors" (even
> > for the command line stuff) since the root is not signed. It's not hard
> > to do that with the DLV system that ISC has in place, and I would be
> > willing to create a conf file that shows how to do that for users to
> > include if they choose to. I am not comfortable enabling it by default
> > (not yet anyway), it's too big of a POLA issue.
>
> I sense a business opportunity in providing DLV there. I'm wondering why
> the likes of Verisign (including Thawte and Geotrust), Comodo group and
> GoDaddy aren't circling like vultures over a dead wildebeest. Perhaps they
> are.
You only need one DLV. ISC is offering the service for free.
Donations welcome as it does cost to run the service.
> Cheers,
>
> Matthew
>
> --
> Dr Matthew J Seaman MA, D.Phil.
> PGP: http://www.infracaninophile.co.uk/pgpkey
> 7 Priory Courtyard, Flat 3, Ramsgate, Kent, CT11 9PW
>
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
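The setup recommended in this thread, a validating caching nameserver on the laptop itself with ISC's DLV registry as the trust anchor, as an added named.conf example: it is not a file from this thread or from the FreeBSD port, it assumes BIND 9.4-era syntax as shipped with FreeBSD 7.x, and the DLV key string is a placeholder to be replaced with the key ISC publishes.

```conf
// Added example: local validating caching resolver bound to loopback only,
// using ISC's DLV registry as the lookaside trust anchor.
// BIND 9.4-style syntax; the key material below is a placeholder.
options {
    directory "/etc/namedb";
    listen-on { 127.0.0.1; };     // reachable from this host only
    allow-query { localhost; };   // nothing else may use the cache
    recursion yes;                // caching resolver, not authoritative
    dnssec-enable yes;
    dnssec-validation yes;        // verify RRSIGs on every answer we cache
    // The root is unsigned, so look aside in ISC's DLV registry for a
    // chain of trust to any zone that has registered a key there.
    dnssec-lookaside "." trust-anchor "dlv.isc.org.";
};

// The DLV registry's own key is the one trust anchor that has to be
// configured by hand; without it the lookaside adds no assurance at all.
// Replace the placeholder with the DNSKEY ISC publishes for dlv.isc.org.
trusted-keys {
    "dlv.isc.org." 257 3 5 "PLACEHOLDER-DLV-KEY-FROM-ISC";
};

// Root hints so the recursive server can start resolution on its own.
zone "." {
    type hint;
    file "named.root";
};
```

Point /etc/resolv.conf at 127.0.0.1 and, on a DHCP laptop, add `supersede domain-name-servers 127.0.0.1;` to dhclient.conf so the coffee shop's servers never replace it. A `dig +dnssec` of a DLV-registered name against 127.0.0.1 should then return the `ad` flag, and a tampered or unsigned-where-signature-expected answer should come back SERVFAIL.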