FreeBSD 7.1 and BIND exploit
Clifton Royston
cliftonr at lava.net
Tue Jul 22 17:03:51 UTC 2008
On Tue, Jul 22, 2008 at 09:37:14AM -0700, Doug Barton wrote:
> Clifton Royston wrote:
> > I also think that modular design of security-sensitive tools is the
> > way to go, with his DNS tools as with Postfix.
>
> Dan didn't write postfix, he wrote qmail.
I know, but I think qmail sucks. Wietse didn't write a DNS server
or I'd probably be using that. :-)
> If you're interested in a resolver-only solution (and that is not a
> bad way to go) then you should evaluate dns/unbound. It is a
> lightweight resolver-only server that has a good security model and
> already implements query port randomization. It also has the advantage
> of being maintained, and compliant with 21st Century DNS standards
> including DNSSEC (which, btw, is the real solution to the response
> forgery problem, it just can't be deployed universally before 8/5).
Sounds interesting; is it a caching resolver?
I'm not totally convinced DNSSEC would solve everything (though it
would solve the current vulnerability) but I'm not sure I follow the
arguments pro and con.
-- Clifton
--
Clifton Royston -- cliftonr at iandicomputing.com / cliftonr at lava.net
President - I and I Computing * http://www.iandicomputing.com/
Custom programming, network design, systems and network consulting services
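The thread above turns on one mitigation, query source port randomization, which is also the property a reader can verify on their own resolver. The following is an added example, not code from this thread, from BIND, or from unbound: it assumes the reader has already extracted (txid, source_port) pairs from a capture of the resolver's outbound UDP/53 queries and only classifies how predictable those values are. All sample pairs in the block are constructed.

```python
"""Added example: check whether a resolver randomizes DNS query source ports.

Feed it (txid, source_port) pairs taken from outbound UDP/53 queries, e.g.
parsed from a packet capture. A resolver that reuses one port or walks
through ports sequentially leaves a forger only the 16-bit TXID to guess;
random ports add the port bits on top of that.
"""
import math
from collections import Counter


def _entropy_bits(values):
    """Shannon entropy of the observed values, in bits (at most log2(len))."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())


def classify_sequence(values, min_distinct_ratio=0.9):
    """Label a sequence of ports (or TXIDs) as fixed, sequential,
    low-entropy, or randomized."""
    if len(values) < 2:
        raise ValueError("need at least two samples")
    distinct = len(set(values))
    if distinct == 1:
        return "fixed"
    strides = {b - a for a, b in zip(values, values[1:])}
    if len(strides) == 1:          # constant stride, e.g. +1 per query
        return "sequential"
    if distinct < min_distinct_ratio * len(values):
        return "low-entropy"
    return "randomized"


def assess_queries(queries):
    """Summarize how guessable the (port, txid) pair of a response would be.

    guess_space_bits is a lower bound: observed entropy cannot exceed
    log2(sample size), so a small capture understates a good RNG. Fixed or
    sequential values contribute zero bits because they are predictable.
    """
    txids = [t for t, _ in queries]
    ports = [p for _, p in queries]
    port_class = classify_sequence(ports)
    txid_class = classify_sequence(txids)
    unpredictable = ("randomized", "low-entropy")
    port_bits = _entropy_bits(ports) if port_class in unpredictable else 0.0
    txid_bits = _entropy_bits(txids) if txid_class in unpredictable else 0.0
    return {
        "port_pattern": port_class,
        "txid_pattern": txid_class,
        "distinct_ports": len(set(ports)),
        "guess_space_bits": round(port_bits + txid_bits, 2),
        "vulnerable": port_class in ("fixed", "sequential"),
    }


# Constructed samples for three hypothetical resolvers (not from any real capture).
TXIDS = [0x4a1f, 0x09c3, 0xe77b, 0x2d10, 0xb8a4, 0x5f62, 0x9e0d, 0x31c8,
         0xf406, 0x7b95, 0x1c3a, 0xa2e1, 0x68d7, 0xd05c, 0x3f79, 0x8ab2]
FIXED_PORT = [(t, 32769) for t in TXIDS]                        # one port for every query
SEQUENTIAL_PORT = [(t, 1025 + i) for i, t in enumerate(TXIDS)]  # port increments per query
RANDOM_PORT = list(zip(TXIDS, [
    51234, 3391, 60017, 17842, 44560, 9023, 58771, 22409,
    61102, 30518, 5677, 39860, 12945, 54206, 27399, 48131]))

if __name__ == "__main__":
    for name, sample in (("fixed", FIXED_PORT), ("sequential", SEQUENTIAL_PORT),
                         ("random", RANDOM_PORT)):
        print(name, assess_queries(sample))
```

With the constructed samples, the fixed and sequential resolvers are flagged vulnerable and credited only the TXID entropy, while the randomized one is credited both; because sixteen samples cap the observed entropy at 4 bits per field, treat the reported figure as a floor and capture a few thousand queries before drawing conclusions about a real resolver.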
More information about the freebsd-stable mailing list