Re: FreeBSD 7.1 and BIND exploit

--On Tuesday, July 22, 2008 09:37:14 -0700 Doug Barton <dougb@xxxxxxxxxxx> wrote:

> Clifton Royston wrote:
>> I also think that modular design of security-sensitive tools is the
>> way to go, with his DNS tools as with Postfix.
>
> Dan didn't write postfix, he wrote qmail.

I think his point was that djbdns is modular just like Postfix is modular - not that Dan wrote both. I'm pretty sure everyone on the planet knows that Wietse wrote/maintains Postfix.

If djbdns was as easy to set up as Postfix is, I'd use it too.


> If you're interested in a resolver-only solution (and that is not a bad way
> to go) then you should evaluate dns/unbound. It is a lightweight
> resolver-only server that has a good security model and already implements
> query port randomization. It also has the advantage of being maintained, and
> compliant with 21st Century DNS standards including DNSSEC (which, btw, is the
> real solution to the response forgery problem, it just can't be deployed
> universally before 8/5).

What happens on 8/5?

--
Paul Schmehl
As if it wasn't already obvious,
my opinions are my own and not
those of my employer.
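Doug's point about query port randomization is that a forged response has to match both the 16-bit transaction ID and the UDP source port of the outstanding query, so a resolver that sends every query from one port leaves only the TXID to guess. The script below is an added illustration of how an administrator can check their own resolver for that weakness; it is not code from this thread, nor from unbound, BIND or djbdns. It reads tcpdump-style one-line summaries of a resolver's outgoing queries and reports whether the source ports look fixed, sequential or randomized, together with the observed entropy of ports and TXIDs. The log samples are constructed, the regex assumes tcpdump's default query summary layout, and every function name (`parse_queries`, `port_pattern`, `assess`, `make_log`) is the example's own.

```python
"""Estimate how predictable a resolver's outgoing query source ports are.

Hypothetical helper for this example only. A spoofed reply must match the
query's TXID (16 bits) and its UDP source port, so a resolver that reuses one
port exposes just 2^16 guesses; random ports add up to ~16 bits more.
"""
import re
from collections import Counter
from math import log2

# tcpdump's one-line summary of an outgoing UDP DNS query looks like:
#   12:00:01.001 IP 192.0.2.10.53412 > 198.51.100.1.53: 41523 A? a.example. (27)
# The regex assumes that layout (an assumption of this example, not a spec).
QUERY_RE = re.compile(
    r"IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.53: (?P<txid>\d+)\+? "
)


def parse_queries(log_text):
    """Return (source_port, txid) pairs for every line that parses as a query."""
    pairs = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            pairs.append((int(m.group("sport")), int(m.group("txid"))))
    return pairs


def shannon_bits(values):
    """Observed Shannon entropy in bits; bounded above by log2(sample size)."""
    n = len(values)
    if n == 0:
        return 0.0
    counts = Counter(values)
    return max(0.0, -sum((c / n) * log2(c / n) for c in counts.values()))


def port_pattern(ports):
    """Classify the port sequence as 'fixed', 'sequential' or 'randomized'."""
    if len(ports) < 2:
        return "insufficient data"
    if len(set(ports)) == 1:
        return "fixed"
    steps = {b - a for a, b in zip(ports, ports[1:])}
    if len(steps) == 1:  # constant stride, e.g. 1025, 1026, 1027, ...
        return "sequential"
    return "randomized"


def assess(log_text):
    """Summarise a query log: count, port pattern and entropy of ports/TXIDs."""
    pairs = parse_queries(log_text)
    ports = [p for p, _ in pairs]
    txids = [t for _, t in pairs]
    return {
        "queries": len(pairs),
        "port_pattern": port_pattern(ports),
        "port_bits": shannon_bits(ports),
        "txid_bits": shannon_bits(txids),
    }


def make_log(ports, txids):
    """Build constructed tcpdump-style lines for a given port/TXID sequence."""
    return "\n".join(
        f"12:00:01.{i:03d} IP 192.0.2.10.{p} > 198.51.100.1.53: {t} A? q{i}.example. (28)"
        for i, (p, t) in enumerate(zip(ports, txids), start=1)
    )


# Constructed sample data: same eight TXIDs, three different port behaviours.
TXIDS = [41523, 9981, 60021, 33004, 12345, 55210, 7770, 48912]
FIXED_PORT_LOG = make_log([53] * 8, TXIDS)                # every query from port 53
SEQUENTIAL_PORT_LOG = make_log(range(1025, 1033), TXIDS)  # 1025, 1026, ..., 1032
RANDOM_PORT_LOG = make_log(
    [41911, 2077, 61520, 30118, 9443, 57201, 18335, 46790], TXIDS
)

if __name__ == "__main__":
    for name, log in (("fixed", FIXED_PORT_LOG),
                      ("sequential", SEQUENTIAL_PORT_LOG),
                      ("random", RANDOM_PORT_LOG)):
        print(f"{name:>10}: {assess(log)}")
```

With only eight lines the entropy figures are capped at three bits, so a short capture only reveals the pattern; a few hundred outgoing queries captured on the resolver's upstream interface give a meaningful estimate. Capture on the outside of any NAT as well: a resolver that randomizes its ports can still appear "fixed" or "sequential" to the internet if a NAT device rewrites the source ports on the way out.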

_______________________________________________
freebsd-stable@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "freebsd-stable-unsubscribe@xxxxxxxxxxx"