From: Lyndon Nerenberg
Organization: The Frobozz Magic Homing Pigeon Company
To: Mike Hoskins
Cc: security@FreeBSD.ORG
Subject: Re: md5 checksum server
In-reply-to: Your message of "Wed, 09 Oct 2002 14:34:48 PDT." <20021009142623.Q88247-100000@fubar.adept.org>
Message-Id: <200210092206.g99M6oGI092623@orthanc.ab.ca>
Date: Wed, 09 Oct 2002 16:06:49 -0600

Mike> This wouldn't be hard. Write a script that grabs the MD5
Mike> checksums from the ports collection (on a server that's
Mike> trusted and up to date) and turns the MD5 sums into TXT
Mike> records in a md5.somedomain.com DNS zone. Then people can
Mike> issue queries like sendmail.a.b.c.md5.somedomain.com and get
Mike> the MD5 sum returned for sendmail version a.b.c.

DNS isn't the right place for this.

1) it requires DNSSEC to ensure the MD5 record data isn't forged

2) DNS caching would hide updates for the duration of the TTL
   attached to the TXT record

--lyndon
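The publishing script and the client-side check for the scheme Mike describes, as an added example that is not code from either poster or from FreeBSD. It assumes the old ports distinfo line format `MD5 (file) = sum`, assumes the owner name is formed by dropping the archive suffix (so `sendmail.8.12.6.tar.gz` becomes `sendmail.8.12.6.md5.somedomain.com.`), and models Lyndon's first point as an `authenticated` flag the caller sets from the resolver's DNSSEC AD bit.

```python
import hashlib
import re

ZONE = "md5.somedomain.com."  # zone name taken from Mike's proposal
TTL = 3600  # assumed record TTL; updates stay hidden in caches this long (Lyndon's point 2)

# Constructed stand-in for a ports distfile and its distinfo line (not a real tarball).
SAMPLE_DISTFILE = b"constructed stand-in for sendmail.8.12.6.tar.gz contents\n"
SAMPLE_DISTINFO = [
    "MD5 (sendmail.8.12.6.tar.gz) = " + hashlib.md5(SAMPLE_DISTFILE).hexdigest(),
]

DISTINFO_RE = re.compile(r"^MD5 \((?P<file>[^)]+)\) = (?P<sum>[0-9a-f]{32})$")
SUFFIX_RE = re.compile(r"\.(tar\.gz|tar\.bz2|tgz|zip)$")


def owner_name(distfile: str) -> str:
    """Map a distfile name to its DNS owner name (assumed mapping:
    strip the archive suffix, keep name.version, append the zone)."""
    base = SUFFIX_RE.sub("", distfile)
    return f"{base}.{ZONE}"


def build_txt_records(distinfo_lines):
    """Publishing side: turn distinfo lines into zone-file TXT records.
    Lines that do not match the distinfo format are skipped."""
    records = []
    for line in distinfo_lines:
        m = DISTINFO_RE.match(line.strip())
        if not m:
            continue
        records.append(f'{owner_name(m["file"])} {TTL} IN TXT "{m["sum"]}"')
    return records


def verify_distfile(data: bytes, txt_value: str, authenticated: bool) -> bool:
    """Client side: accept the distfile only if the TXT answer was
    DNSSEC-validated (resolver set the AD bit; Lyndon's point 1) and the
    MD5 of the downloaded bytes matches the published sum."""
    if not authenticated:
        return False  # an unsigned answer could have been forged in transit
    return hashlib.md5(data).hexdigest() == txt_value.strip('"').lower()


if __name__ == "__main__":
    for rec in build_txt_records(SAMPLE_DISTINFO):
        print(rec)
```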