From: Mark Andrews <marka@isc.org>
To: Oliver Fromme, freebsd-stable@FreeBSD.ORG
Subject: Re: FreeBSD 7.1 and BIND exploit
Date: Wed, 23 Jul 2008 11:58:06 +1000
Message-Id: <200807230158.m6N1w6BR015766@drugs.dv.isc.org>
In-reply-to: Your message of "Tue, 22 Jul 2008 06:20:25 -1000." <20080722162024.GA1279@lava.net>
List-Id: Production branch of FreeBSD source code

> On Tue, Jul 22, 2008 at 05:52:42PM +0200, Oliver Fromme wrote:
> > Brett Glass wrote:
> > > At 02:24 PM 7/21/2008, Kevin Oberman wrote:
> > > >
> > > > Don't forget that ANY server that caches data, including an end system
> > > > running a caching only server is vulnerable.
> > >
> > > Actually, there is an exception to this. A "forward only"
> > > cache/resolver is only as vulnerable as its forwarder(s). This is a
> > > workaround for the vulnerability for folks who have systems that they
> > > cannot easily upgrade: point at a trusted forwarder that's patched.
> > >
> > > We're also looking at using dnscache from the djbdns package.
> >
> > I'm curious, is djbdns exploitable, too? Does it randomize
> > the source ports of UDP queries?
>
> AFAIK Dan Bernstein first spelled out the fundamental problems with
> DNS response forgery in 2001. He implemented dnscache to randomize
> source ports and IDs from the beginning, via a cryptographic quality
> RNG. See for instance this page, much of it written in 2003:
>

And the IETF was working on a solution well before that. One that
addressed not only off path attacks but also addressed on path attacks.
One that worked with kernels that only supported limited numbers of
file descriptors. One that worked regardless of the number of concurrent
outstanding queries. That solution is called DNSSEC.

We looked at what Dan did and said it didn't go far enough and that it
has implementation issues at high query rates that can't be solved just
by throwing more CPU at the problem. The problems are inherent to how
UDP works.

> He rubs a lot of people the wrong way, but I think he has usually
> proved to be right on security issues.

Dan is often right. However, a different, more encompassing solution
was chosen.

> I also think that modular design of security-sensitive tools is the
> way to go, with his DNS tools as with Postfix.
> -- Clifton
>
> --
> Clifton Royston -- cliftonr@iandicomputing.com / cliftonr@lava.net
> President - I and I Computing * http://www.iandicomputing.com/
> Custom programming, network design, systems and network consulting services

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews@isc.org
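The thread above turns on whether a cache randomizes the UDP source port and transaction ID of its outgoing queries. The following is an added example, not code from the thread or from BIND or djbdns: given observed (source port, ID) pairs from your own resolver, it estimates how much entropy each field shows and flags a fixed port or counter-style IDs. The helper names and the two sample sets are constructed for illustration.

```python
# Added example (not from the thread): rough check of how much entropy a
# resolver's outgoing queries show in UDP source port and DNS transaction ID.
import math
import random
from collections import Counter


def shannon_bits(values):
    """Empirical entropy in bits; it cannot exceed log2(len(values))."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())


def looks_sequential(values, max_step=2):
    """True if every consecutive pair differs by 0..max_step (mod 2^16)."""
    steps = [(b - a) % 65536 for a, b in zip(values, values[1:])]
    return bool(steps) and all(s <= max_step for s in steps)


def assess(samples):
    """samples: list of (udp_source_port, dns_txid) seen from one resolver."""
    ports = [p for p, _ in samples]
    ids = [i for _, i in samples]
    max_bits = math.log2(len(samples))          # ceiling for this sample size
    port_bits = shannon_bits(ports)
    id_bits = shannon_bits(ids)
    weak = (len(set(ports)) == 1 or looks_sequential(ids)
            or port_bits < 0.9 * max_bits or id_bits < 0.9 * max_bits)
    return {"port_bits": round(port_bits, 2), "id_bits": round(id_bits, 2),
            "max_measurable_bits": round(max_bits, 2), "weak": weak}


# Constructed observations (not real captures).
# A cache that uses one fixed source port and a simple counter for the ID:
LEGACY = [(1053, 0x4000 + i) for i in range(32)]
# A cache that randomizes both fields, as dnscache and patched BIND do:
_rng = random.Random(2008)
RANDOMIZED = [(_rng.randrange(1024, 65536), _rng.randrange(65536))
              for _ in range(32)]

if __name__ == "__main__":
    for name, observed in (("legacy", LEGACY), ("randomized", RANDOMIZED)):
        print(name, assess(observed))
```

With n samples the measurable entropy is capped at log2(n), so a few hundred queries are needed before the numbers say anything about the full 16 bits each field could carry.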