From owner-freebsd-stable@FreeBSD.ORG Fri Dec 6 23:08:16 2013
From: Mark Felder
To: Mark Andrews
Subject: Re: BIND chroot environment in 10-RELEASE...gone?
Message-Id: <1386370916.5659.56527093.3A6A1DF1@webmail.messagingengine.com>
Date: Fri, 06 Dec 2013 17:01:56 -0600
In-Reply-To: <20131206223300.89253B55861@rock.dv.isc.org>
References: <529D9CC5.8060709@rancid.berkeley.edu> <20131204095855.GY29825@droso.dk> <20131205193815.05de3829de9e33197fe210ac@getmail.no> <20131206143944.4873391d@suse3> <20131206220016.BADCAB556F4@rock.dv.isc.org> <1386367748.17212.56515229.7C50AFEB@webmail.messagingengine.com> <20131206223300.89253B55861@rock.dv.isc.org>
Cc: freebsd-stable@freebsd.org
List-Id: Production branch of FreeBSD source code

On Fri, Dec 6, 2013, at 16:33, Mark Andrews wrote:
>
> In message <1386367748.17212.56515229.7C50AFEB@webmail.messagingengine.com>, Mark Felder writes:
> > On Fri, Dec 6, 2013, at 16:00, Mark Andrews wrote:
> > >
> > > But they should all be running a recursive validating resolver on
> > > every box.
> > >
> >
> > Are you *really* suggesting that I should run a recursive validating
> > server on every single server I admin?
>
> I'm suggesting that it should be run on *every* machine in the
> world, until all the applications that use data from the DNS have
> been upgraded to validate the data they get from the DNS, need to
> be running a validating resolver.
>
> MiTM attacks happen all the time in the DNS.
>
> For mobile devices I would say "Don't leave home without one" to
> use a well known slogan.
>

In a world where every zone is signed (DNSSEC) I might agree, but what's preventing your traffic from being a victim of a MITM attack when 99% of the internet doesn't have DNSSEC deployed? Having a local resolver doesn't improve your security in a statistically significant way.

I'm a small fish working in a small ISP, and I admin the DNS servers for maybe 5000 zones. I have zero DNSSEC. In 2014 I expect to maybe have one zone (ours) with DNSSEC. I do not even expect our customers to request or understand DNSSEC by 2020 -- not even the local banks and credit unions we are authoritative for.

On the other hand, running a new daemon on all of our servers -- many of them lightweight VMs -- is likely out of the question; we're time constrained as-is. (My DNS servers are on a trusted network; if they're in our network we have a whole host of different problems. If they're on the server itself nothing can be trusted; they'd just hijack the network stack anyway.)

Anyway, this is just my two cents; the idea is noble and well-intentioned but I don't think it will gain traction. Security is always an uphill battle. :-(

I'm honestly more worried about BGP route hijacking / MiTM than DNS MiTM attacks.

I appreciate your thoughts and insight, though.
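Added example, not part of the thread above and not code from either poster or from BIND: a stdlib-only Python sketch of what a stub client actually learns from the answer a local validating resolver hands back. It builds the query a client sends (RD set, EDNS0 OPT record with the DO bit), then classifies constructed responses by rcode, the AD flag and the presence of RRSIG records. The three response messages, the 192.0.2.10 address and the RRSIG rdata are constructed placeholders (no real signature is verified here); the point they illustrate is the one both posters make from opposite sides: a validator only vouches (AD=1) or refuses (SERVFAIL) for zones that are signed, and an unsigned zone gets an ordinary unprotected answer no matter where the resolver runs.

```python
import struct

# DNS header flag bits (RFC 1035; AD and CD from RFC 4035).
FLAG_QR, FLAG_RD, FLAG_RA, FLAG_AD, FLAG_CD = 0x8000, 0x0100, 0x0080, 0x0020, 0x0010
RCODE_NOERROR, RCODE_SERVFAIL = 0, 2
TYPE_A, TYPE_OPT, TYPE_RRSIG = 1, 41, 46
CLASS_IN = 1
EDNS_DO = 0x8000  # DO bit: high bit of the flags half of the OPT record's TTL field


def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def read_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset just past it)."""
    labels, jumped, end = [], False, None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:  # compression pointer to an earlier name
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels) + ".", (end if jumped else off)


def build_query(name, qtype=TYPE_A, want_dnssec=True, txid=0x1234):
    """Query as a stub resolver sends it: RD set, plus an OPT record with DO when DNSSEC data is wanted."""
    arcount = 1 if want_dnssec else 0
    msg = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, arcount)
    msg += encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    if want_dnssec:
        # OPT pseudo-RR: root name, type 41, "class" = UDP payload size, TTL = ext-rcode/version/flags, empty rdata
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, EDNS_DO, 0)
    return msg


def build_response(query, flags, answers):
    """Constructed resolver reply for the demo: echoes the question and appends (name, type, rdata) answers."""
    txid = struct.unpack("!H", query[:2])[0]
    _, qend = read_name(query, 12)
    question = query[12:qend + 4]
    msg = struct.pack("!HHHHHH", txid, FLAG_QR | flags, 1, len(answers), 0, 0) + question
    for name, rtype, rdata in answers:
        msg += encode_name(name) + struct.pack("!HHIH", rtype, CLASS_IN, 300, len(rdata)) + rdata
    return msg


def classify(resp):
    """What the client can conclude from a validating resolver's answer."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    off = 12
    for _ in range(qd):
        _, off = read_name(resp, off)
        off += 4
    types = []
    for _ in range(an + ns + ar):
        _, off = read_name(resp, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10 + rdlen
        types.append(rtype)
    rcode = flags & 0x0F
    ad = bool(flags & FLAG_AD)
    has_rrsig = TYPE_RRSIG in types
    if rcode == RCODE_SERVFAIL:
        verdict = "bogus"  # validator refused to hand over data it could not verify
    elif ad:
        verdict = "validated"  # resolver vouches for the chain of trust; only meaningful if the path to it is trusted
    elif has_rrsig:
        verdict = "signed-but-unvalidated"  # signatures passed through, nobody checked them (non-validating resolver or CD)
    else:
        verdict = "unsigned"  # zone carries no DNSSEC: a validator has nothing to check, so no protection
    return {"rcode": rcode, "ad": ad, "rrsig": has_rrsig, "verdict": verdict}


def demo():
    """Three constructed answers to one query: a signed and validated zone, an unsigned zone, a bogus one."""
    q = build_query("www.example.com.")
    a_rdata = bytes([192, 0, 2, 10])                                   # placeholder address (TEST-NET-1)
    rrsig_rdata = b"\x00" * 18 + encode_name("example.com.") + b"\x00" * 64  # placeholder RRSIG payload, not a real signature
    signed = build_response(q, FLAG_RD | FLAG_RA | FLAG_AD,
                            [("www.example.com.", TYPE_A, a_rdata),
                             ("www.example.com.", TYPE_RRSIG, rrsig_rdata)])
    unsigned = build_response(q, FLAG_RD | FLAG_RA, [("www.example.com.", TYPE_A, a_rdata)])
    bogus = build_response(q, FLAG_RD | FLAG_RA | RCODE_SERVFAIL, [])
    return [classify(m)["verdict"] for m in (signed, unsigned, bogus)]


if __name__ == "__main__":
    print(demo())
```

The AD bit is only a statement by the resolver that it validated the chain; an application has to trust the hop to that resolver for it to mean anything, which is the argument for putting the validator on 127.0.0.1 rather than across the network. The "unsigned" branch is the other half of the thread: for a zone with no DS and no RRSIGs the validator returns the same unauthenticated answer a plain cache would, so the deployment question is how many zones you query are actually signed.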