Date:      Sat, 12 Jul 2008 21:00:55 -0700
From:      Doug Barton <dougb@FreeBSD.org>
To:        freebsd-security@freebsd.org
Subject:   Re: BIND update?
Message-ID:  <48797DF7.9050402@FreeBSD.org>
In-Reply-To: <C4990135.1A0907%astorms@ncircle.com>
References:  <C4990135.1A0907%astorms@ncircle.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

This is an interesting thread, so I'm going to try to respond to what
I think are the reasonable points all in one post so as not to single
anyone out. Again, thanks to those who chose to give thanks,
encouragement, or criticism with a positive approach.

This issue is complicated because it both is, and is not a "serious"
security issue. As others stated rather eloquently, the fact that DNS
is an "insecure" service is (or certainly should be) well known. What
is also (or certainly should be) well known is that almost all of the
other services on the Internet are also insecure, even those with
"secure" in the name. :)

The problem with this particular vulnerability is that it grabbed the
media's attention, and since they think they understand it they are
banging the drum pretty loudly. This creates FUD in normally rational
people, and hilarity ensues.

There are a large number of steps that network operators can and
should already have been taking to mitigate damage from this attack.
Ingress/egress filtering (ala BCP 38), secure ACLs on your name
servers and/or firewalls, splitting authoritative and resolving name
services to separate instances, restricting availability of recursive
services to only those users who should have them, etc.

The danger (and this is a BIG danger in the DNS world) is that most
networks are not taking the basic steps that they should be taking to
secure their name service (it works, why touch it?), and this upcoming
exploit is going to hit them right between the eyes.

Changing topics, the BIND installation in the base is not intended to
be an out of the box solution to those for whom DNS is part of their
critical infrastructure. The BIND bits, along with the sample
named.conf file, are set up to run by default as a fairly secure local
resolver (and by local I mean really local: only listening on the
loopback address). The fact that for many purposes (for instance a
"medium" sized ISP, etc.) it works well out of the box is not totally
accidental, but like any other service if it's important to your
business you need to invest the time and effort to make sure it's
working the way you need it to, not rely on others to do that work for
you.

Jeremy asked why the ports are updated before the BIND in the base.
Someone else gave part of the answer, that a lot more QA is involved
in dealing with stuff in the base. There are patches to create,
security advisories (including instructions, etc.) to write, FreeBSD
update stuff to prep, etc. By contrast updating the ports is easy, and
gives users for whom a given security issue is critical a simple path
to upgrade, and just as importantly, to back out from when/if they
deem what's in the base suitable for their needs.

However, there is a more fundamental reason that goes to the heart of
my philosophy as BIND maintainer. When I was the DNS admin at Yahoo! I
_never_ used the BIND that came with the base system. There were a
variety of reasons for this, the two most important being that I had a
lot of custom tweaks/patches for our version of BIND, and the fact
that I needed to update stuff more often than the boxes were updated.
This led to the "replace the base" option in the ports way back when.

There is another meta-issue that seems to be coming up a lot lately,
which is users who seem to be paralyzed, unable to take any action to
help themselves, totally dependent on the FreeBSD developers to make
things happen for them. I'm not going to get dragged into that topic
again, but I will say that Mark was right, the BIND ports are pretty
easy to update if you ever have to do it yourself. And, you don't even
have to go out of your way to check the PGP signature, there is a
'make verify' target that will do that for you. :)

Seriously though, one user wrote to me (and others) privately and said
in so many words, "The things I run on FreeBSD are critically
important to me, therefore making them run smoothly must be critically
important to you." If you have that mindset, you really, really need
to take a reality check. (Go ahead, we'll wait for you.) The vast
majority of people who work on FreeBSD do it for FUN, as VOLUNTEERS.
If you need a commercial level of support, you're going to have to pay
for it, it's that simple. And NO, please do not go off into the woods
on this topic. I believe that there is a market for commercial FreeBSD
support, but unfortunately it hasn't reached critical mass yet.
(Chicken, meet egg. Why don't you two go off and talk for a while?)

So, the short version is, "Don't Panic." Well, ok, panic a little,
but don't let it distract you from actually getting something useful
done, like upgrading your servers, firewall rules, etc. And, if anyone
has a business that relies heavily on DNS and needs a good DNS
consultant, I know where to find one. :)


hope this helps,

Doug

- --

~    This .signature sanitized for your protection

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (FreeBSD)

iEYEAREDAAYFAkh5ffcACgkQyIakK9Wy8Ps9YwCgtl80hRIuMkMqcRf9gWLP2dwA
fUIAoOsWRsXAYIMotlgC/yS1RQdp2g6E
=TLjy
-----END PGP SIGNATURE-----
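The mitigations Doug lists above (splitting authoritative and resolving service into separate instances, and restricting recursion to the users who should have it) map onto a couple of stanzas in named.conf. What follows is an added example written for this archive page; it is not Doug's configuration nor the sample named.conf that ships in the FreeBSD base. The ACL name, the 192.0.2.0/24 range and the addresses 192.0.2.53 / 192.0.2.54 are constructed placeholders, and the zone name example.com and its file path are assumptions.

```conf
// ---- Instance 1: recursive resolver (constructed example) ----
// Serves only the clients named in "trusted"; everyone else is refused.

acl "trusted" {
    127.0.0.0/8;        // the host itself
    192.0.2.0/24;       // constructed placeholder for the local network
};

options {
    directory "/etc/namedb";            // FreeBSD default path (assumption)

    // Listen only where the resolver is meant to be reachable. The base
    // system default listens on 127.0.0.1 alone; 192.0.2.53 is a placeholder.
    listen-on    { 127.0.0.1; 192.0.2.53; };
    listen-on-v6 { none; };

    // Recursion and cache access are limited to the trusted ACL.
    recursion yes;
    allow-recursion   { "trusted"; };
    allow-query-cache { "trusted"; };
    allow-query       { "trusted"; };

    // Leave the query source port unspecified so named picks random ports.
    // Pinning it with "query-source address * port 53;" removes that
    // randomization, which the updated BIND depends on.

    version "not disclosed";
};

// ---- Instance 2: authoritative server (constructed example) ----
// Runs as a separate named process (or on a separate host) and never
// recurses, so cache poisoning has nothing to poison here.

options {
    directory "/etc/namedb";
    listen-on    { 192.0.2.54; };       // constructed placeholder address
    listen-on-v6 { none; };

    recursion no;                       // authoritative answers only
    allow-query    { any; };            // the zone is public data
    allow-transfer { 192.0.2.53; };     // only the listed secondary may AXFR

    version "not disclosed";
};

zone "example.com" {                    // assumed zone name
    type master;
    file "master/example.com.db";       // assumed file path
};
```

To check the resolver instance from an untrusted address, send it a query for a name it is not authoritative for (for instance `dig @192.0.2.53 www.freebsd.org`); a correctly restricted server answers with status REFUSED rather than resolving it. Querying the authoritative instance for its own zone should still succeed from anywhere, while any recursive query to it is refused because `recursion no` is set.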


