Date:      Wed, 9 Jul 2008 19:02:01 +0000 (UTC)
From:      Doug Barton <dougb@FreeBSD.org>
To:        ports-committers@FreeBSD.org, cvs-ports@FreeBSD.org, cvs-all@FreeBSD.org
Subject:   cvs commit: ports/dns/bind9 Makefile distinfo ports/dns/bind94 Makefile distinfo ports/dns/bind95 Makefile distinfo
Message-ID:  <200807091902.m69J21eG022855@repoman.freebsd.org>

dougb       2008-07-09 19:02:01 UTC

  FreeBSD ports repository

  Modified files:
    dns/bind9            Makefile distinfo 
    dns/bind94           Makefile distinfo 
    dns/bind95           Makefile distinfo 
  Log:
  Upgrade to the -P1 versions of each port, which add stronger randomization
  of the UDP query-source ports. The server will still use the same query
  port for the life of the process, so users for whom the issue of cache
  poisoning is highly significant may wish to periodically restart their
  server using /etc/rc.d/named restart, or other suitable method.
  
  In order to take advantage of this randomization users MUST have an
  appropriate firewall configuration to allow UDP queries to be sent and
  answers to be received on random ports; and users MUST NOT specify a
  port number using the query-source[-v6] option.
  
  The avoid-v[46]-udp-ports options exist for users who wish to eliminate
  certain port numbers from being chosen by named for this purpose. See
  the ARM Chapter 6 for more information.
  
  Also please note, this issue applies only to UDP query ports. A random
  ephemeral port is always chosen for TCP queries.
  
  This issue applies primarily to name servers whose main purpose is to
  resolve random queries (sometimes referred to as "caching" servers, or
  more properly as "resolving" servers), although even an "authoritative"
  name server will make some queries, primarily at startup time.
  
  This update addresses issues raised in:
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1447
  http://www.kb.cert.org/vuls/id/800113
  http://tools.ietf.org/html/draft-ietf-dnsext-forgery-resilience
  
  Revision  Changes    Path
  1.82      +2 -2      ports/dns/bind9/Makefile
  1.44      +6 -6      ports/dns/bind9/distinfo
  1.85      +2 -3      ports/dns/bind94/Makefile
  1.47      +6 -6      ports/dns/bind94/distinfo
  1.87      +2 -2      ports/dns/bind95/Makefile
  1.49      +6 -6      ports/dns/bind95/distinfo
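
An added example, not part of the original commit message or of the FreeBSD or ISC code: a Python check for the requirement stated in the log that named.conf must not specify a port number in query-source[-v6]. The sample configuration, function names and output wording are constructed for illustration.

```python
import re

# Constructed sample named.conf (illustrative, not from the commit message).
SAMPLE_CONF = """
options {
    directory "/etc/namedb";
    // pinned source port: no randomization for IPv4 queries
    query-source address * port 53;
    query-source-v6 address * port *;   # wildcard port: fine
    /* query-source port 5353;  commented out, must be ignored */
    avoid-v4-udp-ports { 1935; 2605; };
};
"""

# Quoted strings are matched first so comment markers inside them survive.
_COMMENT = re.compile(r'"[^"\n]*"|/\*.*?\*/|//[^\n]*|#[^\n]*', re.DOTALL)
_STATEMENT = re.compile(r'(?<![\w-])(query-source(?:-v6)?)(?![\w-])([^;{}]*);')
_FIXED_PORT = re.compile(r'\bport\s+(\d+)\b')

def strip_comments(text):
    """Blank out named.conf comments while keeping line numbers stable."""
    def repl(m):
        tok = m.group(0)
        return tok if tok.startswith('"') else "\n" * tok.count("\n")
    return _COMMENT.sub(repl, text)

def find_fixed_query_ports(text):
    """Return (line, option, port) for each query-source[-v6] with a numeric port."""
    clean = strip_comments(text)
    findings = []
    for m in _STATEMENT.finditer(clean):
        port = _FIXED_PORT.search(m.group(2))
        if port:  # "port *" or no port clause leaves the choice to named
            line = clean.count("\n", 0, m.start()) + 1
            findings.append((line, m.group(1), int(port.group(1))))
    return findings

if __name__ == "__main__":
    for line, option, port in find_fixed_query_ports(SAMPLE_CONF):
        print(f"line {line}: {option} pins UDP port {port}; remove the port clause")
```

The check covers only the configuration side; the firewall rules the log mentions still have to allow queries and answers on random UDP ports.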


