From owner-freebsd-bugs@FreeBSD.ORG  Wed Apr  3 15:00:01 2013
Return-Path: <owner-freebsd-bugs@FreeBSD.ORG>
Delivered-To: freebsd-bugs@smarthost.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.FreeBSD.org [8.8.178.115])
 by hub.freebsd.org (Postfix) with ESMTP id 581BDED2
 for <freebsd-bugs@smarthost.ysv.freebsd.org>;
 Wed,  3 Apr 2013 15:00:01 +0000 (UTC)
 (envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org
 [IPv6:2001:1900:2254:206c::16:87])
 by mx1.freebsd.org (Postfix) with ESMTP id 4A87B703
 for <freebsd-bugs@smarthost.ysv.freebsd.org>;
 Wed,  3 Apr 2013 15:00:01 +0000 (UTC)
Received: from freefall.freebsd.org (localhost [127.0.0.1])
 by freefall.freebsd.org (8.14.6/8.14.6) with ESMTP id r33F01D1091680
 for <freebsd-bugs@freefall.freebsd.org>; Wed, 3 Apr 2013 15:00:01 GMT
 (envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost)
 by freefall.freebsd.org (8.14.6/8.14.6/Submit) id r33F01hr091679;
 Wed, 3 Apr 2013 15:00:01 GMT (envelope-from gnats)
Date: Wed, 3 Apr 2013 15:00:01 GMT
Message-Id: <201304031500.r33F01hr091679@freefall.freebsd.org>
To: freebsd-bugs@FreeBSD.org
Cc: 
From: Mark Knight <markk@knigma.org>
Subject: Re: conf/177607: named.conf comment to slave root suggests potentially
 dangerous BIND configuration
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.14
Precedence: list
Reply-To: Mark Knight <markk@knigma.org>
List-Id: Bug reports <freebsd-bugs.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-bugs>,
 <mailto:freebsd-bugs-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-bugs>
List-Post: <mailto:freebsd-bugs@freebsd.org>
List-Help: <mailto:freebsd-bugs-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
 <mailto:freebsd-bugs-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Apr 2013 15:00:01 -0000

The following reply was made to PR conf/177607; it has been noted by GNATS.

From: Mark Knight <markk@knigma.org>
To: Maxim Konovalov <maxim.konovalov@gmail.com>
Cc: bug-followup@freebsd.org
Subject: Re: conf/177607: named.conf comment to slave root suggests potentially
 dangerous BIND configuration
Date: Wed, 03 Apr 2013 15:51:35 +0100

 Thanks for fixing up the Repy-To.
 
 I stupidly uncommented these lines on a box *assuming* it was safe. Once 
 upon a time responding to root DNS queries wouldn't have been considered 
 a bad thing. However today I received an abuse@ report to thank me for 
 my error. The comment above the stanza doesn't mention the amplifier 
 threat (although it does mention general caution) and appears to offer a 
 good suggestion for improving resilience and reducing net traffic that's 
 "ready to run". Clearly it isn't.
 
 My rationale was that it's a quick and easy fix and given the recent 
 attacks it was worth giving this a high priority in the name of 
 pro-active security. It's a potential security issue and is therefore 
 serious. Apologies if I've exaggerated the threat.