Date: Wed, 9 Jul 2008 11:23:40 -0700
From: Chris Palmer <chris@noncombatant.org>
To: freebsd-security@freebsd.org
Subject: Re: BIND update?
Message-ID: <20080709182340.GD55473@noncombatant.org>
In-Reply-To: <17cd1fbe0807091027n6af312cbwab3d3277f2b5e081@mail.gmail.com>
References: <17cd1fbe0807090819o2aa28250h13c58dbe262abb7c@mail.gmail.com> <3a558cb8f79e923db0c6945830834ba2.squirrel@galain.elvandar.org> <17cd1fbe0807090909i566e1789s6b7b61bf82dd333e@mail.gmail.com> <4874ECDA.60202@elvandar.org> <4874F149.1040101@FreeBSD.org> <17cd1fbe0807091027n6af312cbwab3d3277f2b5e081@mail.gmail.com>
Okay everybody, take a step back, take a deep breath, and count to ten. :)

DNS has never provided any security guarantees, and so a marginal increase or decrease in the difficulty of spoofing responses is not a huge issue in the grand scheme of things. Even if the 16 bits were somehow pure delicious entropy, it would still only be 16 bits.

If you want to provide DNS service yet minimize the risk to the server, BIND should never have been your first choice. It has a rough history, and there are more secure alternatives. Some people like BIND anyway. Cool. They accept that risk.

DNSSEC is not widely deployed; and if it were, would that matter? Would you securely resolve important.example.com, only to talk to that host via HTTP? HTTP, like DNS, has never provided any security guarantees. It's not clear that, given correct authentication of important.example.com via X509 cert and a trusted third party (or by careful examination of the known-good fingerprint), "secure" DNS would provide any additional server authentication.

Granted, I say "given correct authentication of important.example.com via X509 cert" as if that were easy. ;) In any case, that is all we have in the real world today. See also: SSH host keys.

So I'm not too worried about the lack of urgency from the FreeBSD security team on this particular issue. It's not news that DNS is insecure and that BIND has a bug. Nobody should have been depending on the security of DNS or on a bulletproof BIND.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20080709182340.GD55473>
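Added illustration (not part of the message above, and not code from FreeBSD or BIND): a back-of-the-envelope model of why "only 16 bits" bounds the work a blind spoofer needs, the point the reply makes about the transaction ID. It goes beyond the message by also computing a 32-bit case (a 16-bit ID combined with a 16-bit randomized source port) for comparison. The race model, the function names, and the parameter values are assumptions of this example, not anything stated in the thread.

```python
"""Blind DNS response spoofing as a guessing race (illustrative model).

Assumed model (an assumption of this example, not from the thread):
the resolver emits a query and accepts the first response whose secret
fields match; the attacker cannot observe the query, so each forged
response is a guess at a uniformly random `entropy_bits`-bit secret.
Before the genuine answer arrives, the attacker can inject
`forged_per_race` responses carrying distinct guesses.  Each query the
attacker can trigger is one independent race.
"""
import math
import random


def per_race_success(entropy_bits: int, forged_per_race: int) -> float:
    """Probability that one race is won: distinct guesses / size of the space."""
    space = 1 << entropy_bits
    return min(1.0, forged_per_race / space)


def expected_races(entropy_bits: int, forged_per_race: int) -> float:
    """Expected number of races (queries) until the first win (geometric)."""
    return 1.0 / per_race_success(entropy_bits, forged_per_race)


def success_within(entropy_bits: int, forged_per_race: int, races: int) -> float:
    """Probability of at least one win across `races` independent races."""
    p = per_race_success(entropy_bits, forged_per_race)
    return 1.0 - (1.0 - p) ** races


def guesses_for_confidence(entropy_bits: int, confidence: float) -> int:
    """Distinct guesses needed in a single race to reach `confidence`."""
    return math.ceil(confidence * (1 << entropy_bits))


def simulate_race(entropy_bits: int, forged_per_race: int,
                  trials: int, seed: int = 0) -> float:
    """Monte Carlo check of per_race_success().

    The attacker's distinct guesses are modelled as a contiguous block of
    IDs starting at a random offset; against a uniform secret any fixed
    set of distinct guesses has the same hit probability.
    """
    rng = random.Random(seed)
    space = 1 << entropy_bits
    wins = 0
    for _ in range(trials):
        secret = rng.randrange(space)
        start = rng.randrange(space)
        if (secret - start) % space < forged_per_race:
            wins += 1
    return wins / trials


if __name__ == "__main__":
    # Constructed scenario: the attacker lands 64 forged responses per race.
    forged = 64
    for bits in (16, 32):
        print(f"{bits}-bit secret, {forged} forged responses per race:")
        print(f"  per-race success    {per_race_success(bits, forged):.3e}")
        print(f"  expected races      {expected_races(bits, forged):.3e}")
        print(f"  guesses for 50%     {guesses_for_confidence(bits, 0.5)}")
    print(f"simulated (8-bit toy) {simulate_race(8, forged, 20000):.3f}")
```

Usage: run the file to print the 16-bit and 32-bit cases side by side. With the constructed 64 responses per race, the 16-bit secret is expected to fall in about a thousand triggered queries, while the 32-bit case needs roughly 67 million; the exponent, not the code, is what changes.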