From owner-freebsd-stable@FreeBSD.ORG Tue Jul 30 12:57:43 2013
From: Mark Felder <feld@FreeBSD.org>
To: Garrett Wollman
Cc: stable@freebsd.org
Date: Tue, 30 Jul 2013 07:57:38 -0500
Subject: Re: Bind in FreeBSD, security advisories
Message-Id: <1375189058.1905.3236731.5689550E@webmail.messagingengine.com>
In-Reply-To: <201307301245.r6UCjuYs028255@hergotha.csail.mit.edu>
References: <1375186900.23467.3223791.24CB348A@webmail.messagingengine.com>
 <201307301245.r6UCjuYs028255@hergotha.csail.mit.edu>
List-Id: Production branch of FreeBSD source code

On Tue, Jul 30, 2013, at 7:45, Garrett Wollman wrote:
>
> There are plenty of situations in which a remote recursive resolver is
> untrustworthy. (Some would say any situation.) It doesn't have to be
> BIND, but people do legitimately want the normal DNS diagnostic
> utilities, which sadly have been tied together with BIND for some
> years now. (I don't know why anyone would ever use nslookup(1), but
> host(1) and dig(1) are pretty much essential.)
>

If you're that paranoid about a remote resolver you'd have to be paranoid
about someone doing a MITM on your DNS lookups altogether, since even
having your own local recursor can't protect you from that as 99% of the
web doesn't use DNSSEC.

This will quickly turn into a security yak-shaving contest, but I
completely understand your viewpoint. I'd vote for keeping the BIND
utilities in base; I use them every day. The ones provided with unbound
work well, but finger memory...
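The thread above turns on whether the resolver you point dig(1) at is actually validating anything. The check a practitioner reaches for is the AD (Authenticated Data) flag in dig's header: a validating resolver sets it only when the chain of trust for the answer checked out, and returns SERVFAIL when validation fails outright. The script below is an added example written for this page, not code from the thread, FreeBSD or BIND. It parses dig-format output so the classification logic runs offline on constructed header fragments; the `check_resolver` function that performs a live query assumes dig(1) is on PATH and that the resolver address and name you pass are your own choices.

```shell
#!/bin/sh
# Added example (not from the FreeBSD thread): classify a dig(1) answer as
# DNSSEC-validated, unvalidated, or a validation failure, using only the
# ";; ->>HEADER<<-" and ";; flags:" lines that dig prints.

# has_ad_flag: read dig output on stdin; succeed (0) if the header flags
# include "ad", the Authenticated Data bit set by a validating resolver.
has_ad_flag() {
    grep -E '^;; flags:.* ad[ ;]' >/dev/null
}

# classify_answer: read dig output on stdin and print one word:
#   servfail    - rcode SERVFAIL (what a validating resolver returns when
#                 the signatures are bogus, or when it cannot resolve)
#   validated   - NOERROR with the AD flag set
#   unvalidated - NOERROR without AD: the resolver does not validate, or
#                 the zone is not signed (the common case, per the thread)
classify_answer() {
    out=$(cat)
    status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    if [ "$status" = "SERVFAIL" ]; then
        echo servfail
    elif printf '%s\n' "$out" | has_ad_flag; then
        echo validated
    else
        echo unvalidated
    fi
}

# check_resolver RESOLVER NAME: live query (needs dig(1) and network).
# RESOLVER and NAME are whatever you want to test; nothing on the page
# fixes them. +dnssec sets the DO bit so RRSIGs are requested too.
check_resolver() {
    dig +dnssec +time=3 +tries=1 @"$1" "$2" A | classify_answer
}

# Constructed dig(1) header fragments for offline testing; these are not
# real captures and the ids/counts are arbitrary.
SAMPLE_VALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_UNVALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_BOGUS=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4244
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

# Offline self-check on the constructed samples. A live check against a
# local recursor would be:  check_resolver 127.0.0.1 example.com
for s in "$SAMPLE_VALIDATED" "$SAMPLE_UNVALIDATED" "$SAMPLE_BOGUS"; do
    printf '%s\n' "$s" | classify_answer
done
```

One caveat that matters for the trust argument in the thread: the AD bit is a claim made by the resolver, carried in a plain UDP/TCP reply. It is only worth something when the path between you and that resolver cannot be tampered with, which in practice means a validating recursor on localhost or reached over a protected channel; asking a remote resolver "did you validate?" and believing its answer is exactly the trust the thread is arguing about.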