Date: Tue, 30 Jul 2013 07:57:38 -0500
From: Mark Felder <feld@FreeBSD.org>
To: Garrett Wollman <wollman@hergotha.csail.mit.edu>
Cc: stable@freebsd.org
Subject: Re: Bind in FreeBSD, security advisories
Message-ID: <1375189058.1905.3236731.5689550E@webmail.messagingengine.com>
In-Reply-To: <201307301245.r6UCjuYs028255@hergotha.csail.mit.edu>
References: <CAO%2BPfDctepQY0mGH7H%2BgOSm4HJwhe-RCND%2BmxAArnRxpWiCsjg@mail.gmail.com> <1375186900.23467.3223791.24CB348A@webmail.messagingengine.com> <201307301245.r6UCjuYs028255@hergotha.csail.mit.edu>
On Tue, Jul 30, 2013, at 7:45, Garrett Wollman wrote:
>
> There are plenty of situations in which a remote recursive resolver is
> untrustworthy. (Some would say any situation.) It doesn't have to be
> BIND, but people do legitimately want the normal DNS diagnostic
> utilities, which sadly have been tied together with BIND for some
> years now. (I don't know why anyone would ever use nslookup(1), but
> host(1) and dig(1) are pretty much essential.)
>

If you're that paranoid about a remote resolver you'd have to be paranoid about someone doing a MITM on your DNS lookups altogether, since even having your own local recursor can't protect you from that as 99% of the web doesn't use DNSSEC. This will quickly turn into a security yak-shaving contest, but I completely understand your viewpoint.

I'd vote for keeping the bind utilities in base; I use them every day. The ones provided with unbound work well, but finger memory...
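The practical consequence of the point above (a local validating recursor only protects lookups for zones that are actually signed, and only when validation succeeds) is something you can check with the very dig(1) tool under discussion: ask with `+dnssec` and look for the AD flag in the header. The following Python is an added example written for this page, not code from the thread, from FreeBSD or from BIND. It parses the header and answer sections of `dig +dnssec` output and classifies the result. The two sample outputs are constructed by hand (documentation names and 192.0.2.0/24 addresses, a truncated RRSIG), not captured from a real resolver.

```python
import re
from dataclasses import dataclass

# Constructed sample: a signed zone answered by a validating recursor.
# The "ad" flag means the resolver itself asserts the data validated.
VALIDATED_SAMPLE = """\
; <<>> DiG 9.9.3 <<>> +dnssec example.com A
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
example.com.\t\t3600\tIN\tA\t192.0.2.10
example.com.\t\t3600\tIN\tRRSIG\tA 8 2 3600 20130830000000 20130730000000 12345 example.com. AAAA...
"""

# Constructed sample: the common unsigned-zone case. No RRSIG comes back and
# no "ad" flag is set, so a local recursor adds nothing here; a man-in-the-middle
# on the path could forge this answer undetected.
UNSIGNED_SAMPLE = """\
; <<>> DiG 9.9.3 <<>> +dnssec example.net A
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
example.net.\t\t300\tIN\tA\t192.0.2.20
"""

FLAGS_RE = re.compile(r"^;; flags:\s*([a-z ]*);", re.M)
STATUS_RE = re.compile(r"status:\s*([A-Z]+)")


@dataclass
class DigSummary:
    status: str           # RCODE as printed by dig (NOERROR, SERVFAIL, ...)
    ad_flag: bool         # resolver set AD: it validated the answer itself
    rrsig_present: bool   # RRSIG records returned: the zone is signed

    @property
    def validated(self) -> bool:
        return self.status == "NOERROR" and self.ad_flag


def summarize_dig(output: str) -> DigSummary:
    """Extract status, header flags and RRSIG presence from dig text output."""
    status_m = STATUS_RE.search(output)
    flags_m = FLAGS_RE.search(output)
    flags = set(flags_m.group(1).split()) if flags_m else set()
    # Resource record lines look like: NAME TTL CLASS TYPE RDATA...
    rrsig = any(
        line.split()[3:4] == ["RRSIG"]
        for line in output.splitlines()
        if line and not line.startswith(";")
    )
    return DigSummary(
        status=status_m.group(1) if status_m else "UNKNOWN",
        ad_flag="ad" in flags,
        rrsig_present=rrsig,
    )


def interpret(output: str) -> str:
    """Map a dig response to what it says about the trust in the answer."""
    s = summarize_dig(output)
    if s.status == "SERVFAIL":
        # A validating resolver returns SERVFAIL for bogus (failed) signatures,
        # but also for ordinary upstream failures; dig alone cannot tell which.
        return "servfail"
    if s.validated:
        return "validated"
    if s.rrsig_present:
        # Signatures came back but the resolver did not validate them
        # (non-validating recursor, or the client would have to validate itself).
        return "signed-not-validated"
    return "unsigned"


if __name__ == "__main__":
    for label, sample in (("example.com", VALIDATED_SAMPLE), ("example.net", UNSIGNED_SAMPLE)):
        print(f"{label}: {interpret(sample)}")
```

To run it against a live resolver, feed it `dig +dnssec <name>` output from `subprocess.run`; the `unsigned` result is the one Mark's "99% of the web" remark refers to, and it is the same whether the recursor is remote or on localhost.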