Date:      Tue, 22 Jul 2008 13:07:20 -0700
From:      "Kevin Oberman" <oberman@es.net>
To:        Paul Schmehl <pschmehl_lists_nada@tx.rr.com>
Cc:        freebsd-stable@freebsd.org, Doug Barton <dougb@FreeBSD.org>
Subject:   Re: FreeBSD 7.1 and BIND exploit 
Message-ID:  <20080722200720.0540245048@ptavv.es.net>
In-Reply-To: Your message of "Tue, 22 Jul 2008 12:52:15 CDT." <34182EE347F910EA2A64DF03@utd65257.utdallas.edu> 


> Date: Tue, 22 Jul 2008 12:52:15 -0500
> From: Paul Schmehl <pschmehl_lists@tx.rr.com>
> Sender: owner-freebsd-stable@freebsd.org
> 
> --On Tuesday, July 22, 2008 10:27:42 -0700 Doug Barton <dougb@FreeBSD.org> 
> wrote:
> 
> > Matthew Seaman wrote:
> >
> >> Are there any plans to enable DNSSEC capability in the resolver built
> >> into FreeBSD?
> >
> > The server is already capable of it. I'm seriously considering enabling the
> > define to make the CLI tools (dig/host/nslookup) capable as well (there is
> > already an OPTION for this in ports).
> >
> > The problem is that _using_ DNSSEC requires configuration changes in
> > named.conf, and more importantly, configuration of "trust anchors" (even for
> > the command line stuff) since the root is not signed. It's not hard to do
> > that with the DLV system that ISC has in place, and I would be willing to
> > create a conf file that shows how to do that for users to include if they
> > choose to. I am not comfortable enabling it by default (not yet anyway), it's
> > too big of a POLA issue.
> >
> 
> I just played around with it recently.  It's not that easy to understand 
> initially *and* the trust anchors thing is a royal PITA.

No one is likely to argue with that statement!

> Once you implement DNSSEC you *must* generate keys every 30 days.  So,
> I think, if you're going to enable it by default, there needs to be a
> script in periodic that will do all the magic to change keys every 30
> days.  Maybe put vars in /etc/rc.conf to override the default key
> lengths and other portions of the commands that could change per
> installation.

No, you don't HAVE to generate keys every 30 days, but you should if you
want real security. Still, for a while, until the infrastructure is
complete enough to make DNSSEC really of value to the end user, just
getting signed domains with keys published in an easily accessed place
is at least getting things started and getting the infrastructure
moving.

Rolling keys is a rather tricky operation where mistakes, once DNSSEC
makes it to the end user, would be disastrous, so it would require a
couple of scripts, one to set a new key and another to remove the old
one. You need both keys present for a period of time.

> If I were to implement it, I'd write a shell script to turn the keys
> over and cron it because doing it manually every 30 days ain't gonna
> happen.  Too many ways to forget to do it.  (I did the same for the
> root servers so that named.ca gets updated automagically every month.)

And that is FAR less important than the signatures. (named.ca could be
updated once a year and be just fine.)

> But until root is signed, it's not worth it for those of us who don't
> have dedicated staff doing dns only.

Work continues on getting the root signed, but it is .com and .net that
present the really big problems. The root delay is mostly political, not
technical. .com and .net are both.
-- 
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: oberman@es.net			Phone: +1 510 486-8634
Key fingerprint:059B 2DDF 031C 9BA3 14A4  EADA 927D EBB3 987B 3751
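The two-script rollover described above (one step publishes the new key
beside the old one, a later step removes the old one, and both stay
published in between), as an added worked example that is not code from
this thread, from FreeBSD or from BIND. It is a Python model of a
pre-publish ZSK rollover driven the way a periodic(8)/cron job would drive
it: each step refuses until its waiting period has passed, and the waiting
periods follow the pre-publish scheme in RFC 6781 (new key may sign once
its DNSKEY has reached every cache; old key may be withdrawn once every
RRSIG it made has expired from caches). The TTLs, propagation delay, key
tags and hourly cron interval are constructed sample values, and the clock
is a simulated seconds counter rather than real time.

```python
"""Pre-publish ZSK rollover model (added example, not code from the thread).
Waiting periods follow RFC 6781's pre-publish scheme; the clock is simulated."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


class RolloverError(Exception):
    """A rollover step was attempted before it was safe."""


@dataclass
class Key:
    published: int                         # clock time the DNSKEY entered the zone
    signing: bool = False                  # currently producing RRSIGs?
    stopped_signing: Optional[int] = None  # clock time it stopped signing


@dataclass
class Zone:
    dnskey_ttl: int    # TTL of the DNSKEY RRset
    max_zone_ttl: int  # largest TTL of any signed RRset in the zone
    propagation: int   # time for a new zone version to reach all secondaries
    keys: Dict[int, Key] = field(default_factory=dict)  # key tag -> Key
    now: int = 0

    def tick(self, seconds: int) -> None:
        self.now += seconds

    def published_tags(self) -> List[int]:
        return sorted(self.keys)

    def signing_tags(self) -> List[int]:
        return sorted(t for t, k in self.keys.items() if k.signing)

    # Script 1: publish a DNSKEY.  A new key is not yet signing; signing=True
    # is only for seeding the zone's initial key.
    def introduce(self, tag: int, signing: bool = False) -> None:
        if tag in self.keys:
            raise RolloverError(f"key {tag} is already published")
        self.keys[tag] = Key(published=self.now, signing=signing)

    # The new key may sign once the zone carrying its DNSKEY has propagated and
    # every cached copy of the previous DNSKEY RRset has expired.
    def earliest_activate(self, tag: int) -> int:
        return self.keys[tag].published + self.propagation + self.dnskey_ttl

    def activate(self, new_tag: int, old_tag: int) -> None:
        safe_at = self.earliest_activate(new_tag)
        if self.now < safe_at:
            raise RolloverError(f"key {new_tag} may not sign before t={safe_at}")
        self.keys[new_tag].signing = True
        self.keys[old_tag].signing = False
        self.keys[old_tag].stopped_signing = self.now

    # The old key may be withdrawn once the last zone version signed with it has
    # propagated and every RRSIG it made has expired from caches.
    def earliest_retire(self, tag: int) -> int:
        stopped = self.keys[tag].stopped_signing
        if stopped is None:
            raise RolloverError(f"key {tag} is still signing; activate a successor first")
        return stopped + self.propagation + self.max_zone_ttl

    # Script 2: withdraw the old DNSKEY.
    def retire(self, tag: int) -> None:
        safe_at = self.earliest_retire(tag)
        if self.now < safe_at:
            raise RolloverError(f"key {tag} may not be removed before t={safe_at}")
        del self.keys[tag]


def run_rollover(zone: Zone, old_tag: int, new_tag: int, step: int) -> Tuple[int, int]:
    """Drive one rollover the way a cron job would: retry each step every
    `step` seconds until it stops refusing.  Returns (activate_time, retire_time)."""
    zone.introduce(new_tag)
    while True:
        try:
            zone.activate(new_tag, old_tag)
            break
        except RolloverError:
            zone.tick(step)
    activated = zone.now
    while True:
        try:
            zone.retire(old_tag)
            break
        except RolloverError:
            zone.tick(step)
    return activated, zone.now


if __name__ == "__main__":
    # Constructed sample values: 1h DNSKEY TTL, 1d max zone TTL, 10min
    # propagation delay, hourly cron run, key tags 1 (old) and 2 (new).
    zone = Zone(dnskey_ttl=3600, max_zone_ttl=86400, propagation=600)
    zone.introduce(1, signing=True)
    print(run_rollover(zone, old_tag=1, new_tag=2, step=3600))  # (7200, 97200)
    print(zone.published_tags(), zone.signing_tags())          # [2] [2]
```

With the sample values the new key starts signing at the first hourly run
after t=4200s (so t=7200s) and the old key is withdrawn at the first run
after t=94200s (so t=97200s); for the whole interval in between both
DNSKEYs are published, which is the point of having the removal be a
separate, later step rather than part of the key-generation job.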
