Re: BIND update?
Okay everybody, take a step back, take a deep breath, and count to ten. :)

DNS has never provided any security guarantees, and so a marginal increase
or decrease in the difficulty of spoofing responses is not a huge issue in
the grand scheme of things. Even if the 16 bits were somehow pure delicious
entropy, it would still only be 16 bits.

If you want to provide DNS service yet minimize the risk to the server, BIND
should never have been your first choice. It has a rough history, and there
are more secure alternatives. Some people like BIND anyway. Cool. They
accept that risk.

DNSSEC is not widely deployed; and if it were, would that matter? Would you
securely resolve important.example.com, only to talk to that host via HTTP?
HTTP, like DNS, has never provided any security guarantees. It's not clear
that, given correct authentication of important.example.com via X509 cert
and a trusted third party (or by careful examination of the known-good
fingerprint), "secure" DNS would provide any additional server
authentication.

Granted, I say "given correct authentication of important.example.com via
X509 cert" as if that were easy. ;) In any case, that is all we have in the
real world today. See also: SSH host keys.

So I'm not too worried about the lack of urgency from the FreeBSD security
team on this particular issue. It's not news that DNS is insecure and that
BIND has a bug. Nobody should have been depending on the security of DNS or
on a bulletproof BIND.

_______________________________________________
freebsd-security@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@xxxxxxxxxxx"