[BUGS] BIND update?

jonathan michaels jlm at caamora.com.au
Sat Jul 12 19:18:48 EST 2008


On Sat, Jul 12, 2008 at 02:43:22PM +1000, Edwin Groothuis wrote:
> (Forwarded to bugs at bugs.au.freebsd.org for general information)
> 
> On Fri, Jul 11, 2008 at 08:55:00PM +1000, jonathan michaels wrote:
> > On Thu, Jul 10, 2008 at 10:17:15PM +1000, Edwin Groothuis wrote:
> > > On Thu, Jul 10, 2008 at 12:29:55PM +0200, Oliver Brandmueller wrote:
> > > > Hi,
> > > > 
> > > > On Thu, Jul 10, 2008 at 03:17:26AM -0700, Xin LI wrote:
> > > > > Speaking as my own: Base system needs more conservative QA process, 

trimmed even more ... reasons

> From what I've read and understand from the snippets of information
> which have been given (which can be a wrong interpretation, so feel
> free to correct me):
> 
> - A DNS query has a 16 bit identifier in the DNS header.
>   If I can force your nameserver to query a specific domain, I need
>   to send 2**16 = 65K spoofed replies to your nameserver to make
>   it accept my spoofed answer.
> 
> - It is possible with some nameservers to predict the range the
>   identifier is in if you know the identifier from two current
>   requests (birthday attack, see Wikipedia).
> 
> Add these two together and you suddenly don't have 65K packets to
> be sent but somewhere around 300.
> 
> So how to overcome this issue? Making it more difficult to predict
> (something) in the DNS request. The only thing they could find that
> was changeable in such a thing was something in the UDP header: instead
> of using a static source port for all outgoing requests they changed
> it so that it would use a different one (as unpredictable as
> possible, of course) for each request.
> 
> So each request from an all-new-and-shiny DNS server now has not 16
> bit identifiers alone, but 16 bits in the DNS header and 16 bits
> in the UDP header, making it 32 bits (minus a little bit for ports
> which can't be used because they are already in use, etc.)

carrying on this bind question a bit further, life was simple
back with freebsd v2.2.7 et al. now there are multiple
mailserverish thingies, truckloads of windowing managers .. who
in their right minds needs more than screen(8) at any rate .. sort
of grin ????

speaking of various sundry kinds of all sorts, there are even now
multiple versions, tandemised development trees and all that
stuff for bind, i.e. bind v8.something and a somewhat similarly named
v9.etc.etc

so what's the difference between v8 and v9? a look through the
o'reilly dns & bind doesn't say much, if anything it confuses the
reasons for using one in favour over the other. in an effort to
rebuild my bind v4 (from freebsd v2.2.7) sourced v8 config
file i managed to kill it all off .. i thought i was moving
them .. i was .. right off of the hard disk ... not so grin

fortunately the slave servers (my own and my isp's) are holding
the fort at this point in time. personally i don't see any
reason to use one over the other, other than one comes
installed in the freebsd native distribution and the other one
is an 'addon' so to speak and is easily installed/added as
required, updated as required by simply going to
/usr/ports/wherever and doing a ports upgrade of the relevant
files .. bingo, instant new bind, nice and clean as far as i can
tell ??

is it really that easy, that simple, that clean an operation?
what about the fact that now bind/named runs in a sandbox ?? is
some sort of external management required to get around the
upgrade inside the sandbox ??

so what about the difference between bind v8 and bind v9 ? which
one would be appropriate to a small two-bedroom based home
style network .. there is not much difference in the configs, ok,
as far as i can see, so what gives, why the two concurrent binds ?

> Of course we will know what is going on the sixth of august, but
> in the mean time: http://www.youtube.com/watch?v=XDKw8ny6IcM.

anyone care to offer this deprived individual a text version of
the/these picture(s), please ....

reasons, stories, opinions, objections, appreciated

much thanks, kind regards

jonathan

-- 
================================================================
powered by ..
QNX, OS9 and freeBSD  --  http://caamora com au/operating system
==== === appropriate solution in an inappropriate world === ====
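Following up on the quoted explanation of DNS transaction ID plus UDP source port entropy, here is an added example (my own code, not from this thread and not BIND's) that checks a sample of a resolver's own outgoing queries for the two weaknesses described above, a fixed source port and sequential transaction IDs, and reports how large the resulting guessing space is. The sample query pairs and the 1024 reserved-port cutoff are constructed assumptions.

```python
"""Score a resolver's outgoing DNS queries for source-port and TXID
randomness and report the size of the space an off-path spoofer would
have to guess (constructed example, not part of the original thread)."""
import math

# Assumption: ports below 1024 are not used as outgoing source ports, which
# is the "minus a little bit for ports" caveat from the quoted explanation.
EPHEMERAL_PORTS = 65536 - 1024

# Constructed samples of (udp_source_port, dns_txid) for one resolver.
WEAK_QUERIES = [(53, 4100 + i) for i in range(6)]        # fixed port, TXID +1
FIXED_PORT_QUERIES = [(53, 9137), (53, 62201), (53, 845),
                      (53, 30711), (53, 17600), (53, 51234)]
PATCHED_QUERIES = [(41231, 9137), (58814, 62201), (33107, 845),
                   (50022, 30711), (61980, 17600), (37455, 51234)]


def looks_sequential(values):
    """True when every value is exactly the previous one plus 1, i.e. seeing
    one TXID tells an observer the next one (the weak case in the thread)."""
    if len(values) < 3:
        return False
    return {b - a for a, b in zip(values, values[1:])} == {1}


def assess(queries):
    """Return findings for a list of (source_port, txid) pairs.

    guess_space is the number of (port, txid) combinations a spoofed reply
    would have to match; effective_bits is its log2, so 16 for a fixed port
    with random TXIDs and close to 32 once both fields are randomised."""
    ports = [p for p, _ in queries]
    txids = [t for _, t in queries]
    fixed_port = len(set(ports)) == 1
    seq_txid = looks_sequential(txids)
    port_space = 1 if fixed_port else EPHEMERAL_PORTS
    txid_space = 1 if seq_txid else 2 ** 16
    space = port_space * txid_space
    return {
        "fixed_source_port": fixed_port,
        "sequential_txid": seq_txid,
        "guess_space": space,
        "effective_bits": round(math.log2(space), 1),
    }


if __name__ == "__main__":
    for name, sample in [("weak", WEAK_QUERIES), ("fixed port", FIXED_PORT_QUERIES),
                         ("patched", PATCHED_QUERIES)]:
        print(name, assess(sample))
```

Run it against pairs pulled from a packet capture of the resolver's own upstream queries; a fixed port with random TXIDs lands at 16 bits, which is the 65K-packet case the thread starts from.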

