Everyone:

Will FreeBSD 7.1 be released in time to use it as an upgrade to close the BIND cache poisoning hole? We'd like to upgrade affected servers to the latest FreeBSD at the same time that we upgrade BIND if possible.

--Brett Glass
Brett Glass wrote:
| Everyone:
|
| Will FreeBSD 7.1 be released in time to use it as an upgrade to
| close the BIND cache poisoning hole? We'd like to upgrade affected
| servers to the latest FreeBSD at the same time that we upgrade
| BIND if possible.

Yes. FreeBSD 7-STABLE and RELENG_7_0 errata branches are already patched and not vulnerable to the problem.

Cheers,
--
Xin LI <delphij@delphij.net> http://www.delphij.net/
FreeBSD - The Power to Serve!
On Sat, Jul 19, 2008 at 08:30:57PM -0600, Brett Glass wrote:
> Everyone:
>
> Will FreeBSD 7.1 be released in time to use it as an upgrade to
> close the BIND cache poisoning hole? We'd like to upgrade affected
> servers to the latest FreeBSD at the same time that we upgrade
> BIND if possible.

Given that 7.1 and 6.4 are still listed as "August" on the RE page, and things often slip a bit as the date approaches, I'd say you'd be well-advised not to wait. Assuming you're running 7.0 or 6.3, upgrade to the latest _RELENG patch, which is much less work than a full version upgrade.

My opinion only. I'm not a developer, and I'm not running any recursive resolvers on BIND these days; my limited set of machines are running djbdns instead, so I have more flexibility.

-- Clifton
--
Clifton Royston -- cliftonr@iandicomputing.com / cliftonr@lava.net
President - I and I Computing * http://www.iandicomputing.com/
Custom programming, network design, systems and network consulting services
Brett Glass wrote:
| Everyone:
|
| Will FreeBSD 7.1 be released in time to use it as an upgrade to
| close the BIND cache poisoning hole?

Brett, et al,

I'll make this simple for you. If you have a server that is running BIND, update BIND now. If you need to use the ports, that's fine, just do it now. Make sure that you are not specifying a port via any query-source* options in named.conf, and that any firewall between your named process and the outside world does keep-state on outgoing UDP packets.

If you have a system with BIND installed (as it is by default) but you are NOT running named, you don't need to worry about updating now, but you should do it "soonish" just in case someone gets a wild hair and starts up named on that box.

As for the meta-question, FreeBSD is currently operating on a time-based release schedule, not a feature-based one. And to your actual question, the answer is no.

hope this helps,

Doug

--
~ This .signature sanitized for your protection
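The named.conf check Doug asks for, as an added example that is not part of the thread and not a BIND tool: it scans the options block for any query-source or query-source-v6 statement that fixes a source port (which overrides the port randomization the patched BIND relies on), and can rewrite such a statement to "port *". The two configs are constructed samples with RFC 5737 addresses, and the parsing is a simplified regex over named.conf syntax rather than a full grammar.

```python
"""Flag query-source port pinning in named.conf (added example, not from the thread).

Source-port randomization is what the patched BIND adds against the 2008
cache poisoning attack; a 'query-source ... port N' directive with a fixed N
overrides it, so the resolver stays exposed even after the upgrade.
"""
import re

# Constructed sample configs (RFC 5737 documentation addresses); not real hosts.
PINNED_CONF = """\
options {
    directory "/etc/namedb";
    listen-on { 127.0.0.1; 192.0.2.53; };
    // Pins every outgoing query to UDP/53: defeats source-port randomization.
    query-source address * port 53;
    query-source-v6 address * port 53;
    recursion yes;
};
"""

FIXED_CONF = """\
options {
    directory "/etc/namedb";
    listen-on { 127.0.0.1; 192.0.2.53; };
    // Pinning the address is fine; omitting the port (or 'port *')
    // lets named choose a random source port per query.
    query-source address 192.0.2.53;
    query-source-v6 address *;
    recursion yes;
};
"""

# named.conf allows //, # and /* */ comments.
_COMMENT_RE = re.compile(r"//[^\n]*|#[^\n]*|/\*.*?\*/", re.S)
# One query-source or query-source-v6 statement, up to its terminating ';'.
_QS_RE = re.compile(r"\b(query-source(?:-v6)?)\b([^;]*);")
# 'port 53' or 'port *' inside such a statement.
_PORT_RE = re.compile(r"\bport\s+(\*|\d+)(?=[\s;]|$)")


def strip_comments(conf: str) -> str:
    """Drop comments so a commented-out directive is not reported."""
    return _COMMENT_RE.sub("", conf)


def find_pinned_ports(conf: str) -> list:
    """Return (directive, port) for every query-source* statement with a fixed port."""
    findings = []
    for m in _QS_RE.finditer(strip_comments(conf)):
        directive, args = m.group(1), m.group(2)
        pm = _PORT_RE.search(args)
        if pm and pm.group(1) != "*":
            findings.append((directive, int(pm.group(1))))
    return findings


def is_port_pinned(conf: str) -> bool:
    """True if the config would defeat source-port randomization."""
    return bool(find_pinned_ports(conf))


def unpin_ports(conf: str) -> str:
    """Rewrite 'port N' to 'port *' inside query-source* statements only.

    Operates on the raw text so the result is still a complete config; a
    query-source statement that sits inside a comment is rewritten too,
    which is harmless.
    """
    def fix_statement(m):
        args = _PORT_RE.sub(
            lambda p: p.group(0) if p.group(1) == "*" else "port *", m.group(2))
        return f"{m.group(1)}{args};"
    return _QS_RE.sub(fix_statement, conf)


if __name__ == "__main__":
    for name, conf in (("pinned", PINNED_CONF), ("fixed", FIXED_CONF)):
        print(f"{name}: {find_pinned_ports(conf) or 'no pinned query-source port'}")
    print(unpin_ports(PINNED_CONF))
```

Point it at the live file (on FreeBSD, /etc/namedb/named.conf) rather than the embedded samples to audit a real server; the firewall half of Doug's advice, keep-state on outgoing UDP so the randomized ports are not rewritten to a fixed one, has to be checked on the firewall itself and is outside what a config scan can see.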
> On Wed 23/07/2008, Mark Andrews said:
> >
> > To roll a key signing key. Add the key at a weekly signing.
> > Wait for the DNSKEY RRset TTL to expire. Send the new
> > DS/DLV records for the new keys to the parent/DLV operator.
> > Once the parent / DLV operator has updated the DS/DLV RRset,
> > wait for the old TTL to expire. Remove the old key signing key
> > at your discretion. Normally you would do this at the next
> > weekly signing. This procedure requires one interaction with
> > the parent/dlv operator during the rollover.
> >
> > Note this is not much different than what is required when
> > changing nameservers.
>
> But changing nameservers is an exceptional operation. Nobody wants the burden
> of an exceptional operation to come back regularly.

KSK changes should be approximately annual, which is short enough not to forget but long enough to not be a burden.

> --
> Erwan

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews@isc.org