NetBSD-Users archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Re: bind reacts badly to dhcpcd losing/regaining connectivity
On Apr 15, 5:29pm, kre%munnari.OZ.AU@localhost (Robert Elz) wrote:
-- Subject: Re: bind reacts badly to dhcpcd losing/regaining connectivity
| ps: Christos - capabilities (if we had them) would not be the answer - if you
| were to trust bind to be unhackable, then just using root would be just as
| good a solution, if you (wisely) fail to believe that all named's bugs
| have been fixed, and that it can still be hacked, then giving it extra
| capabilities would still be allowing a privilege escalation - not as big
| a one as directly to root perhaps, but big things can often be built on
| small steps, and taking over a nameserver's answers (being able to intercept
| queries to port 53 and return bogus replies) is one of the standard ways
| to launch all kinds of attacks - allowing a hacker to bind to port 53,
| and perhaps other priv'd ports, depending upon the granualarity of the perms,
| which a capability based solution would essentially do (given named bugs
| remain to be exploited) is essentially giving them control of your network.
I agree. If the bind license was not changed to MPL I would be inclined
to add an option to do a wild-card bind(2). Given that it is and
we are stuck with a version that we are not going to upgrade until
that situation changes I'd advise to switch to unbound/nsd. Of course
it would have been nice if ISC would have dual licensed bind to make
an exception for the opensource operating systems, but they did not
do that either.
christos
Home |
Main Index |
Thread Index |
Old Index