NetBSD-Users archive


Re: bind reacts badly to dhcpcd losing/regaining connectivity



On Apr 15,  9:09am, Christos Zoulas wrote:
} On Apr 15,  5:29pm, kre%munnari.OZ.AU@localhost (Robert Elz) wrote:
} 
} | ps: Christos - capabilities (if we had them) would not be the answer - if you
} | were to trust bind to be unhackable, then just using root would be just as
} | good a solution, if you (wisely) fail to believe that all named's bugs
} | have been fixed, and that it can still be hacked, then giving it extra
} | capabilities would still be allowing a privilege escalation - not as big
} | a one as directly to root perhaps, but big things can often be built on
} | small steps, and taking over a nameserver's answers (being able to intercept
} | queries to port 53 and return bogus replies) is one of the standard ways
} | to launch all kinds of attacks - allowing a hacker to bind to port 53,
} | and perhaps other priv'd ports, depending upon the granularity of the perms,
} | which a capability based solution would essentially do (given named bugs
} | remain to be exploited) is essentially giving them control of your network.
} 
} I agree. If the bind license was not changed to MPL I would be inclined

     What's wrong with the MPL?

} to add an option to do a wild-card bind(2). Given that it is and

     How is this done in NetBSD?

} we are stuck with a version that we are not going to upgrade until
} that situation changes I'd advise to switch to unbound/nsd. Of course
} it would have been nice if ISC would have dual licensed bind to make
} an exception for the opensource operating systems, but they did not
} do that either.
} 
}-- End of excerpt from Christos Zoulas
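The two mechanisms the thread argues about, shown in code. This is an added example, not code from the thread, from named or from NetBSD: a server takes one wildcard bind(2) on port 53 while still root, then drops privileges irreversibly, and from that point a per-address rebind on port 53 (what named needs when dhcpcd hands an interface a new address) is refused by the kernel. The uid/gid 65534 and the 127.0.0.1 stand-in for the "new" address are constructed values; bind_udp, bound_port and drop_privileges are names chosen here. Elz's point follows directly: a capability that lets the unprivileged named redo that second bind also lets a compromised named take port 53.

```c
/* Added example (not from the thread, named or NetBSD): wildcard bind(2)
 * before dropping root versus a per-address rebind after the drop.
 * uid/gid 65534 and the 127.0.0.1 "new address" are constructed values. */
#include <arpa/inet.h>
#include <errno.h>
#include <grp.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Bind a UDP socket to addr_str:port (addr_str == NULL means the
 * INADDR_ANY wildcard).  Returns the descriptor, or -errno on failure. */
int bind_udp(const char *addr_str, unsigned short port)
{
    struct sockaddr_in sin;
    int one = 1;
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0)
        return -errno;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_port = htons(port);
    if (addr_str == NULL) {
        sin.sin_addr.s_addr = htonl(INADDR_ANY);
    } else if (inet_pton(AF_INET, addr_str, &sin.sin_addr) != 1) {
        close(fd);
        return -EINVAL;
    }
    if (bind(fd, (struct sockaddr *)&sin, sizeof sin) < 0) {
        int e = errno;
        close(fd);
        return -e;
    }
    return fd;
}

/* Report what a bound socket actually holds: returns the port in host
 * order and writes the dotted-quad address to addr_out; -1 on error. */
int bound_port(int fd, char *addr_out, size_t len)
{
    struct sockaddr_in sin;
    socklen_t sl = sizeof sin;
    if (getsockname(fd, (struct sockaddr *)&sin, &sl) < 0)
        return -1;
    if (addr_out != NULL &&
        inet_ntop(AF_INET, &sin.sin_addr, addr_out, len) == NULL)
        return -1;
    return ntohs(sin.sin_port);
}

/* Irreversibly drop to uid/gid (order matters: groups, gid, then uid).
 * Returns 0 on success, -errno on failure; a no-op when not root. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() != 0)
        return 0;
    if (setgroups(1, &gid) < 0 || setgid(gid) < 0 || setuid(uid) < 0)
        return -errno;
    /* Confirm root is really gone before serving anything. */
    if (setuid(0) == 0)
        return -EPERM;
    return 0;
}

int main(void)
{
    char addr[INET_ADDRSTRLEN];
    int port, later;

    /* Startup while still root: one wildcard socket on port 53.  This
     * socket keeps receiving no matter what dhcpcd does to the addresses. */
    int any = bind_udp(NULL, 53);
    if (any < 0) {
        fprintf(stderr, "wildcard bind on port 53: %s\n", strerror(-any));
        return 1;
    }
    if (drop_privileges(65534, 65534) < 0) {
        fprintf(stderr, "could not drop privileges\n");
        return 1;
    }

    /* Later, an interface gets a new address (127.0.0.1 stands in for it).
     * A server that binds per address must bind again on :53, and now
     * the kernel refuses: the privilege it needs was given up on purpose. */
    later = bind_udp("127.0.0.1", 53);
    if (later < 0)
        printf("per-address rebind on :53 after the drop: %s\n",
               strerror(-later));
    else
        close(later);

    port = bound_port(any, addr, sizeof addr);
    printf("wildcard socket still bound to %s:%d\n", addr, port);
    close(any);
    return 0;
}
```

Run as root to see both halves: the wildcard bind succeeds, the later per-address bind fails with EACCES. Run unprivileged and the first bind already fails the same way, which is exactly the situation named is in once it has dropped root.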

