01-13-2009, 02:54 PM
Scott Kitterman

Additional configuration override for sysklogd

Thanks to Mr. Kaminsky and his DNS cache poisoning attack, I've been looking
into DNSSEC a bit more lately.

The first thing I'm trying to do is update the dkim-milter package to build
against a DNSSEC capable resolver (upstream now supports using the Unbound
package for this is a new upstream not yet packaged).

Unbound is shipped by its upstream in a default chrooted configuration which
Debian has changed because the syslog configuration needs to be changed
manually to work with unbound inside the chroot.

I see that in Ubuntu the sysklogd package is already wired to allow ltsp to
override its configuration:

https://launchpad.net/ubuntu/+source/sysklogd/1.5-5ubuntu1/+changes

What I would like to do is:

1. Restore the Unbound upstream default chroot configuration.
2. In the sysklogd package allow Unbound to over-ride its configuration so
logging from the chroot works by default.
3. Update dkim-milter to use Unbound so it's 'DNSSEC Ready'.

I thought I ought to check and see if there was any objection to part 2 of
this before I changed it. I'm not going to upload any of it unless I get all
three bits going OK.

Any objections?

Scott K

--
ubuntu-devel mailing list
ubuntu-devel@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel
 
01-13-2009, 06:29 PM
Kees Cook

Additional configuration override for sysklogd

On Tue, Jan 13, 2009 at 10:54:08AM -0500, Scott Kitterman wrote:
> The first thing I'm trying to do is update the dkim-milter package to build
> against a DNSSEC capable resolver (upstream now supports using the Unbound
> package for this is a new upstream not yet packaged).

I take it that glibc isn't? What about using bind9 directly?

--
Kees Cook
Ubuntu Security Team

 
01-13-2009, 07:14 PM
Scott Kitterman

Additional configuration override for sysklogd

On Tue, 13 Jan 2009 11:29:09 -0800 Kees Cook <kees@ubuntu.com> wrote:
>On Tue, Jan 13, 2009 at 10:54:08AM -0500, Scott Kitterman wrote:
>> The first thing I'm trying to do is update the dkim-milter package to build
>> against a DNSSEC capable resolver (upstream now supports using the Unbound
>> package for this is a new upstream not yet packaged).
>
>I take it that glibc isn't? What about using bind9 directly?

The dkim-milter can:

1. Just use whatever the system uses.
2. Use its own resolver lib (arlib) - what it does now.
3. Use Unbound and integrate with DNSSEC.

So Unbound is the only supported config for DNSSEC. I don't have any good
way to test DNSSEC right now, so my plan is to get the config to be what
upstream supports and depend on their testing.

I did also coordinate the switch to unbound with the Debian maintainer and
he's happy to adopt the change if I can make it work.

Scott K
