Re: RPZ configuration examples

2011-11-20 Thread Stephane Bortzmeyer
On Sat, Nov 19, 2011 at 03:24:14PM +0100,
 Issam Harrathi  wrote 
 a message of 139 lines which said:

> this is an example:

If the OP reads French, I suggest that
 is
much more detailed.

If, however, he prefers English, I would point him towards
.
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: RPZ configuration examples

2011-11-20 Thread Stephane Bortzmeyer
On Sat, Nov 19, 2011 at 10:53:27AM +0530,
 babu dheen  wrote 
 a message of 105 lines which said:

> If I use RPZ, recursive DNS will contact remote RBL database for
> every DNS query? 

It seems you need to read about RPZ first because one critical point
of RPZ is precisely that the database is never remote.

http://www.isc.org/software/rpz

> 3. Is it possible to download DNS RBLs locally on the DNS server
> automatically daily and then allow RPZ query locally to give malware
> domain lookup response? 

See above. That's the entire point of RPZ.


Re: trigger point for new bug

2011-11-20 Thread Danny Mayer
On 11/16/2011 5:35 PM, Michael McNally wrote:
> No.  You can see all versions of ISC BIND 9 that we have released,
> going back to 9.0.0 in 2004, at ftp://ftp.isc.org/isc/bind9/

9.0.0 was released well before that. 9.2.1 was released in 2001 when I
completed the first release of the Windows version. You are being fooled
by the dates on the subdirectories.

Danny


Re: trigger point for new bug

2011-11-20 Thread Fajar A. Nugraha
On Fri, Nov 18, 2011 at 6:11 AM, Jack Tavares  wrote:
> Thank you again. And I agree that upgrading is the best option, however
> I was looking for any possible mitigations to the problem for the
> (unfortunately unavoidable) period of time it will take vendors
> to provide patched bind servers.

Which "vendors" are you talking about? AFAIK most Linux distros have
a special release policy w.r.t. critical security updates, so they
should be available not long after a CVE was published. For example:
https://www.isc.org/software/bind/advisories/cve-2011-4313 => Nov 16
https://rhn.redhat.com/errata/RHSA-2011-1458.html => updated package
available on Nov 17

Another alternative (if you can't wait one day) is to build the
package yourself, assuming you have sufficient knowledge about patches
and your distro's build system (e.g. rebuilding SRPM).

-- 
Fajar