FreeBSD Maradns logging

Sam Trenholme strenholme.usenet at gmail.com
Fri Mar 19 09:48:07 EDT 2010


> I see that logging under FreeBSD was mentioned on the list here:
>
> http://maradns.blogspot.com/2008_09_01_archive.html
>
> and that it was resolved and blogged about here:
>
> http://maradns.blogspot.com/2008/09/maradns-snapshot-update-freebsd-logging.html

Indeed.  The changes in question were only applied to the branch of
MaraDNS code which is now the 1.4 stable branch of MaraDNS.  People
still using MaraDNS 1.3 or MaraDNS 1.2 will still have the following
problem:

> However the addition in /etc/syslog.conf of:
>
> daemon.info <tab><tab><tab><tab>/var/log/daemon
>
> is still required along with:
>
> touch /var/log/daemon && chown root:wheel /var/log/daemon \
> && chmod 640 /var/log/daemon && kill -HUP $(pgrep syslogd)

Another option is to upgrade from MaraDNS 1.2/1.3 to MaraDNS 1.4
(currently MaraDNS 1.4.03).  I still maintain the 1.2 and 1.3 branches
of MaraDNS, but only for critical security fixes.  I will stop
maintaining the 1.2 branch on December 21, 2010, and the 1.3 branch on
December 21, 2012, so distributions and people making MaraDNS packages
have plenty of time to upgrade, but it does need to be done.

Information about updating MaraDNS and the minor configuration file
changes is here:

http://maradns.org/tutorial/update.html

I don't know which version of MaraDNS the FreeBSD package uses; if it
uses the 1.2 branch, it should use 1.2.12.10 (the last issue which was
a critical security issue was fixed in 1.2.12.08).  If it uses the 1.3
branch, it should use 1.3.07.10; 1.3.07.04 fixes the last critical
security issue; 1.3.07.10 fixes a minor security issue which I blogged
about here:

http://maradns.blogspot.com/2010/02/maradns-1403-and-130710-released.html

For djbdns fanboys who still think djbdns is perfectly secure without
needing updates, I blogged about that here:

http://maradns.blogspot.com/2010/02/there-is-no-such-thing-as-perfectly.html

Thanks for this information; if I have time, I will add this
information to the MaraDNS FAQ.

- Sam

Note: I do not answer MaraDNS (including Deadwood) support requests
sent by private email without being compensated for my time. A MaraDNS
support request is any and all discussion you may wish to have about
MaraDNS in private email; if you want to email me to talk about
MaraDNS then, yes, that is a support request. (You would be amazed
what lusers don't consider support requests) I will discuss rates if
you want this kind of support. Thank you for your understanding.

MaraDNS security vulnerability reports, however, will be dealt with
without charge and kept confidential. If you don't know what Bugtraq
is, then, no, your email is not a security report. It is not a
security report unless you've done due diligence to determine how the
security bug you think you found can reasonably be exploited. (Lusers
who don't know how to interpret a stack trace like to use the
"security report" loophole to try and get free email support this way.
 If you don't have enough clue to read a stack trace to determine how
a segfault could be exploited, you don't have enough clue to get
support from me for free via private email.  I've only had two people
with enough clue to send me this kind of security report: João
Antunes, who found a couple of remotely exploitable memory leaks, and
the relevant people at CERT who communicated with me to make sure
MaraDNS wasn't vulnerable to the Kaminsky DNS security hole before it
became public)

