July 27, 2012 archive

Jul 27

NIST Guidelines for the Secure Deployment of IPv6

The United States National Institute of Standards and Technology (NIST) created an excellent “Special Publication” related to IPv6 security called:

Guidelines for the Secure Deployment of IPv6

Like most of NIST’s special publications, including their excellent guide to DNSSEC, the document begins with a lengthy tutorial about IPv6 and how it compares to IPv4.   The document then walks through a number of IPv6 security issues in great detail.  As the title implies, a large part of the document is focused on how to deploy IPv6 securely, and includes detailed sections on the many different IPv4-to-IPv6 transition mechanisms.

It concludes on the very positive note:

Security risks are inherent during the initial deployment of a new protocol such as IPv6, but mitigation strategies exist and many of the residual risks are no different from those that challenge existing IPv4 networks.

And then goes on to provide lengthy appendices fully of definitions, references and links to learn more.

While written for the audience of US federal agencies, this document is an outstanding reference for anyone seeking to understand how to securely deploy IPv6 within their networks.

 

Jul 27

Warning! DNSSEC-Trigger Installation Issue After Mountain Lion Upgrade

Dnssec TriggerIf you are a Mac OS X user looking to upgrade to the brand new Mountain Lion release – and you also have installed DNSSEC-Trigger to have a local DNSSEC-validating DNS resolver, it seems there may be an issue during the upgrade process that you need to deal with.

[UPDATE: This issue apparently only affects new installations of DNSSEC-Trigger.  If you already have DNSSEC-Trigger installed, the upgrade to Mountain Lion works.  It is when you go to install DNSSEC-Trigger on Mountain Lion that the issue appears.]

Over on the dnssec-trigger mailing list, Olaf Kolkman of NLnet Labs writes about the problem with Mountain Lion and provides instructions for how to address the problem.  If you notice unbound not starting after  the Mountain Lion upgrade, you will need to follow Olaf’s instructions:

If the command
$ id unbound
returns “no such user”, you know that you have been bitten by this problem.

To fix:
Allocate yourself a free id. You can see the allocated ids using the following:
dscl localhost -list /Local/Default/Groups PrimaryGroupID
dscl localhost -list /Local/Default/Users UniqueID

Then assign the ids to the unbound user.
sudo dscl localhost -create /Local/Default/Users/unbound PrimaryGroupID <number>
sudo dscl localhost -create /Local/Default/Users/unbound UniqueID <number>

In his email message, Olaf also provides a “use-at-your-own-risk” shell script for performing this fix.  He also indicates that the DNSSEC-Trigger team will be including a fix in a new release sometime in the next few weeks.