DNS Security Flaw.

Mark Andrews Mark_Andrews at isc.org
Wed Jul 9 22:58:10 UTC 2008


> In article <g51uno$2k3p$1 at sf1.isc.org>, "Sam M" <sam.m at servwise.com> 
> wrote:
> 
> > I've just seen this story about a major flaw in DNS.
> > 
> > http://news.bbc.co.uk/1/hi/technology/7496735.stm
> > 
> > What is the current situation with Bind for Windows? Does this affect bind
> > and if so is it fixed and from what version?
> 
> Announcements of new versions of BIND went out yesterday afternoon, more 
> than 12 hours before you posted your message.  They all include Windows 
> versions.

Also the only real complete fix is for you to sign your zones and
to use a validating resolver.  What we have released is a stop gap
measure to make it harder for the attack to succeed.

Everyone can do their part by signing their zones.  If your parent
zone is not yet signed you can register in ISC's DLV.  Otherwise
once you have signed your zone inform your parent zone so they can
add DS records for your zone.

Once your parent is signed it should not be necessary to be registered
in the DLV anymore and you should get the entry removed.

Remember whenever you roll your keys you need to update the parent zone 
and / or the DLV registry.

Also talk to your local member of parliament and ask them to apply pressure
to getting the root zone signed.   This is a global issue.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
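What the parent's DS record actually binds, and why a key roll forces a parent (or DLV) update, as an added example that is not from this post or from ISC's tools: it builds DNSKEY RDATA, computes the RFC 4034 key tag and the SHA-256 DS digest over the owner name plus RDATA, and checks a DS against a key. The owner name and key bytes are constructed for illustration, not a real key.

```python
import hashlib
import struct

def name_to_wire(name: str) -> bytes:
    """Owner name in DNS wire format, lower-cased as RFC 4034 requires for the digest."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | public key material."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (all algorithms except the obsolete RSAMD5)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += (b << 8) if i % 2 == 0 else b
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_digest_sha256(owner: str, rdata: bytes) -> str:
    """DS digest type 2: SHA-256 over owner name (wire format) + DNSKEY RDATA."""
    return hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()

def make_ds(owner: str, flags: int, protocol: int, algorithm: int, pubkey: bytes) -> dict:
    """The DS RDATA the parent zone publishes for this child DNSKEY."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    return {"key_tag": key_tag(rdata), "algorithm": algorithm,
            "digest_type": 2, "digest": ds_digest_sha256(owner, rdata)}

def ds_matches(ds: dict, owner: str, flags: int, protocol: int,
               algorithm: int, pubkey: bytes) -> bool:
    """True only if tag, algorithm, digest type and digest all match this DNSKEY."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    return (ds["digest_type"] == 2
            and ds["algorithm"] == algorithm
            and ds["key_tag"] == key_tag(rdata)
            and ds["digest"].lower() == ds_digest_sha256(owner, rdata))

# Constructed sample: a KSK (flags 257, protocol 3, algorithm 8 = RSASHA256)
# with placeholder key bytes; the "rolled" key differs in its key material.
OWNER = "example.com."
KSK_FLAGS, PROTO, ALG = 257, 3, 8
OLD_KEY = b"\x03\x01\x00\x01" + bytes(range(32))
NEW_KEY = b"\x03\x01\x00\x01" + bytes(range(32, 64))

PARENT_DS = make_ds(OWNER, KSK_FLAGS, PROTO, ALG, OLD_KEY)
```

After a key roll `ds_matches(PARENT_DS, OWNER, KSK_FLAGS, PROTO, ALG, NEW_KEY)` is False: validators following the parent's DS cannot reach the new key until the parent (or the DLV registry) publishes a DS for it.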

