do not run old versions of bind any more please!

Paul Vixie Paul_Vixie at isc.org
Thu Jul 24 20:15:28 UTC 2008


an auditor just found that one of my recursive nameservers was vulnerable
to kaminsky-style cache poisoning.  this is one of my personal servers, so
it was quite embarrassing.  upon inspection it turned out i was running the
stock BIND that came with FreeBSD 4.11.  this is BIND8.

apparently FreeBSD 4 went into end-of-life a year or so ago, but this system
is old and small and stable and probably wouldn't take well to an upgrade but
otherwise has some years left in it.  by which i mean to say, it's like tens
of thousands of other FreeBSD 4 and similar-era computers on the internet.

and all of them must be stopped.  cache pollution doesn't just hurt the RDNS
who is the direct victim, nor just the stubs of that RDNS who are the
indirect victims.  inducible DNS incoherency is a danger to everybody
you might be exchanging packets with.

my immediate plan is to switch to the /usr/ports version of BIND, since i'm
too lazy to compile one up from scratch.  i'll also start thinking thoughts
about replacing or upgrading my FreeBSD-4 era systems, or running modern
BIND without benefit of OS-level integration.

and i hereby advise all of you to do likewise.  for more information, consult
<http://www.isc.org/sw/bind/bind-security.php> which says among other things:

	YOU ARE ADVISED TO INSTALL EITHER THE PATCHES, STAYING WITHIN YOUR
	MAJOR VERSION, (9.5.0-P1, 9.4.2-P1, 9.3.5-P1) OR THE NEW BETA
	RELEASES (9.5.1b1, 9.4.3b2) IMMEDIATELY.

don't assume, as i did, that your OS vendor will have shipped you the patch.
go and check all of your RDNS boxes; you may not like what you find.

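An added triage script for the "go and check all of your RDNS boxes" step. It is not part of Vixie's message or of ISC's advisory; it assumes `dig` is installed and that resolver addresses are supplied on the command line. The list of accepted versions is exactly the one quoted from the ISC advisory above, so any release the message does not name (including later ones) is reported as "unknown" and has to be compared against ISC's current advisory by hand.

```shell
#!/bin/sh
# Added example, not from the original post. Classify the string a recursive
# nameserver reports for version.bind against the releases the ISC advisory
# quoted in the message names. Anything else must be checked by hand.
classify_bind_version() {
    case "$1" in
        9.5.0-P1|9.4.2-P1|9.3.5-P1|9.5.1b1|9.4.3b2) echo "patched" ;;   # named in the advisory
        8.*)  echo "bind8-eol" ;;            # BIND 8: replace, do not patch
        9.*)  echo "unknown" ;;              # other 9.x: compare with ISC's current advisory
        *)    echo "not-bind-or-hidden" ;;   # empty, non-BIND, or a hidden/altered banner
    esac
}

# Ask one resolver for the CHAOS-class TXT record version.bind and strip the
# quotes dig puts around TXT data. Requires dig; the query is assumed to be
# run from a host the resolver answers (many resolvers refuse outside clients).
query_bind_version() {
    dig +short +time=3 +tries=1 CH TXT version.bind "@$1" 2>/dev/null | tr -d '"' | head -n 1
}

# Print one tab-separated line per resolver: address, reported version, verdict.
# Constructed usage: ./check-rdns.sh 192.0.2.53 198.51.100.53
check_resolvers() {
    for server in "$@"; do
        v=$(query_bind_version "$server")
        printf '%s\t%s\t%s\n' "$server" "${v:-<hidden>}" "$(classify_bind_version "$v")"
    done
}

if [ $# -gt 0 ]; then
    check_resolvers "$@"
fi
```

version.bind is self-reported and is commonly hidden or altered, so an empty or odd answer says nothing about whether the server is fixed; treat the verdict as a first pass and confirm on the host itself with the installed package version, which is also the only way to catch a vendor package that carries the right version number without the patch.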