do not run old versions of bind any more please!

Bryan Irvine sparctacus at gmail.com
Fri Jul 25 07:44:11 UTC 2008


wouldn't an acceptable interim solution also be to set those older
unpatchable yet stable servers to use a newer server as a forwarder?

-Bryan

On 7/24/08, Paul Vixie <Paul_Vixie at isc.org> wrote:
> an auditor just found that one of my recursive nameservers was vulnerable
> to kaminsky-style cache poisoning.  this is one of my personal servers, so
> it was quite embarrassing.  upon inspection it turned out i was running the
> stock BIND that came with FreeBSD 4.11.  this is BIND8.
>
> apparently FreeBSD 4 went into end-of-life a year or so ago, but this system
> is old and small and stable and probably wouldn't take well to an upgrade but
> otherwise has some years left in it.  by which i mean to say, it's like tens
> of thousands of other FreeBSD 4 and similar-era computers on the internet.
>
> and all of them must be stopped.  cache pollution doesn't just hurt the RDNS
> who is the direct victim, and also not just the stubs of that RDNS who are
> the indirect victims.  inducible DNS incoherency is a danger to everybody
> you might be exchanging packets with.
>
> my immediate plan is to switch to the /usr/ports version of BIND, since i'm
> too lazy to compile one up from scratch.  i'll also start thinking thoughts
> about replacing or upgrading my FreeBSD-4 era systems, or running modern
> BIND without benefit of OS-level integration.
>
> and i hereby advise all of you to do likewise.  for more information, consult
> <http://www.isc.org/sw/bind/bind-security.php> which says among other things:
>
> 	YOU ARE ADVISED TO INSTALL EITHER THE PATCHES, STAYING WITHIN YOUR
> 	MAJOR VERSION, (9.5.0-P1, 9.4.2-P1, 9.3.5-P1) OR THE NEW BETA
> 	RELEASES (9.5.1b1, 9.4.3b2) IMMEDIATELY.
>
> don't assume, as i did, that your OS vendor will have shipped you the patch.
> go and check all of your RDNS boxes, you may not like what you find.
>

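The forwarder setup suggested at the top of this message, written out as an added example that is not part of the thread: a named.conf fragment that stops an old BIND 8 (the syntax is the same on BIND 9) recursive server from walking the tree itself and hands every query to patched resolvers. The addresses, the client prefix and the directory are placeholders (assumptions); substitute the patched servers and networks you actually run.

```conf
// Added example, not from the thread.  Make an unpatched recursive
// server forward everything to patched resolvers instead of recursing.
// 192.0.2.53/54 and 198.51.100.0/24 are documentation-range
// placeholders (an assumption), as is the directory.
options {
        directory "/etc/namedb";

        // "only", not "first": with "forward first" the old server
        // falls back to doing its own recursion whenever the
        // forwarders fail to answer, which is exactly the code path
        // this change is meant to take out of use.
        forward only;
        forwarders {
                192.0.2.53;
                192.0.2.54;
        };

        // Keep the old box answering only its own stubs, so outsiders
        // cannot drive queries into its cache.
        allow-query     { 198.51.100.0/24; localhost; };
        allow-recursion { 198.51.100.0/24; localhost; };
};
```

After `ndc reload` (BIND 8) or `rndc reload` (BIND 9), resolve a name through the old box and confirm on the box itself (tcpdump on port 53) that its only outbound DNS traffic goes to the two forwarders. Two caveats a practitioner should keep in mind: the forwarding server still caches whatever the forwarder returns, and on BIND 8 still sends every query from one fixed source port, so anyone who can spoof replies from the forwarder's address needs to guess only the 16-bit transaction ID to poison it; and a patched forwarder protects only queries that actually go through it, so the `forward only` line and the `allow-recursion` restriction are both necessary. This is a stopgap to buy time for the upgrade the ISC advisory quoted above calls for, not a replacement for it.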