Slashdot Mirror


Massive, Coordinated Patch To the DNS Released

tkrabec alerts us to a CERT advisory announcing a massive, multi-vendor DNS patch released today. Early this year, researcher Dan Kaminsky discovered a basic flaw in the DNS that could allow attackers to easily compromise any name server; it also affects clients. Kaminsky has been working in secret with a large group of vendors on a coordinated patch. Eighty-one vendors are listed in the CERT advisory (DOC). Here is the executive overview (PDF) of the CERT advisory — text reproduced at the link above. There's a podcast interview with Dan Kaminsky too. His site has a DNS checker tool on the top page. "The issue is extremely serious, and all name servers should be patched as soon as possible. Updates are also being released for a variety of other platforms since this is a problem with the DNS protocol itself, not a specific implementation. The good news is this is a really strange situation where the fix does not [immediately] reveal the vulnerability and reverse engineering isn't directly possible."

3 of 315 comments

  1. Re:DJBDNS not affected. by bignetbuy · Score: 0, Flamebait

    Great! So the four people that actually use DJBDNS don't have to patch it. Thank you!

  2. Re:So give a layman explanation by el33thack3r · Score: 0, Flamebait

    Here is one way to put it: Paul Vixie cannot write worth crap and we all have to suffer for it.

    If you haven't ditched BIND yet, this is a good opportunity to do so, since DJBDNS has been placed in the public domain. Otherwise, you'll be monkeying around with disruptive BIND patches for the rest of your life.

  3. Re:The Death of BIND by Hydraq · Score: 1, Flamebait

    There are two responses to this. One is that if you have 90,000+ zones you're presumably making some money from this, so you can afford to pay for support from ISC -- how far did this get you? Or were you using the free software and not contributing anything back, and then going on a rant about the sucky software that you use for nothing and then make money from?

    The other response is to point to the ISC feedback in the CERT Advisory:

    "ISC is also making beta releases, BIND 9.5.1b1 and 9.4.3b2, available for download and testing. These beta releases provide the same improved resiliency as the patches but with better performance for servers with query volumes at or above 10,000 queries per second. They are, however, betas, not fully tested production releases. The patches (P1 versions) are fully tested today and released for production use."

    Of course, a paying customer would presumably know this after seeking their paid support and being told the options available.