Another DNS Flaw Found, Patched

darthcamaro writes "Remember the big DNS flaw that Dan Kaminsky 'discovered' last year? Well, it looks like another flaw in DNS has just been patched. This time it's an item that affects DNSSEC, which was supposed to be the savior for the Kaminsky flaw. The good news, though, is that this time, the issue is relatively minor and DNS has already been patched. 'The flaw is specific to certain usages of DNSSEC,' Joao Damas, senior programming manager of the ISC told InternetNews. 'It is strongly advised that all BIND DNSSEC deployments update in case they are using the particular pattern affected (DSA keys in some cases) and to prevent coming across the problem in the future unexpectedly.'"

14 of 66 comments

  1. any relation to the Ubuntu update? by LingNoi · · Score: 2

    Is this somehow related to the bind DNS updates for ubuntu desktop that got pushed yesterday?

    1. Re:any relation to the Ubuntu update? by WarJolt · · Score: 2, Informative

      Your home Ubuntu machine or Windows machine won't be affected directly by this.

    2. Re:any relation to the Ubuntu update? by peektwice · · Score: 2, Insightful

      You are aware that this is /. right?
      Many, if not most people here take apart stuff and find out how it works for fun. Why, just this weekend, I'll replace a radiator in my wife's van for a fourth of what the repair shop would charge, then later I might compile a new kernel or something. When I'm done, I'm probably gonna treat that old lawn mower to a new magneto, and then later, restart work on my control program for my radio scanner.

      --
      Other than this text, there is no discernible information contained in this sig.
  2. subject by cstdenis · · Score: 4, Funny

    This is bad for all those who use DNSSEC. Both of them must be annoyed at the need to update their software.

    --
    1984 was not supposed to be an instruction manual.
  3. Are we actually supposed to trust these people? by mrsbrisby · · Score: 3, Interesting

    I don't have anything to add to my subject.

  4. Yeah, um... by Ethanol · · Score: 5, Informative

    That's not a "DNS flaw".

    It's an OpenSSL bug that turned out to affect BIND.

    1. Re:Yeah, um... by Anonymous Coward · · Score: 2, Funny

      Since the Windows resolver can connect to BIND, and Microsoft didn't release a patch, a well-written Slashdot summary should have read

      Microsoft refuses to fix critical Windows 7 security vulnerability.

    2. Re:Yeah, um... by Florian+Weimer · · Score: 4, Informative

      It's an OpenSSL bug that turned out to affect BIND.

      No, it's a misuse of an OpenSSL API from within BIND, so the error is on BIND's side. It's of extremely low impact, though.

    3. Re:Yeah, um... by slash.duncan · · Score: 2

      Exactly. I was just on the ISC site checking out something else (someone was asking about DNS for MS W2K and I was checking on that), and they said return codes for OpenSSL function calls weren't being checked in a few places, so a verify failure may not have been properly caught. The released patch and downstream updates fix that.

      --
      Duncan
      "Every nonfree program has a lord, a master,
      and if you use the program, he is your master."
      R Stallman
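An added illustration, not code from BIND, ISC or OpenSSL, of the bug class the comment above describes: OpenSSL signature-verification calls such as DSA_verify() return 1 for a valid signature, 0 for an invalid one and -1 when the call itself fails, so code that ignores the return value, or treats any non-zero result as success, can let a failed verification pass. The verify function here is a constructed stand-in (fake_dsa_verify) with the same three-valued contract, so the block runs without linking OpenSSL; the outcome argument simply selects which result to simulate.

```c
#include <stdio.h>

/* Constructed stand-in for an OpenSSL-style verify call (e.g. DSA_verify()).
 * Contract mirrored from OpenSSL: 1 = signature valid, 0 = signature invalid,
 * -1 = the verification could not be performed (bad key, malformed signature,
 * internal library error). No real cryptography happens here. */
static int fake_dsa_verify(int outcome)
{
    return outcome;
}

/* Bug pattern 1: the return code is never looked at, so every signature,
 * valid or not, is treated as verified. */
int unchecked_accepts(int outcome)
{
    fake_dsa_verify(outcome);
    return 1;               /* always "accepted" */
}

/* Bug pattern 2: "non-zero means success". An invalid signature (0) is
 * rejected, but a library error (-1) is accepted as if it were valid. */
int nonzero_accepts(int outcome)
{
    int ret = fake_dsa_verify(outcome);
    return ret != 0;
}

/* Corrected pattern: only an explicit 1 is success. Both 0 and -1 reject. */
int fixed_accepts(int outcome)
{
    int ret = fake_dsa_verify(outcome);
    return ret == 1;
}

/* Companion check so callers can distinguish "signature invalid" from
 * "verification could not run" and log the latter as an error. */
int verify_hit_library_error(int outcome)
{
    return fake_dsa_verify(outcome) < 0;
}

int main(void)
{
    const int outcomes[] = { 1, 0, -1 };
    const char *labels[] = { "valid (1)", "invalid (0)", "library error (-1)" };

    printf("%-22s %-10s %-10s %-6s\n", "verify result", "unchecked", "non-zero", "fixed");
    for (int i = 0; i < 3; i++) {
        printf("%-22s %-10s %-10s %-6s\n", labels[i],
               unchecked_accepts(outcomes[i]) ? "ACCEPT" : "reject",
               nonzero_accepts(outcomes[i])   ? "ACCEPT" : "reject",
               fixed_accepts(outcomes[i])     ? "ACCEPT" : "reject");
    }
    return 0;
}
```

The table printed by main shows the two buggy patterns accepting results the fixed check rejects; the practical takeaway for anyone wrapping OpenSSL verification is to compare against 1 explicitly and to treat a negative return as an error condition worth logging, never as a pass.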
  5. time to dump BIND by hansoloaf · · Score: 2, Informative

    and go with djbdns

    1. Re:time to dump BIND by morgan_greywolf · · Score: 2, Interesting

      Personally, I use ldapdns, which used to be based on the djbdns code and continues to adopt some ideas from djbdns. The nice thing about ldapdns, though, is that the database store is entirely in LDAP. You change it in LDAP and the changes in the DNS server are instantaneous.

      I would consider PowerDNS as well, but ldapdns is also very small, fast and lightweight and it scales well. I don't get the feeling that PowerDNS is so lightweight.

    2. Re:time to dump BIND by abigor · · Score: 2, Informative

      PowerDNS is actually quite light. They had the good sense to split it into a caching nameserver and a recursing resolver, making two lightweight daemons, rather than a single "does everything" process.

      It's also nice because it can suck in BIND zone files if you're stuck with them and don't want to migrate. Good commercial support is also available. The code itself is GPL.

  6. Only if you're using BIND and DNSSEC by billstewart · · Score: 2, Informative

    Otherwise not a problem.

    --
    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
  7. DNS Flaw? by HairyCanary · · Score: 5, Insightful

    "DNS Flaw"? Can we shoot for a bit more accuracy here on Slashdot, since we're all technical enough to understand the details? It's a flaw that affects BIND. And BIND != DNS. I shouldn't have to point that out...