Wouldn't an acceptable interim solution also be to set those older unpatchable yet stable servers to use a newer server as a forwarder?
-Bryan

On 7/24/08, Paul Vixie <[EMAIL PROTECTED]> wrote:
> an auditor just found that one of my recursive nameservers was vulnerable
> to kaminsky-style cache poisoning. this is one of my personal servers, so
> it was quite embarrassing. upon inspection it turned out i was running the
> stock BIND that came with FreeBSD 4.11. this is BIND8.
>
> apparently FreeBSD 4 went into end-of-life a year or so ago, but this system
> is old and small and stable and probably wouldn't take well to an upgrade but
> otherwise has some years left in it. by which i mean to say, it's like tens
> of thousands of other FreeBSD 4 and similar-era computers on the internet.
>
> and all of them must be stopped. cache pollution doesn't just hurt the RDNS
> who is the direct victim, and also not just the stubs of that RDNS who are
> the indirect victims. inducible DNS incoherency is a danger to everybody
> you might be exchanging packets with.
>
> my immediate plan is to switch to the /usr/ports version of BIND, since i'm
> too lazy to compile one up from scratch. i'll also start thinking thoughts
> about replacing or upgrading my FreeBSD-4 era systems, or running modern
> BIND without benefit of OS-level integration.
>
> and i hereby advise all of you to do likewise. for more information, consult
> <http://www.isc.org/sw/bind/bind-security.php> which says among other
> things:
>
> YOU ARE ADVISED TO INSTALL EITHER THE PATCHES, STAYING WITHIN YOUR
> MAJOR VERSION, (9.5.0-P1, 9.4.2-P1, 9.3.5-P1) OR THE NEW BETA
> RELEASES (9.5.1b1, 9.4.3b2) IMMEDIATELY.
>
> don't assume, as i did, that your OS vendor will have shipped you the patch.
> go and check all of your RDNS boxes, you may not like what you find.
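The quoted advisory names the fixed releases per branch, and the advice is to go and check every RDNS box rather than trust the OS vendor. Below is an added example (not code from either poster, ISC or the list) that turns that into an inventory script: it reads the `version.bind` CHAOS TXT banner that BIND returns by default, parses it, and triages each host as patched, unpatched or unknown against exactly the versions listed in the quoted text (9.3.5-P1, 9.4.2-P1, 9.5.0-P1, and the betas 9.4.3b2 and 9.5.1b1). The host names and banners in `SAMPLE_BANNERS` are constructed for the demonstration; `query_version` shells out to `dig` and is only used when you pass real hosts.

```python
"""Triage BIND version banners against the fixed releases in the ISC advisory.

Added example, not part of the original thread.  The banner is advisory only:
operators can hide or rewrite version.bind, and a vendor may backport the fix
without bumping the string, so treat "unknown" as "go look at the box", never
as "safe".
"""
import re
import subprocess

# Minimum fixed release per maintained 9.x branch: (major, minor, patch, P-level).
FIXED = {
    (9, 3): (9, 3, 5, 1),   # 9.3.5-P1
    (9, 4): (9, 4, 2, 1),   # 9.4.2-P1
    (9, 5): (9, 5, 0, 1),   # 9.5.0-P1
}
# Beta releases the advisory lists as fixed: base version -> minimum beta number.
FIXED_BETA = {
    (9, 4, 3): 2,           # 9.4.3b2
    (9, 5, 1): 1,           # 9.5.1b1
}

# Accepts "9.4.2-P1", "9.4.3b2", "9.4.3rc1", "8.4.7-REL"; trailing vendor suffixes are ignored.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-P(\d+))?(?:b(\d+))?(?:rc(\d+))?")


def parse_version(text):
    """Return (major, minor, patch, P, beta_or_None) or None if the banner is not a version."""
    m = VERSION_RE.match(text.strip().strip('"'))
    if not m:
        return None
    major, minor, patch, p, beta, _rc = m.groups()
    return int(major), int(minor), int(patch), int(p or 0), (int(beta) if beta else None)


def classify(banner):
    """'patched', 'unpatched' or 'unknown' for one version.bind answer."""
    v = parse_version(banner)
    if v is None:
        return "unknown"            # hidden or forged banner: inspect the host by hand
    major, minor, patch, p, beta = v
    branch = FIXED.get((major, minor))
    if branch is None:
        return "unpatched"          # BIND 8, 9.2 and older: no fixed release exists
    if beta is not None:
        minimum = FIXED_BETA.get((major, minor, patch))
        if minimum is not None:
            return "patched" if beta >= minimum else "unpatched"
        # a beta of some other base version is judged by its base version below
    return "patched" if (major, minor, patch, p) >= branch else "unpatched"


def query_version(host):
    """Fetch version.bind via dig (needs dig on PATH and network); '' on any failure."""
    cmd = ["dig", "+short", "+time=3", "+tries=1", "@" + host, "chaos", "txt", "version.bind"]
    try:
        out = subprocess.run(cmd, capture_output=True, text=True, timeout=10)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return ""
    return out.stdout.strip()


def audit(hosts, lookup=query_version):
    """Return [(host, banner, verdict), ...] for every host."""
    results = []
    for host in hosts:
        banner = lookup(host)
        results.append((host, banner, classify(banner)))
    return results


# Constructed sample data (not real hosts) so the script runs offline.
SAMPLE_BANNERS = {
    "ns1.example.net": '"9.4.2-P1"',
    "ns2.example.net": '"9.5.0"',
    "old.example.net": '"8.4.7-REL"',
    "quiet.example.net": "",        # banner hidden with "version none;"
}

if __name__ == "__main__":
    for host, banner, verdict in audit(sorted(SAMPLE_BANNERS), lambda h: SAMPLE_BANNERS[h]):
        print(f"{host:20} {banner or '(no answer)':16} {verdict}")
```

Run it against your own list with `audit(hosts)` and chase down every "unpatched" and "unknown"; a banner of "9.4.2" on a vendor package that claims to be fixed is exactly the case the quoted message warns about, so confirm on the box itself. Pointing an old server at a patched forwarder, as the reply above suggests, is an interim measure at best: the old server still caches what the forwarder sends and still accepts answers on its own predictable ports and IDs, so its cache remains poisonable.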
