> In what way would it be unsafe to run a non-Kaminsky-patched > *authoritative-only* nameserver? My understanding is that Kaminsky only > applies to resolvers.
Well, for one thing, upgrading to a patched server protects against the "idiot successor" problem, where someone takes over your job someday and naively reconfigures your server to be unsafe. ;) The theoretical, academic answer to your question is: a Kaminksy-style attack is much less likely to succeed against an authoritative-only server than against a resolver. I'm not prepared, though, to say it's impossible (auth-only servers do send notifies and maintain a small cache). The ISC answer to your question is: those releases are unsafe, and we don't recommend using them for any purpose. Please just either upgrade to a Windows release that came out within the last five years, or to some flavor of UNIX or Linux, and run the latest patches. -- Evan Hunt -- [EMAIL PROTECTED] Internet Systems Consortium, Inc.
