The BIND scandal
Doug Barton
dougb at FreeBSD.org
Sun Aug 3 17:21:35 UTC 2008
Bob is quite obviously trolling for a fight here, and I'm definitely
not going to get sucked into that.
I would like to point out however that the _DNS_ vulnerability that is
currently in wide discussion is not in any way related to BIND; it's a
fundamental flaw in the protocol related to response forgery. All
major vendors of DNS systems and the IETF working groups on DNS are
trying to find a permanent solution for this problem. As a stop-gap
measure ISC has adopted the same solution for BIND that has proven
effective for other vendors, randomizing the query source port. You
can find more information about this issue here:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1447
http://www.kb.cert.org/vuls/id/800113
http://tools.ietf.org/html/draft-ietf-dnsext-forgery-resilience
Hope this helps,
Doug
--
This .signature sanitized for your protection
More information about the freebsd-security mailing list
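An added illustration of the two points in Doug's reply (this is example code, not from the post, from ISC or from BIND): why guessing the 16-bit transaction ID alone is cheap for a blind forger, how much the search space grows once the query source port is randomized as well, and a rough way to tell from observed traffic whether a resolver is actually randomizing. The probability model is the one in the linked forgery-resilience draft (each forged reply is an independent guess at the TXID/port pair); the port pool size of 64000 and the sample port lists are assumptions constructed for the example.

```python
# Added example, not code from the original post or from ISC/BIND.
# Models the blind-forgery odds behind CVE-2008-1447 and offers a rough
# check of whether a resolver randomizes its query source port.
# The sample port lists at the bottom are constructed, not real captures.

TXID_SPACE = 1 << 16          # 16-bit DNS transaction ID
RANDOM_PORT_SPACE = 64000     # assumption: roughly the 1024..65535 range a
                              # patched resolver draws from; pool size varies


def forgery_odds(spoofed_replies, port_space=1, txid_space=TXID_SPACE):
    """Chance that one attack round succeeds.

    The attacker triggers a query, then floods the resolver with forged
    answers that must arrive before the genuine one.  Each forged answer
    is an independent guess at the (TXID, source port) pair, so with a
    search space S the round succeeds with probability 1 - (1 - 1/S)**k
    for k forged packets.  port_space=1 models a resolver that always
    sends from the same port; the TXID is then the only thing to guess.
    """
    if spoofed_replies < 1 or port_space < 1:
        raise ValueError("need at least one packet and one port")
    space = txid_space * port_space
    p_round = 1.0 - (1.0 - 1.0 / space) ** spoofed_replies
    return space, p_round


def expected_rounds(spoofed_replies, port_space=1, txid_space=TXID_SPACE):
    """Expected number of rounds until a forged answer is accepted.

    In the attack under discussion every round asks for a fresh random
    sibling name, so a cached genuine answer never slows the attacker
    down; the only defence is making each round unlikely to succeed.
    """
    _, p_round = forgery_odds(spoofed_replies, port_space, txid_space)
    return 1.0 / p_round


def classify_source_ports(ports):
    """Rough label for the UDP source ports observed from one resolver.

    Returns (label, distinct_ports, span):
      'fixed'      every query from one port   -> TXID-only protection
      'sequential' constant increment           -> trivially predictable
      'random'     anything else; span shows how much of the port range
                   is actually in use (a tiny span is still weak)
    """
    if len(ports) < 2:
        raise ValueError("need at least two observed ports")
    distinct = len(set(ports))
    span = max(ports) - min(ports)
    if distinct == 1:
        return "fixed", distinct, span
    steps = {b - a for a, b in zip(ports, ports[1:])}
    if len(steps) == 1:
        return "sequential", distinct, span
    return "random", distinct, span


# Constructed observations: what an authoritative server you control might
# log as the source ports of successive queries from a single resolver.
FIXED_PORTS = [53] * 8
SEQUENTIAL_PORTS = [1024 + i for i in range(8)]
RANDOM_PORTS = [42371, 8804, 60117, 17533, 33290, 51046, 2251, 27708]


if __name__ == "__main__":
    k = 100  # forged replies the attacker manages to land per round
    for label, pool in (("fixed port", 1), ("random port", RANDOM_PORT_SPACE)):
        space, p = forgery_odds(k, pool)
        print(f"{label:12s} search space {space:>11,d}  "
              f"P(round) {p:.2e}  expected rounds {expected_rounds(k, pool):,.0f}")
    for sample in (FIXED_PORTS, SEQUENTIAL_PORTS, RANDOM_PORTS):
        print(classify_source_ports(sample))
```

With 100 forged packets per round the fixed-port resolver is expected to fall in a few hundred rounds, while the randomizing one needs tens of millions. One caveat worth checking on a patched BIND: a `query-source` clause that names a specific port (often added for firewall convenience) pins the source port again and cancels the mitigation, so the port list a remote authoritative server sees is a better test than the version banner.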