View Full Version : Coordinated DNS Vulnerability Patch.
robbak
07-09-2008, 04:40 AM
An error in the DNS specifications has been discovered, and all DNS vendors have released patches.
I am doing a cvsup right now on my system, but I haven't seen the bind patches come through yet. My Ubuntu notebook is installing an updated bind now.
If someone who is tracking the FreeBSD security advisories (http://www.freebsd.org/security/advisories.html) RSS (http://www.freebsd.org/security/rss.xml) could give this forum a heads-up when it hits the tree, it would be helpful.
Details:
http://it.slashdot.org/article.pl?sid=08/07/08/195225
http://securosis.com/2008/07/08/dan-kaminsky-discovers-fundamental-issue-in-dns-massive-multivendor-patch-released/
BSDfan666
07-09-2008, 05:49 AM
The person who found the problem has published a small test script on his website that determines if your ISP is vulnerable.
Curiously, the OpenBSD team haven't said a word about it.. nor have they done a patch, odd.
J65nko
07-09-2008, 10:57 PM
By default OpenBSD randomizes the ports used. The same randomization is done by djbdns.
The CERT advisory http://www.kb.cert.org/vuls/id/800113 contains three links to Daniel J. Bernstein web pages about DJBDNS and he is credited for the original idea of using randomized source ports.
BTW according to http://cr.yp.to/djbdns/forgery.html Bernstein predicted this issue already in 2001 ;)
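As an added example, not from any poster in this thread and not vendor or project code: the script below models the forgery race the thread is about. A resolver sends a query carrying a 16-bit transaction ID (TXID); an off-path attacker floods forged answers hoping to match that TXID before the real reply arrives. With a fixed outbound source port only the TXID has to be guessed; with randomized ports (the OpenBSD and djbdns behaviour J65nko describes) the port has to be guessed as well, which multiplies the search space by the size of the port range. The block also includes an offline scorer for a sample of a resolver's observed source ports, in the spirit of the public "is my resolver vulnerable" tests mentioned above. The fixed port (53), the ephemeral port range and every port sample fed to it are constructed assumptions, not captured data.

```python
"""Added example, not part of the thread or of any DNS vendor's patch.

Models the 2008 DNS forgery race: the attacker must match the resolver's
16-bit TXID, and, when source ports are randomized, the port as well.
"""
import random
import statistics

TXID_SPACE = 1 << 16                  # DNS transaction IDs are 16 bits
EPHEMERAL_PORTS = range(1024, 65536)  # assumption: range a randomizing resolver draws from
FIXED_PORT = 53                       # assumption: port a non-randomizing resolver always uses


def forgery_odds(forged_replies, port_choices=1):
    """Chance that one poisoning attempt succeeds when the attacker sends
    `forged_replies` distinct (TXID, port) guesses before the real answer
    lands. Guesses are assumed distinct, so the odds are linear in the
    number of guesses and capped at 1."""
    return min(1.0, forged_replies / (TXID_SPACE * port_choices))


def simulate_race(trials, forged_replies, randomize_port, seed=1):
    """Monte-Carlo counterpart of forgery_odds(). Returns how many of
    `trials` queries were poisoned, i.e. at least one forged reply matched
    both the resolver's TXID and its source port."""
    rng = random.Random(seed)
    wins = 0
    for _ in range(trials):
        txid = rng.randrange(TXID_SPACE)
        port = rng.choice(EPHEMERAL_PORTS) if randomize_port else FIXED_PORT
        if randomize_port:
            # attacker must guess port and TXID together
            guesses = {(rng.randrange(TXID_SPACE), rng.choice(EPHEMERAL_PORTS))
                       for _ in range(forged_replies)}
        else:
            # attacker knows the port, so every packet tries a distinct TXID
            guesses = {(t, FIXED_PORT) for t in rng.sample(range(TXID_SPACE), forged_replies)}
        if (txid, port) in guesses:
            wins += 1
    return wins


def analyze_ports(ports):
    """Classify a sample of a resolver's outbound source ports as 'fixed',
    'sequential' or 'random'. Offline stand-in for the public port tests:
    feed it the source ports seen in a packet capture of the resolver's
    upstream queries."""
    if len(ports) < 2:
        raise ValueError("need at least two samples")
    distinct = len(set(ports))
    steps = [abs(b - a) for a, b in zip(ports, ports[1:])]
    if distinct == 1:
        verdict = "fixed"
    elif statistics.median(steps) <= 2:   # incrementing allocator, trivially predictable
        verdict = "sequential"
    else:
        verdict = "random"
    return {"samples": len(ports), "distinct": distinct,
            "stdev": round(statistics.pstdev(ports), 1), "verdict": verdict}


if __name__ == "__main__":
    # constructed port samples, not captured from a real resolver
    samples = {
        "fixed": [FIXED_PORT] * 20,
        "sequential": list(range(32768, 32788)),
        "random": random.Random(7).sample(EPHEMERAL_PORTS, 20),
    }
    for name, sample in samples.items():
        print(name, analyze_ports(sample))
    print("odds, fixed port, 5000 forged replies:", forgery_odds(5000))
    print("odds, random port, 5000 forged replies:", forgery_odds(5000, len(EPHEMERAL_PORTS)))
    print("poisoned queries out of 200, fixed vs random port:",
          simulate_race(200, 5000, False), simulate_race(200, 5000, True))
```

Running it shows the point of the patch in numbers: 5000 forged replies against a fixed-port resolver win roughly one query in thirteen, and an attacker can simply repeat the race; against a port-randomizing resolver the same flood essentially never wins. Port randomization does not make the TXID stronger, it just makes each guess cover far less of the search space, which is why the thread's djbdns and OpenBSD comparisons are relevant.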
TerryP
07-09-2008, 11:47 PM
I wonder how long it has been since something of this magnitude has happened on the net :\
On a lighter note,
I’m pretty proud of what we accomplished here. We got Windows. We got Cisco IOS. We got Nominum. We got BIND 9, and when we couldn’t get BIND 8, _we got Yahoo, the biggest BIND 8 deployment we knew of, to publicly commit to abandoning it_ entirely.
!!!
ai-danno
07-10-2008, 06:26 AM
Good thing it's not going to his head ;)
cajunman4life
07-14-2008, 06:10 AM
> ... If someone who is tracking the FreeBSD security advisories (http://www.freebsd.org/security/advisories.html) RSS (http://www.freebsd.org/security/rss.xml) could give this forum a heads-up when it hits the tree, it would be helpful ...
Almost forgot, the changes have hit.
http://security.freebsd.org/advisories/FreeBSD-SA-08:06.bind.asc
TerryP
07-14-2008, 08:28 AM
thanks for the heads up
Carpetsmoker
07-14-2008, 01:09 PM
You should really subscribe to security@...
TerryP
07-14-2008, 09:02 PM
I am but I check my personal e-mail like, once every two months :\
There's a commercial on American TV for insurance that says
"My inbox is exploding and I haven't had a day off since the third grade"
that really comes to my mind about now +S
BSDfan666
07-14-2008, 09:04 PM
Seen that commercial (Peachtree TV?).. some guy is lying on her, partially. :)
> The person who found the problem has published a small test script on his website that determines if your ISP is vulnerable.
> Curiously, the OpenBSD team haven't said a word about it.. nor have they done a patch, odd.
Actually you are VERY WRONG. There was a long discussion on misc@open
about the vulnerability found in BIND last week, and I would do a disservice to the OpenBSD project if I tried to repeat it or give a summary here.
You are welcome to go through the archive and see what the lead developers had to say about it. OpenBSD would not be OpenBSD if they were relying on some hasty patches to fix the problem. The problem is most likely not isolated and represents a whole class of new bugs.
If you cannot wait for a proper fix you should switch from BIND to djbdns, as
it seems for now that djbdns is bulletproof.
BSDfan666
07-15-2008, 05:06 AM
I made that post the day after it was published... fear & confusion led me there.
My apologies, but I'm only human.
Carpetsmoker
07-15-2008, 01:52 PM
> If you cannot wait for a proper fix you should switch from BIND to djbdns, as
> it seems for now that djbdns is bulletproof.
That may be, but djbdns has been unmaintained since 2001. Bernstein is a great guy, but it just sucks how he releases software; you'll have to search the net for patches, often encountering dead links :( QMail is even worse...
> That may be, but djbdns has been unmaintained since 2001. Bernstein is a great guy, but it just sucks how he releases software; you'll have to search the net for patches, often encountering dead links :( QMail is even worse...
We had a discussion about Bernstein's software as well in the past couple of weeks on misc@open.
Again, you could inform yourself by reading the archives. I agree about QMail and with your post in general. Actually, due to the lack of licenses, his software was removed from the OpenBSD ports tree many years ago. Now that his software is released into the public domain it is ported again (so you do not have to seek any patches or do anything manually), but the ports are not committed to the ports tree. So I can send you zip files, or look at ports@open to find them.
Best,
OKO