[unisog] Query on CERT VU#800113

Alan Clegg alan at clegg.com
Sat Jul 19 01:40:29 GMT 2008

Hopefully by now you are fully aware of CERT VU#800113 regarding cache
poisoning of recursive DNS servers.  I'm certainly hoping that upgrades
are happening all over the place and that everything is moving along well.

Having said that, I'm interested in how many of you have upgraded your
nameservers and confirmed that your upgrade went well.  What problems
have you encountered at this point?

If you have not upgraded yet, what is your schedule to do so?  How has
the August 7th deadline changed maintenance windows for you?

Did you discover NAT/PAT issues that de-randomize your queries even
after patching?  Are you aware of that problem?

Do you have UNIX/Linux nameservers or Microsoft?   What code did you
upgrade to (assuming UNIX/Linux and BIND)?  Are you seeing issues caused
by high load?

Were you already safe because you run an unaffected server?

Do you have machines in your infrastructure that you are unable to
upgrade and are therefore forwarding to a "patched" system?  Were you
aware that you could do that?

What tests are you using to confirm that your servers are safe?

Are you testing from home as well, and if so, what results are you seeing?

Please feel free to mail me directly and I'll summarize responses early
next week.

Alan Clegg
Internet Systems Consortium
aclegg at isc.org