[unisog] Query on CERT VU#800113

Getchell, Adam acgetchell at ucdavis.edu
Sun Jul 20 21:16:13 GMT 2008


We run DJBDNS [1], so we were already safe. I chose it more than 5 years ago, and implemented split-horizon using it in two different organizations, and have never regretted it.

DJBDNS furthermore splits the recursive resolver, dnscache, from the nameserver, tinydns -- a design that avoids these issues inherently. The software is in the public domain [2], and IMHO far superior to BIND.

[1] http://cr.yp.to/djbdns.html

[2] http://cr.yp.to/distributors.html

***************
* Adam Getchell, M.S.
* Director of Information Technology
* College of Agricultural & Environmental Sciences, UC Davis
* acgetchell at ucdavis.edu (530)752-8008
***************
"Invincibility is in oneself, vulnerability in the opponent." -- Sun Tzu

-----Original Message-----
From: unisog-bounces at lists.dshield.org [mailto:unisog-bounces at lists.dshield.org] On Behalf Of Alan Clegg
Sent: Friday, July 18, 2008 6:40 PM
To: UNIversity Security Operations Group
Subject: [unisog] Query on CERT VU#800113


All,

Hopefully by now you are fully aware of CERT VU#800113 regarding cache
poisoning of recursive DNS servers.  I'm certainly hoping that upgrades
are happening all over the place and that everything is moving along well.

Having said that, I'm interested in how many of you have upgraded your
nameservers and confirmed that your upgrade went well.  What problems
have you encountered at this point?

If you have not upgraded yet, what is your schedule to do so?  How has
the August 7th deadline changed maintenance windows for you?

Did you discover NAT/PAT issues that de-randomize your queries even
after patching?  Are you aware of that problem?

Do you have UNIX/Linux nameservers or Microsoft?   What code did you
upgrade to (assuming UNIX/Linux and BIND)?  Are you seeing issues caused
by high load?

Were you already safe because you run an unaffected server?

Do you have machines in your infrastructure that you are unable to
upgrade and are therefore forwarding to a "patched" system?  Were you
aware that you could do that?

What tests are you using to confirm that your servers are safe?

Are you testing from home as well, and if so, what results are you seeing?

Please feel free to mail me directly and I'll summarize responses early
next week.

Alan Clegg
Internet Systems Consortium
aclegg at isc.org