ISC BIND 9.4.2-P2-W1 is now available
Evan Hunt
Evan_Hunt at isc.org
Tue Sep 9 01:30:58 UTC 2008
> In what way would it be unsafe to run a non-Kaminsky-patched
> *authoritative-only* nameserver? My understanding is that Kaminsky only
> applies to resolvers.

Well, for one thing, upgrading to a patched server protects against the
"idiot successor" problem, where someone takes over your job someday
and naively reconfigures your server to be unsafe. ;)

The theoretical, academic answer to your question is: a Kaminsky-style
attack is much less likely to succeed against an authoritative-only server
than against a resolver. I'm not prepared, though, to say it's impossible
(auth-only servers do send notifies and maintain a small cache).

The ISC answer to your question is: those releases are unsafe, and we don't
recommend using them for any purpose.

Please just either upgrade to a Windows release that came out within the
last five years, or to some flavor of UNIX or Linux, and run the latest
patches.

--
Evan Hunt -- evan_hunt at isc.org
Internet Systems Consortium, Inc.