Security firm warns of outdated software (DNS) ?

David R. Conrad David.Conrad at nominum.com
Thu Jun 15 05:45:29 UTC 2000


Hi,

It is unfortunate that CNET chose to run their article without discussing some
of the claims made by DeMorgan with us.  A few points about the article:

	"DeMorgan chief information officer Craig Wright said one of the
	 highest-level root servers--".com" root server A, administered 
	by Network Solutions (NSI)--could allow hostile intruders to 
	compromise the system."

No.  There never was an exploit that would permit compromise of 8.1.2.  NSI
has applied the minor patches to 8.1.2 long ago that removed the threat of a
BIND related denial of service attack in that version.

	"Some of the codes are vulnerable to either a root compromise or 
	DDoS (distributed denial of service) attacks," Wright said. 

None of the root servers are running either of the two versions of BIND
(8.1{,.1} (if iquery was turned on which wasn't the default) and 8.2{,.1})
that were susceptible to compromise.

With respect to DDoS, any single system is susceptible to DDoS.

	"There seems to be no control to make sure people actually update 
	their patching." 

The exact opposite is true.  Not to speak for all the root server operators,
but I think it safe to say we as a group are extremely conscious of the
demands of the root servers, are in close contact with each other, keep the
servers very up to date with respect to security related issues, and take
great care in ensuring there is no possibility of disruption of service.

	"Nevertheless, Wright said root servers E and F are running a new 
	version of BIND--version 8.2.3 (T5B)--described by developers as 
	a prerelease."

Nominum, ISC's sub-contractor for BIND software development, training, and
support services, operates F for ISC and E for NASA.  As operation on the root
nameservers is so critical, when a version of BIND is being considered for
final release, we install that version (through a number of steps) and closely
monitor the nameserver operation to ensure there are no ill effects in the
root server environment.  As with many things on the Internet, to date we have
not been able to replicate the Internet in our test labs, so must do live
testing to be absolutely certain prior to recommending to the other root
server operators that they should upgrade.

As for 8.2.3 T5B being a pre-release, this is true.  8.2.3 T5B has a couple of
(non-security related) problems in the Win32 port (which none of the root
nameservers are running) that have delayed release as final and we will not
release 8.2.3 final until we can get all known problems resolved.  If anyone
knows of a problem in 8.2.2-P5, we would ask they see if they can replicate
the problem in 8.2.3 T5B and if the problem persists, notify us as soon as
possible.

With regards to the underlying theme of the article (and the article in
zdnet.com.au yesterday that this seems to be based on), I would not be at all
surprised to find that a very high percentage of sites are running older
versions of BIND given it is shipped with all Unix implementations and runs on
just about everything from embedded systems to IBM mainframes.  In most cases,
this is not a particularly significant issue (e.g., there are no significant
issues that we know of with 8.1.2 or 4.9.7).  However, there are people out
there who are still running very old versions of BIND that are trivial to
spoof or 8.2.1 or 8.1.1 with iquery turned on.  This is obviously a very
serious problem, yet we are unsure how we can convince people of the need to
upgrade.  Suggestions gratefully accepted.

Rgds,
-drc
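Added example, not code from the post, from Nominum or from BIND: a small Python audit helper that parses the version strings BIND reports (for instance in its `version.bind` CHAOS TXT record), orders patched (`-P`) and test (`T`) releases correctly, and classifies each server in a constructed inventory according to the statuses the post gives for 8.2.x, 8.1.x (with and without iquery) and 4.9.7. Reading the post's "very old versions ... trivial to spoof" as anything older than 4.9.7 is an assumption.

```python
import re
from typing import NamedTuple

class BindVersion(NamedTuple):
    major: int
    minor: int
    patch: int
    stage: int  # 0 = T (test/pre-release), 1 = plain final release, 2 = P (patched final)
    level: int  # number after T or P; 0 for a plain final release

# Accepts "4.9.7", "8.1", "8.2.2-P5" and "8.2.3 T5B" / "8.2.3-T5B" (trailing letter ignored).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-?([PT])(\d+)[A-Z]?)?$", re.I)
def parse_version(text: str) -> BindVersion:
    m = _VERSION_RE.match(text.strip().replace(" ", "-"))
    if not m:
        raise ValueError(f"unrecognised BIND version string: {text!r}")
    major, minor, patch, kind, level = m.groups()
    stage = {None: 1, "P": 2, "T": 0}[kind.upper() if kind else None]
    return BindVersion(int(major), int(minor), int(patch or 0), stage, int(level or 0))

# Version status as the post states it (June 2000); treating anything older than 4.9.7
# as the post's "very old ... trivial to spoof" class is an assumption.
CURRENT = parse_version("8.2.2-P5")
COMPROMISE = {parse_version("8.2"), parse_version("8.2.1")}
COMPROMISE_IF_IQUERY = {parse_version("8.1"), parse_version("8.1.1")}
NO_KNOWN_ISSUES = {parse_version("8.1.2"), parse_version("4.9.7")}
def assess(text: str, iquery_enabled: bool = False) -> str:
    """Return the action for one reported version string, following the post."""
    v = parse_version(text)
    if v in COMPROMISE:
        return "upgrade now: susceptible to compromise"
    if v in COMPROMISE_IF_IQUERY:
        if iquery_enabled:
            return "upgrade now: susceptible to compromise with iquery on"
        return "upgrade: exposed only if iquery is turned on (off by default)"
    if v >= CURRENT:
        return "ok: current release or the 8.2.3 test release"
    if v in NO_KNOWN_ISSUES:
        return "no known significant issues; plan an upgrade"
    if v < parse_version("4.9.7"):
        return "upgrade now: very old, trivial to spoof"
    return "review: version not covered by the post"
def audit(reports: dict, iquery: frozenset = frozenset()) -> dict:
    """Assess a {server: version} inventory; servers named in `iquery` have iquery on."""
    return {srv: assess(ver, srv in iquery) for srv, ver in reports.items()}

# Constructed inventory (not real root-server data) covering each class the post names.
SAMPLE = {"ns1": "8.2.2-P5", "ns2": "8.2.3 T5B", "ns3": "8.2.1", "ns4": "8.1.1",
          "ns5": "8.1.2", "ns6": "4.9.7", "ns7": "4.9.3"}
```

Running `audit(SAMPLE, iquery=frozenset({"ns4"}))` yields one verdict per server, which is the kind of inventory check that turns "we are unsure how to convince people to upgrade" into a concrete list of hosts to chase.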
