bind8.2 security issues

Steve Foster fosters at uk.psi.com
Mon Jul 1 10:40:28 UTC 2002 

At 09:58 01/07/02 GMT, phn at icke-reklam.ipsec.nu wrote:
>
>Steve Foster <fosters at uk.psi.com> wrote:
>
>> All,
>
>
>> i have seen the postings on this group and via CERT about the
>> vulnerabilities in Bind8.X , however i am bit confused as to how to
>> progress. I currently have bind running 8.2.3 on Solaris 2.6 , i have no
>> problems re-building a new version of bind to replace it, however Sun=
 have
>> not released any details on new resolver library patches, So should i=
 wait
>> until they do before building a new version of bind, or does bind use its
>> own internal ones for build named etc...
>
>Using bind-9 as resolving nameserver for all your clients seems to be=20
>a good workaround. That way no resolver is ever exposed to an=20
>answer from hostile nameservers "out there".

Cool, i have no problem replacing my resolvers with bind9, as there are no
specific config issues i have to worry about...at the moment all my
resolvers are running named, which as you suggest below is not an
issue...so assuming sun bring out a patch, we should be okay to patch all
of internal and external servers which use the customer resolvers. my other
servers are primary and secondary servers running named, i assume that
there is no inherent risk in leaving these at bind8.2.3 in the short-term,
as as you say, any calls to named from externally will use the internal
resolver functions in named...

>
>Time to install bind-9 !!
>
>> Also it says that named itself is not vulnerable, how can this be so??
>
>It's not named that is vulnerable, it's the resolver code that all your=20
>applications use. Named uses it's own ( not vulnerable) code for resolving.
>
>
>> many thanks in advance
>
>> Steve
>> Steve Foster
>> Senior Systems Administrator
>> PSINet Europe
>> Work: +44 (1223) 577322
>> Mobile: +44 (7720) 425911
>
>
>--=20
>Peter H=E5kanson        =20
>        IPSec  Sverige      ( At Gothenburg Riverside )
>           Sorry about my e-mail address, but i'm trying to keep spam out,
>	   remove "icke-reklam" if you feel for mailing me. Thanx.
>
>
>
Steve Foster
Senior Systems Administrator
PSINet Europe
Work: +44 (1223) 577322
Mobile: +44 (7720) 425911

More information about the bind-users mailing list