ISC BIND 9.4.2-P2-W1 is now available

Vincent Poy vincepoy at gmail.com
Tue Sep 9 03:09:11 UTC 2008


On Mon, Sep 8, 2008 at 6:30 PM, Evan Hunt <Evan_Hunt at isc.org> wrote:
>
> > In what way would it be unsafe to run a non-Kaminsky-patched
> > *authoritative-only* nameserver? My understanding is that Kaminsky only
> > applies to resolvers.
>
> Well, for one thing, upgrading to a patched server protects against the
> "idiot successor" problem, where someone takes over your job someday
> and naively reconfigures your server to be unsafe. ;)
>
> The theoretical, academic answer to your question is: a Kaminsky-style
> attack is much less likely to succeed against an authoritative-only server
> than against a resolver.  I'm not prepared, though, to say it's impossible
> (auth-only servers do send notifies and maintain a small cache).
>
> The ISC answer to your question is: those releases are unsafe, and we don't
> recommend using them for any purpose.
>
> Please just either upgrade to a Windows release that came out within the
> last five years, or to some flavor of UNIX or Linux, and run the latest
> patches.
>
> --
>  Evan Hunt -- evan_hunt at isc.org
> Internet Systems Consortium, Inc.
>

And the other solution for those who insist on Windows 2000 is to run BIND
under FreeBSD as a VM under VMware or something.

Cheers,
Vince
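The "idiot successor" problem above is a configuration problem, so here is a small audit of a named.conf `options` block for the two reconfigurations that make a patched server unsafe again: recursion left on for a server meant to be authoritative-only, and `query-source` pinned to a fixed UDP port, which defeats the source-port randomisation the P1/P2 patches add. This is an added example, not code from the list or from ISC; the two config samples are constructed and the parser is a regex approximation, not a full named.conf parser.

```python
import re

# Constructed sample: the kind of naive reconfiguration the thread warns about.
UNSAFE_CONF = """
options {
    directory "/var/named";
    recursion yes;                    // resolver behaviour on an auth-only box
    query-source address * port 53;   // pins the source port: no randomisation
};
"""

# Constructed sample: authoritative-only, source port left to BIND to randomise.
SAFE_CONF = """
options {
    directory "/var/named";
    recursion no;
    allow-recursion { none; };
    query-source address *;
};
"""


def _strip_comments(text: str) -> str:
    """Drop /* */, // and # comments so commented-out directives are ignored."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)


def audit_options(conf: str) -> list[str]:
    """Return findings for the options block; an empty list means nothing flagged."""
    body = _strip_comments(conf)
    # Non-greedy up to the first '};' that starts a line, i.e. the block's own close.
    block = re.search(r"options\s*\{(.*?)\n\};", body, flags=re.S)
    if not block:
        return ["no options block found"]
    opts = block.group(1)
    findings = []
    # BIND defaults to 'recursion yes' when the directive is absent, so only an
    # explicit 'recursion no' makes the server authoritative-only.
    rec = re.search(r"(?<![-\w])recursion\s+(yes|no)\s*;", opts)
    if rec is None or rec.group(1) == "yes":
        findings.append("recursion enabled: not authoritative-only")
    # Any numeric port on query-source / query-source-v6 undoes the Kaminsky fix.
    if re.search(r"\bquery-source(-v6)?\b[^;]*\bport\s+\d+", opts):
        findings.append("query-source pinned to a fixed port")
    return findings
```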
