[Pdns-users] coordinated patch
leen at wirehub.nl
Wed Jul 9 05:47:45 UTC 2008
This sounds pretty scary; it seems to concern recursors and resolver libraries. The way to solve it is to use port randomization, which shouldn't be a big surprise to the PowerDNS-using community.
Massive, Coordinated Patch To the DNS Released
tkrabec alerts us to a CERT advisory announcing a massive, multi-vendor DNS patch released today. Early this year, researcher Dan Kaminsky discovered a basic flaw in the DNS that could allow attackers easily to compromise any name server; it also affects clients. Kaminsky has been working in secret with a large group of vendors on a coordinated patch. Eighty-one vendors are listed in the CERT advisory (DOC). Here is the executive overview (PDF) to the CERT advisory -- text reproduced at the link above. There's a podcast interview with Dan Kaminsky too. His site has a DNS checker tool on the top page. "The issue is extremely serious, and all name servers should be patched as soon as possible. Updates are also being released for a variety of other platforms since this is a problem with the DNS protocol itself, not a specific implementation. The good news is this is a really strange situation where the fix does not immediately reveal the vulnerability and reverse engineering isn't directly possible."
So now the question becomes: did anyone inform Bert and/or PowerDNS too?
I did find in the DOC:
Status: Not Vulnerable
Date Notified: 2008-05-13 11:35:05
PowerDNS Vendor Statement
Since version 3.0, released in April 2006, the PowerDNS Recursor
resolving nameserver has implemented measures that protect against
the vulnerability described in CVE-2008-1447. Source ports are
randomized, and 'near misses', indicating a spoofing attempt in
progress, are detected, and the query is dropped.
I guess no patching for us (for our DNS servers at least)?
Thank you Bert (and DJB)! ;-)
New things are always on the horizon.
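Added example (not from this post, and not PowerDNS code): a small model of the two defences the vendor statement describes, so a reader can see what "source ports are randomized" and "'near misses' ... are detected, and the query is dropped" mean in practice. A resolver that always sends from one port leaves only the 16-bit transaction id for a forged reply to match; drawing the port from the ephemeral range as well adds roughly another 15 to 16 bits. A reply that lands on the port of an outstanding query but carries the wrong transaction id cannot be the legitimate answer, so it is dropped and counted. The port range, the class and function names, the verdict labels and thresholds, and all packet data are assumptions constructed for illustration.

```python
"""Model of source-port randomisation and 'near miss' detection (constructed example)."""
import random
import statistics
from dataclasses import dataclass

EPHEMERAL_LO, EPHEMERAL_HI = 1024, 65535  # assumed source-port range for the model
FIXED_PORT = 53000                         # assumed port of a non-randomising resolver


@dataclass(frozen=True)
class Query:
    sport: int    # UDP source port the resolver sent from
    txid: int     # 16-bit DNS transaction id
    qname: str


@dataclass(frozen=True)
class Reply:
    dport: int    # UDP destination port; must match an outstanding query's sport
    txid: int
    qname: str


def port_randomness_report(ports):
    """Summarise how well a sample of outbound source ports is spread.

    Returns (distinct_ports, population_stddev, verdict). The verdict is this
    example's own heuristic: a single reused port is POOR, a spread narrower
    than ~1000 ports is FAIR, anything wider is GOOD (thresholds are assumptions).
    """
    distinct = len(set(ports))
    sd = statistics.pstdev(ports) if len(ports) > 1 else 0.0
    if distinct == 1:
        return distinct, sd, "POOR"
    if sd < 1000:
        return distinct, sd, "FAIR"
    return distinct, sd, "GOOD"


class Resolver:
    """Tracks outstanding queries and validates replies against them."""

    def __init__(self, randomise_ports, seed=0):
        self.rng = random.Random(seed)           # seeded so the demo is repeatable
        self.randomise_ports = randomise_ports
        self.outstanding = {}                    # (sport, txid) -> qname
        self.near_misses = 0
        self.accepted = 0

    def send(self, qname):
        """Pick a source port and txid for an upstream query and record it."""
        if self.randomise_ports:
            sport = self.rng.randint(EPHEMERAL_LO, EPHEMERAL_HI)
        else:
            sport = FIXED_PORT
        txid = self.rng.randint(0, 0xFFFF)
        self.outstanding[(sport, txid)] = qname
        return Query(sport, txid, qname)

    def receive(self, reply):
        """Return 'accepted', 'near_miss' or 'ignored' for an incoming reply."""
        key = (reply.dport, reply.txid)
        if self.outstanding.get(key) == reply.qname:
            del self.outstanding[key]
            self.accepted += 1
            return "accepted"
        # Right port and right name, but wrong txid: the sender is guessing.
        # Drop it and count it so the event is visible to monitoring.
        for (sport, _txid), qname in self.outstanding.items():
            if sport == reply.dport and qname == reply.qname:
                self.near_misses += 1
                return "near_miss"
        return "ignored"


def demo(n_queries=200):
    """Compare port spread of a fixed-port and a randomising resolver."""
    fixed = Resolver(randomise_ports=False)
    rand = Resolver(randomise_ports=True)
    fixed_ports = [fixed.send(f"host{i}.example.").sport for i in range(n_queries)]
    rand_ports = [rand.send(f"host{i}.example.").sport for i in range(n_queries)]
    return port_randomness_report(fixed_ports), port_randomness_report(rand_ports)


if __name__ == "__main__":
    fixed_report, rand_report = demo()
    print("fixed port   :", fixed_report)
    print("random ports :", rand_report)
    r = Resolver(randomise_ports=True, seed=1)
    q = r.send("example.com.")
    print(r.receive(Reply(q.sport, (q.txid + 1) & 0xFFFF, "example.com.")))  # near_miss
    print(r.receive(Reply(q.sport, q.txid, "example.com.")))                  # accepted
    print("near misses:", r.near_misses)
```

Run it as-is: the fixed-port resolver reports one distinct port and the POOR verdict, the randomising one reports a spread of tens of thousands of ports, and the second half shows a wrong-txid reply on the right port being counted as a near miss before the correct reply is accepted.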