Subject: Re: NetBSD Security Advisory 2003-018: DNS negative cache poisoning
To: None <current-users@NetBSD.org>
From: Chuck Yerkes <firstname.lastname@example.org>
Date: 12/17/2003 14:19:23
Again, BIND 9?
It's been working well for me for a couple years now. Mostly
seemless migration (I *had* to add zone TTLs where BIND 8 had them
Is there any reason not to shout out NOW that people should get
their zone files into a BIND 9 compliant format in preparation
for a BIND 9 cutover?
Well, I'll do it myself:
Make sure your zones have a "$TTL nnnn" line as the first line in
your zone file (ie: "$TTL 86400" or "$TTL 1d").
Quoting NetBSD Security Officer (security-officer@NetBSD.org):
> NetBSD Security Advisory 2003-018
> Topic: DNS negative cache poisoning
> pkgsrc: bind8 packages prior to 8.4.3
> bind9 packages unaffected
> Severity: Denial of service resolving DNS entries
> Fixed: NetBSD-current: Nov 27, 2003
> NetBSD-1.6 branch: Nov 28, 2003 (1.6.2 will include the fix)
> (1.6.2_RC3 includes the fix)
> NetBSD-1.5 branch: Nov 28, 2003
> pkgsrc bind8: bind8-8.4.3 will correct this issue
> BIND 9 is not affected by these vulnerabilities. Upgrading to BIND 9
> is recommended. BIND 9 is available in the NetBSD Pkgsrc Collection
> (pkgsrc/net/bind9). Configuration files differ between BIND 8 and
> 9. Plan such a migration appropriately.