Subject: Re: NetBSD Security Advisory 2003-018: DNS negative cache poisoning
To: None <current-users@NetBSD.org>
From: David Maxwell <david@crlf.net>
List: current-users
Date: 12/17/2003 15:29:48
On Wed, Dec 17, 2003 at 02:19:23PM -0500, Chuck Yerkes wrote:
> Again, BIND 9?
> 
> It's been working well for me for a couple years now.  Mostly
> seamless migration (I *had* to add zone TTLs where BIND 8 had them
> still optional).
> 
> Is there any reason not to shout out NOW that people should get
> their zone files into a BIND 9 compliant format in preparation
> for a BIND 9 cutover?
> 
> Well, I'll do it myself:
> 
> Make sure your zones have a "$TTL nnnn" line as the first line in
> your zone file (i.e. "$TTL 86400" or "$TTL 1d").
> 
> 
> Quoting NetBSD Security Officer (security-officer@NetBSD.org):
> >        NetBSD Security Advisory 2003-018
> >        =================================
> > 
> > Topic:        DNS negative cache poisoning
> ...
> >       pkgsrc:         bind8 packages prior to 8.4.3
> >                   bind9 packages unaffected

BIND 9 has limitations for IPv6 users, which makes it a poor candidate
for inclusion in the base OS until they are resolved.

For individuals with no IPv6 requirements, it is certainly an
appropriate way to go.

-- 
David Maxwell, david@vex.net|david@maxwell.net --> Mastery of UNIX, like
mastery of language, offers real freedom. The price of freedom is always dear,
but there's no substitute. Personally, I'd rather pay for my freedom than live
in a bitmapped, pop-up-happy dungeon like NT. - Thomas Scoville
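The zone-file preparation step quoted above ($TTL as the first line, with values such as "86400" or "1d") can be checked mechanically before a BIND 9 cutover. The following Python checker is an added example, not code from the thread or from BIND; it applies the rule exactly as stated in the mail (first non-blank, non-comment line must be $TTL) and understands the BIND time-unit suffixes w/d/h/m/s. The zone contents and names are constructed.

```python
import re

# BIND TTL unit suffixes in seconds; a bare integer is already seconds.
_UNITS = {"w": 604800, "d": 86400, "h": 3600, "m": 60, "s": 1}


def parse_ttl(value):
    """Convert a BIND TTL string ('86400', '1d', '1h30m') to seconds.
    Returns None if the string is not a valid TTL."""
    value = value.strip().lower()
    if value.isdigit():
        return int(value)
    total, pos = 0, 0
    for m in re.finditer(r"(\d+)([wdhms])", value):
        if m.start() != pos:          # junk between unit groups
            return None
        total += int(m.group(1)) * _UNITS[m.group(2)]
        pos = m.end()
    return total if pos and pos == len(value) else None


def check_zone_ttl(zone_text):
    """Return (ok, ttl_seconds, message) for the rule in the mail:
    the first non-blank, non-comment line must be a $TTL directive."""
    for lineno, raw in enumerate(zone_text.splitlines(), 1):
        # Crude ';' comment stripping is enough here: only lines before
        # the first record are inspected, so quoted ';' in TXT RDATA
        # cannot cause a false pass.
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.upper().startswith("$TTL"):
            parts = line.split()
            ttl = parse_ttl(parts[1]) if len(parts) == 2 else None
            if ttl is None:
                return (False, None, f"line {lineno}: bad $TTL value: {line!r}")
            return (True, ttl, f"line {lineno}: $TTL is {ttl} seconds")
        return (False, None, f"line {lineno}: first line is not $TTL: {line!r}")
    return (False, None, "empty zone file")


# Constructed sample zones (example.test is a placeholder domain).
GOOD_ZONE = """; BIND 9 ready: $TTL comes first
$TTL 1d
@   IN SOA ns1.example.test. hostmaster.example.test. (
        2003121701 3600 900 604800 86400 )
    IN NS ns1.example.test.
ns1 IN A  192.0.2.1
"""
BAD_ZONE = """@ IN SOA ns1.example.test. hostmaster.example.test. 1 3600 900 604800 86400
ns1 IN A 192.0.2.1
"""

if __name__ == "__main__":
    for name, zone in (("GOOD_ZONE", GOOD_ZONE), ("BAD_ZONE", BAD_ZONE)):
        print(name, check_zone_ttl(zone)[2])
```

Run it over each file named in named.conf to list zones that will need a $TTL line added before switching to BIND 9.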