tech-security archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: ISC BIND Amplification Attack

On Mon, 26 Jan 2009, Brian A. Seklecki wrote:

>   Do we want take a position on the recently exploited DNS cache query/
>   response amplification?

I don't think NetBSD needs to.

>   Maybe just an official position that authoritative nameservers
>   running 3.x and 2.x upgrade to BIND 9.5.x via Pkgsrc?

9.3.x and 9.4.x are fine. You can set allow-query site wide in options to 
only allow queries from your desired networks and then use "allow-query { 
any; };" in each of your public zones.

> Version Summary:
>  NetBSD-5: BIND 9.5.0-P2
>  NetBSD-4: BIND 9.4.2-P2
>  NetBSD-3: BIND 9.3.5-P1

These versions doesn't include the OpenSSL fixes (where there is a chance 
to fool DNSSEC), but that is unrelated to this thread.

Home | Main Index | Thread Index | Old Index