Patrick and all,

Sorry Patrick, but the security hole in DNS/Bind has been known for years. And ISC knew it was because I and several people told and demonstrated many times of this hole in DNS/Bind back in 2000. Why wasn't it addressed by ISC then? So Dan wasn't the first by a long shot in making this and other security holes in DNS known. We fixed it in our DNS shortly after we confirmed it back in 2000. We named our product BindPlus and it is being used currently by WISE providers since 2001.

Incompetence of this sort and magnitude should never be taken lightly and in my professional opinion, cannot be tolerated at all!

For further reference to what I am contending review the archives at: http://www.dnso.org/mailinglists.html In case some are missing due to creative editing, I still have three archived copies.

Patrick Vande Walle wrote:
Jeffrey A. Williams wrote:
All,
As an example to another thread and for Joe's edification.
An article up at TidBITS on Apple's unexplained failure to patch the DNS vulnerability that we have been discussing for a few weeks now.
http://db.tidbits.com/article/9706
http://it.slashdot.org/article.pl?sid=08/07/25/1334254&tid=172
http://it.slashdot.org/article.pl?sid=08/07/21/2212227&tid=172
"Apple uses the popular Internet Systems Consortium BIND DNS server which was one of the first tools patched, but Apple has yet to include the fixed version in Mac OS X Server, despite being notified of vulnerability details early in the process and being informed of the coordinated patch release date.
Sometimes, it may be wise to wait:
"The group responsible for maintaining the internet's most popular domain name software BIND has admitted it caused problems by fast-tracking a security patch designed to fix the widescale DNS flaw discovered by researcher Dan Kaminsky this month."
http://www.zdnet.com.au/news/security/soa/DNS-patch-causes-BIND-blunder/0,13...
Patrick Vande Walle
--
Patrick Vande Walle
Check my blog: http://patrick.vande-walle.eu
Regards,
Spokesman for INEGroup LLA. - (Over 281k members/stakeholders strong!)
"Obedience of the law is the greatest freedom" - Abraham Lincoln
"Credit should go with the performance of duty and not with what is very often the accident of glory" - Theodore Roosevelt
"If the probability be called P; the injury, L; and the burden, B; liability depends upon whether B is less than L multiplied by P: i.e., whether B is less than PL."
United States v. Carroll Towing (159 F.2d 169 [2d Cir. 1947]
===============================================================
Updated 1/26/04
CSO/DIR. Internet Network Eng. SR. Eng. Network data security IDNS. div. of Information Network Eng. INEG. INC.
ABA member in good standing member ID 01257402
E-Mail jwkckid1@ix.netcom.com
My Phone: 214-244-4827