On Mon, Sep 8, 2008 at 6:30 PM, Evan Hunt <[EMAIL PROTECTED]> wrote:
>
> > In what way would it be unsafe to run a non-Kaminsky-patched
> > *authoritative-only* nameserver? My understanding is that Kaminsky only
> > applies to resolvers.
>
> Well, for one thing, upgrading to a patched server protects against the
> "idiot successor" problem, where someone takes over your job someday
> and naively reconfigures your server to be unsafe. ;)
>
> The theoretical, academic answer to your question is: a Kaminsky-style
> attack is much less likely to succeed against an authoritative-only server
> than against a resolver. I'm not prepared, though, to say it's impossible
> (auth-only servers do send notifies and maintain a small cache).
>
> The ISC answer to your question is: those releases are unsafe, and we don't
> recommend using them for any purpose.
>
> Please just either upgrade to a Windows release that came out within the
> last five years, or to some flavor of UNIX or Linux, and run the latest
> patches.
>
> --
> Evan Hunt -- [EMAIL PROTECTED]
> Internet Systems Consortium, Inc.
And the other solution for those who insist on Windows 2000 is to run BIND
under FreeBSD as a VM under VMWare or something.

Cheers,
Vince