Perhaps you should read more closely
Fernando Rannou wrote:
I just read in the newspaper there is a "virus" running
around that affects DNS that operate with a cache or resolver server.
So we could all be vulnerable to cache poisoning or spoofing.
Take a look at
http://www.kb.cert.org/vuls/id/800113
If you look down at the affected vendors and look at RedHat, you will see it
points to
http://www.kb.cert.org/vuls/id/MIMG-7ECLBD
which points to
https://rhn.redhat.com/errata/RHSA-2008-0533.html
which shows that it has already been patched, and the patch pushed out.
Do we have it pushed out in Scientific Linux?
Sure, we have these pushed out and announced at
http://listserv.fnal.gov/scripts/wa.exe?A2=ind0807&L=scientific-linux-errata&T=0&X=3417C00DB65A487ABD&Y=dawson%40fnal.gov&P=432
http://listserv.fnal.gov/scripts/wa.exe?A2=ind0807&L=scientific-linux-errata&T=0&X=3417C00DB65A487ABD&Y=dawson%40fnal.gov&P=1067
Could you be infected?
Only if you have turned off your autoupdates.
Troy
http://www.isc.org/index.pl?/sw/bind/forgery-resilience.php
http://www.microsoft.com/technet/security/Bulletin
http://www.cisco.com/warp/public/707/cisco-sa-20080708-dns.shtml
http://news.oreilly.com/2008/07/dan-kaminsky-upgrade-your-dns.html
Fernando Rannou
On Thu, 2008-07-24 at 00:43 -0700, Keith Lofstrom wrote:
On Wed, Jul 23, 2008 at 12:07:06AM -0700, Keith Lofstrom wrote:
There was a flurry of upgrades to BIND/named about a week ago. Over
the last few days, I have noticed a few DNS failures (but that may
be coincidental). I am learning to read debug output and developing
a better understanding of named.conf (set up by a consultant 5 years
ago) and so on, but meanwhile, is anyone else having problems?
Try "dig ns1.hostica.com +trace" and see if it fails.
Keith
In my case, it turned out to be a couple of things. The DNS UDP
packets seem to be a bit longer now. I am currently connected to
Verizon FIOS through an Actiontec cable modem/router, which some
websites say truncates UDP packets to 512 bytes, in accordance
with RFC negative 666. :-) That caused problems with hostica
and others. I changed /etc/named.conf to a policy of forward
first, and used the Verizon nameservers as forwarders, taking out
the lookup through the root nameservers. Verizon does some goofy
things with nonexistent URLs, but I can live with that for now.
Keith
--
Keith Lofstrom [EMAIL PROTECTED] Voice (503)-520-1993
KLIC --- Keith Lofstrom Integrated Circuits --- "Your Ideas in Silicon"
Design Contracting in Bipolar and CMOS - Analog, Digital, and Scan ICs
--
__________________________________________________
Troy Dawson [EMAIL PROTECTED] (630)840-6468
Fermilab ComputingDivision/LCSI/CSI DSS Group
__________________________________________________
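A BIND 9 options block showing the "forward first" setup Keith describes, with the source-port caveat that the linked CERT note (VU#800113) makes about the patched named. This is an added example, not configuration from any poster; the forwarder addresses and network range are placeholders.

```conf
// Added example: BIND 9 resolver options implementing the "forward
// first" workaround from the thread.  Not taken from any poster's
// named.conf.  Forwarder addresses are RFC 5737 documentation
// placeholders; replace them with the ISP's real resolvers.
options {
    directory "/var/named";

    // Send queries to the ISP resolvers first and fall back to the
    // root servers only if the forwarders do not answer.  This avoids
    // the failure Keith hit: a CPE router truncating DNS/UDP replies
    // at 512 bytes, which broke the large answers that come back when
    // walking the tree from the roots.
    forward first;
    forwarders {
        192.0.2.1;      // placeholder: ISP resolver 1
        192.0.2.2;      // placeholder: ISP resolver 2
    };

    // Advertise a 512-byte EDNS buffer so upstream servers never send
    // a UDP reply the router would silently truncate; anything larger
    // comes back with TC set and named retries it over TCP.
    edns-udp-size 512;

    // Cache-poisoning hardening (VU#800113): the patched named
    // randomizes its query source port, but only if named.conf does
    // not pin it.  A legacy line such as
    //     query-source address * port 53;
    // undoes the fix.  Leave the port unspecified or use "port *".
    query-source address * port *;
};
```

After editing, `named-checkconf /etc/named.conf` validates the syntax and `rndc reload` applies it; a subsequent `dig ns1.hostica.com +trace` still walks from the roots (it bypasses forwarders), so test the forwarding path with a plain `dig` against the local resolver instead.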