I don't think Apple has released a patch because ISC is still
working out some tweaks with performance on high volume recursive
servers.
From Paul Vixie, speaking for ISC:
UNTIL THE RELEASE OF THE -P2 CODE, IT IS IMPERATIVE THAT YOU RUN A -P1
VERSION OF BIND ON YOUR CACHING RESOLVERS. THE VULNERABILITY IS OF MORE
CONCERN THAN A SLOW SERVER.
Yes, there are performance issues with the current patch version of
BIND to eliminate the DNS vulnerability, but that doesn't mean hide
your head in the sand. The problems reported on the BIND-USERS
mailing list are mainly identifying problems with some Linux systems
(not all of them) and Solaris.
Also, most (if not all) of the problems lie with the absolutely
newest version of BIND, 9.5.0. BIND has been patched for versions
9.3.5 and 9.4.2. Both of these are valid systems for running a DNS
server. Let them work the bugs out of the 9.5.x version before you
start trying to deploy it. MacOS X Server, version 10.5.4, is
supplied with BIND 9.4.1-P1 (which is a version with the
vulnerability). The deployment to fix this current problem should be
9.4.2-P1 and NOT the 9.5.0 line which is just past beta testing.
Who here immediately ran out and installed MacOS X 10.5, not 10.5.x,
on their production systems when it first came out? Never mind, I
don't really want to know. I don't ever implement a ".0" release of
anything.
I'd like to set up a MacOS X test system with BIND 9.4.2-P1 and try
and clobber it. Doing this is quite easy and the results could put
to rest these types of statements.
Saying "someone has a problem" but not attempting to confirm the
problem on the platform of interest, MacOS X in this case, is fear
mongering, nothing less. It doesn't matter if it is Apple saying
this or some individual on this list.
_______________________________________________
Macos-x-server mailing list (email@hidden)