Mailing Lists: Apple Mailing Lists


Re: US-CERT Vulnerability Note VU#800113



On Mon, Jul 28, 2008 at 5:43 PM, Chris <email@hidden> wrote:
> On Jul 28, 2008, at 3:42 PM, Bill Larson wrote:
>
>> On Jul 28, 2008, at 12:29 PM, jeff donovan wrote:
>>
>>> I don't think Apple has released a patch because ISC is still working out
>>> some tweaks with performance on high volume recursive servers.
>>
>> From Paul Vixie, speaking for ISC:
>>
>>        UNTIL THE RELEASE OF THE -P2 CODE, IT IS IMPERATIVE THAT YOU RUN A -P1
>>        VERSION OF BIND ON YOUR CACHING RESOLVERS.  THE VULNERABILITY IS OF MORE
>>        CONCERN THAN A SLOW SERVER.
>>
>> Yes, there are performance issues with the current patch version of BIND
>> to eliminate the DNS vulnerability, but that doesn't mean hide your head in
>> the sand.  The problems reported on the BIND-USERS mailing list are mainly
>> identifying problems with some Linux systems (not all of them) and Solaris.
>
> And I don't hear anyone who rolled their own 9.4.2-P1 complaining that it
> performs unacceptably.
>
> They should issue the patch and let us decide whether or not the risk of
> poor performance is greater or lesser than the risk of cache poisoning.
>
> For me, it's better to give the right address for paypal.com with a possible
> performance hit than it is to give the wrong answer quickly.
> _______________________________________________
> Do not post admin requests to the list. They will be ignored.
> Macos-x-server mailing list      (email@hidden)
> Help/Unsubscribe/Update your Subscription:
> http://lists.apple.com/mailman/options/macos-x-server/email@hidden
>
> This email sent to email@hidden
>

Also, I would imagine that most OS X servers do a pretty light amount
of DNS work, as that is a secondary feature (i.e., you don't buy an
Xserve to be your DNS box). I could see institutions being large
enough to dedicate one or two boxes for DNS by themselves, but if that
were the case I wouldn't spend the money on an Xserve, when a box
running Red Hat would be sufficient (and patched faster).

Speaking of which, I am surprised there isn't a premade, BIND-specific
CentOS VMware image out there, for instant drop-in BIND replacement.

-- 
Chris Barker
Purveyor of Fine Suggestions
ACSA