[6030] in Release_7.7_team


9.4 patch release plans

daemon@ATHENA.MIT.EDU (ghudson@MIT.EDU)
Thu Jul 24 13:27:25 2008

Date: Thu, 24 Jul 2008 13:26:48 -0400 (EDT)
From: ghudson@MIT.EDU
Message-Id: <200807241726.m6OHQmWi021657@outgoing.mit.edu>
To: release-team@mit.edu

The caching nameds we run on 9.4 machines are vulnerable to the
recently publicized DNS attack.  The scope of this attack is that it's
relatively easy to, without being able to listen to a machine's
outgoing network packets, spoof its DNS cache with a glue record which
allows you to control all future DNS queries to a chosen segment of
the DNS space.  It's not clear that this attack is particularly new,
but it's of some concern.  (I'm also not sure that the fixes are
really very effective; they used randomized ports, but the port space
is still small and it doesn't help at all if the attacker can listen
to the network traffic of the host.  Perhaps there are other
protections in the patches.)

The best approach is to go forward with our plan to stop using a
caching named on 9.4 machines, and just point resolv.conf at the
central MIT caching name servers.  This will probably be our last
patch release before October, so I would like to walk either Bob or
Andrew (whichever expects to be doing 9.4 patch releases until 9.4
stops being a concern) through the mechanics rather than doing it
myself.

Also, if there's anything we have been waiting to get into a 9.4 patch
release, now is the time to bring it up.
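Worked example, added here as an illustration; it is not part of the mail above and not code from BIND or from MIT's 9.4 release. It models the off-path poisoning race the mail describes: a resolver accepts a forged reply only if it hits the pending query's 16-bit transaction ID and arrives on the socket the query left from, so an attacker who cannot sniff the query has to guess both. The block compares the three situations the mail raises (a fixed source port, a source port drawn from the whole 1024..65535 range, and an attacker who can listen to the host's traffic). The 16-bit transaction ID is real DNS; the figure of 100 forged replies landed per race, the port range and the sequential sweep strategy are assumptions chosen for illustration.

```python
"""
Constructed model of an off-path DNS cache-poisoning race (example only;
not from the original mail, BIND or MIT's 9.4 release).

In the Kaminsky-style variant the attacker triggers a query for a fresh
random name each time, so a lost race costs nothing and is just repeated.
Each race the resolver's pending query has one (txid, source port) pair;
the attacker lands `forged_per_race` distinct forged replies before the
genuine one and wins if any of them matches.
"""
import math
import random

TXID_CHOICES = 1 << 16          # DNS transaction ID is 16 bits (real protocol fact)
EPHEMERAL_PORTS = 65536 - 1024  # assumption: resolver draws from 1024..65535
SNIFFED = 1                     # attacker on-path: value is known, nothing to guess


def guess_space(txid_choices=TXID_CHOICES, port_choices=1):
    """Number of equally likely (txid, source port) pairs the forger must hit."""
    return txid_choices * port_choices


def p_win_one_race(forged_per_race, txid_choices=TXID_CHOICES, port_choices=1):
    """Chance that one race is won with `forged_per_race` distinct guesses."""
    space = guess_space(txid_choices, port_choices)
    return min(forged_per_race, space) / space


def expected_races(forged_per_race, txid_choices=TXID_CHOICES, port_choices=1):
    """Mean number of triggered queries until the cache is poisoned."""
    return 1.0 / p_win_one_race(forged_per_race, txid_choices, port_choices)


def races_for_confidence(forged_per_race, confidence=0.5,
                         txid_choices=TXID_CHOICES, port_choices=1):
    """Smallest number of races after which P(poisoned) >= confidence."""
    p = p_win_one_race(forged_per_race, txid_choices, port_choices)
    if p >= 1.0:
        return 1
    return math.ceil(math.log(1.0 - confidence) / math.log(1.0 - p))


def simulate(forged_per_race, seed, max_races,
             txid_choices=TXID_CHOICES, port_choices=1):
    """Monte-Carlo version: each race the attacker sweeps `forged_per_race`
    consecutive (port, txid) values from a random starting point, the way a
    flooder walks the ID space (assumed strategy).  Returns the race on
    which the cache was poisoned, or None if all `max_races` were lost."""
    rng = random.Random(seed)
    space = guess_space(txid_choices, port_choices)
    forged_per_race = min(forged_per_race, space)
    for race in range(1, max_races + 1):
        pending = rng.randrange(space)   # pair the resolver actually used
        start = rng.randrange(space)     # where the attacker's sweep begins
        if (pending - start) % space < forged_per_race:
            return race
    return None


def compare(forged_per_race=100):
    """Expected races to poison under the three situations the mail raises."""
    return {
        "fixed source port": expected_races(forged_per_race),
        "randomized source port": expected_races(
            forged_per_race, port_choices=EPHEMERAL_PORTS),
        "attacker can sniff the query": expected_races(
            forged_per_race, SNIFFED, SNIFFED),
    }


if __name__ == "__main__":
    for scenario, races in compare().items():
        print(f"{scenario:30s} {races:14,.0f} races (100 forged replies each)")
    print("50% confidence, fixed port:", races_for_confidence(100), "races")
    print("simulated, fixed port:", simulate(100, seed=2008, max_races=100_000),
          "races")
```

With 100 forged replies per race, a fixed source port needs on the order of 650 triggered queries on average, random ports from the full high range push that past 40 million, and an attacker who can read the query wins on the first race, which is the "doesn't help at all" case in the mail. A resolver that randomizes over a narrow port range, or one that sits behind a NAT that rewrites source ports sequentially, lands somewhere between the first two numbers, so the model is only as good as the `port_choices` value you feed it.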
