[6031] in Release_7.7_team


Re: 9.4 patch release plans

daemon@ATHENA.MIT.EDU (Jonathon Weiss)
Thu Jul 24 14:28:37 2008

Message-Id: <200807241827.m6OIRqju005314@wax-lion.mit.edu>
From: Jonathon Weiss <jweiss@MIT.EDU>
To: ghudson@MIT.EDU
cc: release-team@MIT.EDU
In-reply-to: Your message of "Thu, 24 Jul 2008 13:26:48 EDT."
             <200807241726.m6OHQmWi021657@outgoing.mit.edu> 
Date: Thu, 24 Jul 2008 14:27:52 -0400
X-Spam-Flag: NO
X-Spam-Score: 0.00

> The caching nameds we run on 9.4 machines are vulnerable to the
> recently publicized DNS attack.  The scope of this attack is that it's
> relatively easy to, without being able to listen to a machine's
> outgoing network packets, spoof its DNS cache with a glue record which
> allows you to control all future DNS queries to a chosen segment of
> the DNS space.  It's not clear that this attack is particularly new,
> but it's of some concern.  (I'm also not sure that the fixes are
> really very effective; they used randomized ports, but the port space
> is still small and it doesn't help at all if the attacker can listen
> to the network traffic of the host.  Perhaps there are other
> protections in the patches.)
> 
> The best approach is to go forward with our plan to stop using a
> caching named on 9.4 machines, and just point resolv.conf at the
> central MIT caching name servers.  This will probably be our last
> patch release before October, so I would like to walk either Bob or
> Andrew (whichever expects to be doing 9.4 patch releases until 9.4
> stops being a concern) through the mechanics rather than doing it
> myself.

I was going to suggest that we talk to netops before killing off the
caching named on athena machines, then I saw the performance issue
discussion on -c consult, and suggest it even more. :-)

> Also, if there's anything we have been waiting to get into a 9.4 patch
> release, now is the time to bring it up.

OS patches is the only thing that comes to mind, and I don't know of
any that are really urgent.

	Jonathon
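
The quoted doubt about randomized ports ("the port space is still small") can be checked on a given resolver by auditing the source ports of its outgoing queries. The following is an added example, not part of the original message and not MIT or BIND code; the function name, the step threshold and the sample port lists are constructed for illustration.

```python
import math

# Constructed sample data: source ports of consecutive outgoing queries
# from three hypothetical caching resolvers, in capture order.
FIXED = [32768] * 16
SEQUENTIAL = list(range(1025, 1041))
RANDOMIZED = [41233, 9821, 60112, 2333, 51780, 17654, 33021, 48999,
              12045, 27310, 63500, 5120, 38877, 22219, 55003, 1999]

TXID_BITS = 16  # DNS transaction ID is a 16-bit field


def audit_source_ports(ports, max_step=16):
    """Classify a resolver's query source ports and estimate how many
    bits an off-path party would have to guess per forged reply."""
    if not ports:
        raise ValueError("need at least one observed source port")
    distinct = len(set(ports))
    if distinct == 1:
        verdict = "fixed"
    else:
        # Small positive steps between consecutive ports mean the OS is
        # handing out ports in order, which is predictable.
        deltas = [(b - a) % 65536 for a, b in zip(ports, ports[1:])]
        small = sum(1 for d in deltas if 0 < d <= max_step)
        verdict = "sequential" if small >= 0.9 * len(deltas) else "randomized"
    if verdict == "randomized":
        # Observed range is only a lower bound on the real port pool.
        port_bits = math.log2(max(ports) - min(ports) + 1)
    else:
        port_bits = 0.0  # port is known or predictable: only the TXID is left
    return {
        "verdict": verdict,
        "distinct_ports": distinct,
        "port_bits": round(port_bits, 2),
        "total_bits": round(TXID_BITS + port_bits, 2),
    }


if __name__ == "__main__":
    for name, sample in [("fixed", FIXED), ("sequential", SEQUENTIAL),
                         ("randomized", RANDOMIZED)]:
        print(name, audit_source_ports(sample))
```

Port randomization adds at most 16 bits on top of the 16-bit transaction ID, and none of it helps against someone who can read the host's traffic, which is the limitation the quoted message raises.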

