[6032] in Release_7.7_team
Re: 9.4 patch release plans
daemon@ATHENA.MIT.EDU (andrew m. boardman)
Thu Jul 24 14:44:54 2008
Message-Id: <200807241844.m6OIiGZa006109@pothole.mit.edu>
To: ghudson@MIT.EDU
cc: release-team@MIT.EDU
In-Reply-To: Your message of "Thu, 24 Jul 2008 13:26:48 EDT."
<200807241726.m6OHQmWi021657@outgoing.mit.edu>
Date: Thu, 24 Jul 2008 14:44:16 -0400
From: "andrew m. boardman" <amb@MIT.EDU>
> The best approach is to go forward with our plan to stop using a
> caching named on 9.4 machines, and just point resolv.conf at the
> central MIT caching name servers.

I'm less comfortable with this plan now, as the glibc stub resolver is at
least as vulnerable to the latest attacks as a local nameserver, and
while there are obvious limitations in exposure for a stub resolver it's
still a concern, especially in the case of a web browser. (For Debian's
take, see <http://www.debian.org/security/2008/dsa-1605>.)

It's more work, but the better solution looks like an import of (at
least) BIND 9.3.5p1.