
Potential 0-Day Vulnerability For BIND 9

Morty writes "BIND, the popular DNS server software, has been crashing all over the Internet. The root cause is believed to be a 0-day vulnerability in BIND's resolver. The ISC has issued an alert. Quoting: 'An as-yet unidentified network event caused BIND 9 resolvers to cache an invalid record, subsequent queries for which could crash the resolvers with an assertion failure. ISC is working on determining the ultimate cause by which a record with this particular inconsistency is cached. At this time we are making available a patch which makes named recover gracefully from the inconsistency, preventing the abnormal exit.'"
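The ISC text above describes the failure mode an operator actually sees: named hits an assertion, logs it, exits, and whatever supervises it restarts a process that is about to die the same way. The following is an added example (not code from the page, from ISC, or from BIND) of the detection side: a small parser that pairs named's assertion line with its "exiting (due to assertion failure)" line in syslog and flags hosts stuck in a crash/restart loop. The log lines are constructed for the demonstration; the source locations and assertion expressions in them are placeholders, not the real assertion that crashed resolvers in November 2011.

```python
import re
from collections import Counter

# Constructed sample syslog lines for demonstration; not taken from the
# original page. "exiting (due to assertion failure)" is the text named
# writes when an internal assertion aborts the process; the assertion
# expressions and source locations below are illustrative placeholders.
SAMPLE_LOG = """\
Nov 16 09:12:01 ns1 named[2314]: received control channel command 'reload'
Nov 16 10:03:44 ns1 named[2314]: query.c:1781: INSIST(example_condition) failed
Nov 16 10:03:44 ns1 named[2314]: exiting (due to assertion failure)
Nov 16 10:03:50 ns1 named[2401]: starting BIND 9.7.3 -u bind
Nov 16 10:41:17 ns1 named[2401]: query.c:1781: INSIST(example_condition) failed
Nov 16 10:41:17 ns1 named[2401]: exiting (due to assertion failure)
Nov 16 10:41:22 ns1 named[2507]: starting BIND 9.7.3 -u bind
Nov 16 11:02:09 ns2 named[880]: client 192.0.2.10#53012: query (cache) 'www.example.net/A/IN' denied
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"named\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
ASSERT_RE = re.compile(r"^(?P<where>\S+\.c:\d+): (?P<expr>.+) failed$")
EXIT_MSG = "exiting (due to assertion failure)"


def find_assertion_crashes(log_text):
    """Return one record per named process that exited on an assertion.

    named logs the failed assertion and the exit as two separate lines, so
    the last assertion seen for a (host, pid) is paired with that pid's exit.
    """
    last_assert = {}   # (host, pid) -> (where, expr)
    crashes = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        key = (m["host"], m["pid"])
        msg = m["msg"]
        a = ASSERT_RE.match(msg)
        if a:
            last_assert[key] = (a["where"], a["expr"])
        elif msg == EXIT_MSG:
            where, expr = last_assert.pop(key, (None, None))
            crashes.append({"ts": m["ts"], "host": m["host"],
                            "pid": int(m["pid"]), "where": where, "expr": expr})
    return crashes


def crash_counts(crashes):
    """Assertion exits per host."""
    return Counter(c["host"] for c in crashes)


def hosts_in_crash_loop(crashes, threshold=2):
    """Hosts that died on an assertion at least `threshold` times.

    A supervisor restarting named after each exit turns the bug into a
    restart loop: the resolver is mostly down, but 'named is running' checks
    keep passing between crashes, so count exits rather than probing liveness.
    """
    return sorted(h for h, n in crash_counts(crashes).items() if n >= threshold)


if __name__ == "__main__":
    found = find_assertion_crashes(SAMPLE_LOG)
    for c in found:
        print(f'{c["ts"]} {c["host"]} pid={c["pid"]} {c["where"]}: {c["expr"]}')
    print("crash loop on:", hosts_in_crash_loop(found))
```

Feed it `journalctl -u named` or `/var/log/syslog` output instead of `SAMPLE_LOG`; the pairing by pid is what distinguishes one crash followed by a clean restart from a loop.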
  • by TheCarp ( 96830 ) <sjc.carpanet@net> on Thursday November 17, 2011 @11:21AM (#38085846) Homepage

    Yes yes, but that's very limited. Yes, you can deny service.... but it can be started back up. The only loss is availability of the service; the integrity of the service is uncompromised. It isn't allowing someone to make you serve up their data, it isn't allowing anyone to dump data they shouldn't have, it isn't allowing them to change, erase or do anything to your data.

    Essentially... a DDoS means you are hosed until they stop or you can upgrade... the term 0-Day tends to be used to refer to actual security issues, where the denial of the service is the least of your worries. Patching isn't good enough because they got a window in, and could have installed a rootkit.

  • by surgen ( 1145449 ) on Thursday November 17, 2011 @11:25AM (#38085906)

    Thanks for the clear explanation.

    If you run BIND, rather than getting your alerts via /. look into a support contract so you get them directly from the vendor.

    Very true. It's funny that this morning I had applied security patches to a Debian stable box and thought "hmm, looks like BIND is getting fixed, wonder what that's about" before this even got posted to Slashdot.

  • Re:etckeeper (Score:4, Interesting)

    by X0563511 ( 793323 ) on Thursday November 17, 2011 @12:38PM (#38086978) Homepage Journal

    Awesome!!

    I've been known to keep subdirectories of /etc as SVN repository checkouts, but that grabs the whole thing!

    The only thing I'd be worried about is accidentally uploading sensitive data (hashes and such).
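The worry in the comment above (committing /etc to a repository and accidentally pushing shadow hashes or private keys) is easy to check for mechanically. Below is an added example, not code from the page or from etckeeper, of a pre-commit style scan: it treats any file that is not world-readable as secret (the mode is the administrator's own statement that the contents are not public), adds a short list of names and directories that are secret regardless of mode, and emits anchored `.gitignore` patterns. The stand-in /etc tree it builds is constructed for the demonstration and contains no real hashes or keys.

```python
import os
import stat
import tempfile

# Files whose names alone mark them as secrets, regardless of mode.
SENSITIVE_NAMES = {"shadow", "shadow-", "gshadow", "gshadow-", "master.passwd"}
# Directory trees (relative to the /etc root) that hold private key material.
SENSITIVE_DIRS = ("ssl/private",)


def is_sensitive(path, root):
    """True if a regular file under `root` should never enter the repository.

    Anything not world-readable is treated as secret; the name and directory
    lists catch files whose mode is looser than it should be.
    """
    st = os.lstat(path)
    if not stat.S_ISREG(st.st_mode):
        return False
    if not st.st_mode & stat.S_IROTH:
        return True
    rel = os.path.relpath(path, root)
    if os.path.basename(rel) in SENSITIVE_NAMES:
        return True
    return any(rel.startswith(d + os.sep) for d in SENSITIVE_DIRS)


def find_sensitive(root):
    """Sorted, root-relative paths of every file that must stay out of version control."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if is_sensitive(full, root):
                hits.append(os.path.relpath(full, root))
    return sorted(hits)


def gitignore_lines(root):
    """Anchored ignore patterns for <root>/.gitignore."""
    return ["/" + p for p in find_sensitive(root)]


def check_staged(staged, root):
    """For a pre-commit hook: given the root-relative paths about to be
    committed, return those that are sensitive (fail the commit if non-empty)."""
    bad = set(find_sensitive(root))
    return sorted(p for p in staged if p in bad)


def build_demo_tree(root=None):
    """Constructed stand-in for /etc; not a real system's files."""
    root = root or tempfile.mkdtemp(prefix="etc-demo-")
    os.makedirs(os.path.join(root, "ssl", "private"), exist_ok=True)
    samples = {
        "passwd": (0o644, "root:x:0:0:root:/root:/bin/sh\n"),
        "shadow": (0o640, "root:$6$constructed$notarealhash:15000:0:99999:7:::\n"),
        "hosts": (0o644, "127.0.0.1 localhost\n"),
        "ssl/private/server.key": (0o600, "-----BEGIN PRIVATE KEY-----\nconstructed\n-----END PRIVATE KEY-----\n"),
        "ssl/openssl.cnf": (0o644, "[ req ]\n"),
    }
    for rel, (mode, body) in samples.items():
        full = os.path.join(root, rel)
        with open(full, "w") as fh:
            fh.write(body)
        os.chmod(full, mode)   # set explicitly so the umask does not decide the outcome
    return root


if __name__ == "__main__":
    demo = build_demo_tree()
    print("\n".join(gitignore_lines(demo)))
```

On a real box run it as root over `/etc` (the files it must classify are exactly the ones an unprivileged user cannot stat meaningfully), write the output into `.gitignore` before the first commit, and wire `check_staged` into a `pre-commit` hook fed by `git diff --cached --name-only`. The mode check is the important half: a list of known names will always lag behind the next package that drops a key under /etc.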

  • qmail backscatter (Score:4, Interesting)

    by Onymous Coward ( 97719 ) on Thursday November 17, 2011 @02:39PM (#38088728) Homepage

    Did a little looking into it and, though I'm generally a fan of DJB's wares, unpatched qmail does indeed have the problem of accepting all mail for configured domains, regardless of localpart (box) validity. Which means DSNs will be sent for bad addresses, and since SMTP provides no way of validating senders, backscatter occurs. This is the term for it, by the way.

    I've seen plenty of spam using the mechanism. It's a real problem.

    Patches are available. But, yeah, DJB's licensing made even patching problematic for the longest time. Thankfully, he's conceded on that point. Which suggests to me he's not dogmatic or unreasonable, just rigidly principled.

    I run Postfix, too. Love it. The licensing limbo was part of my decision to go with Postfix, though there were a number of factors. But I still run DJB's tinydns and dnscache.
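The mechanism in the comment above, accepting every localpart at RCPT time and bouncing later versus rejecting unknown recipients during the SMTP dialogue, can be shown with a small model. This is an added example, not code from the page, from qmail or from Postfix; the mailbox table, the policy names and the spam run are constructed for the demonstration. The point it makes is that a DSN can only go to the envelope sender, which the remote side chose freely, so every accept-then-bounce is a message to whoever the spammer forged.

```python
# Constructed directory of deliverable mailboxes (not from the page).
MAILBOXES = {"example.org": {"alice", "bob", "postmaster"}}


def split_address(address):
    local, _, domain = address.rpartition("@")
    return local.lower(), domain.lower()


def rcpt_reply(policy, address):
    """SMTP reply to RCPT TO under the given (hypothetical) policy name.

    'accept-all': any localpart of a hosted domain gets 250, as the comment
    describes for unpatched qmail. 'reject-unknown': the server consults the
    mailbox table now and answers 550, so nothing is ever queued for it and
    no bounce can be generated later.
    """
    local, domain = split_address(address)
    if domain not in MAILBOXES:
        return "554 5.7.1 Relay access denied"
    if policy == "reject-unknown" and local not in MAILBOXES[domain]:
        return "550 5.1.1 User unknown"
    return "250 2.1.5 Ok"


def transaction(policy, mail_from, rcpts):
    """One SMTP transaction followed by local delivery.

    Returns (queued, dsns). A recipient accepted at RCPT time but not
    deliverable fails afterwards, and the only party the server can notify
    is the envelope sender, whom SMTP never verified.
    """
    queued = [r for r in rcpts if rcpt_reply(policy, r).startswith("250")]
    dsns = []
    for r in queued:
        local, domain = split_address(r)
        if local not in MAILBOXES[domain]:
            dsns.append({"to": mail_from, "reason": f"{r}: no such user"})
    return queued, dsns


def backscatter_to(victim, policy, spam_run):
    """DSNs that land on `victim` when a spammer forges `victim` as the
    envelope sender across a run of (mail_from, rcpts) transactions."""
    total = 0
    for mail_from, rcpts in spam_run:
        _, dsns = transaction(policy, mail_from, rcpts)
        total += sum(1 for d in dsns if d["to"] == victim)
    return total


# Constructed spam run: forged envelope sender, dictionary-style localparts.
SPAM_RUN = [
    ("victim@example.net", ["aaron@example.org", "abbie@example.org", "alice@example.org"]),
    ("victim@example.net", ["zed@example.org", "bob@example.org"]),
    ("victim@example.net", ["nobody@other.example"]),
]

if __name__ == "__main__":
    for policy in ("accept-all", "reject-unknown"):
        n = backscatter_to("victim@example.net", policy, SPAM_RUN)
        print(f"{policy}: {n} bounce(s) sent to the forged sender")
```

The same split shows up in real MTAs as "does the server know its valid recipients at SMTP time": with the reject policy the spam run produces zero bounces and the spammer's dictionary probe gets an honest 550 per guess, which is the trade the comment alludes to.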

  • Re:10 years ago (Score:4, Interesting)

    by MaraDNS ( 1629201 ) on Thursday November 17, 2011 @02:52PM (#38088888) Homepage Journal

    Don't get me wrong, djbdns is an excellent DNS server. Unfortunately, it hasn't been updated for over 10 years and, since then, three different security holes have been discovered in the djbdns package, the root server list has been updated, errno has been changed to make Linux more thread safe (requiring a patch to compile it), and so on.

    djbdns can work -- but it requires patching by hand or using an unofficial fork like Zinq [sourceforge.net] (which appears to still be supported -- the last release was done this year).

    (I can also murmur darkly about the fact that djbdns uses a circular queue instead of an LRU for its cache, its lack of a Windows port, its need to use external helper programs to configure the server, etc., but, then again, its core recursive binary is even smaller than MaraDNS 2.0's tiny recursive binary. And three security bugs in the last decade is better than the 13 security issues in MaraDNS I have had to patch against.)

  • Re:10 years ago (Score:3, Interesting)

    by MaraDNS ( 1629201 ) on Thursday November 17, 2011 @06:02PM (#38091140) Homepage Journal

    Your information is out of date; I completely, from scratch, rewrote the recursive code of MaraDNS starting four years ago with far cleaner code.

    That code was declared stable over a year ago and looking at its source code [maradns.org] won't make you blind.

    - Sam
