Another DNS Flaw Found, Patched 66
darthcamaro writes "Remember the big DNS flaw that Dan Kaminsky 'discovered' last year? Well, it looks like another flaw in DNS has just been patched. This time it's an item that affects DNSSEC, which was supposed to be the savior for the Kaminsky flaw. The good news, though, is that this time, the issue is relatively minor and DNS has already been patched. 'The flaw is specific to certain usages of DNSSEC,' Joao Damas, senior programming manager of the ISC told InternetNews. 'It is strongly advised that all BIND DNSSEC deployments update in case they are using the particular pattern affected (DSA keys in some cases) and to prevent coming across the problem in the future unexpectedly.'"
Re:any relation to the Ubuntu update? (Score:3, Informative)
Your home ubuntu machine or windows machine won't be effected directly by this.
Yeah, um... (Score:5, Informative)
That's not a "DNS flaw".
It's an OpenSSL bug that turned out to affect BIND.
stop calling these DNS problems (Score:0, Informative)
these are BIND problems, and slashdot should call them that
time to dump BIND (Score:2, Informative)
Only if you're using BIND and DNSSEC (Score:3, Informative)
Otherwise not a problem.
Re:time to dump BIND (Score:3, Informative)
PowerDNS is actually quite light. They had the good sense to split it into a caching nameserver and a recursing resolver, making two lightweight daemons, rather than a single "does everything" process.
It's also nice because it can suck in BIND zone files if you're stuck with them and don't want to migrate. Good commercial support is also available. The code itself is GPL.
Re:Yeah, um... (Score:5, Informative)
It's an OpenSSL bug that turned out to affect BIND.
No, it's a misuse of an OpenSSL API from within BIND, so the error is on BIND's side. It's of extremely low impact, though.