Another DNS Flaw Found, Patched
darthcamaro writes "Remember the big DNS flaw that Dan Kaminsky 'discovered' last year? Well, it looks like another flaw in DNS has just been patched. This time it's an item that affects DNSSEC, which was supposed to be the savior for the Kaminsky flaw. The good news, though, is that this time, the issue is relatively minor and DNS has already been patched. 'The flaw is specific to certain usages of DNSSEC,' Joao Damas, senior programming manager of the ISC told InternetNews. 'It is strongly advised that all BIND DNSSEC deployments update in case they are using the particular pattern affected (DSA keys in some cases) and to prevent coming across the problem in the future unexpectedly.'"
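The advisory quoted above tells BIND operators to check whether their DNSSEC deployment uses "the particular pattern affected (DSA keys in some cases)". A quick way to audit that is to look at the algorithm field of every DNSKEY record you publish: DNSSEC algorithm number 3 is DSA/SHA-1 and 6 is DSA-NSEC3-SHA1 (RFC 4034, RFC 5155). The script below is an added example, not code from the article or from ISC; the sample DNSKEY lines are constructed and their key material is truncated, and the function names (`find_dsa_dnskeys`, `count_dsa_dnskeys`) are my own.

```shell
#!/bin/sh
# Added example: list DNSKEY records that use a DSA algorithm.
# DNSSEC algorithm numbers (RFC 4034 / RFC 5155):
#   3 = DSA/SHA-1, 6 = DSA-NSEC3-SHA1 (the "DSA keys" the ISC advisory refers to).
# Everything else (5, 7, 8, ...) is RSA-based and is not the pattern described.

# Constructed sample input: the shape of lines produced by
# `dig +multi DNSKEY <zone>` or found in a signed zone file / BIND K*.key file.
# Key material is truncated; these are not real keys.
SAMPLE_DNSKEYS='example.com. 3600 IN DNSKEY 257 3 3 AwEAAc...
example.com. 3600 IN DNSKEY 256 3 5 AwEAAb...
example.org. 3600 IN DNSKEY 257 3 6 AwEAAd...
example.net. 3600 IN DNSKEY 256 3 8 AwEAAe...'

# Read DNSKEY RRs on stdin and print "<owner> <algorithm>" for each record
# whose algorithm is DSA (3 or 6). TTL and class are optional in the input,
# so the RDATA is located relative to the literal DNSKEY type field:
#   DNSKEY RDATA = flags protocol algorithm publickey
find_dsa_dnskeys() {
    awk '
        $0 ~ /[[:space:]]DNSKEY[[:space:]]/ {
            for (i = 1; i <= NF; i++) if ($i == "DNSKEY") break
            alg = $(i + 3)
            if (alg == 3 || alg == 6) print $1, alg
        }'
}

# Number of DSA DNSKEYs on stdin, for use as a pass/fail check in scripts.
count_dsa_dnskeys() {
    find_dsa_dnskeys | wc -l | tr -d ' '
}

# Demonstration on the constructed sample.
# Real-world usage (hypothetical paths):
#   cat /etc/bind/keys/K*.key | find_dsa_dnskeys
#   dig +multi DNSKEY example.com | find_dsa_dnskeys
printf '%s\n' "$SAMPLE_DNSKEYS" | find_dsa_dnskeys
```

Any line this prints is a key that falls under the advisory's "DSA keys" pattern; a count of zero means the flaw's trigger is absent, though the advisory still recommends updating BIND regardless.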
Are we actually supposed to trust these people? (Score:4, Interesting)
I don't have anything to add to my subject.
Re:time to dump BIND (Score:2, Interesting)
Personally, I use ldapdns [nimh.org], which used to be based on the djbdns code and continues to adopt some ideas from djbdns. The nice thing about ldapdns, though, is that the database store is entirely in LDAP. You change it in LDAP and the changes in the DNS server are instantaneous.
I would consider PowerDNS as well, but ldapdns is also very small, fast and lightweight and it scales well. I don't get the feeling that PowerDNS is so lightweight.