Another DNS Flaw Found, Patched

Posted by Soulskill on Friday January 09, @07:11PM
from the come-and-gone dept.
darthcamaro writes "Remember the big DNS flaw that Dan Kaminsky 'discovered' last year? Well, it looks like another flaw in DNS has just been patched. This time it's an item that affects DNSSEC, which was supposed to be the savior for the Kaminsky flaw. The good news, though, is that this time, the issue is relatively minor and DNS has already been patched. 'The flaw is specific to certain usages of DNSSEC,' Joao Damas, senior programming manager of the ISC told InternetNews. 'It is strongly advised that all BIND DNSSEC deployments update in case they are using the particular pattern affected (DSA keys in some cases) and to prevent coming across the problem in the future unexpectedly.'"

Related Stories

[+] IT: Massive, Coordinated Patch To the DNS Released 315 comments
tkrabec alerts us to a CERT advisory announcing a massive, multi-vendor DNS patch released today. Early this year, researcher Dan Kaminsky discovered a basic flaw in the DNS that could allow attackers easily to compromise any name server; it also affects clients. Kaminsky has been working in secret with a large group of vendors on a coordinated patch. Eighty-one vendors are listed in the CERT advisory (DOC). Here is the executive overview (PDF) to the CERT advisory — text reproduced at the link above. There's a podcast interview with Dan Kaminsky too. His site has a DNS checker tool on the top page. "The issue is extremely serious, and all name servers should be patched as soon as possible. Updates are also being released for a variety of other platforms since this is a problem with the DNS protocol itself, not a specific implementation. The good news is this is a really strange situation where the fix does not [immediately] reveal the vulnerability and reverse engineering isn't directly possible."
  • Is this somehow related to the bind DNS updates for ubuntu desktop that got pushed yesterday?

    • Re: (Score:3, Informative)

      Your home ubuntu machine or windows machine won't be affected directly by this.

      • Even if we are running a DNS server on one of them?
        • Otherwise not a problem.

              • Sorry, but while I appreciate the attempt, the program you gave doesn't work. It only supports XP Pro and crashes instantly in Win2K Pro. So does anybody else know of an easy to use DNS server for 2K Pro? Or am I just going to have to stick with Treewalk and hope I don't get hacked?
                • This might not be of help, but while I don't know of any DNS servers for Win2K Pro/WinXP/WinVista, I'm pretty sure that their Server line comes with DNS services already available. After doing a Google search, this [dns.net] came up.

                  Good luck!
                  • Only works on Win2K and 2K3 server. The only one that does support non server OSes costs more for a license than my PC cost. And with the economy in the crapper I don't have the $$$ for a server and a license. There has to be a DNS server out there that works for Win2K Pro. I mean surely, as much software as there is out there, there just has to be! I guess I'll just have to keep running Treewalk and hope I don't get boned running a BIND-LE from 2005. Thanks anyway.
                • > And all my gear doesn't work in Linux.

                  Been there. =:^(

                  Luckily, about time W98 (which I was in line for at midnight, after running the IE4 betas and installing IE4 with desktop enhancements on W95) came out, I started playing around with Linux, and soon began to require that any hardware I bought was Linux compatible, so by the time MS gave me that final shove when they decided eXPrivacy was going to require authentication, I had been buying all Linux compatible hardware for a couple years and was fine

      • I'm happy not knowing exactly how my car runs and most users are happy not knowing exactly how their operating system runs.

        Unless you know everything about absolutely everything in your life, you have no room to talk about people not knowing how their computers work.

        • Re: (Score:3, Insightful)

          You are aware that this is /. right?
          Many, if not most people here take apart stuff and find out how it works for fun. Why, just this weekend, I'll replace a radiator in my wife's van for a fourth of what the repair shop would charge, then later I might compile a new kernel or something. When I'm done, I'm probably gonna treat that old lawn mower to a new magneto, and then later, restart work on my control program for my radio scanner.
      • Well most of the time when there are updates the changelog doesn't actually display any text and reads "unable to download changelog". Also, it was just a fucking question!

        This post was brought to you by an elitist openbsd administrator

        Figures, BSD trolls strike again..

      • Wrong. Updates in distro releases are usually security updates, which should be applied by everyone.

      • I guess that OpenBSD doesn't have a decent package manager... Most package managers can figure out what packages are installed on a user's system, then only notify the user about updates to those installed packages. But, I suppose that *everything* is harder over in OpenBSD land.

  • subject (Score:5, Funny)

    by cstdenis (1118589) on Friday January 09, @07:47PM (#26394395)

    This is bad for all those who use DNSSEC. Both of them must be annoyed at the need to their software.

  • I don't have anything to add to my subject.

  • Yeah, um... (Score:5, Informative)

    by Ethanol (176321) on Friday January 09, @08:24PM (#26394691)

    That's not a "DNS flaw".

    It's an OpenSSL bug that turned out to affect BIND.

    • Re: (Score:2, Funny)

      by Anonymous Coward

      Since the Windows resolver can connect to BIND, and Microsoft didn't release a patch, a well-written Slashdot summary should have read

      Microsoft refuses to fix critical Windows 7 security vulnerability.

    • Re:Yeah, um... (Score:5, Informative)

      by Florian Weimer (88405) <fw@deneb.enyo.de> on Saturday January 10, @03:27AM (#26396673) Homepage

      It's an OpenSSL bug that turned out to affect BIND.

      No, it's a misuse of an OpenSSL API from within BIND, so the error is on BIND's side. It's of extremely low impact, though.

      • Exactly. I was just on the ISC site checking out something else (someone was asking about DNS for MS W2K and I was checking on that), and they said return codes for openSSL function calls weren't being checked in a few places so a verify failure may not have been properly caught. The released patch and downstream updates fix that.
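The two comments above describe the bug class: an OpenSSL verification call whose return code was not checked properly, so an error result could be mistaken for a successful verification. The following C program is an added illustration of that pattern and is not BIND's or ISC's code. OpenSSL's DSA_do_verify() returns 1 for a valid signature, 0 for an invalid signature and -1 on error (for example, malformed input); fake_dsa_do_verify() below is a constructed stand-in with the same return contract so the file builds without linking OpenSSL. The "lenient" checker treats only an explicit 0 as failure, which lets -1 through; the "strict" checker accepts nothing but 1.

```c
/* Added example (not BIND's or ISC's code): how treating only 0 as
 * "verify failed" turns an OpenSSL-style error return (-1) into success. */
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define VERIFY_OK      0
#define VERIFY_FAILURE 1

/* Constructed stand-in for OpenSSL's DSA_do_verify():
 *   1  = signature valid
 *   0  = signature invalid
 *  -1  = error (malformed input, internal failure) */
static int fake_dsa_do_verify(const unsigned char *sig, size_t siglen)
{
    static const unsigned char good_sig[4] = { 0xde, 0xad, 0xbe, 0xef };
    if (sig == NULL || siglen == 0)          /* malformed: cannot even parse */
        return -1;
    if (siglen == sizeof(good_sig) && memcmp(sig, good_sig, siglen) == 0)
        return 1;
    return 0;
}

/* Lenient pattern: only an explicit 0 counts as failure, so -1 (error)
 * is silently reported as a successful verification. */
int verify_lenient(const unsigned char *sig, size_t siglen)
{
    int status = fake_dsa_do_verify(sig, siglen);
    return (status == 0) ? VERIFY_FAILURE : VERIFY_OK;
}

/* Strict pattern: only a return of exactly 1 means "validated";
 * both 0 (invalid) and -1 (error) are treated as failure. */
int verify_strict(const unsigned char *sig, size_t siglen)
{
    int status = fake_dsa_do_verify(sig, siglen);
    return (status == 1) ? VERIFY_OK : VERIFY_FAILURE;
}

int main(void)
{
    static const unsigned char good[4]  = { 0xde, 0xad, 0xbe, 0xef };
    static const unsigned char wrong[4] = { 0x00, 0x11, 0x22, 0x33 };

    printf("good signature : lenient=%d strict=%d\n",
           verify_lenient(good, sizeof(good)), verify_strict(good, sizeof(good)));
    printf("wrong signature: lenient=%d strict=%d\n",
           verify_lenient(wrong, sizeof(wrong)), verify_strict(wrong, sizeof(wrong)));
    /* Malformed input: the lenient checker reports VERIFY_OK (0) here. */
    printf("malformed input: lenient=%d strict=%d\n",
           verify_lenient(NULL, 0), verify_strict(NULL, 0));
    return 0;
}
```

The fix the comment describes amounts to moving from the lenient shape to the strict one: any result other than the documented success value is a failure, and an error return from the library must never be folded into the "verified" branch.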

  • and go with djbdns
    • Make that PowerDNS, and I agree. BIND is a flaming sack of dog shit, and the conflation of DNS with BIND in many people's minds drives me nuts.

    • Personally, I use ldapdns [nimh.org], which used to be based on the djbdns code and continues to adopt some ideas from djbdns. The nice thing about ldapdns, though, is that the database store is entirely in LDAP. You change it in LDAP and the changes in the DNS server are instantaneous.

      I would consider PowerDNS as well, but ldapdns is also very small, fast and lightweight and it scales well. I don't get the feeling that PowerDNS is so lightweight.

      • Re: (Score:3, Informative)

        PowerDNS is actually quite light. They had the good sense to split it into a caching nameserver and a recursing resolver, making two lightweight daemons, rather than a single "does everything" process.

        It's also nice because it can suck in BIND zone files if you're stuck with them and don't want to migrate. Good commercial support is also available. The code itself is GPL.

  • DNS Flaw? (Score:5, Insightful)

    by HairyCanary (688865) on Friday January 09, @09:46PM (#26395175)

    "DNS Flaw"? Can we shoot for a bit more accuracy here on Slashdot, since we're all technical enough to understand the details? It's a flaw that affects BIND. And BIND != DNS. I shouldn't have to point that out...