SCIENTIFIC-LINUX-USERS Archives

July 2008

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

From: Troy Dawson <[log in to unmask]>
Reply To: Troy Dawson <[log in to unmask]>
Date: Thu, 24 Jul 2008 08:50:18 -0500
Content-Type: text/plain
Parts/Attachments: text/plain (67 lines)
Perhaps you should read more closely

Fernando Rannou wrote:
> I just read in the newspaper there is a "virus" running
> around that affects DNS that operate with a cache or resolver server.
> So we could all be vulnerable to cache poisoning or spoofing.
> 
> Take a look at
> http://www.kb.cert.org/vuls/id/800113

If you look down at the affected vendors and look at RedHat, you will see it 
points to
http://www.kb.cert.org/vuls/id/MIMG-7ECLBD
which points to
https://rhn.redhat.com/errata/RHSA-2008-0533.html
which shows that it has already been patched, and the patch pushed out.
Do we have it pushed out in Scientific Linux?
Sure, we have these pushed out and announced at
http://listserv.fnal.gov/scripts/wa.exe?A2=ind0807&L=scientific-linux-errata&T=0&X=3417C00DB65A487ABD&Y=dawson%40fnal.gov&P=432
http://listserv.fnal.gov/scripts/wa.exe?A2=ind0807&L=scientific-linux-errata&T=0&X=3417C00DB65A487ABD&Y=dawson%40fnal.gov&P=1067

Could you be infected?
Only if you have turned off your autoupdates.

Troy

> http://www.isc.org/index.pl?/sw/bind/forgery-resilience.php
> http://www.microsoft.com/technet/security/Bulletin
> http://www.cisco.com/warp/public/707/cisco-sa-20080708-dns.shtml
> http://news.oreilly.com/2008/07/dan-kaminsky-upgrade-your-dns.html
> 
> Fernando Rannou
> 
> On Thu, 2008-07-24 at 00:43 -0700, Keith Lofstrom wrote:
>> On Wed, Jul 23, 2008 at 12:07:06AM -0700, Keith Lofstrom wrote:
>>> There was a flurry of upgrades to BIND/named about a week ago.  Over
>>> the last few days, I have noticed a few DNS failures (but that may
>>> be coincidental).  I am learning to read debug output and developing
>>> a better understanding of named.conf (set up by a consultant 5 years
>>> ago) and so on, but meanwhile, is anyone else having problems?
>>>
>>> Try "dig ns1.hostica.com +trace" and see if it fails.
>>>
>>> Keith
>> In my case, it turned out to be a couple of things.  The DNS UDP
>> packets seem to be a bit longer now.  I am currently connected to
>> Verizon FIOS through an Actiontec cable modem/router, which some
>> websites say truncates UDP packets to 512 bytes, in accordance
>> with RFC negative 666. :-)  That caused problems with hostica
>> and others.   I changed /etc/named.conf to a policy of forward
>> first, and used the Verizon nameservers as forwarders, taking out
>> the lookup through the root nameservers.  Verizon does some goofy
>> things with nonexistent URLs, but I can live with that for now.
>>
>> Keith
>>
>> --
>> Keith Lofstrom          [log in to unmask]         Voice (503)-520-1993
>> KLIC --- Keith Lofstrom Integrated Circuits --- "Your Ideas in Silicon"
>> Design Contracting in Bipolar and CMOS - Analog, Digital, and Scan ICs
>>
-- 
__________________________________________________
Troy Dawson  [log in to unmask]  (630)840-6468
Fermilab  ComputingDivision/LCSI/CSI DSS Group
__________________________________________________
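Troy's answer ("only if you have turned off your autoupdates") settles whether the RHSA-2008-0533 packages are installed, but the fix in that errata is query source-port randomisation, and installing the package is not the same as the running named actually emitting random ports: named may not have been restarted, or a NAT device in front of it may rewrite the ports back into a predictable sequence (the CERT note VU#800113 above warns about exactly that), and Keith's switch to forwarding means the Verizon forwarders' randomisation is what matters for his host. The script below is an added example, not code from this thread or from Scientific Linux; it scores a resolver's outbound queries offline. It assumes you have captured those queries on the resolver itself with a real command such as `tcpdump -n -i eth0 udp dst port 53` and saved the text; the lines embedded here are constructed in that format, not a real capture, and the stdev threshold and the GOOD/POOR labels are my own assumptions, not the figures any public test service uses.

```python
"""Score DNS query source-port and transaction-ID randomisation from a
tcpdump -n style text capture. Added example; not from the mailing-list
thread. Thresholds are assumptions chosen for this illustration."""
import re
import statistics
from typing import Dict, List, Sequence

# Matches lines of the form
#   HH:MM:SS.uuuuuu IP <src>.<sport> > <resolver>.53: <txid>+ A? name. (len)
# as printed by "tcpdump -n udp dst port 53". The flag characters after the
# transaction ID (e.g. '+' for recursion desired) are skipped.
TCPDUMP_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"\d+\.\d+\.\d+\.\d+\.53: (?P<txid>\d+)[+%]* "
)


def parse_capture(lines: Sequence[str]) -> Dict[str, List[int]]:
    """Pull the UDP source port and DNS transaction ID out of each query line."""
    ports: List[int] = []
    txids: List[int] = []
    for line in lines:
        m = TCPDUMP_RE.search(line)
        if m:
            ports.append(int(m.group("sport")))
            txids.append(int(m.group("txid")))
    return {"ports": ports, "txids": txids}


def sample_stats(values: Sequence[int]) -> Dict[str, float]:
    """Distinct count, range and population standard deviation of a sample."""
    if len(values) < 2:
        raise ValueError("need at least two observations to judge randomness")
    return {
        "samples": len(values),
        "distinct": len(set(values)),
        "range": max(values) - min(values),
        "stdev": statistics.pstdev(values),
    }


def is_sequential(values: Sequence[int]) -> bool:
    """True when every observation is exactly one more than the previous one."""
    return all(b - a == 1 for a, b in zip(values, values[1:]))


def rate(values: Sequence[int], min_stdev: float = 1000.0) -> str:
    """Classify a sample. min_stdev is an assumed cut-off, not a published one."""
    s = sample_stats(values)
    if s["distinct"] == 1:
        return "FIXED"          # one port/ID for every query: trivially guessable
    if is_sequential(values):
        return "SEQUENTIAL"     # what a port-rewriting NAT typically produces
    if s["stdev"] < min_stdev:
        return "POOR"           # varies, but over too small a range
    return "RANDOM"


def assess(lines: Sequence[str]) -> Dict[str, str]:
    """Rate both the source ports and the transaction IDs of a capture."""
    cap = parse_capture(lines)
    return {"port": rate(cap["ports"]), "txid": rate(cap["txids"])}


def _capture(ports: Sequence[int], txids: Sequence[int]) -> List[str]:
    """Build constructed tcpdump-style lines (sample data, not a real capture)."""
    return [
        f"12:00:{i:02d}.000000 IP 192.0.2.10.{p} > 198.51.100.1.53: "
        f"{t}+ A? host{i}.example.net. (34)"
        for i, (p, t) in enumerate(zip(ports, txids))
    ]


# Constructed samples. The "random" values are hand-picked spread-out numbers.
RANDOM_PORTS = [41257, 1894, 60012, 33871, 12506, 55403, 27140, 3377, 49981, 18762,
                64011, 9250, 36604, 58129, 22873, 45516, 7042, 51738, 30295, 15689]
RANDOM_TXIDS = [47211, 3098, 58840, 21577, 9934, 63002, 30415, 14761, 52288, 37690,
                6123, 44506, 25839, 60177, 18052, 40923, 1547, 55364, 33206, 11480]

RANDOM_CAPTURE = _capture(RANDOM_PORTS, RANDOM_TXIDS)            # patched resolver
FIXED_PORT_CAPTURE = _capture([32768] * 20, RANDOM_TXIDS)        # old fixed query port
SEQUENTIAL_PORT_CAPTURE = _capture(range(1024, 1044), RANDOM_TXIDS)  # NAT re-sequenced

if __name__ == "__main__":
    for name, cap in (("patched", RANDOM_CAPTURE),
                      ("fixed-port", FIXED_PORT_CAPTURE),
                      ("behind NAT", SEQUENTIAL_PORT_CAPTURE)):
        print(name, assess(cap))
```

Run it against a real capture by replacing the constructed lists with the lines from your tcpdump output; a result of FIXED or SEQUENTIAL for the ports means the errata packages alone have not protected that host, whatever autoupdate says. Note that when a resolver forwards, as Keith's does, the capture has to be taken on the forwarder to mean anything.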
