<HTML >
<HEAD>
<META http-equiv="Content-Type" content="text/html; charset=us-ascii">
<META NAME="Generator" CONTENT="MS Exchange Server version 6.5.7651.59">
<TITLE>DNS vulnerability</TITLE>
</HEAD>
<BODY >
<DIV>
<!-- Converted from text/rtf format -->
<P DIR=LTR><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">FYI there is apparently a rather serious exploit of DNS that will be detailed on August 6</FONT></SPAN><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"><SUP><FONT SIZE=2 FACE="Arial">th</FONT></SUP></SPAN><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">.</FONT></SPAN><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">For those of you using BIND (named) there is a quick resiliency fix required to make your name server do randomized ports. It also requires removing port restriction on the query source line of your named.conf options.</FONT></SPAN><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">I think M$ has also released updates for their stuff.</FONT></SPAN><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">Information from ISC on the issue:</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"></SPAN><A HREF="http://www.isc.org/index.pl?/sw/bind/forgery-resilience.php"><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"><U><FONT COLOR="#0000FF" SIZE=2 FACE="Arial">http://www.isc.org/index.pl?/sw/bind/forgery-resilience.php</FONT></U></SPAN><SPAN LANG="en-us"></SPAN></A><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">Information from RedHat for the update to bind</FONT></SPAN><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial"> (the ISC updated versions aren</FONT></SPAN><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">’</FONT></SPAN><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">t the officially distributed ones those of you using RedHat subscriptions will have</FONT></SPAN><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">).</FONT></SPAN><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"></SPAN><A HREF="http://rhn.redhat.com/errata/RHSA-2008-0533.html"><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"><U><FONT COLOR="#0000FF" SIZE=2 FACE="Arial">http://rhn.redhat.com/errata/RHSA-2008-0533.html</FONT></U></SPAN><SPAN LANG="en-us"></SPAN></A><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">The above is short term that decreases but does not eliminate likelihood of being compromised. </FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">The long term fix is to implement DNSSEC to sign your zones but th</FONT></SPAN><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">e</FONT></SPAN><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial"></FONT></SPAN><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"> <FONT SIZE=2 FACE="Arial">resiliency</FONT></SPAN><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial"> fix will help to lessen the likelihood of successful attack</FONT></SPAN><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"> <FONT SIZE=2 FACE="Arial">until you can implement DNSSEC.</FONT></SPAN><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">. </FONT></SPAN><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"> </SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">There is also a presentation called DNSSEC in 6 minutes at:</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"></SPAN><A HREF="http://www.isc.org/sw/bind/docs/DNSSEC_in_6_minutes.pdf"><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"><U><FONT COLOR="#0000FF" SIZE=2 FACE="Arial">http://www.isc.org/sw/bind/docs/DNSSEC_in_6_minutes.pdf</FONT></U></SPAN><SPAN LANG="en-us"></SPAN></A><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">FYI: The author of the above on the BIND list has stated that of course it takes longer than 6 minutes to go through the presentation but that once you understand it then it should only take 6 minutes to make the changes and keep up with them.</FONT></SPAN><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"></SPAN></P>
</DIV>
<DIV STYLE="FONT-SIZE: 9pt; FONT-FAMILY: Courier New">
<FONT FACE="Arial" SIZE="2">----------------------------------<BR>CONFIDENTIALITY NOTICE: This e-mail may contain privileged or confidential information and is for the sole use of the intended recipient(s). If you are not the intended recipient, any disclosure, copying, distribution, or use of the contents of this information is prohibited and may be unlawful. If you have received this electronic transmission in error, please reply immediately to the sender that you have received the message in error, and delete it. Thank you.<BR>----------------------------------<BR></FONT>
</DIV></BODY></HTML>