Skip site navigation (1) Skip section navigation (2)

Re: Insecure DNS servers on PG infrastructure

From: Stefan Kaltenbrunner <stefan(at)kaltenbrunner(dot)cc>
To: Andrew Sullivan <ajs(at)commandprompt(dot)com>
Cc: pgsql-www(at)postgresql(dot)org
Subject: Re: Insecure DNS servers on PG infrastructure
Date: 2008-07-27 19:59:00
Message-ID: 488CD384.9090503@kaltenbrunner.cc (view raw or flat)
Thread:
Lists: pgsql-www
Andrew Sullivan wrote:
> On Fri, Jul 25, 2008 at 11:02:03AM -0400, Tom Lane wrote:
>> I just noted that cvs.postgresql.org and svr1.postgresql.org are not
>> running the latest bind release, which means that they are vulnerable to
>> the DNS cache poisoning attack recently discovered by Dan Kaminsky.
>> Vixie and co think this is a pretty big deal, so folks might want to
>> update sooner rather than later.
> 
> This is an extremely big deal.  The numbers I've seen suggest windows
> somewhere around 10 minutes.  If the systems above are doing
> recursion, then they need to be patched right away.  (If they're
> running both authority and recursive services in the same BIND
> instance, I suggest that the practice be abandoned immediately.)

cvs.postgresql.org is not running bind at all - what it is using are two 
(purely) recursive resolvers upstream. One of them is only going to get 
upgraded tomorrow(some changes need to be rolled out in a staged 
fashion) the other one was done a while ago - I have simply removed that 
one from the resolv.conf for the time being.



Stefan

In response to

pgsql-www by date

Next:From: Alvaro HerreraDate: 2008-07-27 23:46:57
Subject: Re: Insecure DNS servers on PG infrastructure
Previous:From: Tom LaneDate: 2008-07-27 18:52:26
Subject: Re: Insecure DNS servers on PG infrastructure

Privacy Policy | About PostgreSQL
Copyright © 1996-2014 The PostgreSQL Global Development Group