| From: | Stefan Kaltenbrunner <stefan(at)kaltenbrunner(dot)cc> |
|---|---|
| To: | Andrew Sullivan <ajs(at)commandprompt(dot)com> |
| Cc: | pgsql-www(at)postgresql(dot)org |
| Subject: | Re: Insecure DNS servers on PG infrastructure |
| Date: | 2008-07-27 19:59:00 |
| Message-ID: | 488CD384.9090503@kaltenbrunner.cc |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-www |
Andrew Sullivan wrote:
> On Fri, Jul 25, 2008 at 11:02:03AM -0400, Tom Lane wrote:
>> I just noted that cvs.postgresql.org and svr1.postgresql.org are not
>> running the latest bind release, which means that they are vulnerable to
>> the DNS cache poisoning attack recently discovered by Dan Kaminsky.
>> Vixie and co think this is a pretty big deal, so folks might want to
>> update sooner rather than later.
>
> This is an extremely big deal. The numbers I've seen suggest windows
> somewhere around 10 minutes. If the systems above are doing
> recursion, then they need to be patched right away. (If they're
> running both authority and recursive services in the same BIND
> instance, I suggest that the practice be abandoned immediately.)
cvs.postgresql.org is not running bind at all - what it is using are two
(purely) recursive resolvers upstream. One of them is only going to get
upgraded tomorrow(some changes need to be rolled out in a staged
fashion) the other one was done a while ago - I have simply removed that
one from the resolv.conf for the time being.
Stefan
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Alvaro Herrera | 2008-07-27 23:46:57 | Re: Insecure DNS servers on PG infrastructure |
| Previous Message | Tom Lane | 2008-07-27 18:52:26 | Re: Insecure DNS servers on PG infrastructure |