On 2/23/2011 2:23 PM, Larry Vaden wrote:
> On Wed, Feb 23, 2011 at 1:14 PM, Always Learning wrote:
> > Many thanks to Markus Falb for publishing his excellent research - the
> > same research that Larry could also have done.
> > "This issue did not affect the versions of bind as shipped with
> > Red Hat Enterprise Linux 4, 5, or 6."
> You are overlooking those on the list who are affected. Enuf said.
Did you get your broken nameserver(s) fixed? Or are you maybe just
complaining here trying to get a new release out which more than likely
will not fix your issue, but it is easier to blame CentOS than to look
at your install? If so, you more than likely will be let down when you
find there is no magic wand in a new update.
That said... I personally believe that upstream provides a rather stock
install of bind, perhaps meant more for an intranet than the internet?
Bind just might be the single hardest part of running a webserver. But,
I spent a number of days reading on hardening bind and then the testing
and moving into production. Larry, have you done this?
If texoma.net is one of the affected domains, I note that there are some
problems with DNS for that domain. The 2 level3.net nameservers are not
providing either full or maybe correct information. If this is the case
for other domains you manage, this is a serious problem and, as DNS can be
rather finicky, might be the root of your entire perceived problem.
And, if you think you had an injection, please do some googling on
hardening bind. There is a lot of good information out there. To me,
this is what is needed today and is well beyond a standard bind
installation done by CentOS.
If in fact texoma.net is an example of the problem with all of the
domains under your control, please fix your own house and quit
complaining here until you have cleaned up things on your end. What I
see has 0 to do with the bind version on CentOS. In fact, if you don't
fix this before an upgrade, you may have a larger mess afterwards.
I don't envy the task as I know very well that this is not easy.
Alternatively, maybe you should consider using a service such as
dnsmadeeasy... although they recently experienced a significant downtime
themselves due to a huge DoS attack coming in from all over the world.
Is it possibly a bit hypocritical to complain about other people's
houses being dirty when you live in a dirty house yourself?