Re: Insecure DNS servers on PG infrastructure
From | Stefan Kaltenbrunner |
---|---|
Subject | Re: Insecure DNS servers on PG infrastructure |
Date | |
Msg-id | 488CD384.9090503@kaltenbrunner.cc |
In reply to | Re: Insecure DNS servers on PG infrastructure (Andrew Sullivan <ajs@commandprompt.com>) |
List | pgsql-www |
Andrew Sullivan wrote:
> On Fri, Jul 25, 2008 at 11:02:03AM -0400, Tom Lane wrote:
>> I just noted that cvs.postgresql.org and svr1.postgresql.org are not
>> running the latest bind release, which means that they are vulnerable to
>> the DNS cache poisoning attack recently discovered by Dan Kaminsky.
>> Vixie and co think this is a pretty big deal, so folks might want to
>> update sooner rather than later.
>
> This is an extremely big deal. The numbers I've seen suggest windows
> somewhere around 10 minutes. If the systems above are doing
> recursion, then they need to be patched right away. (If they're
> running both authority and recursive services in the same BIND
> instance, I suggest that the practice be abandoned immediately.)

cvs.postgresql.org is not running bind at all - what it is using are two (purely) recursive resolvers upstream. One of them is only going to get upgraded tomorrow (some changes need to be rolled out in a staged fashion) the other one was done a while ago - I have simply removed that one from the resolv.conf for the time being.

Stefan