Re: [SECURITY] [DSA 1605-1] DNS vulnerability impact on the libc stub resolver

On Tue, Jul 08, 2008 at 07:05:29PM +0200, Florian Weimer wrote:
> Package        : glibc
> At this time, it is not possible to implement the recommended
> countermeasures in the GNU libc stub resolver.  The following
> workarounds are available:
> 1. Install a local BIND 9 resolver on the host, possibly in
> forward-only mode.  BIND 9 will then use source port randomization
> when sending queries over the network.  (Other caching resolvers can
> be used instead.)

Why is this phrased in a way that it prefers BIND as a recursive resolver,
when that same software was *only just* patched to be acceptable for the
same purpose?

I'm not particularly hell-bent on security, but I would expect the security
team to avoid doing these kinds of things...

     2. That which causes joy or happiness.