Re: [SECURITY] [DSA 1605-1] DNS vulnerability impact on the libc stub resolver
On Tue, Jul 08, 2008 at 07:05:29PM +0200, Florian Weimer wrote:
> Package : glibc
>
> At this time, it is not possible to implement the recommended
> countermeasures in the GNU libc stub resolver. The following
> workarounds are available:
>
> 1. Install a local BIND 9 resolver on the host, possibly in
> forward-only mode. BIND 9 will then use source port randomization
> when sending queries over the network. (Other caching resolvers can
> be used instead.)
Why is this phrased in a way that it prefers BIND as a recursive resolver,
when that same software was *only just* patched to be acceptable for the
same purpose?
I'm not particularly hell-bent on security, but I would expect the security
team to avoid doing these kinds of things...
--
2. That which causes joy or happiness.