as some of you may have noticed, a new weakness in BIND 9 has recently been discovered. using this weakness, an attacker can remotely poison the cache of any BIND 9 server. the attacker can do this due to a weakness in the transaction ID generation algorithm used.

when BIND 9 was first imported into OpenBSD, we decided not to use the default ID generation algorithm (LFSR, Linear Feedback Shift Register) but to use a more proven algorithm (LCG, Linear Congruential Generator) instead. thanks to this wise decision, the BIND 9 shipped with OpenBSD does not have this weakness.


the proactive security of OpenBSD strikes again,

        jakob


ref: http://www.trusteer.com/docs/bind9dns.html
