On Wed, Jul 09, 2008 at 02:38:38PM +0100, Simon Waters wrote:
> On Wednesday 09 July 2008 14:16:53 Jay R. Ashworth wrote:
> > On Wed, Jul 09, 2008 at 04:39:49AM -0400, Jean-François Mezei wrote:
> > > My DNS server made the various DNS requests from the same port and is
> > > thus vulnerable. (VMS TCPIP Services so no patches expected).
> >
> > Well, yes, but unless I've badly misunderstood the situation, all
> > that's necessary to mitigate this bug is to interpose a non-buggy
> > recursive resolver between the broken machine and the Internet at
> > large, right?
>
> He said "DNS server", which you wouldn't want to point at a correct named,
> because that would be forwarding, and forwarding has its own security issues.

Assuming that he actually meant "name server" and not "the resolver
library on my VMS machine" -- lots of Unix boxes don't run a local
named either. No offense to JF...

> I've already dragged a name server here back to a supported OS version today
> because of this, don't see why others should escape ;)

Well, in his case, for the same reason that no one will be upgrading
the resolver library on Win98 if it's broke, I think.

Cheers,
-- jra
-- 
Jay R. Ashworth                   Baylink                      [EMAIL PROTECTED]
Designer                     The Things I Think                       RFC 2100
Ashworth & Associates     http://baylink.pitas.com         '87 e24
St Petersburg FL USA      http://photo.imageinc.us             +1 727 647 1274

  Those who cast the vote decide nothing.
  Those who count the vote decide everything.
    -- (Josef Stalin)
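The thread turns on one observable property: whether a resolver's outbound queries all leave from the same UDP source port. The script below is an added example, not code from the thread or from any of the resolvers it mentions. It parses raw IPv4/UDP/DNS query headers, tallies the source ports and transaction IDs actually used, and reports whether the resolver is in the "same port every time" state Jean-François describes. The packet captures it analyses are constructed inline (addresses from the RFC 5737 documentation ranges, checksums left at zero); in practice you would feed it the outbound-to-port-53 packets from a tcpdump of the resolver's uplink. The entropy figures are of the observed sample only, so a short capture can show at most log2(sample size) bits; a low value from a short capture is an estimate, not proof of a patched resolver.

```python
"""Does a resolver randomize the UDP source port of its outbound queries?

Added example for the thread above. All packets below are constructed,
not captured; checksums are zero and only the headers are present.
"""
import math
import random
import struct
from collections import Counter

# Hypothetical addresses from the RFC 5737 documentation ranges.
RESOLVER_IP = bytes([192, 0, 2, 10])
AUTH_SERVER_IP = bytes([198, 51, 100, 53])


def build_query_packet(src_port: int, txid: int) -> bytes:
    """Construct a minimal IPv4 + UDP + DNS-header query (no question section)."""
    # DNS header: ID, flags (QR=0, RD=1), QDCOUNT=1, AN/NS/AR=0.
    dns = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    udp_len = 8 + len(dns)
    udp = struct.pack("!HHHH", src_port, 53, udp_len, 0)
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, 20 + udp_len,      # ver/IHL, TOS, total length
                     0, 0x4000, 64, 17, 0,       # ID, DF, TTL, proto=UDP, csum
                     RESOLVER_IP, AUTH_SERVER_IP)
    return ip + udp + dns


def parse_query(pkt: bytes):
    """Return (src_port, txid) for an IPv4/UDP packet carrying a DNS query, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 17 or len(pkt) < ihl + 8 + 12:      # not UDP, or too short for DNS header
        return None
    src_port, dst_port = struct.unpack("!HH", pkt[ihl:ihl + 4])
    if dst_port != 53:
        return None
    txid, flags = struct.unpack("!HH", pkt[ihl + 8:ihl + 12])
    if flags & 0x8000:                               # QR bit set: a response, not a query
        return None
    return src_port, txid


def shannon_bits(counter: Counter) -> float:
    """Shannon entropy (bits) of an observed distribution; 0 if one value only."""
    n = sum(counter.values())
    if n == 0 or len(counter) <= 1:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in counter.values())


def assess(packets) -> dict:
    """Summarise source-port and TXID diversity across a resolver's outbound queries."""
    samples = [q for q in map(parse_query, packets) if q is not None]
    ports = Counter(p for p, _ in samples)
    txids = Counter(t for _, t in samples)
    return {
        "queries": len(samples),
        "distinct_ports": len(ports),
        "distinct_txids": len(txids),
        # Sample entropy: bounded above by log2(queries), so treat as a floor.
        "port_entropy_bits": round(shannon_bits(ports), 2),
        "txid_entropy_bits": round(shannon_bits(txids), 2),
        # The condition the thread is about: every query from one port, so an
        # off-path attacker only has to guess the 16-bit TXID.
        "fixed_source_port": len(ports) == 1 and len(samples) > 1,
    }


def make_capture(fixed_port: bool, n: int = 32, seed: int = 1):
    """Constructed capture: n queries, either all from port 53 or from random ports."""
    rng = random.Random(seed)
    pkts = []
    for _ in range(n):
        port = 53 if fixed_port else rng.randrange(1024, 65536)
        pkts.append(build_query_packet(port, rng.randrange(65536)))
    return pkts


FIXED_PORT_CAPTURE = make_capture(fixed_port=True)     # the vulnerable pattern
RANDOM_PORT_CAPTURE = make_capture(fixed_port=False)   # what a patched resolver looks like

if __name__ == "__main__":
    for name, cap in (("fixed-port resolver", FIXED_PORT_CAPTURE),
                      ("randomizing resolver", RANDOM_PORT_CAPTURE)):
        print(name, assess(cap))
```

Run it against a real capture by replacing the two constructed lists with the raw IPv4 payloads of packets from the resolver to port 53; a result with `fixed_source_port` set means the host should not be talking to the Internet directly, which is the interposition Jay describes, with the forwarding caveat Simon raises still applying.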