[CentOS] http://www.securityweek.com/high-severity-bind-vulnerability-advisory-issued

Wed Feb 23 21:05:09 UTC 2011
John Hinton <webmaster at ew3d.com>

On 2/23/2011 2:23 PM, Larry Vaden wrote:
> On Wed, Feb 23, 2011 at 1:14 PM, Always Learning<centos at g7.u22.net>  wrote:
>> Many thanks to Markus Falb for publishing his excellent research - the
>> same research that Larry could also have done.
>>         "This issue did not affect the versions of bind as shipped with
>>         Red Hat Enterprise Linux 4, 5, or 6."
> You are overlooking those on the list who are affected.  Enuf said.
Did you get your broken nameserver(s) fixed? Or are you maybe just 
complaining here trying to get a new release out which more than likely 
will not fix your issue, but it is easier to blame CentOS than to look 
at your install? If so, you more than likely will be let down when you 
find there is no magic wand in a new update.

That said... I personally believe that upstream provides a rather stock 
install of bind, perhaps meant more for an intranet than the internet? 
Bind just might be the single hardest part of running a webserver. But, 
I spent a number of days reading on hardening bind and then the testing 
and moving into production. Larry, have you done this?

If texoma.net is one of the affected domains, I note that there are some 
problems with DNS for that domain. The 2 level3.net nameservers are not 
providing either full or maybe correct information. If this is the case 
for other domains you manage, this is a serious problem and as DNS can be 
rather finicky, might be the root of your entire perceived problem.

And, if you think you had an injection, please do some googling on 
hardening bind. There is a lot of good information out there. To me, 
this is what is needed today and is well beyond a standard bind 
installation done by CentOS.

If in fact texoma.net is an example of the problem with all of the 
domains under your control, please fix your own house and quit 
complaining here until you have cleaned up things on your end. What I 
see has 0 to do with the bind version on CentOS. In fact, if you don't 
fix this before an upgrade, you may have a larger mess afterwards.

I don't envy the task as I know very well that this is not easy. 
Alternatively, maybe you should consider using a service such as 
dnsmadeeasy... although they recently experienced a significant downtime 
themselves due to a huge DoS attack coming in from all over the world.

Is it possibly a bit hypocritical to complain about other people's 
houses being dirty when you live in a dirty house yourself?

John Hinton
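The complaint above is that some of a domain's delegated nameservers "are not providing either full or maybe correct information". The check a DNS operator would run for that is a delegation consistency test: every server listed in the parent's delegation must answer with the Authoritative Answer (AA) flag, return the same NS set as the delegation, and report the same SOA serial. The following is an added example, not code from the thread or from CentOS, BIND or any operator named in it; the zone name, server names and per-server answers are constructed sample data, and the `NsAnswer` and `check_delegation` names are the example's own.

```python
"""Delegation consistency check for one DNS zone (added example, constructed data).

Every name server the parent delegates to should answer authoritatively
(AA flag set) and return the same SOA serial and the same NS set.  A server
that answers without AA is a lame delegation; a server with an old serial or
an old NS set is serving a stale copy.  Both match "not full or correct
information" from a delegated server.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class NsAnswer:
    """What one delegated name server said when asked for the zone's SOA and NS."""
    server: str
    responded: bool                    # False: timeout, REFUSED or SERVFAIL
    aa: bool = False                   # Authoritative Answer flag in the reply
    soa_serial: Optional[int] = None   # serial from the SOA record, if one came back
    ns_rrset: Set[str] = field(default_factory=set)  # NS names the server returned


def check_delegation(zone: str, delegated_ns: Set[str],
                     answers: Dict[str, NsAnswer]) -> List[str]:
    """Return human-readable findings; an empty list means the delegation looks sane."""
    findings: List[str] = []
    authoritative: List[NsAnswer] = []

    for ns in sorted(delegated_ns):
        ans = answers.get(ns)
        if ans is None or not ans.responded:
            findings.append(f"{ns}: no usable answer for {zone} (unreachable or refused)")
            continue
        if not ans.aa:
            # Lame delegation: the parent points here, but the server does not claim the zone.
            findings.append(f"{ns}: lame delegation, answered for {zone} without AA flag")
            continue
        if ans.ns_rrset and ans.ns_rrset != delegated_ns:
            missing = sorted(delegated_ns - ans.ns_rrset)
            extra = sorted(ans.ns_rrset - delegated_ns)
            findings.append(f"{ns}: NS set differs from delegation "
                            f"(missing {missing}, extra {extra})")
        if ans.soa_serial is None:
            findings.append(f"{ns}: authoritative but returned no SOA for {zone}")
            continue
        authoritative.append(ans)

    # All authoritative servers should carry the same zone version.
    serials = {a.soa_serial for a in authoritative}
    if len(serials) > 1:
        detail = ", ".join(f"{a.server}={a.soa_serial}" for a in authoritative)
        findings.append(f"{zone}: SOA serial mismatch across authoritative servers ({detail})")

    return findings


# Constructed sample: the domain's own two servers are fine, the two servers
# at a hypothetical provider are a lame delegation and a stale secondary.
SAMPLE_ZONE = "example.net"
SAMPLE_DELEGATION = {"ns1.example.net", "ns2.example.net",
                     "ns1.provider.example", "ns2.provider.example"}
SAMPLE_ANSWERS = {
    "ns1.example.net": NsAnswer("ns1.example.net", True, True, 2011022301,
                                set(SAMPLE_DELEGATION)),
    "ns2.example.net": NsAnswer("ns2.example.net", True, True, 2011022301,
                                set(SAMPLE_DELEGATION)),
    # answers, but not authoritatively (lame delegation)
    "ns1.provider.example": NsAnswer("ns1.provider.example", True, False, None, set()),
    # authoritative, but serving an old copy with an old NS set
    "ns2.provider.example": NsAnswer("ns2.provider.example", True, True, 2010120100,
                                     {"ns1.example.net", "ns2.example.net"}),
}


def sample_report() -> List[str]:
    """Run the check over the constructed sample (three findings expected)."""
    return check_delegation(SAMPLE_ZONE, SAMPLE_DELEGATION, SAMPLE_ANSWERS)


if __name__ == "__main__":
    for line in sample_report() or ["OK: delegation is consistent"]:
        print(line)
```

To feed real data into `NsAnswer`, query each delegated server directly and without recursion (`dig +norecurse @ns1.example.net example.net SOA`): the `;; flags:` line of the reply shows whether `aa` is set, the answer section carries the SOA serial, and the same query for `NS` gives the server's view of the NS set, which is compared against the parent's delegation (`dig @<parent server> example.net NS`). Running this against all servers before, not after, a BIND upgrade is what the post's "fix this before an upgrade" amounts to in practice.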