On 2/23/2011 2:23 PM, Larry Vaden wrote:
> On Wed, Feb 23, 2011 at 1:14 PM, Always Learning <centos at g7.u22.net> wrote:
>> Many thanks to Markus Falb for publishing his excellent research - the
>> same research that Larry could also have done.
>>
>> "This issue did not affect the versions of bind as shipped with
>> Red Hat Enterprise Linux 4, 5, or 6."
> You are overlooking those on the list who are affected. Enuf said.

Larry,

Did you get your broken nameserver(s) fixed? Or are you maybe just complaining here trying to get a new release out which more than likely will not fix your issue, but it is easier to blame CentOS than to look at your install? If so, you more than likely will be let down when you find there is no magic wand in a new update.

That said... I personally believe that upstream provides a rather stock install of bind, perhaps meant more for an intranet than the internet? Bind just might be the single hardest part of running a webserver. But, I spent a number of days reading on hardening bind and then the testing and moving into production. Larry, have you done this?

If texoma.net is one of the affected domains, I note that there are some problems with DNS for that domain. The 2 level3.net nameservers are not providing either full or maybe correct information. If this is the case for other domains you manage, this is a serious problem and as DNS can be rather finicky, might be the root of your entire perceived problem.

And, if you think you had an injection, please do some googling on hardening bind. There is a lot of good information out there. To me, this is what is needed today and is well beyond a standard bind installation done by CentOS.

If in fact texoma.net is an example of the problem with all of the domains under your control, please fix your own house and quit complaining here until you have cleaned up things on your end. What I see has 0 to do with the bind version on CentOS. In fact, if you don't fix this before an upgrade, you may have a larger mess afterwards. I don't envy the task as I know very well that this is not easy.

Alternatively, maybe you should consider using a service such as dnsmadeeasy... although they recently experienced a significant downtime themselves due to a huge DoS attack coming in from all over the world.

Is it possibly a bit hypocritical to complain about other people's houses being dirty when you live in a dirty house yourself?

Best,
John Hinton