It’s a sad day for IT security when even D. J. Bernstein has to admit that there’s a flaw in DJBDNS. Luckily the patch that needs to be applied is straightforward and has no known side-effects (at least, not on the DJBDNS servers that I patched).

A couple of people mailed me a couple of times saying that when they run ddclient in daemon mode their hostnames sometimes get blocked because of abuse (to frequent update requests). I run an update script from cron every time, the script is rather straightforward but might prove useful for some.

The DNS cache poisoning attacks (see VU#800113) / vulnerabilities that are going to be disclosed on the next Black Hat are attracting a lot of attention.

People are commenting (here and here) whether or not the cat has been let out of the bag or not. The exploit has been out there all the time … so what’s the (new) fuzz? Deal with it and apply the patches. Because of the nature of the patch (using ‘random’ ports) proper testing is required and certain environments might require a change in their firewall policy.

The people at DNS-OARC have a dns server that you can use to test if your resolver is using random ports.

$ dig +short porttest.dns-oarc.net TXT

Een bericht op de RIPE mailinglist dns-wg leert ons dat vanaf 1 November 2007 er een nieuw IPv4 adres, 199.7.83.42, is voor L.ROOT-SERVERS.NET. Het oude adres, 198.32.64.12, zal nog een zes maanden actief blijven om de overgang mogelijk te maken.

Iedereen die dns-servers onder zijn controle heeft past best z’n hints files aan. Vanaf één november zijn de nieuwe hints files beschikbaar vanop

ftp://rs.internic.net/domain/db.cache
ftp://rs.internic.net/domain/named.cache
ftp://rs.internic.net/domain/named.root
ftp://ftp.internic.net/domain/db.cache
ftp://ftp.internic.net/domain/named.cache
ftp://ftp.internic.net/domain/named.root