In article <199707222024.NAA14009@wisdom.rc.vix.com>, you wrote:
a BIND 4.9.6 or 8.1.1 server is immune. so, you could upgrade. to so do, see http://www.isc.org/isc/ which will lead you to ftp://ftp.isc.org/isc/. (the root name servers are all running modern software at this point.)
Immune to which attack? The poisoned resource-record attack? The ID guessing attack? How have you confirmed that 8.1.1 is not vulnerable to related attacks? Since, as you say, this has an "operations" context (the integrity of the Internet domain service in realistic danger), it might be appropriate and appreciated for you to detail the steps you and the ISC have taken to resolve these problems in BIND 8.1.1. Does 8.1.1 validate resource records? Does it use random query IDs? My understanding of Kashpureff's attack was that it was of minimal complexity (specifically, that he ripped off some kid's cname-bouncing script). I am therefore concerned at what appears to be the use of his apparently unsophisticated attack as a metric for the security of BIND 8.1.1. Thanks for reading this, and for your time! -- ---------------- Thomas Ptacek at EnterAct, L.L.C., Chicago, IL [tqbf@enteract.com] ---------------- exit(main(kfp->kargc, argv, environ));