Hi again guys,

It seems this is a global thing affecting all the DNS bind versions prior to July 28 2008. I have my work cut out for me very soon, I see at least a handful of servers in my list that either need to patching or upgrading.

How many of you guys are affected? Anybody successfully upgraded for unix? Any problems encountered that we need to beware of?

US-CERT Vulnerability Note VU#800113
Internet Systems Consortium, Inc.

Depending on your current Bind versions, you might need to specify some configuration items explicitly inside the options block in named.conf:

- allow-query and allow-transfer
- check-names
- minimal-responses
- transfer-format
See Upgrading DNS Bind to 9.5.0 p2 | Unixplaza Blog

thx for the info Amsct.

Tho I know the upgrade will only touch on the binary I just want to ask is there any requirement at all to lower the TTL prior to doing the upgrade?

Lowering the TTL is not necessarily a good thing for this issue.

See attached BlackHat presentation by Dan.

Attached Files

DMK_BO2K8.zip (1.51 MB, 16 views)

I didn't know lowering TTL could be a problem.

WOW this is very interesting Neo