Contributed by merdely on from the its-good-to-be-secure dept.
Jakob Schlyter (jakob@) wrote to misc@:
as some of you may have noticed, a new weakness in BIND 9 has recently been discovered. using this weakness, an attacker can remotely poison the cache of any BIND 9 server. the attacker can do this due to a weakness in the transaction ID generation algorithm used. when BIND 9 was first imported into OpenBSD, we decided not to use the default ID generation algorithm (LFSR, Linear Feedback Shift Register) but to use a more proven algorithm (LCG, Linear Congruential Generator) instead. thanks to this wise decision, the BIND 9 shipped with OpenBSD does not have this weakness. the proactive security of OpenBSD strikes again, jakob ref: http://www.trusteer.com/docs/bind9dns.html
(Comments are closed)