Another DNS Flaw Found, Patched

Soulskill posted more than 5 years ago | from the come-and-gone dept.

Networking 66

darthcamaro writes "Remember the big DNS flaw that Dan Kaminsky 'discovered' last year? Well, it looks like another flaw in DNS has just been patched. This time it's an item that affects DNSSEC, which was supposed to be the savior for the Kaminsky flaw. The good news, though, is that this time, the issue is relatively minor and DNS has already been patched. 'The flaw is specific to certain usages of DNSSEC,' Joao Damas, senior programming manager of the ISC told InternetNews. 'It is strongly advised that all BIND DNSSEC deployments update in case they are using the particular pattern affected (DSA keys in some cases) and to prevent coming across the problem in the future unexpectedly.'"
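To act on the advice about DSA keys quoted above, an operator first needs to know whether any signed zone publishes them. The following is an added example, not code from ISC or from the original post: it parses DNSKEY records in zone-file presentation format and flags the DSA-based algorithms (IANA numbers 3 and 6). The zone data is constructed, the function names are illustrative, and the script only inventories key algorithms; it does not test for the flaw itself.

```python
"""Inventory DNSKEY records in zone-file text and flag DSA-based keys."""

# DNSSEC algorithm numbers and mnemonics (IANA DNS Security Algorithm Numbers).
ALGORITHMS = {
    1: "RSAMD5", 3: "DSA", 5: "RSASHA1", 6: "DSA-NSEC3-SHA1",
    7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256", 10: "RSASHA512",
    13: "ECDSAP256SHA256", 14: "ECDSAP384SHA384", 15: "ED25519", 16: "ED448",
}
DSA_ALGORITHMS = {3, 6}

# Constructed sample data: names are reserved test names, key material is filler.
SAMPLE_ZONE = """\
; constructed sample zone fragment
example.test.      3600 IN DNSKEY 257 3 5 AwEAAcFillerKeyMaterial0001
example.test.      3600 IN DNSKEY 256 3 3 ( AMFillerKey
                                   MaterialDSA0002 ) ; ZSK
legacy.test.       IN DNSKEY 256 3 DSA-NSEC3-SHA1 AKFillerKeyMaterial0003
                   3600 IN DNSKEY 256 3 8 AwEAAfillerKeyMaterial0004
example.test.      3600 IN A 192.0.2.10
"""


def logical_lines(text):
    """Yield records with ';' comments removed and ( ... ) groups joined."""
    buf, depth = "", 0
    for raw in text.splitlines():
        line, in_quote = "", False
        for ch in raw:
            if ch == '"':
                in_quote = not in_quote
            if not in_quote:
                if ch == ";":          # comment runs to end of line
                    break
                if ch == "(":          # multi-line record opens
                    depth += 1
                    ch = " "
                elif ch == ")":        # multi-line record closes
                    depth -= 1
                    ch = " "
            line += ch
        buf += line + " "
        if depth <= 0:
            if buf.strip():
                yield buf.rstrip()     # leading whitespace kept: owner inherited
            buf, depth = "", 0


def parse_algorithm(token):
    """Accept a decimal number or a mnemonic; return None if unrecognised."""
    if token.isdigit():
        return int(token)
    by_name = {name: num for num, name in ALGORITHMS.items()}
    return by_name.get(token.upper())


def find_dnskeys(text):
    """Return one dict per DNSKEY record found in the zone text."""
    keys, owner = [], None
    for rec in logical_lines(text):
        tokens = rec.split()
        if tokens[0].startswith("$"):  # $ORIGIN, $TTL and similar directives
            continue
        if not rec[0].isspace():       # a blank owner field repeats the last owner
            owner = tokens[0]
        upper = [t.upper() for t in tokens]
        if "DNSKEY" not in upper:
            continue
        i = upper.index("DNSKEY")
        if len(tokens) < i + 5 or not tokens[i + 1].isdigit():
            continue                   # malformed: need flags, protocol, alg, key
        flags = int(tokens[i + 1])
        alg = parse_algorithm(tokens[i + 3])
        keys.append({
            "owner": owner,
            "role": "KSK" if flags & 0x0001 else "ZSK",  # SEP bit marks a KSK
            "algorithm": alg,
            "name": ALGORITHMS.get(alg, "unknown"),
            "key": "".join(tokens[i + 4:]),
        })
    return keys


def dsa_keys(text):
    """Return only the DNSKEY records that use a DSA-based algorithm."""
    return [k for k in find_dnskeys(text) if k["algorithm"] in DSA_ALGORITHMS]


if __name__ == "__main__":
    for k in dsa_keys(SAMPLE_ZONE):
        print(f'{k["owner"]} {k["role"]} algorithm {k["algorithm"]} ({k["name"]})')
```

The same functions can be pointed at the text of a real zone file or at saved `dig DNSKEY` answers, since both use this presentation format.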


This is why I love macs (-1, Offtopic)

Anonymous Coward | more than 5 years ago | (#26394225)

i use mac with my brother sometimes... its very cool... my brother is 30 years old hes pretty smart... he has 45 iq its the same as heis shoe size.. pretu good considaring 100 is full.... mac is cool but visat is beter... i am takeru on msn... bcz when i play halo for the second time i knew what was going too happen befor eit happend... so im takeru... its pretty cooll... is anyone else here mac... thatwould be prety cooll... sonic is cool... i dont like tails though bcz hes sonics girlfrend... i want2 be sonics girlfrend.... sonic is so fast and handsome its increddibnle... sometimes... mac... together... my mom and dad are brother and sister... its prety cool i gess... i herd its prety normal in america.... they love eachother like a father and daugher... theyr so cute together... together... sometimes... mac... my brother is in wheel chair... but hes cool because hes smart... yea... the boy in the basements said he isnt smart and he say bad thing about my dad... but its no mater... he is chained up... in basement... together... vista... yea... maybe... mac is pretty cool bcz they are like copmuters... and the y hav leaf powers btu in mac their in the sfrari... and im there too because im takeru... together... sometimes... i hear screaming from basement... dosnt mater... the boy there is happey.... yea...

Re:This is why I love macs (-1, Offtopic)

Anonymous Coward | more than 5 years ago | (#26394367)

It's funny that I had only recently been thinking and praying about these queerest of computers. It certainly is true that Apple computers are very popular amongst the homosexual communities, the fact that these computers are so popular indicates the depths to which our great nation has sunk to.

The Apple corporation logo is naturally an apple with a bite taken out of it. Is it not a coincidence that Eve tempted Adam with an Apple? The apple is a symbol of defiance against God, and was an obvious choice for a company whose primary objectives include the liberalisation of all media, and which actively finances the political party that hates God.

When I first saw an apple computer (called a Mac, after the popular fast food product) with its "fruity" design, I had assumed that it was some kind of obsolete product aimed at latte sipping east-coast homosexual designers. This initial observation turned out to be only half true:

The apple computers are not as obsolete as their gaudy designs suggest - the Apple computer company, based in that Sodomite Central, Cupertino CA, have invested a great deal of money in keeping up with more mainstream American PC brands like Dell or IBM, however rather than compete on computing power, practicality or ease of use the Apple company prefer to emphasize "eye-candy". If you are the sort of person who loves nothing more than gazing for hours at an aquarium full of brightly colored fish, then the feeling of using an Apple desktop will be most familiar.

Note the oddly-shaped apple-mouse. Unlike modern computer mice, the Apple product has only one button. This is because historically Apple computer failed to license the patent for including buttons on mice. Since most apple computers are used as children's toys, their homosexual owners have barely noticed this deficiency, they are too busy thinking about sodomy to worry about their computer's obvious deficiencies.

Windows appear to swim around, distorting and melding into the "dock", with almost psychedelic fluidity. Parts of the desktop become inexplicably transparent, and then return to normal or else swirl into oblivion. Control over windows is achieved not through familiar buttons (like Window's "X"), but candy colored blobs, which are designed to remind the user of "Extasy" tablets. I suspect that the Apple design team must have been doing more drugs than the average touring funk-band.

The Apple OSX platform is missing a large number of common and essential productivity tools commonly used on the Windows platform. For example the endearing BonziBuddy can only be found on Windows, and therefore will only run on a Mac that has been upgraded to Boot-Camp and Windows. I suspect that this is exactly what most Mac-owners will feel forced to do.

Naturally, the big question is, does the "alternative lifestyle" approach to computer design really pay-off for the people who count: The Users?

I think the answer is no. Having used computers all my life, I consider myself an expert in the day to day tasks of computing. The Microsoft Windows operating system makes installing, uninstalling, defragmenting, and removal of viruses and spyware trivially easy. It's a shame that the Apple company (who unbelievably are much praised for their interface design) had not thought to make these everyday tasks simpler.

As I have pointed out on a number of occasions both Linux and AppleMac fail to include a disk-defragmentor, a personal firewall, a standard method for installing or removing software or even a system repair utility. Microsoft introduced all of this in their epoch-making "Windows Me" edition. Linux users have had to get used to the lack of these essential productivity tools, however Linux is universally acknowledged as a cheap imitation of Windows. Mac on the other-hand is marketed as a full-price premium product.

Apple computers come preloaded with iTunes which only works with Apple's oddly-coloured iPod. The Apple Mac cannot run the more popular "Windows Media Player", and is therefore incompatible with Microsoft DRM or the wildly popular Microsoft Zune. This seems quite unfair to me, and is most probably an illegal monopoly.

Finally, we should also ask ourselves - is the Apple Mac good value for money? Superficially this may seem to be the case - Apple try to match price-points with Dell on a range of products, however the clues are in the small-print. All Dell products include the industry standard Windows Vista as standard. Dell ensure that each computer comes with an operating system, without which the computer could not function. Apple computers are still bundled with OSX, an attractive but aging operating system based on the very old UNIX, a technology developed by SCO group in the early 70s. This is the same technology which Linux developers were recently accused of stealing.

Are apple aware of their obvious limitations? We think they must be - A couple of years ago they released a product that most shrill-voiced liberal Apple pundits believed was impossible: It's called "Boot Camp" - a utility that upgrades any recent Apple computer to be compatible with the industry standard Microsoft Windows. Industry insiders now believe that this release heralds Apple Computer Corporation's exit from the software business. For once, I'd have to agree with Apple - this would be a sensible way to preserve shareholder value.

Apple computer make a big deal out of the claim that their absurdly lurid products are "Designed in California", however a close inspection reveals that just like Linux, they are made in the Republic of China. Christians and Patriots should rather invest in an IBM ThinkPad, which is both designed and made in the USA.

Customers should also consider the moral aspects of buying an Apple computer. One reason for the queerness of Apple's products is that the company's board of directors includes Albert Gore - yes, the same Al Gore whose doom and gloom environmental cassandra-complex is intended to distract America from its real foes (the Islamofascists and Homosexuals). Apple has historically been a major backer of the Democratic party, and both Bill and Hillary Clinton, not to mention Osama Bin Laden are avid Apple Mac users.

The simple and sad fact is that if you buy a Mac or an iPod you are funding immorality. You are helping to finance the secularists who are ruining America.

OMG! OMG! OMG! Win7 beta delayed! OMFG! (0)

Anonymous Coward | more than 5 years ago | (#26394599)

Say it ain't Dimi, say it ain't so

The power of Christ compels you to respond! Comely lasses only!

Re:This is why I love macs (1)

PincusJr (1310977) | more than 5 years ago | (#26398893)

This is probably the funniest first post I've read. It's "original". Great work :D

any relation to the Ubuntu update? (2)

LingNoi (1066278) | more than 5 years ago | (#26394271)

Is this somehow related to the bind DNS updates for ubuntu desktop that got pushed yesterday?

Re:any relation to the Ubuntu update? (2, Informative)

WarJolt (990309) | more than 5 years ago | (#26394359)

Your home ubuntu machine or windows machine won't be effected directly by this.

Re:any relation to the Ubuntu update? (0)

Anonymous Coward | more than 5 years ago | (#26394537)

However, they may be, er, affected.

Re:any relation to the Ubuntu update? (1)

Sir_Lewk (967686) | more than 5 years ago | (#26394759)

Even if we are running a DNS server on one of them?

Only if you're using BIND and DNSSEC (2, Informative)

billstewart (78916) | more than 5 years ago | (#26395061)

Otherwise not a problem.

Re:Only if you're using BIND and DNSSEC (0, Offtopic)

hairyfeet (841228) | more than 5 years ago | (#26395935)

Slightly OT, but since it is a DNS question and I have NO freaking clue where else to ask this, here goes. Does anyone know of a good easy to set up and use DNS server for Win2K Pro? I have been using Treewalk [ntcanuck.com] , which is nice, easy to maintain and low resource, but with it not having been updated since '05 and all these DNS hacks coming out I think it might be time to switch. Any ideas on what would make a good, preferably low resource replacement?

Re:Only if you're using BIND and DNSSEC (0)

Anonymous Coward | more than 5 years ago | (#26396415)

maradns

Re:Only if you're using BIND and DNSSEC (1)

hairyfeet (841228) | more than 5 years ago | (#26396613)

Sorry, but while I appreciate the attempt, the program you gave doesn't work. It only supports XP Pro and crashes instantly in Win2K Pro. So does anybody else know of an easy to use DNS server for 2K Pro? Or am I just going to have to stick with Treewalk and hope I don't get hacked?

Re:Only if you're using BIND and DNSSEC (1)

MrCrassic (994046) | more than 5 years ago | (#26397537)

This might not be of help, but while I don't know of any DNS servers for Win2K Pro/WinXP/WinVista, I'm pretty sure that their Server line comes with DNS services already available. After doing a Google search, this [dns.net] came up.

Good luck!

Re:Only if you're using BIND and DNSSEC (1)

hairyfeet (841228) | more than 5 years ago | (#26398185)

Only works on Win2K and 2K3 server. The only one that does support non server OSes costs more for a license than my PC cost. And with the economy in the crapper I don't have the $$$ for a server and a license. There has to be a DNS server out there that works for Win2K Pro. I mean surely, as much software as there is out there, there just has to be! I guess I'll just have to keep running Treewalk and hope I don't get boned running a BIND-LE from 2005. Thanks anyway.

Re:Only if you're using BIND and DNSSEC (1)

slash.duncan (1103465) | more than 5 years ago | (#26396941)

I no longer do proprietaryware, so this isn't from personal experience. Point one is second hand and point two is based on the docs. Be kind to me mods, I did turn the karma bonus off and I am being transparent on the authority level.

1) Doesn't "Pro" at least come with a DNS server of some sort? I was under the impression... or maybe you don't trust it (you won't get any argument from me there, altho 2K was still respectable as it didn't yet have the eXPrivacy thing that was what ultimately gave me the final push I needed to jump to freedomware... thanks, MS!).

2) Good old BIND is available on MS platforms as well as *ix. It appears that the pre-built binary supports from XP/2003, but at least according to the documentation shipped with the sources, building for 2K is still supported. "Easy to use and setup" is of course relative, but the instructions for building from source are there. You may of course have to get gcc or the like if you don't have a decent compiler installed. (Some folks consider an OS that doesn't even ship a compiler as an install /option/ little more than a toy. YMMV.) FWIW, I'm running BIND here on Gentoo, of course compiled from source, self-configured after teaching myself how based on the documentation, so it's not /that/ hard. However, as I said, "easy" is relative and for platforms that don't come with more or less automated compile-from-source as a feature it'll certainly be somewhat more difficult. But it appears certainly doable and a quick google demonstrates there's additional resources out there for those on MS platforms (including 2K, which I included in my search terms) as well.

YMMV, and it's certainly understood if this doesn't meet your definition of "easy", but it appears to be both doable and supported so it's an option that's out there, at least. Even if you don't choose such options, it's nice to know they exist, just in case.

Re:Only if you're using BIND and DNSSEC (1)

hairyfeet (841228) | more than 5 years ago | (#26400429)

Win2K Pro doesn't come with any DNS, and trying to compile using GCC on Win2K Pro is about as fun as getting hit in the nuts repeatedly with a ball peen hammer. Linux and Windows just don't play nice with each other, at least not for me. And all my gear doesn't work in Linux. The board has funky proprietary chips, the all in one printer won't even print, and the router won't talk to anything but IE for configuration. So switching to Linux is pretty much out. I need something I can fire up and walk away from.

I guess I'm just trapped running an easily hacked version of BIND-LE, which is what Treewalk is with some GUI tools. Because I've spent the past couple of days researching and have come up with squat. I just can't believe with as many Win2K Pro machines as there are that there isn't a single program to do what I need. So I appreciate the effort, but I've tried running GCC on Win2K Pro and all I got out at the end was a monster headache. Thanks anyway.

Re:Only if you're using BIND and DNSSEC (1)

slash.duncan (1103465) | more than 5 years ago | (#26402953)

> And all my gear doesn't work in Linux.

Been there. =:^(

Luckily, about time W98 (which I was in line for at midnight, after running the IE4 betas and installing IE4 with desktop enhancements on W95) came out, I started playing around with Linux, and soon began to require that any hardware I bought was Linux compatible, so by the time MS gave me that final shove when they decided eXPrivacy was going to require authentication, I had been buying all Linux compatible hardware for a couple years and was fine to switch. A shame for MS as I had spent some thousands on them over the years, but my gain, and now I'm glad MS did give me that final shove as after a decade on the platform I'm honestly not sure I'd have ever fully jumped if they didn't. But I wasn't going to authenticate, which left me the choice of turning to the dark side, or, fortunately for me, the bright side, no more middle-ground for me, and since then, with the exception of the nVidia drivers for my installed at the time video card (I didn't grok the difference between proprietary and freedomware Linux drivers before the switch, when I was buying all Linux compatible), which I upgraded to a freedomware compatible Radeon at the first opportunity, and one old DOS game I still play in DOSBOX, everything I run has been freedomware.

Re:Only if you're using BIND and DNSSEC (1)

hairyfeet (841228) | more than 5 years ago | (#26404385)

Sigh.....that must really be nice to be able to do that. In the past 5 years I have spent exactly $0.00 for my PC gear. With a paraplegic sister and a half blind mom who had to quit working to take care of sis I just don't have it. Every dime that I make at the shop ends up going to them or my boys. So I have adapted and became a "scrap rat" to keep myself in gear.

A customer will come in and say "I hate this thing, it is too slow! Can you get my stuff off and get me a faster one?" or "This thing is broken! I need a new one" and I offer them a discount on my labor if they let me have the old gear for parts. I am currently looking at a 1.5GHz Athlon sitting across from me that I have to take to my engineering buddy down the hall to change out a bad cap on, which he is doing that and fixing a couple of broken wires on an external USB HDD in return for me doing a repair reinstall on his XP Pro work machine. That doesn't count the 2.6GHz Compaq I haven't had time to fool with or the 3.06GHz Celeron chip that I need a motherboard for.

So while I would love the freedom of building my entire network to my specs, it will simply never be. And this old 1.1GHz HP Pavilion I am typing this on has been running non stop(only turned off long enough to move) for 24/7/365 for the 9 years it has been since a customer brought it into my former repair job cursing WinME. It may be proprietary as hell, but this thing just keeps on going year after year, and with a stripped down Win2K Pro(which I got from my boss in return for putting in a little overtime) it makes a great Netbox. No noise, no heat to speak of, and very snappy. So while I keep saying with my next build that I'll finally put her down, I have yet to find anything as reliable, so there she sits. But good luck on your Linux journey. It must be nice to design everything just the way you want it....sigh.

Re:Only if you're using BIND and DNSSEC (1)

slash.duncan (1103465) | more than 5 years ago | (#26405697)

Well... if you look at my posting history, you'll note that I learned the hard way to actively prioritize things in my life, and then actively go after what I have prioritized.

In a way, you're lucky, in that you have family you value highly enough to make that sacrifice for. You mention both upstream and downstream family. I don't have any downstream family. I do have upstream, but while I love 'em, let's just say we get along better if there's a bit of distance between us. So I have no family to spend money on. I also don't have a car (I razor-scoot to work and the grocery and there's the bus), and as many geeks, I'm just as content spending a nite at home on the computer as out partying or whatever, so "having a life" isn't a priority either.

Really, the computer's pretty much my priority, and what I spend most of my money on. So yeah, I have a decent one (plus a netbook I got last year) tho I've sacrificed a bunch of other stuff to have it.

But you tell me. You obviously prioritize your family. I prioritize my computer. Would you honestly like to switch places, and not have that family to prioritize? Perhaps you would, but I'd guess there's a reason your sister and mom aren't wards of the state or whatever and you have them to look after instead of a decent computer. I can't honestly say I'd switch places with you either, but if I were close enough to my family to prioritize them as you obviously do yours, I expect I'd be singing a different tune. I'm reasonably happy with where I am in life, but I do realize some of the things I've given up to get there, and a decently close family either upstream or down is one of them. You have that. I don't. Realize what that's worth to you and treasure it. =:^) (Or conversely, grow a heart of stone, dump 'em on the state or let 'em fend for themselves, and go for what you DO want... but I have a feeling you already have it. =:^)

Meanwhile, now I really DO wish I had a decent DNS option for you. But somehow, I think you'll get by. You seem to appreciate what's REALLY important in your life, and somehow, those that do, do get by, and are happier despite trying circumstances than those that don't.

Re:Only if you're using BIND and DNSSEC (1)

Derek Pomery (2028) | more than 5 years ago | (#26407803)

My computer is 8 years old AMD 1.4ghz - and yes, when I bought it, I checked the compatibility.
It would be interesting if you posted the actual hardware you are having issues with.
The problems may have been resolved.
An out of the box linux has far better HW compatibility these days than Windows.
The windows advantage is the manufacturers actually make sure the equipment has the drivers when they sell it to you.
If you build on your own, which, if you are as poor as you say, you should, you can trivially ensure compatibility and save money as well.

Re:Only if you're using BIND and DNSSEC (1)

hairyfeet (841228) | more than 5 years ago | (#26411483)

I guess you didn't really read my post. I don't actually BUY hardly anything. I swap the machine off of a customer and then scavenge the pieces I need. So there isn't any "shopping for compatibility" there. As for the gear, well besides the Windows programs I use for work, there is an HP Pavilion with a funky as hell audio chipset (not realtek, that would be easy. Maybe an old Ali? I've not busted it open in awhile) along with a Trendnet router that only works with IE for configuration and a Lexmark x1270 all in one (good luck getting THAT to work).

While I have used Linux on an old laptop in the past with the way my setup is now I would have to build a machine JUST for Linux, and I just don't have the cash or the room for it. So while I'm glad that Linux works for you, for me it is a non starter. Nobody will pay me here for Learning or fixing Linux, all I need is a DNS app so it would be nuts to toss everything just for a single program, not to mention having to find dozens of new apps and learning to configure them to do what I need, and finally it would be crazy to toss a perfectly running machine just to run a new OS that won't run the programs I use anyway. And I can't afford to build a server just so I can run a Linux DNS, which is the only thing I'm lacking ATM. So I guess I'll be sticking with Treewalk and hoping I don't get hacked. Because I just don't have the time nor the money to start over just for a DNS server.

Re:Only if you're using BIND and DNSSEC (0)

Anonymous Coward | more than 5 years ago | (#26403137)

When you came in here, did you see a sign saying "DNS"?

QEMU + more modern OS (1)

DrSkwid (118965) | more than 5 years ago | (#26406161)

qemu.exe -hda debian.qcow -redir udp:53::53 -snapshot -vnc 3

then you can run whatever DNS server you like (not necessarily Linux - Plan 9's DNS server doesn't suffer the sequence number guessing problem). Use snapshot once it's set up so that you can just switch off without worrying about syncing its fs, (or use the console to apply fs changes while in snapshot mode). Or use samba to attach to the Host FS and use that, or use AOE (though I've only tried that the other way round with Linux as the host).

Ironically *we* use this setup to run our Windows 2000 server for the Win32 software we have to use (Movie Magic & Final Draft). The laptops start QEMU up on boot. My EeePC runs Qemu at usable speeds, even without the kernel module kqemu.ko.

Booting Windows locked down is a real boon. I don't have to worry about LAN based malware attacks etc. or failed updates / installs.

Hope this helps :)

Re:any relation to the Ubuntu update? (-1, Flamebait)

Anonymous Coward | more than 5 years ago | (#26394727)

> Is this somehow related to the bind DNS updates for ubuntu desktop that got pushed yesterday?

Really?

Really?

You do not know how to read an errata or changelog? This is one of the reasons as to why the whole Linux as a Desktop push is so dumb in regards to dumbed down distros such as Ubuntu. The windows users are simply using a different OS with the same mindset. Oh, look! There is a button that says to update so I'll do it!... WRONG! Read the update and figure out if it AFFECTS your specific configuration. Oh, you have ISC Bind installed but not running as a caching or authoritative nameserver? REMOVE IT.

This post was brought to you by an elitist openbsd administrator along with the numbers 4 and 2.

Re:any relation to the Ubuntu update? (1)

Aladrin (926209) | more than 5 years ago | (#26395051)

I'm happy not knowing exactly how my car runs and most users are happy not knowing exactly how their operating system runs.

Unless you know everything about absolutely everything in your life, you have no room to talk about people not knowing how their computers work.

Re:any relation to the Ubuntu update? (2, Insightful)

peektwice (726616) | more than 5 years ago | (#26395183)

You are aware that this is /. right?
Many, if not most people here take apart stuff and find out how it works for fun. Why, just this weekend, I'll replace a radiator in my wife's van for a fourth of what the repair shop would charge, then later I might compile a new kernel or something. When I'm done, I'm probably gonna treat that old lawn mower to a new magneto, and then later, restart work on my control program for my radio scanner.

Re:any relation to the Ubuntu update? (1)

DrSkwid (118965) | more than 5 years ago | (#26406331)

You don't know how a car works? And are happy about it! Perhaps you should stick to MacRumours not /.

Re:any relation to the Ubuntu update? (1)

LingNoi (1066278) | more than 5 years ago | (#26395721)

Well most of the time when there are updates the changelog doesn't actually display any text and reads "unable to download changelog". Also, it was just a fucking question!

> This post was brought to you by an elitist openbsd administrator

Figures, BSD trolls strike again..

Re:any relation to the Ubuntu update? (1)

CarpetShark (865376) | more than 5 years ago | (#26396223)

Wrong. Updates in distro releases are usually security updates, which should be applied by everyone.

Re:any relation to the Ubuntu update? (1)

ion.simon.c (1183967) | more than 5 years ago | (#26396427)

I guess that OpenBSD doesn't have a decent package manager... Most package managers can figure out what packages are installed on a user's system, then only notify the user about updates to those installed packages. But, I suppose that *everything* is harder over in OpenBSD land.

Re:any relation to the Ubuntu update? (1)

DrSkwid (118965) | more than 5 years ago | (#26406313)

Nope, the guy tries to *sound* elitist but isn't. OpenBSD uses Ports which was a package manager long before Ubuntu was on the scene.

I'm an elitist OpenBSD administrator too. I try to give us a bad name but usually with elitism not idiocy.

Re:any relation to the Ubuntu update? (1)

ion.simon.c (1183967) | more than 5 years ago | (#26408793)

*grins* I was baiting the guy. I know about Ports. Gentoo's Portage was designed in its image. :D

i just got off the toilet (-1, Flamebait)

Anonymous Coward | more than 5 years ago | (#26394301)

i shit out an obama.

Re:i just got off the toilet (-1, Offtopic)

Anonymous Coward | more than 5 years ago | (#26394375)

I don't know what the big deal is with Barack Obama. I mean everyone is praising the man and he gets man of the year for what? The man has not even started his Presidential term yet and we are all kissing his ass like he accomplished Middle East Peace and solved world wide poverty in 3 days. If anything I think Mr Obama winning should be attributed to the energy and drive of the American people. The voters are the ones who should get praised for electing the first African American President in the history of the nation.

Too often these days we seem to attribute grandeur and greatness to our elected officials even though we should be looking inwards towards ourselves. Without the will of the people, do you honestly believe any of the policies towards social equality or change would have happened throughout the history of the nation? Politicians move when the people light a fire under their asses and at no other time. Mr. President Elect Obama is no different and now that he will be taking his new role we need to keep the pressure on for him to carry out the positives he has stated he would accomplish. What we should not be doing is putting portraits of him up all over the place, and talking about the man like he is the second coming. Obama is not the King of the United States, he is our representative and he thus represents something greater than himself. We need to stop focusing on the person and focus more on what he will do and how he will represent the 300 million people in this country.

Democratic supporters have been very notorious in doing this (Although Religious Republicans of the last 8 years are equally guilty) since their political ideals seem to shift more towards a centralist Government in Washington. A lot of these guys who voted for Obama seem to want to go towards a point where the Federal Government has complete control over the average citizen. Since when did we surrender the power of self determination and submit ourselves to a bunch of rich guys in Washington? You cannot blame the Federal Government, we elected these guys in and you will get what you vote for. I think it is high time we forego these cheap bailouts of OUR tax dollars and these quick fix rebate checks. This is only free money to those who don't pay taxes and will further hurt us down the line.

Hey, Libertarians! (-1, Offtopic)

Anonymous Coward | more than 5 years ago | (#26394429)

Guess what, you insufferable nincompoops? Our government is itself the product of a market system. Cities like New York, London, and San Francisco are successful precisely *because* of their enormous governments--they compete for capital, talent, and prestige against cities with small, ineffectual governments that are unable to effectively lure and corral said capital, talent, and prestige. And as goes the city, so go city-states and nations: Somalia, being a libertarian paradise, is a rather unpleasant place to live for non-ideologues. Somalians, those who can, vote with their feet and leave.

Now go suckle Ayn Rand's rotten tits some more and leave the rest of us alone, you stupid fucking Paultards.

Re:i just got off the toilet (-1)

Anonymous Coward | more than 5 years ago | (#26395011)

Democrats have to be some of the most racist people of all. I don't mean Robert Byrd type racism (the former KKK grand dragon and "dean of the senate"), I mean a softer, more sinister type of racism. For example, just two weeks ago, Democrat senators insisted they wouldn't seat an appointment from then indicted (now impeached) Governor Blogojackoff. Then he appoints a black man and they fold like superman on laundry day.

And look at the rationale. Because Barack Obama was black, his replacement must be black. Isn't that racism? If the Senate needs black people, wasn't it racist for Delaware to appoint a white senator? Won't it be racist for New York to appoint a white senator? (Possibly one who makes Sarah Palin look like Einstein!)

Re:i just got off the toilet (0)

Anonymous Coward | more than 5 years ago | (#26395979)

> Won't it be racist for New York to appoint a white senator? (Possibly one who makes Sarah Palin look like Einstein!)

Do you mean the one who has a J.D. from Columbia Law School, graduating in the top 10% of her class, who is also an accomplished author on constitutional law?

subject (4, Funny)

cstdenis (1118589) | more than 5 years ago | (#26394395)

This is bad for all those who use DNSSEC. Both of them must be annoyed at the need to their software.

Re:subject (0)

Anonymous Coward | more than 5 years ago | (#26394491)

I'm sorry, but I think your is missing a word.

Re:subject (1, Funny)

Anonymous Coward | more than 5 years ago | (#26394675)

I think he just accidentally the whole DNSSEC.

Re:subject (1)

AceofSpades19 (1107875) | more than 5 years ago | (#26395393)

You mean there is another user?

One Apple Flaw hasn't been fixed (-1, Flamebait)

Anonymous Coward | more than 5 years ago | (#26394415)

The Steve Jobs AIDS bug..

Are we actually supposed to trust these people? (3, Interesting)

mrsbrisby (60242) | more than 5 years ago | (#26394451)

I don't have anything to add to my subject.

A: Because it breaks the flow of a message (1)

DNS-and-BIND (461968) | more than 5 years ago | (#26397367)

Q: Why is starting a comment in the Subject: line annoying?

Re:A: Because it breaks the flow of a message (1)

b4dc0d3r (1268512) | more than 5 years ago | (#26404997)

DNS-and-BIND (461968) wrote:

> Q: Why is starting a comment in the Subject: line annoying?

Did someone already hack you before you got this patch installed?

Yeah, um... (5, Informative)

Ethanol (176321) | more than 5 years ago | (#26394691)

That's not a "DNS flaw".

It's an OpenSSL bug that turned out to affect BIND.

Re:Yeah, um... (2, Funny)

Anonymous Coward | more than 5 years ago | (#26395121)

Since the Windows resolver can connect to BIND, and Microsoft didn't release a patch, a well-written Slashdot summary should have read

Microsoft refuses to fix critical Windows 7 security vulnerability.

Re:Yeah, um... (4, Informative)

Florian Weimer (88405) | more than 5 years ago | (#26396673)

> It's an OpenSSL bug that turned out to affect BIND.

No, it's a misuse of an OpenSSL API from within BIND, so the error is on BIND's side. It's of extremely low impact, though.

Re:Yeah, um... (2)

slash.duncan (1103465) | more than 5 years ago | (#26396965)

Exactly. I was just on the ISC site checking out something else (someone was asking about DNS for MS W2K and I was checking on that), and they said return codes for OpenSSL function calls weren't being checked in a few places so a verify failure may not have been properly caught. The released patch and downstream updates fix that.

Frist Psot (-1, Offtopic)

Anonymous Coward | more than 5 years ago | (#26394845)

partner. And if recent article put of HIV and other Are tied up in ME! It's official bought the farm... you can. No, are inherently progrees. Any

mod parent down (0)

Anonymous Coward | more than 5 years ago | (#26395329)

this is an obvious troll with no information.
whoever modded this informative needs to be metamodded into oblivion

stop calling these DNS problems (0, Informative)

Anonymous Coward | more than 5 years ago | (#26394867)

these are BIND problems, and slashdot should call them that

D. J. Bernstein (0)

Anonymous Coward | more than 5 years ago | (#26394911)

Not that djbdns is absolutely bulletproof but Dan Bernstein spoke about this for dnssec awhile back:
http://cr.yp.to/djbdns/forgery.html [cr.yp.to]

time to dump BIND (2, Informative)

hansoloaf (668609) | more than 5 years ago | (#26394939)

and go with djbdns

Re:time to dump BIND (1)

abigor (540274) | more than 5 years ago | (#26394987)

Make that PowerDNS, and I agree. BIND is a flaming sack of dog shit, and the conflation of DNS with BIND in many people's minds drives me nuts.

Re:time to dump BIND (0)

Anonymous Coward | more than 5 years ago | (#26395283)

... I did that in 2001 and never looked back. Kaminsky, who? Oh, the guy that publicized what Daniel Bernstein already brought up a decade ago.

Re:time to dump BIND (2, Interesting)

morgan_greywolf (835522) | more than 5 years ago | (#26395307)

Personally, I use ldapdns [nimh.org], which used to be based on the djbdns code and continues to adopt some ideas from djbdns. The nice thing about ldapdns, though, is that the database store is entirely in LDAP. You change it in LDAP and the changes in the DNS server are instantaneous.

I would consider PowerDNS as well, but ldapdns is also very small, fast and lightweight and it scales well. I don't get the feeling that PowerDNS is so lightweight.

Re:time to dump BIND (2, Informative)

abigor (540274) | more than 5 years ago | (#26395409)

PowerDNS is actually quite light. They had the good sense to split it into a caching nameserver and a recursing resolver, making two lightweight daemons, rather than a single "does everything" process.

It's also nice because it can suck in BIND zone files if you're stuck with them and don't want to migrate. Good commercial support is also available. The code itself is GPL.

Re:time to dump BIND (1)

Morty (32057) | more than 5 years ago | (#26404837)

It doesn't make sense to drop BIND in favor of djbdns just because of this. djbdns doesn't even try to do DNSSEC. The bug in BIND is not a direct attack on the DNS server, it just means that DNSSEC validation doesn't always work right. By switching from BIND to djbdns, you are completely breaking DNSSEC validation. In different terms, the worst consequence of this bug was that it sometimes made BIND act like djbdns.

DNS Flaw? (5, Insightful)

HairyCanary (688865) | more than 5 years ago | (#26395175)

"DNS Flaw"? Can we shoot for a bit more accuracy here on Slashdot, since we're all technical enough to understand the details? It's a flaw that affects BIND. And BIND != DNS. I shouldn't have to point that out...

Re:DNS Flaw? (0)

Anonymous Coward | more than 5 years ago | (#26399623)

Sure it does, just like Internet Explorer = Internet.

Re:DNS Flaw? (0)

Anonymous Coward | more than 5 years ago | (#26405043)

I just assume anyone familiar with BIND is either a top or a bottom.

My money is on an OpenSSL issue (0)

Anonymous Coward | more than 5 years ago | (#26396153)

If I were to guess I would think the issue has to do with OpenSSL and routine EVP_VerifyFinal(), per http://www.openssl.org/news/secadv_20090107.txt
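The return-code mistake that slash.duncan's comment describes and that this comment ties to EVP_VerifyFinal(), as an added example (not part of the thread, and not BIND or OpenSSL code). It assumes the documented three-way result of EVP_VerifyFinal() (1 valid, 0 invalid, -1 error), which the thread does not spell out; `toy_verify_final`, its signature format and the sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Toy stand-in for a tri-state verify call (constructed; not OpenSSL code).
 * Returns 1 = signature valid, 0 = signature invalid,
 * -1 = error before any verdict (here: malformed encoding).
 * Constructed format: tag 0x30, one length byte, then the body. */
static int toy_verify_final(const unsigned char *sig, size_t siglen,
                            const unsigned char *want, size_t wantlen)
{
    if (siglen < 2 || sig[0] != 0x30 || (size_t)sig[1] != siglen - 2)
        return -1;
    if (siglen - 2 != wantlen)
        return 0;
    return memcmp(sig + 2, want, wantlen) == 0 ? 1 : 0;
}

/* Flawed caller: tests the result as a boolean, so -1 passes as "valid". */
int accept_flawed(const unsigned char *sig, size_t siglen,
                  const unsigned char *want, size_t wantlen)
{
    if (!toy_verify_final(sig, siglen, want, wantlen))
        return 0;               /* only rc == 0 is rejected */
    return 1;
}

/* Strict caller: only an explicit 1 counts as verified. */
int accept_strict(const unsigned char *sig, size_t siglen,
                  const unsigned char *want, size_t wantlen)
{
    return toy_verify_final(sig, siglen, want, wantlen) == 1;
}

/* Constructed sample inputs. */
static const unsigned char WANT[]          = {0xde, 0xad, 0xbe, 0xef};
static const unsigned char SIG_GOOD[]      = {0x30, 0x04, 0xde, 0xad, 0xbe, 0xef};
static const unsigned char SIG_WRONG[]     = {0x30, 0x04, 0xde, 0xad, 0xbe, 0x00};
static const unsigned char SIG_MALFORMED[] = {0x31, 0x04, 0x00, 0x00, 0x00, 0x00};

int main(void)
{
    const unsigned char *sigs[] = {SIG_GOOD, SIG_WRONG, SIG_MALFORMED};
    for (int i = 0; i < 3; i++)
        printf("sample %d: flawed=%d strict=%d\n", i,
               accept_flawed(sigs[i], 6, WANT, sizeof WANT),
               accept_strict(sigs[i], 6, WANT, sizeof WANT));
    return 0;
}
```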

Why the sarcasm? (1)

MoeDrippins (769977) | more than 5 years ago | (#26397371)

> Remember the big DNS flaw that Dan Kaminsky 'discovered' last year?

Why emphasize "discovered" in sarcastic quote marks? Did he NOT discover it? Was it someone else?

Re:Why the sarcasm? (0)

Anonymous Coward | more than 5 years ago | (#26397897)

Because Dan Bernstein predicted it. See also: djbdns.

djbdns (0)

Anonymous Coward | more than 5 years ago | (#26400955)

D. J. Bernstein will probably use this as additional ammo against the Buggy Internet Name Daemon, and he'd tell you to use his DNS software instead. See http://cr.yp.to/djbdns.html
