DNS patch causes BIND blunder
The group responsible for maintaining the internet's most popular domain name software BIND has admitted it caused problems by fast-tracking a security patch designed to fix the widescale DNS flaw discovered by researcher Dan Kaminsky this month.
Paul Vixie
(Credit: ICANN)
Paul Vixie, president of non-profit Internet Systems Consortium (ISC), the organisation which maintains BIND (the Berkeley Internet Name Domain), admitted yesterday the patch for BIND version 9 was unstable and recommended users to install beta (early test) versions of the software instead.
"During the development cycle we became aware of a potential performance issue on high-traffic recursive servers, defined as those seeing a query volume of greater than 10,000/queries per second," Vixie explained via an e-mail mailing list.
The faulty patches ISC issued were for BIND 9.3, 9.4 and 9.5, and were tagged as "-P1".
ISC was currently working on a second round, labeled -P2, which apparently resolves the performance problems caused by -P1. ISC's BIND -P1 patches focused on "port allocation" to counter the threat of DNS poisoning discovered by Kaminsky.
"Given the limited time frame and associated risks, we chose to finish the patches ASAP and accelerate our work on the next point releases that would address the high-volume server performance concerns," Vixie explained.
ISC is just one of many vendors that have released patches to close bugs in various DNS servers. However, according to Securus Global security practice manager, Declan Ingram, "It's just that BIND is the most predominantly used one on really important systems."
Patching the bugs has become particularly urgent since the posting of exploit code by security researcher HD Moore, who talks about the issue in detail on ITRadio.com.au's Risky Business podcast. Moore said his group had worked on what little public information there was about the flaw, including an interview Kaminsky had done with Wired.
The researcher said his exploit technique did work, but he couldn't confirm it actually was the Kaminsky flaw because of the lack of public information.
Internet service providers would typically use BIND in Australia, said Ingram.
Despite the performance issues caused by P1, Vixie said ultimately it was "imperative" to run an updated version of BIND since the vulnerability was of greater concern than a slow server.