From: Stroller
Subject: Re: [gentoo-user] DNS Server Patches
Date: Tue, 29 Jul 2008 01:03:00 +0100
To: gentoo-user@lists.gentoo.org
Message-Id: <69306758-6ACC-4223-85E2-DA818D08D0FD@stellar.eclipse.co.uk>
In-Reply-To: <20080728080841.qn4715cnocswwo8g@mail.bensa.ar>
References: <20080727180355.7600fa0b@spore.ath.cx> <20080728080841.qn4715cnocswwo8g@mail.bensa.ar>

On 28 Jul 2008, at 12:08, Norberto Bensa wrote:

> Quoting Dan Farrell:
>
>> Dan Kiersky's own description, and web-based nameserver checker:
>>
>> http://www.doxpara.com/
>>
>> Alternate web-based nameserver checker (recommended by me!)
>>
>> https://www.dns-oarc.net/oarc/services/dnsentropy
>
> I don't get these tests. Why do they probe _my_ IP and not the IP
> of my DNS servers? What's the point of probing me if _maybe_ the
> servers are not patched?

Wild guess: the problem is with the client mode of operation. DNS servers are affected because they're clients to the root name-servers.

I think this vulnerability highlights the issue of using servers that you TRUST. It applies to other vulnerabilities, too. It doesn't matter if you revoke your SSH key and upload it to OpenForge if the OpenForge server itself is trusting an insecure SSH key, and an attacker can use it to get at your account that way.

Stroller.