From: Tom Lane
To: pgsql-www@postgreSQL.org
Subject: Insecure DNS servers on PG infrastructure
Date: Fri, 25 Jul 2008 11:02:03 -0400
Message-ID: <26210.1216998123@sss.pgh.pa.us>

I just noted that cvs.postgresql.org and svr1.postgresql.org are not running the latest bind release, which means that they are vulnerable to the DNS cache poisoning attack recently discovered by Dan Kaminsky. Vixie and co think this is a pretty big deal, so folks might want to update sooner rather than later.

http://www.kb.cert.org/vuls/id/800113

BTW, there is an excellent end-to-end test available for whether the security fix (port randomization) is actually working for you:

    dig @server-to-test porttest.dns-oarc.net in txt

This takes a few seconds (they've arranged it to force multiple queries from the tested server) and gives you back a readout of how many ports those queries arrived from and the spread in the port addresses. A good result looks about like this:

    ;; ANSWER SECTION:
    porttest.dns-oarc.net.  60  IN  CNAME  z.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.
    z.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.  60  IN  TXT  "66.207.139.134 is GOOD: 26 queries in 2.3 seconds from 26 ports with std dev 17102.06"

If it says FAIR or POOR then you have an unpatched server or there is something interfering with the port randomization. If the server is behind a NAT firewall then the latter is entirely likely.

regards, tom lane
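The porttest readout quoted above reports two things about a resolver's outbound queries: how many distinct source ports were used and the standard deviation of those port numbers. The following Python is an added example (not part of Tom Lane's mail or of the DNS-OARC service) that parses such a TXT answer and computes the same two metrics from a list of observed source ports, such as one might extract from a packet capture of a resolver's own outgoing queries. The verdict thresholds in `classify_ports` are an assumption for illustration; the real service's thresholds are not given on the page. The TXT string and the port lists are constructed sample inputs.

```python
import re
import statistics

# Constructed sample: the TXT record a patched resolver gets back (as quoted in the mail).
SAMPLE_TXT = ('"66.207.139.134 is GOOD: 26 queries in 2.3 seconds '
              'from 26 ports with std dev 17102.06"')

# Regex for the readout format shown in the mail: "<ip> is <VERDICT>: N queries in S seconds
# from P ports with std dev D".
TXT_RE = re.compile(
    r'"?(?P<ip>\d+\.\d+\.\d+\.\d+) is (?P<verdict>GOOD|FAIR|POOR): '
    r'(?P<queries>\d+) queries in (?P<seconds>[\d.]+) seconds from '
    r'(?P<ports>\d+) ports with std dev (?P<stddev>[\d.]+)"?'
)


def parse_porttest(txt):
    """Parse a porttest TXT answer into its fields; raise ValueError on anything else."""
    m = TXT_RE.search(txt)
    if m is None:
        raise ValueError("not a porttest readout: %r" % txt)
    return {
        "ip": m.group("ip"),
        "verdict": m.group("verdict"),
        "queries": int(m.group("queries")),
        "seconds": float(m.group("seconds")),
        "ports": int(m.group("ports")),
        "stddev": float(m.group("stddev")),
    }


def port_metrics(ports):
    """Return (distinct_port_count, population_std_dev) for observed UDP source ports."""
    if not ports:
        raise ValueError("no ports observed")
    return len(set(ports)), statistics.pstdev(ports)


def classify_ports(ports, min_stddev=3000.0):
    """Assumed (illustrative) verdict rules, modelled on the GOOD/FAIR/POOR readout:
    POOR  - a single fixed source port (pre-patch behaviour, trivially guessable);
    FAIR  - ports repeat or are clustered (e.g. sequential, or squashed by a NAT);
    GOOD  - every query used a different port and the spread is wide.
    """
    distinct, stddev = port_metrics(ports)
    if distinct == 1:
        return "POOR"
    if distinct < len(ports) or stddev < min_stddev:
        return "FAIR"
    return "GOOD"


# Constructed samples of 26 outbound queries each.
FIXED_PORTS = [53] * 26                      # unpatched: one well-known port
SEQUENTIAL_PORTS = list(range(1024, 1050))   # incrementing ports: distinct but predictable
RANDOM_PORTS = [51324, 2087, 60011, 34567, 18790, 45001, 9982, 63210, 27777,
                40404, 5555, 58880, 31337, 12000, 49152, 22222, 37890, 64000,
                1500, 43210, 29000, 56789, 8080, 47111, 16384, 35000]

if __name__ == "__main__":
    print(parse_porttest(SAMPLE_TXT))
    for name, sample in (("fixed", FIXED_PORTS),
                         ("sequential", SEQUENTIAL_PORTS),
                         ("random", RANDOM_PORTS)):
        distinct, stddev = port_metrics(sample)
        print("%-10s %2d ports, std dev %9.2f -> %s"
              % (name, distinct, stddev, classify_ports(sample)))
```

The sequential sample is the case worth noticing: it uses 26 different ports yet its standard deviation is only 7.5, which is why the readout reports the spread as well as the count. A NAT that rewrites source ports into a narrow or incrementing range produces the same signature, matching the mail's remark that a NAT firewall is a likely cause of a FAIR or POOR result on an otherwise patched server.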