Message-ID: <488CD384.9090503@kaltenbrunner.cc>
Date: Sun, 27 Jul 2008 21:59:00 +0200
From: Stefan Kaltenbrunner
To: Andrew Sullivan
CC: pgsql-www@postgresql.org
Subject: Re: Insecure DNS servers on PG infrastructure
References: <26210.1216998123@sss.pgh.pa.us> <20080725154048.GE29775@commandprompt.com>
In-Reply-To: <20080725154048.GE29775@commandprompt.com>

Andrew Sullivan wrote:
> On Fri, Jul 25, 2008 at 11:02:03AM -0400, Tom Lane wrote:
>> I just noted that cvs.postgresql.org and svr1.postgresql.org are not
>> running the latest bind release, which means that they are vulnerable to
>> the DNS cache poisoning attack recently discovered by Dan Kaminsky.
>> Vixie and co think this is a pretty big deal, so folks might want to
>> update sooner rather than later.
>
> This is an extremely big deal. The numbers I've seen suggest windows
> somewhere around 10 minutes. If the systems above are doing
> recursion, then they need to be patched right away. (If they're
> running both authority and recursive services in the same BIND
> instance, I suggest that the practice be abandoned immediately.)

cvs.postgresql.org is not running bind at all - what it is using are two
(purely) recursive resolvers upstream. One of them is only going to get
upgraded tomorrow (some changes need to be rolled out in a staged fashion);
the other one was done a while ago - I have simply removed that one from
the resolv.conf for the time being.

Stefan
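As an added illustration of the separation recommended in the thread above (these fragments are constructed for this note and are not configuration from the PostgreSQL infrastructure), the following three named.conf excerpts contrast a single instance that is both authoritative and openly recursive with two split instances, and show the pinned query-source setting that defeats the source-port randomization introduced by the patched BIND releases. The zone name, file names and the 192.0.2.0/24 client range are assumed placeholders.

```conf
// --- file 1 (hypothetical): WEAK single instance -------------------------
// Authority and recursion in one named, recursion open to anyone, and the
// UDP source port pinned to 53: even a patched BIND cannot randomize it here.
options {
    directory "/var/named";
    recursion yes;                     // no allow-recursion: open resolver
    query-source address * port 53;    // pins source port, defeats the fix
};
zone "example.org" { type master; file "db.example.org"; };

// --- file 2 (hypothetical): HARDENED authoritative-only instance ----------
// Serves zones to the world, never recurses, so its cache cannot be poisoned.
options {
    directory "/var/named";
    recursion no;
    allow-query { any; };
};
zone "example.org" { type master; file "db.example.org"; };

// --- file 3 (hypothetical): HARDENED recursive-only instance --------------
// Separate process/host/IP: serves no zones, answers only local clients,
// and leaves the source port unpinned so the patched resolver randomizes it.
options {
    directory "/var/named";
    recursion yes;
    allow-recursion { 127.0.0.1; 192.0.2.0/24; };   // assumed local range
    allow-query     { 127.0.0.1; 192.0.2.0/24; };
    // no query-source port clause: random ports per query
};
```

A quick check after upgrading is to confirm that the running configuration carries no `query-source ... port` clause and that the resolver's outgoing queries no longer all leave from one port.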