topic DNSSEC for VMS? in Operating System - OpenVMS

DNSSEC for VMS?

Willem Grooters — Thu, 07 Aug 2008 05:28:46 GMT

There have been a number of publications on a flaw in the design of DNS that, when expoited, could effect all name translations on the Inernet, and I did read reports that this bug has already been exploited.
What I understood is that the BIND implementation on VMS contains this bug as well and you would be vulnerable if you have set it up as a chaching resolver.
(source: http://64.223.189.234/node/945)
I don't know how many VMS systems are set up this way and could be acessed - but I wonderer when there will be a patch for VMS? I haven't seen it yet for any of the platforms.

Re: DNSSEC for VMS?

Hoff — Thu, 07 Aug 2008 11:31:54 GMT

I'd expect very few OpenVMS systems are being used as DNS servers.

If you are (and if your DNS servers are either exposed to the Internet or if you don't trust your clients), Kaminsky's DNS exposure can be nasty; attacks can require less than 15 seconds or so, and they're active in the wild.

One of the higher-profile targets that's fallen so far was an unpatched AT&T DNS server.

Process Software has released patched DNS servers for OpenVMS.

And FWIW, DNSSEC is an upgrade from DNS; DNSSEC requirements are coming on-line, starting with the .ORG domains. If you're serving DNS for .ORG, you're going to be migrating earlier than most.

Re: DNSSEC for VMS?

Hoff — Thu, 07 Aug 2008 18:20:27 GMT

nb: ITRC is incorrectly including the parenthesis onto the end of the URL.

http://64.223.189.234/node/945

Re: DNSSEC for VMS?

Willem Grooters — Thu, 14 Aug 2008 06:57:34 GMT

Got a notification on openvms.org (http://www.openvms.org/stories.php?story=08/08/12/8896640 )
that HP responded on the issue ( http://h71000.www7.hp.com/network/new.html ).A patched version of BIND will be available in the forthcoming ECO for more recent TCPIP versions. For those that require a quick solution, a specific patch is available.