On Mon, Sep 8, 2008 at 6:30 PM, Evan Hunt wrote:
> > In what way would it be unsafe to run a non-Kaminsky-patched
> > *authoritative-only* nameserver? My understanding is that Kaminsky only
> > applies to resolvers.

> Well, for one thing, upgrading to a patched server protects against the
> "idiot successor" problem, where someone takes over your job someday
> and naively reconfigures your server to be unsafe.
> The theoretical, academic answer to your question is: a Kaminksy-style
> attack is much less likely to succeed against an authoritative-only server
> than against a resolver. I'm not prepared, though, to say it's impossible
> (auth-only servers do send notifies and maintain a small cache).
> The ISC answer to your question is: those releases are unsafe, and we don't
> recommend using them for any purpose.
> Please just either upgrade to a Windows release that came out within the
> last five years, or to some flavor of UNIX or Linux, and run the latest
> patches.
> --
> Evan Hunt -- evan_hunt@isc.org
> Internet Systems Consortium, Inc.

And the other solution for those who insist on Windows 2000 is to run BIND
under FreeBSD as a VM under VMWare or something.