BIND 9.5.0-P1 is now available.

BIND 9.5.0-P1 is a SECURITY release of BIND 9.5.

URGENT URGENT URGENT URGENT URGENT URGENT URGENT URGENT URGENT URGENT URGENT URGENT URGENT URGENT
THIS ANNOUNCEMENT REFERS TO AN ISSUE THAT MAY AFFECT THE INTEGRITY OF YOUR RECURSIVE DNS SERVICE
URGENT URGENT URGENT URGENT URGENT URGENT URGENT URGENT URGENT URGENT URGENT URGENT URGENT URGENT

Thanks to recent work by Dan Kaminsky of IOActive, ISC has become aware of a potential attack exploiting weaknesses in the DNS protocol itself to enable the poisoning of caching recursive resolvers with spoofed data. For additional information about this vulnerability, see US-CERT (CERT VU#800113 DNS Cache Poisoning Issue). For more details on the changes to BIND, see http://www.isc.org/sw/bind/forgery-resilience.php.

IF YOU ARE RUNNING BIND AS A CACHING RESOLVER YOU NEED TO TAKE ACTION.

DNSSEC is the only definitive solution for this issue. Understanding that immediate DNSSEC deployment is not a realistic expectation, ISC is releasing patched versions of BIND that improve its resilience against this attack.

The method used makes it harder to spoof answers to a resolver by expanding the range of UDP source ports from which the nameserver sends its queries, thereby increasing the variability of the parameters an attacker must guess in order to forge a response. Before this release, named sent all of its outgoing queries from a single UDP port chosen at startup, so a forged reply only had to match the 16-bit transaction ID; with fully randomized source ports the attacker must also match the port of each individual query.

Two caveats apply. If named.conf sets a fixed port with the query-source (or query-source-v6) "port" option, that fixed port overrides the randomization and the protection of this release is lost; remove the fixed port so that named chooses a random port for each query. Likewise, a NAT device between the resolver and the Internet may rewrite outgoing source ports into a small or sequential range and undo the randomization; verify the ports as they appear on the outside of any NAT, not only on the resolver itself.

The code implementing the improved defenses against spoofing attacks is the only change between this release and the underlying version (9.5.0).

The patch will have a noticeable impact on the performance of BIND caching resolvers with query rates at or above 10,000 queries per second. If performance at this level is critical for you, please refer to the new beta releases of BIND (9.5.1b1 or 9.4.3b2; see separate announcements).

YOU ARE ADVISED TO INSTALL EITHER THIS SECURITY PATCH OR ONE OF THE BETA RELEASES (9.5.1b1 or 9.4.3b2), IMMEDIATELY.
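The following is an added example, not part of ISC's announcement or of the BIND sources, showing the check a resolver operator would run after installing the patch: capture the resolver's outgoing queries (for example with tcpdump on the resolver's external interface, or outside any NAT) and measure how much the UDP source port actually varies. The capture lines, the resolver address 192.0.2.10, the upstream address 198.51.100.5 and the tcpdump invocation in the comments are all constructed for this example; the 0.8 entropy threshold is a heuristic chosen here, not an ISC figure.

```python
"""Check whether a caching resolver sends its queries from randomized UDP
source ports, using tcpdump-style capture lines.

Added example; not ISC code.  The sample lines below are constructed to
resemble the output of a command such as
    tcpdump -n -i eth0 udp dst port 53 and src host 192.0.2.10
where 192.0.2.10 is the resolver under test (address and interface are
assumptions made for the example).
"""
import math
import re
from collections import Counter

# Client half of a tcpdump line for a UDP query: "IP A.B.C.D.<sport> > W.X.Y.Z.53:"
QUERY_RE = re.compile(
    r"\bIP (\d{1,3}(?:\.\d{1,3}){3})\.(\d{1,5}) > (\d{1,3}(?:\.\d{1,3}){3})\.53:"
)


def parse_source_ports(lines):
    """Return the UDP source port of every outgoing query (destination port 53).
    Lines that do not match (replies, TCP, unrelated traffic) are skipped."""
    ports = []
    for line in lines:
        m = QUERY_RE.search(line)
        if m:
            ports.append(int(m.group(2)))
    return ports


def shannon_bits(values):
    """Shannon entropy, in bits, of the empirical distribution of `values`."""
    n = len(values)
    if n == 0:
        return 0.0
    return 0.0 - sum(c / n * math.log2(c / n) for c in Counter(values).values())


def assess(lines, min_fraction=0.8):
    """Summarize source-port randomization for one capture.

    `guess_space` is the number of (transaction ID, source port) pairs a
    forger must cover: 2^16 IDs times the number of distinct ports observed.
    A pre-patch resolver reusing one port leaves only the 16-bit ID.
    `min_fraction` is the share of the maximum entropy possible for this
    sample size below which the resolver is flagged (heuristic, example-only).
    """
    ports = parse_source_ports(lines)
    n = len(ports)
    distinct = len(set(ports))
    bits = shannon_bits(ports)
    result = {
        "queries": n,
        "distinct_ports": distinct,
        "port_entropy_bits": round(bits, 2),
        "guess_space": 65536 * max(distinct, 1),
    }
    if n < 2:
        result["verdict"] = "insufficient sample"
        return result
    # With n samples the observed entropy cannot exceed log2(n), and a
    # 16-bit port field cannot exceed 16 bits.
    max_bits = min(16.0, math.log2(n))
    result["verdict"] = (
        "randomized" if bits >= min_fraction * max_bits else "FIXED/LOW-ENTROPY"
    )
    return result


def _query_line(sport, qid, qname):
    """Build one constructed tcpdump-style query line for the sample data."""
    return f"12:00:00.000000 IP 192.0.2.10.{sport} > 198.51.100.5.53: {qid}+ A? {qname}. (30)"


# Constructed sample 1: an unpatched resolver; every query leaves from port 32772.
FIXED_PORT_SAMPLE = [_query_line(32772, 1000 + i, f"host{i}.example.com") for i in range(8)]
# A reply line mixed into the capture; the parser must ignore it.
FIXED_PORT_SAMPLE.append(
    "12:00:00.000500 IP 198.51.100.5.53 > 192.0.2.10.32772: 1000 1/0/0 A 203.0.113.7 (46)"
)

# Constructed sample 2: a patched resolver; a fresh port for each query.
RANDOM_PORTS = [51127, 1037, 60213, 24890, 7772, 39041, 17365, 57308]
RANDOM_PORT_SAMPLE = [
    _query_line(p, 2000 + i, f"host{i}.example.com") for i, p in enumerate(RANDOM_PORTS)
]

if __name__ == "__main__":
    for label, sample in (("fixed port", FIXED_PORT_SAMPLE), ("randomized", RANDOM_PORT_SAMPLE)):
        print(label, assess(sample))
```

On a real capture the sample should be large (hundreds of queries at least) so that the entropy estimate is not limited by log2(n); a resolver whose ports all fall in a short or ascending range after a NAT will show low entropy even though named itself is patched.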
BIND 9.5.0-P1 can be downloaded from

    ftp://ftp.isc.org/isc/bind9/9.5.0-P1/bind-9.5.0-P1.tar.gz

The PGP signature of the distribution is at

    ftp://ftp.isc.org/isc/bind9/9.5.0-P1/bind-9.5.0-P1.tar.gz.asc
    ftp://ftp.isc.org/isc/bind9/9.5.0-P1/bind-9.5.0-P1.tar.gz.sha256.asc
    ftp://ftp.isc.org/isc/bind9/9.5.0-P1/bind-9.5.0-P1.tar.gz.sha512.asc

The signature was generated with the ISC public key, which is available at .

A binary kit for Windows 2000, Windows XP and Windows 2003 is at

    ftp://ftp.isc.org/isc/bind9/9.5.0-P1/BIND9.5.0-P1.zip
    ftp://ftp.isc.org/isc/bind9/9.5.0-P1/BIND9.5.0-P1.debug.zip

The PGP signature of the binary kit for Windows 2000, Windows XP and Windows 2003 is at

    ftp://ftp.isc.org/isc/bind9/9.5.0-P1/BIND9.5.0-P1.zip.asc
    ftp://ftp.isc.org/isc/bind9/9.5.0-P1/BIND9.5.0-P1.zip.sha256.asc
    ftp://ftp.isc.org/isc/bind9/9.5.0-P1/BIND9.5.0-P1.zip.sha512.asc
    ftp://ftp.isc.org/isc/bind9/9.5.0-P1/BIND9.5.0-P1.debug.zip.asc
    ftp://ftp.isc.org/isc/bind9/9.5.0-P1/BIND9.5.0-P1.debug.zip.sha256.asc
    ftp://ftp.isc.org/isc/bind9/9.5.0-P1/BIND9.5.0-P1.debug.zip.sha512.asc

Changes since 9.5.0:

    --- 9.5.0-P1 released ---

2375.   [security]      Fully randomize UDP query ports to improve
                        forgery resilience. [RT #17949]