Date: Mon, 29 Jan 2001 10:17:19 -0800 From: susanl@connectedbrands.com Subject: Upgrade to BIND Version 9.1 Software Imperative To: LWN@LWN.NET Upgrade to BIND Version 9.1 Software Imperative Prior Releases of Domain Name System Software Are Vulnerable Redwood City, California - January 29, 2001- Nominum, Inc., www.nominum.com, and Internet Software Consortium, www.isc.org, strongly recommend that all users of the BIND Domain Name System (DNS) software upgrade to version 9.1. CERT Coordination Center (CERT/CC), www.cert.org, today announced a vulnerability in older versions of the BIND software that is used in many of the Internet domain servers. This vulnerability was discovered by COVERT Labs, a part of Network Associates Inc, www.NAI.com. According to Jim Magdych, Manager of Covert Labs, "We found the vulnerability in the older version of BIND during an intensive audit. Nominum and ISC responded effectively with a patch release for the older versions, and no such vulnerability was found in their current software." Since its introduction in 1986, BIND (Berkeley Internet Name Domain) DNS software has been used as the foundation for communication on the Internet. DNS software translates the name of a computer, which is more easily read, understood and remembered by humans, into the required IP network address. Most, if not all, modern Internet based applications including web services and email, fully depend on the underlying DNS infrastructure. The BIND software package, which implements the DNS protocol suite, has long been available as Open Source software. Its wide distribution and reliability have made it the de facto standard for DNS. The requirements of DNS have changed over time as the Internet has grown. The ISC is dedicated to the principle of making reference implementations of core Internet protocols such as DNS and DHCP freely available to everyone. Knowing that continuing to patch BIND versions 4 and 8 would not meet coming requirements, the ISC selected Nominum to write BIND 9. "With the requirement of DNSSEC (security) and IPv6, I knew continuing to modify the old code base wasn't going to cut it; BIND needed to be completely re-written. BIND 9, a collaborative effort by ISC and Nominum, was the result of that decision. Their (Nominum's) staff are among the most knowledgeable DNS experts in the world." say Paul Vixie, Chairman of the Board for ISC. "BIND 9 is an entirely new code base written from scratch with security as a basic premise. Version 9 is not susceptible to the same issues found in earlier versions of the BIND DNS software, says David Conrad, CTO of Nominum. "We strongly encourage all users of BIND to upgrade to BIND version 9 or later," he states. BIND 9 has been available from the ISC website since October 9th of last year. BIND 9.1 was released on January 17, 2001. The software is freely available from the ISC website, http://www.isc.org/products/BIND/. Nominum offers a full suite of professional services to systems and network administrators in completing the transition from older versions of BIND to version 9, or with installing most recent releases to the older versions, 4.9.8 or 8.2.3. Additional information about the vulnerability can be found at www.nominum.com/resources/alerts/security-faq.html. About Nominum Nominum, Inc. is the world's leading provider of Internet naming and address management solutions that provide the Domain Name Service (DNS) necessary for virtually all internetworking software. Nominum supports and has written the latest version of the Berkeley Internet Name Domain (BIND) package, the most commonly used domain name server on the Internet, as well as ISC's Dynamic Host Configuration Protocol (DHCP), the most widely used Open Source package for the automated assignment of IP addresses. BIND and DHCP are freely available as Open Source via the Internet Software Consortium's website: http://www.isc.org/. Nominum offers enterprise customers, e-commerce businesses, Internet Service Providers and telecommunications companies' infrastructure assistance with their most demanding name and IP address management requirements via training, technical support, consulting and outsourcing solutions. For more information about Nominum, please visit their web site at www.nominum.com. Contacts: Nominum, Inc. Laura Hendriksen (650) 381-6018 Laura.Hendriksen@nominum.com ConnectedBrands Susan Luinetti susanl@connectedbrands.com 650-306-1558