Insecure DNS servers on PG infrastructure - Mailing list pgsql-www

From Tom Lane
Subject Insecure DNS servers on PG infrastructure
Msg-id 26210.1216998123@sss.pgh.pa.us
Responses Re: Insecure DNS servers on PG infrastructure  ("Joshua D. Drake" <jd@commandprompt.com>)
Re: Insecure DNS servers on PG infrastructure  (Andrew Sullivan <ajs@commandprompt.com>)
Re: Insecure DNS servers on PG infrastructure  ("Marc G. Fournier" <scrappy@hub.org>)
List pgsql-www
I just noted that cvs.postgresql.org and svr1.postgresql.org are not
running the latest bind release, which means that they are vulnerable to
the DNS cache poisoning attack recently discovered by Dan Kaminsky.
Vixie and co think this is a pretty big deal, so folks might want to
update sooner rather than later.
http://www.kb.cert.org/vuls/id/800113

BTW, there is an excellent end-to-end test available for whether the
security fix (port randomization) is actually working for you:
dig @server-to-test porttest.dns-oarc.net in txt

This takes a few seconds (they've arranged it to force multiple queries
from the tested server) and gives you back a readout of how many ports
those queries arrived from and the spread in the port addresses.
A good result looks about like this:

;; ANSWER SECTION:
porttest.dns-oarc.net.  60      IN      CNAME   z.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.
z.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net. 60 IN TXT "66.207.139.134 is GOOD: 26 queries in 2.3seconds from 26 ports with std dev 17102.06"

If it says FAIR or POOR then you have an unpatched server or there
is something interfering with the port randomization.  If the server
is behind a NAT firewall then the latter is entirely likely.
        regards, tom lane
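The porttest readout above is easiest to act on if you turn the two figures it reports (distinct source ports and their standard deviation) into a check you can re-run against your own resolvers. The script below is an added example, not part of Tom Lane's message and not dns-oarc's own code: it parses a TXT answer in the format quoted in the thread, and it also computes the same two figures from a list of observed source ports (as you would collect from a packet capture of a resolver's outbound queries). The GOOD/FAIR/POOR thresholds in rate_ports are illustrative assumptions; dns-oarc's actual cut-offs are not stated on this page. The sample TXT string and the port lists are constructed.

```python
import re
import statistics

# Constructed TXT answer in the shape quoted in the thread; the address,
# counts and std dev are illustrative values, not a real measurement.
SAMPLE_TXT = ('"192.0.2.53 is GOOD: 26 queries in 2.3seconds '
              'from 26 ports with std dev 17102.06"')

# Matches the porttest.dns-oarc.net TXT record format as shown in the
# thread, e.g.  "<addr> is GOOD: 26 queries in 2.3seconds from 26 ports
# with std dev 17102.06" (the missing space before "seconds" is tolerated).
TXT_RE = re.compile(
    r'"?(?P<addr>[\d.]+) is (?P<verdict>GOOD|FAIR|POOR): '
    r'(?P<queries>\d+) queries in (?P<secs>[\d.]+)\s*seconds from '
    r'(?P<ports>\d+) ports with std dev (?P<stddev>[\d.]+)"?'
)


def parse_porttest(txt):
    """Parse one porttest TXT answer into a dict of typed fields."""
    m = TXT_RE.search(txt)
    if not m:
        raise ValueError("not a porttest TXT record: %r" % txt)
    d = m.groupdict()
    return {
        "addr": d["addr"],
        "verdict": d["verdict"],
        "queries": int(d["queries"]),
        "seconds": float(d["secs"]),
        "ports": int(d["ports"]),
        "stddev": float(d["stddev"]),
    }


def rate_ports(ports):
    """Rate source-port randomization from a list of observed ports.

    Reports the same two figures porttest does: how many distinct ports
    the queries came from and the (population) standard deviation of the
    port numbers. The verdict thresholds are an assumption for this
    example, not dns-oarc's rules: GOOD needs every query on a fresh
    port with a wide spread, FAIR means some variation (e.g. sequential
    ports, which are predictable), POOR means little or none.
    """
    if not ports:
        raise ValueError("no ports observed")
    distinct = len(set(ports))
    sd = statistics.pstdev(ports) if len(ports) > 1 else 0.0
    if distinct == len(ports) and sd >= 3000:
        verdict = "GOOD"
    elif distinct >= len(ports) // 2 and sd > 0:
        verdict = "FAIR"
    else:
        verdict = "POOR"
    return {"queries": len(ports), "ports": distinct,
            "stddev": round(sd, 2), "verdict": verdict}


# Constructed captures of 26 outbound queries each:
#  - a fixed-port resolver (pre-fix behaviour, or NAT rewriting every
#    query to one port),
#  - a resolver that increments the port per query,
#  - a resolver whose ports are spread across the ephemeral range.
FIXED_PORTS = [32768] * 26
SEQUENTIAL_PORTS = list(range(32768, 32768 + 26))
SPREAD_PORTS = [1024 + i * 2500 for i in range(26)]

if __name__ == "__main__":
    # After running:  dig @server-to-test porttest.dns-oarc.net in txt
    # paste the TXT string into parse_porttest; the constructed sample
    # stands in for it here.
    print(parse_porttest(SAMPLE_TXT))
    for name, ports in (("fixed", FIXED_PORTS),
                        ("sequential", SEQUENTIAL_PORTS),
                        ("spread", SPREAD_PORTS)):
        print(name, rate_ports(ports))
```

Note that a low standard deviation with a GOOD-looking distinct-port count is exactly the NAT symptom the message describes: the firewall may hand out fresh but adjacent ports, so check both figures rather than the port count alone.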

