
The DNS patch

In the past 24 hours I have received a lot of queries on the reports of the major DNS security patch. Since this is not my area of responsibility, I asked Matt Larson, our DNS specialist, to comment. Here is his reply:

I'm aware of the vulnerability and know the details. It is not broader than DNS cache poisoning and only recursive name servers are vulnerable. These are the servers run by enterprises and ISPs to resolve DNS lookups on behalf of their employees' and customers' computers. Recursive name servers do the "heavy lifting" of DNS resolution by tracking down answers in authoritative name servers.
Because recursive name servers cache responses they receive to speed up subsequent lookups, they are potentially vulnerable to bad information getting into their caches, via an attack called "cache poisoning".
The important message is: for customer-facing services, VeriSign runs only authoritative name servers, not recursive name servers, and we are therefore completely unaffected by this vulnerability.

In short, core DNS (the root and the major TLD servers) is not affected. But Matt also pointed out that the issue does affect enterprises and ISPs that run local recursive DNS servers, and that it is important that these are appropriately patched or upgraded.
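To make the cache-poisoning risk Matt describes concrete, here is an added toy simulation; it is not code from the original post or from VeriSign. A recursive resolver sends a query and accepts only a response whose name, 16-bit transaction ID and destination port match the outstanding query; an off-path attacker who cannot see that query has to guess. The model assumes, as the coordinated July 2008 resolver patches did, that "patched" means the resolver also randomizes its UDP source port rather than always using a fixed one. The port range, the fixed port of the unpatched resolver, the trial counts and the query names are all constructed for the example.

```python
import random

TXID_SPACE = 1 << 16  # DNS transaction ID is 16 bits
# Assumed ephemeral range a patched resolver chooses its source port from.
PORT_MIN, PORT_MAX = 1024, 65535
PORT_SPACE = PORT_MAX - PORT_MIN + 1
FIXED_PORT = 53  # assumed source port of an unpatched resolver


class RecursiveResolver:
    """Toy recursive resolver: one outstanding query at a time plus a cache."""

    def __init__(self, rng, randomize_port):
        self.rng = rng
        self.randomize_port = randomize_port
        self.cache = {}
        self.outstanding = None  # (name, txid, port) of the query in flight

    def send_query(self, name):
        txid = self.rng.randrange(TXID_SPACE)
        if self.randomize_port:
            port = self.rng.randrange(PORT_MIN, PORT_MAX + 1)
        else:
            port = FIXED_PORT
        self.outstanding = (name, txid, port)
        return txid, port

    def receive(self, name, txid, port, answer):
        """Accept a response only if it matches the outstanding query exactly."""
        if self.outstanding is None or self.outstanding != (name, txid, port):
            return False  # wrong name, txid or port: silently dropped
        self.cache[name] = answer
        self.outstanding = None
        return True


def spoof_attempt(resolver, rng, name, guesses):
    """Off-path attacker fires `guesses` forged replies before the real one lands.

    The attacker knows how the resolver is configured but sees none of its
    traffic, so txid (and port, if randomized) have to be guessed.
    """
    resolver.send_query(name)
    for _ in range(guesses):
        txid = rng.randrange(TXID_SPACE)
        if resolver.randomize_port:
            port = rng.randrange(PORT_MIN, PORT_MAX + 1)
        else:
            port = FIXED_PORT
        if resolver.receive(name, txid, port, "198.51.100.1"):
            return True  # forged record is now in the cache
    # Legitimate answer arrives; this race is lost for the attacker.
    return False


def poisoning_rate(randomize_port, trials, guesses, seed=1):
    """Fraction of races the attacker wins.

    Each trial queries a fresh name (q0.example., q1.example., ...): an
    attacker can always trigger a new lookup, so losing one race just means
    starting the next one.
    """
    rng = random.Random(seed)
    wins = 0
    for i in range(trials):
        resolver = RecursiveResolver(rng, randomize_port)
        if spoof_attempt(resolver, rng, f"q{i}.example.", guesses):
            wins += 1
    return wins / trials


def expected_success(guesses, randomize_port):
    """Analytic probability that at least one of `guesses` forgeries matches."""
    space = TXID_SPACE * (PORT_SPACE if randomize_port else 1)
    return 1 - (1 - 1 / space) ** guesses


if __name__ == "__main__":
    for randomized in (False, True):
        print("port randomized" if randomized else "fixed port",
              "simulated:", poisoning_rate(randomized, 1000, 1000),
              "analytic:", expected_success(1000, randomized))
```

With only the transaction ID to guess, a thousand forged replies per race already win about 1.5% of races, and the attacker simply keeps triggering new lookups until one lands; adding a random source port multiplies the search space by roughly 64,000 and drives the per-race odds into the ten-millionths. That is the gap the patch closes, and it is why enterprise and ISP resolvers need it even though authoritative-only servers do not.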


Disclaimer: Opinions expressed here and in any corresponding comments are the personal opinions of the original authors, not of VeriSign.
