Apple in a bind over its DNS patch?

Company's dilemma may be related to a third party's DNS patch problems.

Updated 2:50 p.m. PDT with comments from security researcher Rich Mogull.

Three weeks after the disclosure of a serious flaw within the Domain Name System (DNS), Apple has yet to patch its MAC OS X operating system, but the company may be able to look to a third party in defense.

In a posting to an Internet newsgroup on Monday, Paul Vixie of the Internet Systems Consortium (ISC) acknowledged that the Berkeley Internet Name Domain (BIND) DNS Server's recent -P1 releases may be unstable for some users. The BIND DNS Server is used on the vast majority of name serving machines on the Internet and provides an openly redistributable reference implementation of the major components of the Domain Name System.

Vixie, one of the researchers briefed in advance of the DNS flaw disclosure by Dan Kaminsky, said that once ISC learned of the problem, it began work immediately on a patch.

However, "during the development cycle we became aware of a potential performance issue on high-traffic recursive servers, defined as those seeing a query volume of greater than 10,000/queries per second. Given the limited time frame and associated risks we chose to finish the patches ASAP and accelerate our work on the next point releases that would address the high-volume server performance concerns."

Vixie underscored that having the DNS patch was more important than worrying about slow server problems. He said that ISC will be releasing versions of 9.3.5-P2, 9.4.2-P2, and 9.5.0-P2 at the end of this week.

Separately, security researcher Rich Mogull of echoed that having a DNS patch was better than not having one.

In a blog last week co-authored with Glenn Fleishman, Mogull commented on Apple's lack of a patch. He wrote: "Apple uses the popular Internet Systems Consortium BIND DNS server which was one of the first tools patched, but Apple has yet to include the fixed version in Mac OS X Server, despite being notified of vulnerability details early in the process and being informed of the coordinated patch release date."

In an e-mail to CNET News, Mogull said "Apple may be stuck between a rock and a hard place on this one, but they've chosen the worst possible option--remaining silent."

He went on to say that we don't know how the BIND instability affects the Mac OS X Server.

"If it were unstable, my recommendation would be to make a preliminary patch available that those using it as a recursive DNS server can apply. With an active exploit, no patch at all is not a viable option and places customers at high risk. Let the customers make their own risk decision."

Mogull suggests that those savvy with compiling code could still install their own version of 9.5.0-P1 to a Mac OS X Server or "reconfigure those servers to forward DNS requests to alternative platforms, such as BIND on Linux or Unix, or Microsoft servers, until Apple issues a patch."

Current attacks in the wild only affect DNS caching on Web servers, said Mogull in his blog, so desktop MAC OS X users need not be concerned just yet.

Apple had no comment to a request from CNET News regarding the status of a Mac OS X DNS patch.