Thanks Tobias, I am still unclear as to the possibility of exploiting BIND9 if recursion is limited/not allowed. AFAIK the overflow occurs at two of the variable parsers used by the resolver libs.
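For the "recursion limited/not allowed" case raised above, this is an added BIND9 named.conf fragment (not part of this thread) showing the two usual ways to restrict recursion: refusing it outright on an authoritative-only server, or allowing it only for an address list. The ACL name and network addresses are placeholders. Whether a non-recursive named is still exposed depends on whether the binary carries the affected resolver code, which is exactly the open question in this thread, so read this as a hardening baseline rather than as a fix for the overflow.

```conf
// Added example, not from the original thread; addresses are placeholders.
acl "internal" {
    127.0.0.1;
    192.168.0.0/16;
};

options {
    directory "/var/named";

    // For an authoritative-only server, refuse recursion for everyone:
    //     recursion no;
    // For a server that must recurse for internal clients only,
    // keep recursion on but restrict who may ask for it:
    recursion yes;
    allow-recursion { "internal"; };
};
```

Check the syntax with `named-checkconf /etc/named.conf` before reloading. To verify the effect, query the server from an address outside the ACL for a name it is not authoritative for: the answer should have the RA (recursion available) flag clear and carry no recursively resolved data.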
If BIND9 uses the vulnerable resolver lib or implements the same code, it is vulnerable. If it doesn't, it isn't. That having been said, if you're worried about BIND being exploitable now and in the future, which I would be, then dump BIND and switch to something more secure, such as djbdns. You'll still need to resolve the issue on the DNS clients, though. On a side note, proxy-firewalled infrastructures don't require the workstations to perform DNS lookups at all; the proxy handles that for them.
And also, AFAIK BIND9 answers from cache anyway.
So? I don't see your meaning.
The reason I am sceptical at this stage is that one of my production boxen, running only (SuSE) patched Apache and BIND9 (80 & 53), has been r00ted.
I don't believe it runs only those two apps.. ;-) [box r00ted by unknown avenue of attack] Post-break-in forensics can be tough (and therefore expensive). I believe we (secunet, the company I work for) have done some of it in the past, so if it's important enough to you, we could perhaps come to a deal, but it probably won't be cheap.. I sincerely hope the list doesn't read this as an advertisement of any sort; it's not meant that way.

Tobias