In message <1215550691.3987.44.camel(a)titan>, Jamie Baddeley writes:
Vulnerability Summary: Deficiencies in the DNS protocol and common DNS implementations facilitate a DNS cache poisoning attack that affects BIND, Microsoft Windows DNS services and CISCO IOS.
See also, eg, http://isc.sans.org/diary.html?storyid=4687 which has some sane discussion of the issue (which basically seems to boil down to insufficient randomness in queries allowing spoofed replies, given the lack of any actual properly deployed security in DNS). Amongst other things they suggest patching any recursive/caching DNS servers with vendor patches at the soonest suitable patch window. The priority for patching other things depends on their reliance on DNS and protection gained from other DNS servers -- for instance things which only rely on DNS to look up internal management network names from a DNS server which is already patched are probably a much lower priority than the recursive DNS servers for your customers. (And while, eg, Cisco have a patch out for IOS, I'd imagine most routers/switches are not configured to offer recursive DNS or otherwise using the DNS functionality in IOS in a way that puts them at much risk.) Also for recursive DNS servers for customers see the note at the end of the isc.sans.org page (link above) about a beta version of BIND9 with performance improvements for high query load recursive servers. Ewen