FreeBSD Security Advisory FreeBSD-SA-07:02.bind

Mark Andrews Mark_Andrews at isc.org
Sat Feb 10 04:25:43 UTC 2007


> IV.  Workaround
> 
> There is no workaround available, but systems which are not authoritative
> servers for DNSSEC signed zones are not affected by the first issue; and
> systems which do not permit untrusted users to perform recursive DNS
> resolution are not affected by the second issue.  Note that the default
> configuration for named(8) in FreeBSD allows local access only (which on
> many systems is equivalent to refusing access to untrusted users).

	More precisely, systems which do not *validate* answers are not
	vulnerable to the first.

	All nameservers which offer recursion are vulnerable to the
	second.

	From ISC's advisory (which I authored).

Workaround:

        Disable / restrict recursion (to limit exposure).



	Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
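
The "Disable / restrict recursion" workaround above, written out as a named.conf fragment. This is an added example, not part of the original message or of ISC's advisory; the ACL name "trusted" and the 192.0.2.0/24 client network are assumptions chosen for illustration.

```conf
// Constructed example; 192.0.2.0/24 is a documentation range standing in
// for an internal client network.
acl "trusted" {
    127.0.0.1;
    192.0.2.0/24;
};

// Exposed form: recursion offered to every client that can reach the server.
// options {
//     recursion yes;
//     allow-recursion { any; };
// };

// Restricted form: recursion only for clients matched by the "trusted" ACL.
// This narrows who can reach the second issue; it does not remove it.
options {
    recursion yes;
    allow-recursion { "trusted"; };
};

// Authoritative-only servers can disable recursion instead:
// options {
//     recursion no;
// };
```

Run named-checkconf on the edited file before reloading named.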

