FreeBSD Security Advisory FreeBSD-SA-09:04.bind

Doug Barton dougb at FreeBSD.org
Wed Jan 14 22:35:45 PST 2009


Carl Friend wrote:
>    Hi Leonid,
> 
>    I got the message, so it looks like at least something is working.
> 
>    From the advisory:
> 
>> NOTE WELL: If named(8) is not explicitly set to use DNSSEC the setup
>> is not vulnerable to the issue as described in this Security Advisory.
> 
>    We are not using DNSSEC on either the internal or external BIND
> instances.  We *are* using authentication keys for some of the internal
> infrastructure (for dynamic updates) but not for the external, and
> this facility uses shared-secrets anyway rather than PKI.

When you say "authentication keys" I assume you mean TSIG. If so, that
is not affected by this advisory.

>    I think we're OK unless we're going to light up DNSSEC in the near
> future.

You are only vulnerable to a potential man-in-the-middle attack IF you
are validating DNSSEC signatures AND IF the signatures on that record
involve DSA.

Doug

-- 

    This .signature sanitized for your protection
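
An added example, not part of the original message or of BIND: a small Python check for the two conditions named in the reply above. It assumes an explicit `dnssec-validation yes;` in named.conf means validation is on (defaults are not modelled) and that records are in dig-style presentation format; the function names and sample data are constructed for illustration.

```python
import re

# IANA DNSSEC algorithm numbers that are DSA-based.
DSA_ALGORITHMS = {3: "DSA/SHA1", 6: "DSA-NSEC3-SHA1"}
# Position of the algorithm field relative to the type mnemonic.
ALG_OFFSET = {"RRSIG": 2, "DNSKEY": 3}

def validation_enabled(named_conf):
    """True if the named.conf text explicitly sets dnssec-validation yes."""
    # Assumption: defaults are not modelled, only an explicit setting counts.
    text = re.sub(r"/\*.*?\*/", "", named_conf, flags=re.S)
    text = re.sub(r"(#|//).*", "", text)  # drop commented-out options
    return re.search(r"\bdnssec-validation\s+yes\s*;", text) is not None

def dsa_records(rr_text):
    """Return (owner, type, algorithm) for DSA-based RRSIG/DNSKEY records."""
    hits = []
    for line in rr_text.splitlines():
        fields = line.split(";", 1)[0].split()
        # The type sits within the first four fields: owner [ttl] [class] type.
        for i, field in enumerate(fields[:4]):
            if field not in ALG_OFFSET:
                continue
            alg_at = i + ALG_OFFSET[field]
            if alg_at < len(fields) and fields[alg_at].isdigit():
                alg = int(fields[alg_at])
                if alg in DSA_ALGORITHMS:
                    hits.append((fields[0], field, DSA_ALGORITHMS[alg]))
            break
    return hits

def exposed(named_conf, rr_text):
    """Both conditions from the reply: validating AND DSA signatures present."""
    return validation_enabled(named_conf) and bool(dsa_records(rr_text))

# Constructed sample input (not real configuration or zone data).
SAMPLE_CONF = """options {
    // dnssec-validation no;
    dnssec-validation yes;
};"""
SAMPLE_RRS = """; constructed records, key and signature data truncated
example.test. 3600 IN DNSKEY 257 3 3 AAAA
example.test. 3600 IN RRSIG A 3 2 3600 20090201000000 20090101000000 12345 example.test. AAAA
example.org. 3600 IN RRSIG A 5 2 3600 20090201000000 20090101000000 54321 example.org. BBBB
"""

if __name__ == "__main__":
    print(dsa_records(SAMPLE_RRS), exposed(SAMPLE_CONF, SAMPLE_RRS))
```
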


More information about the freebsd-security mailing list