FreeBSD Security Advisory FreeBSD-SA-10:01.bind
oberman at es.net
Wed Jan 6 23:56:58 UTC 2010
> Date: Wed, 06 Jan 2010 17:15:12 -0600
> From: Stephen Montgomery-Smith <stephen at missouri.edu>
> Sender: owner-freebsd-stable at freebsd.org
> FreeBSD Security Advisories wrote:
> > I. Background
> > BIND 9 is an implementation of the Domain Name System (DNS) protocols.
> > The named(8) daemon is an Internet Domain Name Server.
> > DNS Security Extensions (DNSSEC) provides data integrity, origin
> > authentication and authenticated denial of existence to resolvers.
> > II. Problem Description
> > If a client requests DNSSEC records with the Checking Disabled (CD) flag
> > set, BIND may cache the unvalidated responses. These responses may later
> > be returned to another client that has not set the CD flag.
> How do I find out if my named server is using DNSSEC? I am using the
> vanilla defaults with named on FreeBSD.
I think that it is VERY safe to say that if you don't know that you are
using DNSSEC, you are not. And, even if you are, only a subset of those
doing so are vulnerable.
DNSSEC takes a fair amount of effort to sign your data and create and
maintain keys. It takes a fair amount of planning and quite a bit of time
to set it up, especially with versions of BIND prior to 9.7 (which is
still in beta). Even with 9.7, it won't happen by accident.
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: oberman at es.net Phone: +1 510 486-8634
Key fingerprint: 059B 2DDF 031C 9BA3 14A4 EADA 927D EBB3 987B 3751
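The CD and AD header bits behind the advisory's problem description, as an added example that is not part of this thread or of BIND: a small Python encoder and decoder for the DNS header flags, run against constructed header-only responses, so a defender can see why an answer fetched with Checking Disabled carries no validation guarantee for anyone else. Function and variable names are my own; example.com is a placeholder query name.

```python
import struct

# DNS header flag bits in the 16-bit flags word (RFC 1035, RFC 4035).
QR = 0x8000  # response
RD = 0x0100  # recursion desired
RA = 0x0080  # recursion available
AD = 0x0020  # Authentic Data: the resolver validated this answer
CD = 0x0010  # Checking Disabled: the client asked the resolver not to validate

def build_query(qname, qtype=1, cd=False, dnssec_ok=True, txid=0x1234):
    """Wire-format query with RD set, optionally CD set, plus an EDNS0 OPT
    record carrying the DO bit so DNSSEC records are returned."""
    flags = RD | (CD if cd else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1 if dnssec_ok else 0)
    labels = qname.rstrip(".").split(".")
    question = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    question += b"\x00" + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS IN
    opt = b""
    if dnssec_ok:
        # OPT RR: root name, TYPE 41, UDP size 4096, ext-rcode 0, version 0,
        # DO flag 0x8000, zero-length RDATA.
        opt = b"\x00" + struct.pack("!HHBBHH", 41, 4096, 0, 0, 0x8000, 0)
    return header + question + opt

def parse_flags(msg):
    """Extract the header flags relevant to DNSSEC validation."""
    txid, flags = struct.unpack("!HH", msg[:4])
    return {"id": txid, "qr": bool(flags & QR), "ad": bool(flags & AD),
            "cd": bool(flags & CD), "rcode": flags & 0x000F}

def classify(msg):
    """Defender's reading of a response: an answer obtained with CD set was
    never validated, whatever a cache or a later client might assume."""
    f = parse_flags(msg)
    if f["cd"]:
        return "unvalidated: CD set, validation was bypassed"
    if f["ad"]:
        return "validated: AD set by the resolver"
    return "unvalidated: no AD (resolver not validating or zone unsigned)"

def sample_response(flags, txid=0x1234):
    """Constructed header-only response used for the demonstration."""
    return struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0)

# Constructed responses mirroring the advisory's two cases.
VALIDATED = sample_response(QR | RD | RA | AD)
CD_ANSWER = sample_response(QR | RD | RA | CD)  # what a CD client receives
PLAIN = sample_response(QR | RD | RA)
```

The AD bit is only meaningful from a resolver you trust over a trusted path (for example on localhost); a stub talking to an arbitrary resolver cannot rely on it.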