FreeBSD Security Advisory FreeBSD-SA-10:01.bind
Kevin Oberman
oberman at es.net
Wed Jan 6 23:56:58 UTC 2010
> Date: Wed, 06 Jan 2010 17:15:12 -0600
> From: Stephen Montgomery-Smith <stephen at missouri.edu>
> Sender: owner-freebsd-stable at freebsd.org
>
> FreeBSD Security Advisories wrote:
>
> > I. Background
> >
> > BIND 9 is an implementation of the Domain Name System (DNS) protocols.
> > The named(8) daemon is an Internet Domain Name Server.
> >
> > DNS Security Extensions (DNSSEC) provides data integrity, origin
> > authentication and authenticated denial of existence to resolvers.
> >
> > II. Problem Description
> >
> > If a client requests DNSSEC records with the Checking Disabled (CD) flag
> > set, BIND may cache the unvalidated responses. These responses may later
> > be returned to another client that has not set the CD flag.
>
> How do I find out if my named server is using DNSSEC? I am using the
> vanilla defaults with named on FreeBSD.
I think that it is VERY safe to say that if you don't know that you are
using DNSSEC, you are not. And, even if you are, only a subset of those
doing so are vulnerable.
DNSSEC takes a fair amount of effort to sign your data and create and
maintain keys. It takes a fair amount of planning and quite a bit of time
to set it up, especially with versions of BIND prior to 9.7 (which is
still in beta). Even with 9.7, it won't happen by accident.
--
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: oberman at es.net Phone: +1 510 486-8634
Key fingerprint:059B 2DDF 031C 9BA3 14A4 EADA 927D EBB3 987B 3751
More information about the freebsd-stable
mailing list