conf/177607: named.conf comment to slave root suggests potentially dangerous BIND configuration
markk at knigma.org
Wed Apr 3 15:00:01 UTC 2013
The following reply was made to PR conf/177607; it has been noted by GNATS.
From: Mark Knight <markk at knigma.org>
To: Maxim Konovalov <maxim.konovalov at gmail.com>
Cc: bug-followup at freebsd.org
Subject: Re: conf/177607: named.conf comment to slave root suggests potentially
dangerous BIND configuration
Date: Wed, 03 Apr 2013 15:51:35 +0100
Thanks for fixing up the Reply-To.
I stupidly uncommented these lines on a box *assuming* it was safe. Once
upon a time responding to root DNS queries wouldn't have been considered
a bad thing. However today I received an abuse@ report to thank me for
my error. The comment above the stanza doesn't mention the amplifier
threat (although it does mention general caution) and appears to offer a
good suggestion for improving resilience and reducing net traffic that's
"ready to run". Clearly it isn't.
My rationale was that it's a quick and easy fix and given the recent
attacks it was worth giving this a high priority in the name of
pro-active security. It's a potential security issue and is therefore
serious. Apologies if I've exaggerated the threat.