FreeBSD Security Advisory FreeBSD-SA-10:01.bind

Kevin Oberman oberman at es.net
Wed Jan 6 23:56:58 UTC 2010


> Date: Wed, 06 Jan 2010 17:15:12 -0600
> From: Stephen Montgomery-Smith <stephen at missouri.edu>
> Sender: owner-freebsd-stable at freebsd.org
> 
> FreeBSD Security Advisories wrote:
> 
> > I.   Background
> > 
> > BIND 9 is an implementation of the Domain Name System (DNS) protocols.
> > The named(8) daemon is an Internet Domain Name Server.
> > 
> > DNS Security Extensions (DNSSEC) provides data integrity, origin
> > authentication and authenticated denial of existence to resolvers.
> > 
> > II.  Problem Description
> > 
> > If a client requests DNSSEC records with the Checking Disabled (CD) flag
> > set, BIND may cache the unvalidated responses.  These responses may later
> > be returned to another client that has not set the CD flag.
> 
> How do I find out if my named server is using DNSSEC?  I am using the 
> vanilla defaults with named on FreeBSD.

I think that it is VERY safe to say that if you don't know that you are
using DNSSEC, you are not. And, even if you are, only a subset of those
doing so are vulnerable.

DNSSEC takes a fair amount of effort to sign your data and create and
maintain keys. It takes a fair amount of planning and quite a bit of time
to set it up, especially with versions of BIND prior to 9.7 (which is
still in beta). Even with 9.7, it won't happen by accident.
-- 
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: oberman at es.net			Phone: +1 510 486-8634
Key fingerprint:059B 2DDF 031C 9BA3 14A4  EADA 927D EBB3 987B 3751


More information about the freebsd-stable mailing list