FreeBSD Security Advisory FreeBSD-SA-10:01.bind

Thomas Rasmussen thomas at gibfest.dk
Thu Jan 7 01:01:55 UTC 2010


Kevin Oberman wrote:
>> Date: Wed, 06 Jan 2010 17:15:12 -0600
>> From: Stephen Montgomery-Smith <stephen at missouri.edu>
>> Sender: owner-freebsd-stable at freebsd.org
>>
>> FreeBSD Security Advisories wrote:
>>
>>> I.   Background
>>>
>>> BIND 9 is an implementation of the Domain Name System (DNS) protocols.
>>> The named(8) daemon is an Internet Domain Name Server.
>>>
>>> DNS Security Extensions (DNSSEC) provides data integrity, origin
>>> authentication and authenticated denial of existence to resolvers.
>>>
>>> II.  Problem Description
>>>
>>> If a client requests DNSSEC records with the Checking Disabled (CD) flag
>>> set, BIND may cache the unvalidated responses.  These responses may later
>>> be returned to another client that has not set the CD flag.
>>>       
>> How do I find out if my named server is using DNSSEC?  I am using the 
>> vanilla defaults with named on FreeBSD.
>
> I think that it is VERY safe to say that if you don't know that you are
> using DNSSEC, you are not. And, even if you are, only a subset of those
> doing so are vulnerable.
>
> DNSSEC takes a fair amount of effort to sign your data and create and
> maintain keys. It takes a fair amount of planning and quite a bit of time
> to set it up, especially with versions of BIND prior to 9.7 (which is
> still in beta). Even with 9.7, it won't happen by accident.
Hello,

While this is all true, this vulnerability is for caching servers,
not authoritative ones. It is pretty easy to set up DLV validation on a
recursive bind server. However, it is not enabled by default on FreeBSD,
so Stephen should be safe.

By the way, to check if a given resolver is DNSSEC enabled (without
checking the config), you could for example do:
dig @resolverip +dnssec isc.org
and check under flags to see if the "ad" flag has been returned.

If the "ad" flag is present, like in this example...

$ dig +dnssec isc.org

; <<>> DiG 9.6.1-P1 <<>> +dnssec isc.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5628
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 6, ADDITIONAL: 14
-------------------^^ DNSSEC is enabled (remaining output removed).

...then DNSSEC is enabled and your bind is in a vulnerable configuration,
and you should update. If the "ad" flag is not present, update bind anyway,
and go enable DNSSEC! :)

Best regards

Thomas Rasmussen
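The check Thomas describes works because `dig +dnssec` sets the DO bit in an EDNS0 OPT record, and a validating resolver answers with the AD (Authenticated Data) flag in the header; the advisory's problem is a query that also sets the CD (Checking Disabled) flag. The following is an added example, not code from the thread or from the FreeBSD/ISC advisory: it builds the same kind of query dig sends, decodes the header flags line the way dig prints it, and reports whether a response carries AD. The two response messages are constructed sample headers (no network is used), and the function names are this example's own.

```python
import struct

# Bit positions in the 16-bit DNS header flags field (RFC 1035; AD/CD from RFC 4035).
FLAG_BITS = {"qr": 15, "aa": 10, "tc": 9, "rd": 8, "ra": 7, "ad": 5, "cd": 4}

OPT_TYPE = 41        # EDNS0 pseudo-RR type
DO_BIT = 0x8000      # "DNSSEC OK" bit in the OPT RR flags (high 16 bits of TTL)


def parse_flags(msg: bytes) -> dict:
    """Decode the header flags of a DNS message into {name: bool}."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    _id, flags, _qd, _an, _ns, _ar = struct.unpack("!6H", msg[:12])
    return {name: bool((flags >> bit) & 1) for name, bit in FLAG_BITS.items()}


def flag_string(msg: bytes) -> str:
    """Render the flags the way dig's ';; flags:' line does (same order)."""
    set_flags = parse_flags(msg)
    return " ".join(name for name in FLAG_BITS if set_flags[name])


def validated(msg: bytes) -> bool:
    """True if this is a response and the resolver asserted AD (validated data)."""
    f = parse_flags(msg)
    return f["qr"] and f["ad"]


def build_dnssec_query(qname: str, qid: int = 0x15FC, checking_disabled: bool = False) -> bytes:
    """Build what `dig +dnssec <name>` sends: RD set, one A question, OPT RR with DO.

    checking_disabled=True additionally sets CD, the flag the advisory talks about.
    """
    flags = 1 << FLAG_BITS["rd"]
    if checking_disabled:
        flags |= 1 << FLAG_BITS["cd"]
    header = struct.pack("!6H", qid, flags, 1, 0, 0, 1)  # QD=1, AR=1 (the OPT RR)
    labels = qname.rstrip(".").split(".")
    question = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question += struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    # OPT RR: root name, type 41, UDP payload size 4096, ext-rcode 0, version 0,
    # flags with DO set, RDLENGTH 0.
    opt = b"\x00" + struct.pack("!HHBBHH", OPT_TYPE, 4096, 0, 0, DO_BIT, 0)
    return header + question + opt


def has_do_bit(query: bytes) -> bool:
    """Walk past the question section to the OPT RR and test its DO bit."""
    _id, _flags, qd, _an, _ns, ar = struct.unpack("!6H", query[:12])
    if ar == 0:
        return False
    pos = 12
    for _ in range(qd):
        while query[pos] != 0:          # uncompressed labels, as in a query
            pos += 1 + query[pos]
        pos += 1 + 4                    # root label, QTYPE, QCLASS
    if query[pos] != 0:                 # OPT owner name must be the root
        return False
    rtype, _udp, _erc, _ver, rrflags, _rdlen = struct.unpack("!HHBBHH", query[pos + 1:pos + 11])
    return rtype == OPT_TYPE and bool(rrflags & DO_BIT)


# Constructed sample response headers (12 bytes each); the id 5628 mirrors the
# dig output quoted in the thread.  0x81A0 = qr rd ra ad, 0x8180 = qr rd ra.
SAMPLE_VALIDATED = struct.pack("!6H", 5628, 0x81A0, 1, 3, 6, 14)
SAMPLE_UNVALIDATED = struct.pack("!6H", 5628, 0x8180, 1, 3, 6, 14)

if __name__ == "__main__":
    q = build_dnssec_query("isc.org")
    print("query flags:", flag_string(q), "| DO bit:", has_do_bit(q))
    for label, resp in (("validating", SAMPLE_VALIDATED), ("plain", SAMPLE_UNVALIDATED)):
        print(f"{label:>10} response flags: {flag_string(resp)} -> AD set: {validated(resp)}")
```

To test a live resolver you would send `build_dnssec_query("isc.org")` over UDP port 53 to the resolver's address and pass the reply to `validated()`; that is exactly the `dig @resolverip +dnssec isc.org` check above, and a recursive server that does not validate will answer without AD even when the zone is signed.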
