From: "Kevin Oberman"
To: Stephen Montgomery-Smith
Cc: freebsd-stable@freebsd.org
Date: Wed, 06 Jan 2010 15:56:55 -0800
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-10:01.bind
In-reply-to: Your message of "Wed, 06 Jan 2010 17:15:12 CST." <4B451980.8010403@missouri.edu>
Message-Id: <20100106235655.BA25C1CC0B@ptavv.es.net>

> Date: Wed, 06 Jan 2010 17:15:12 -0600
> From: Stephen Montgomery-Smith
> Sender: owner-freebsd-stable@freebsd.org
>
> FreeBSD Security Advisories wrote:
>
> > I.   Background
> >
> > BIND 9 is an implementation of the Domain Name System (DNS) protocols.
> > The named(8) daemon is an Internet Domain Name Server.
> >
> > DNS Security Extensions (DNSSEC) provides data integrity, origin
> > authentication and authenticated denial of existence to resolvers.
> >
> > II.  Problem Description
> >
> > If a client requests DNSSEC records with the Checking Disabled (CD) flag
> > set, BIND may cache the unvalidated responses. These responses may later
> > be returned to another client that has not set the CD flag.
>
> How do I find out if my named server is using DNSSEC? I am using the
> vanilla defaults with named on FreeBSD.

I think that it is VERY safe to say that if you don't know that you are
using DNSSEC, you are not. And, even if you are, only a subset of those
doing so are vulnerable.

DNSSEC takes a fair amount of effort to sign your data and create and
maintain keys. It takes a fair amount of planning and quite a bit of time
to set it up, especially with versions of BIND prior to 9.7 (which is
still in beta). Even with 9.7, it won't happen by accident.
-- 
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: oberman@es.net			Phone: +1 510 486-8634
Key fingerprint:059B 2DDF 031C 9BA3 14A4 EADA 927D EBB3 987B 3751
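An added example, not part of this thread or of FreeBSD's or ISC's own tooling, of answering Stephen's question from the configuration rather than from memory: it reads a named.conf and reports whether BIND is asked to validate DNSSEC, which is what makes a resolver a validating resolver and thus relevant to this advisory. It assumes the BIND 9 statement names `dnssec-enable`, `dnssec-validation`, `trusted-keys` and `managed-keys`; both sample configs below are constructed, not FreeBSD's shipped defaults.

```python
import re

# Constructed sample: a resolver with no DNSSEC statements at all.
DEFAULT_CONF = """
options {
    directory "/etc/namedb/working";
    pid-file  "/var/run/named/pid";
    listen-on { 127.0.0.1; };
};
zone "." { type hint; file "/etc/namedb/named.root"; };
"""

# Constructed sample: validation switched on with a (placeholder) trust anchor.
VALIDATING_CONF = """
options {
    directory "/etc/namedb/working";
    dnssec-enable yes;
    dnssec-validation yes;  // validate answers against trust anchors
};
trusted-keys {
    "example." 257 3 8 "PLACEHOLDER-KEY-DATA==";
};
"""

def _strip_comments(text):
    # named.conf accepts C, C++ and shell style comments; drop all three.
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"//[^\n]*|#[^\n]*", "", text)

def _statement(text, name):
    # Value of a simple `name value;` statement, lower-cased, or None if absent.
    m = re.search(r"\b%s\s+([A-Za-z0-9_-]+)\s*;" % re.escape(name), text)
    return m.group(1).lower() if m else None

def dnssec_status(conf_text):
    """Report whether this named.conf turns on DNSSEC validation.

    BIND 9 validates only when dnssec-validation is 'yes' and at least one
    trust anchor (trusted-keys or managed-keys) is configured, or when it is
    'auto' (9.7+, built-in root anchor), and dnssec-enable is not 'no'.
    """
    text = _strip_comments(conf_text)
    enable = _statement(text, "dnssec-enable")
    validation = _statement(text, "dnssec-validation")
    anchors = bool(re.search(r"\b(trusted-keys|managed-keys)\s*\{", text))
    validating = enable != "no" and (
        validation == "auto" or (validation == "yes" and anchors))
    return {"dnssec-enable": enable, "dnssec-validation": validation,
            "trust-anchors": anchors, "validating": validating}
```

Run it over `/etc/namedb/named.conf` (read the file and pass its text); a result with `validating` False is the "vanilla defaults" case Kevin describes.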