Date: Thu, 07 Jan 2010 01:33:13 +0100
From: Thomas Rasmussen <thomas@gibfest.dk>
To: freebsd-stable@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-10:01.bind
Message-ID: <4B452BC9.1040104@gibfest.dk>
In-Reply-To: <20100106235655.BA25C1CC0B@ptavv.es.net>
References: <20100106235655.BA25C1CC0B@ptavv.es.net>
Kevin Oberman wrote:
>> Date: Wed, 06 Jan 2010 17:15:12 -0600
>> From: Stephen Montgomery-Smith <stephen@missouri.edu>
>> Sender: owner-freebsd-stable@freebsd.org
>>
>> FreeBSD Security Advisories wrote:
>>
>>> I. Background
>>>
>>> BIND 9 is an implementation of the Domain Name System (DNS) protocols.
>>> The named(8) daemon is an Internet Domain Name Server.
>>>
>>> DNS Security Extensions (DNSSEC) provides data integrity, origin
>>> authentication and authenticated denial of existence to resolvers.
>>>
>>> II. Problem Description
>>>
>>> If a client requests DNSSEC records with the Checking Disabled (CD) flag
>>> set, BIND may cache the unvalidated responses. These responses may later
>>> be returned to another client that has not set the CD flag.
>>
>> How do I find out if my named server is using DNSSEC? I am using the
>> vanilla defaults with named on FreeBSD.
>
> I think that it is VERY safe to say that if you don't know that you are
> using DNSSEC, you are not. And, even if you are, only a subset of those
> doing so are vulnerable.
>
> DNSSEC takes a fair amount of effort to sign your data and create and
> maintain keys. It takes a fair amount of planning and quite a bit of time
> to set it up, especially with versions of BIND prior to 9.7 (which is
> still in beta). Even with 9.7, it won't happen by accident.

Hello,

While this is all true, this vulnerability is for caching servers, not
authoritative ones. It is pretty easy to set up DLV validation on a
recursive bind server. However, it is not enabled by default on FreeBSD,
so Stephen should be safe.

By the way, to check if a given resolver is DNSSEC enabled (without
checking the config), you could for example do:

dig @resolverip +dnssec isc.org

and check under flags to see if the "ad" flag has been returned. If the
"ad" flag is present, like in this example...

$ dig +dnssec isc.org

; <<>> DiG 9.6.1-P1 <<>> +dnssec isc.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5628
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 6, ADDITIONAL: 14
-------------------^^ DNSSEC is enabled
(remaining output removed).

...then DNSSEC is enabled and your bind is in a vulnerable configuration,
and you should update. If the "ad" flag is not present, update bind anyway,
and go enable DNSSEC! :)

Best regards
Thomas Rasmussen
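The check above reads the "ad" flag off dig's text output; the same check done on the raw DNS header is shown here as an added example that is not part of this thread or of BIND. It builds the query that "dig +dnssec" sends (RD plus an EDNS0 OPT record with the DO bit, optionally with CD as in the advisory), decodes the header flags of a response, and reports whether the resolver validated; probe(), the resolver address and the two sample headers (built from the id and flags dig printed above) are assumptions or constructed.

```python
import socket
import struct

# Header flag bits, second 16-bit word of the DNS header (RFC 1035, RFC 4035).
FLAG_QR = 0x8000
FLAG_RD = 0x0100
FLAG_RA = 0x0080
FLAG_AD = 0x0020  # Authentic Data: the resolver validated the answer
FLAG_CD = 0x0010  # Checking Disabled: the client told the resolver not to validate
EDNS_DO = 0x8000  # DNSSEC OK bit in the OPT record's extended flags (RFC 3225)

def build_query(name, qid=0x15FC, checking_disabled=False):
    """Wire-format query like 'dig +dnssec <name>': RD set plus an EDNS0 OPT
    record with DO, so a validating resolver returns RRSIGs and sets AD."""
    flags = FLAG_RD | (FLAG_CD if checking_disabled else 0)
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 1)  # 1 question, 1 OPT
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    # OPT RR: root name, TYPE 41, UDP size 4096, ext-rcode 0, version 0, DO, RDLEN 0
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 4096, 0, 0, EDNS_DO, 0)
    return header + question + opt

def parse_flags(msg):
    """Decode the header flags dig prints on its 'flags:' line."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    qid, flags = struct.unpack("!HH", msg[:4])
    return {"id": qid, "qr": bool(flags & FLAG_QR), "rd": bool(flags & FLAG_RD),
            "ra": bool(flags & FLAG_RA), "ad": bool(flags & FLAG_AD),
            "cd": bool(flags & FLAG_CD)}

def is_validating(response):
    """True when the response carries AD, i.e. the resolver is DNSSEC-validating."""
    return parse_flags(response)["ad"]

def probe(resolver_ip, name="isc.org", timeout=3.0):
    """Hypothetical helper: send the query over UDP and report whether the
    resolver validates (needs network access to the resolver)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (resolver_ip, 53))
        data, _ = s.recvfrom(4096)
    return is_validating(data)

# Constructed sample headers (bodies omitted): the header dig showed above, id 5628,
# flags "qr rd ra ad", and the same answer from a resolver that does not validate.
VALIDATED = struct.pack("!HHHHHH", 5628, FLAG_QR | FLAG_RD | FLAG_RA | FLAG_AD, 1, 3, 6, 14)
UNVALIDATED = struct.pack("!HHHHHH", 5628, FLAG_QR | FLAG_RD | FLAG_RA, 1, 3, 6, 14)
```

A response without AD only tells you the resolver did not validate that answer; it does not tell you which BIND version it runs, so patching is still the right move, as Thomas says.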