From: Thomas Rasmussen <thomas@gibfest.dk>
Date: Thu, 07 Jan 2010 01:33:13 +0100
To: freebsd-stable@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-10:01.bind
Message-ID: <4B452BC9.1040104@gibfest.dk>
In-Reply-To: <20100106235655.BA25C1CC0B@ptavv.es.net>

Kevin Oberman wrote:
>> Date: Wed, 06 Jan 2010 17:15:12 -0600
>> From: Stephen Montgomery-Smith
>> Sender: owner-freebsd-stable@freebsd.org
>>
>> FreeBSD Security Advisories wrote:
>>
>>> I. Background
>>>
>>> BIND 9 is an implementation of the Domain Name System (DNS) protocols.
>>> The named(8) daemon is an Internet Domain Name Server.
>>>
>>> DNS Security Extensions (DNSSEC) provides data integrity, origin
>>> authentication and authenticated denial of existence to resolvers.
>>>
>>> II. Problem Description
>>>
>>> If a client requests DNSSEC records with the Checking Disabled (CD) flag
>>> set, BIND may cache the unvalidated responses. These responses may later
>>> be returned to another client that has not set the CD flag.
>>>
>> How do I find out if my named server is using DNSSEC? I am using the
>> vanilla defaults with named on FreeBSD.
>>
>
> I think that it is VERY safe to say that if you don't know that you are
> using DNSSEC, you are not. And, even if you are, only a subset of those
> doing so are vulnerable.
>
> DNSSEC takes a fair amount of effort to sign your data and create and
> maintain keys. It takes a fair amount of planning and quite a bit of time
> to set it up, especially with versions of BIND prior to 9.7 (which is
> still in beta). Even with 9.7, it won't happen by accident.
>

Hello,

While this is all true, this vulnerability is for caching servers, not authoritative ones. It is pretty easy to set up DLV validation on a recursive bind server. However, it is not enabled by default on FreeBSD, so Stephen should be safe.

By the way, to check if a given resolver is DNSSEC enabled (without checking the config), you could for example do:

dig @resolverip +dnssec isc.org

and check under flags to see if the "ad" flag has been returned. If the "ad" flag is present, like in this example...

$ dig +dnssec isc.org

; <<>> DiG 9.6.1-P1 <<>> +dnssec isc.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5628
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 6, ADDITIONAL: 14
-------------------^^ DNSSEC is enabled
(remaining output removed).

...then DNSSEC is enabled and your bind is in a vulnerable configuration, and you should update. If the "ad" flag is not present, update bind anyway, and go enable DNSSEC! :)

Best regards
Thomas Rasmussen
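The manual check Thomas describes (look at the `;; flags:` line of a `dig +dnssec` reply for `ad`) is easy to script when you have many resolvers to inventory. The following is an added example, not code from the mail thread or from the BIND or FreeBSD projects: it parses the header section of dig output, reports the RCODE and the flag set, and decides whether the resolver returned an authenticated (AD) answer. The sample replies are constructed; the first one reproduces the header quoted above. One caveat the example enforces, and which matters given that this advisory is about the CD flag: a query sent with `+cd` echoes `cd` in the reply and tells the resolver not to validate, so `ad` will never be set and such a probe says nothing about whether validation is enabled. The optional `probe_resolver` helper shells out to `dig` and needs it installed; nothing else requires network access.

```python
import re
import subprocess
from typing import Set

# Constructed sample: header of a dig +dnssec reply from a validating resolver
# (the flags line is the one quoted in the mail).
SAMPLE_VALIDATING = """\
; <<>> DiG 9.6.1-P1 <<>> +dnssec isc.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5628
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 6, ADDITIONAL: 14
"""

# Constructed sample: same query answered by a resolver that does not validate.
SAMPLE_NON_VALIDATING = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 6, ADDITIONAL: 14
"""

# Constructed sample: the probe itself was sent with +cd, so the resolver
# skipped validation; the reply echoes "cd" and carries no "ad".
SAMPLE_CD_PROBE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 3, AUTHORITY: 6, ADDITIONAL: 14
"""

# dig prints the header flags as lowercase two-letter tokens ending at ';'.
FLAGS_RE = re.compile(r"^;; flags:\s*([a-z ]*);", re.MULTILINE)
STATUS_RE = re.compile(r"^;; ->>HEADER<<- .*status: ([A-Z]+)", re.MULTILINE)


def header_flags(dig_output: str) -> Set[str]:
    """Return the set of header flags (qr, aa, rd, ra, ad, cd, ...)."""
    m = FLAGS_RE.search(dig_output)
    if not m:
        raise ValueError("no ';; flags:' line found in dig output")
    return set(m.group(1).split())


def rcode(dig_output: str) -> str:
    """Return the response code (NOERROR, SERVFAIL, ...) from the HEADER line."""
    m = STATUS_RE.search(dig_output)
    if not m:
        raise ValueError("no ';; ->>HEADER<<-' line found in dig output")
    return m.group(1)


def resolver_validates(dig_output: str) -> bool:
    """True if the resolver marked the answer as authenticated (AD flag set).

    Raises ValueError if the probe was sent with CD set, because a
    checking-disabled query can never yield AD and proves nothing.
    """
    flags = header_flags(dig_output)
    if "cd" in flags:
        raise ValueError("probe was sent with +cd; resend without it")
    return "ad" in flags


def probe_resolver(resolver_ip: str, name: str = "isc.org") -> bool:
    """Run 'dig @resolver +dnssec name' and classify it. Requires dig on PATH."""
    out = subprocess.run(
        ["dig", "@" + resolver_ip, "+dnssec", name],
        capture_output=True, text=True, check=True,
    ).stdout
    if rcode(out) != "NOERROR":
        raise RuntimeError("query failed with %s; cannot judge validation" % rcode(out))
    return resolver_validates(out)


if __name__ == "__main__":
    for label, sample in (("validating", SAMPLE_VALIDATING),
                          ("non-validating", SAMPLE_NON_VALIDATING)):
        print(label, rcode(sample), sorted(header_flags(sample)),
              "AD set" if resolver_validates(sample) else "no AD")
```

Note that a missing `ad` flag only tells you this resolver did not validate this answer: the zone you query must itself be signed (isc.org is used above for that reason), and a SERVFAIL instead of NOERROR usually means validation failed rather than that it is disabled, which is why `probe_resolver` refuses to classify anything but NOERROR.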