Date: Tue, 12 Nov 2002 18:16:50 -0600
From: Len Conrad <LConrad@Go2France.com>
To: Freebsd-security@freebsd.org
Subject: Re: ISS Security Advisory: Multiple Remote Vulnerabilities in BIND4 and BIND8 (fwd)]
Message-ID: <5.1.1.6.2.20021112180339.00a891d8@mail.go2france.com>
In-Reply-To: <07fe01c28aa7$5bdeba10$0d11000a@wscarewm>
References: <20021112172820.GV96637@techometer.net> <07dc01c28aa4$fdb51d50$0d11000a@wscarewm> <20021112234706.GB62028@hellblazer.nectar.cc>

>At least limiting it prevents someone setting up an authoritative server,
>then making a query to that domain off your name server.

In the Men and Mice DNS Security course, we call this "triggered poisoning".

With BIND8, limiting/disabling recursion and disabling glue-fetching will keep you pretty secure from cache poisoning, and from this particular vulnerability.

The attacker could send you email that bounced, causing your MX to query his DNS to send the bounce msg, but your MX wouldn't be querying his tricked up DNS for SIG records.

SIG records are for DNSSEC signed zones and signed records. How many BIND8 zones even have SIG records to respond with?

Len

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
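
A check for the two BIND8 settings named in the message above, added here as an example and not part of the original e-mail. The named.conf samples are constructed, and the script assumes BIND8's defaults (recursion and glue fetching both on when the `recursion`, `allow-recursion` and `fetch-glue` options are absent).

```python
import re

# Constructed BIND 8 named.conf samples (not taken from the original message).
OPEN_CONF = """
options {
    directory "/etc/namedb";   // defaults apply: recursion yes, fetch-glue yes
};
"""
HARDENED_CONF = """
acl internal { 192.0.2.0/24; };
options {
    directory "/etc/namedb";
    allow-recursion { internal; };  # limit recursion to our own clients
    fetch-glue no;                  /* do not chase missing glue */
};
"""

def strip_comments(text):
    """Remove /* */, // and # comments (quoted strings containing them are not handled)."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)

def options_block(text):
    """Return the body of the options { ... } statement, or "" if absent."""
    m = re.search(r"\boptions\s*\{", text)
    if not m:
        return ""
    depth, start = 1, m.end()
    for i in range(start, len(text)):
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        if depth == 0:
            return text[start:i]
    return ""

def audit(conf):
    """List findings for the two settings discussed in the message."""
    body = options_block(strip_comments(conf))
    findings = []
    recursion_off = re.search(r"(?<![-\w])recursion\s+no\s*;", body)
    limited = re.search(r"\ballow-recursion\s*\{([^}]*)\}", body)
    # Recursion counts as limited only if an ACL is set and it is not "any".
    open_to_any = limited is None or re.search(r"\bany\b", limited.group(1))
    if not recursion_off and open_to_any:
        findings.append("recursion open to any client")
    if not re.search(r"\bfetch-glue\s+no\s*;", body):
        findings.append("glue fetching enabled")
    return findings

if __name__ == "__main__":
    for name, conf in (("open", OPEN_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(conf) or "ok")
```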