From: Carl Friend
To: "freebsd-security@freebsd.org"
Date: Wed, 14 Jan 2009 12:36:31 -0500
Subject: RE: FreeBSD Security Advisory FreeBSD-SA-09:04.bind
Message-ID: <0528A1CB48AB5B4FA0D8FD7E0D94D81D5A75B7441B@EXCHANGE-AH.ad.mathworks.com>
In-Reply-To: <200901132233.n0DMXv4a055314@freefall.freebsd.org>

Hi Leonid,

I got the message, so it looks like at least something is working.

From the advisory:

> NOTE WELL: If named(8) is not explicitly set to use DNSSEC the setup
> is not vulnerable to the issue as described in this Security Advisory.

We are not using DNSSEC on either the internal or external BIND
instances. We *are* using authentication keys for some of the internal
infrastructure (for dynamic updates) but not for the external, and this
facility uses shared-secrets anyway rather than PKI.

I think we're OK unless we're going to light up DNSSEC in the near
future.

+-----------------------------------------+----------------------------+
| Carl Richard Friend (UNIX Sysadmin)     | Natick, Massachusetts, USA |
| Minicomputer Collector / Enthusiast     | 01760-2098                 |
| mailto:carl_friend@mathworks.com        +----------------------------+
| http://users.rcn.com/crfriend/museum    | ICBM: +42:18:00 -71:21:03  |
+-----------------------------------------+----------------------------+