Date: Wed, 14 Jan 2009 22:35:41 -0800
From: Doug Barton <dougb@FreeBSD.org>
To: Carl Friend <Carl.Friend@mathworks.com>
Cc: "freebsd-security@freebsd.org" <freebsd-security@freebsd.org>
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-09:04.bind
Message-ID: <496ED93D.1010200@FreeBSD.org>
In-Reply-To: <0528A1CB48AB5B4FA0D8FD7E0D94D81D5A75B7441B@EXCHANGE-AH.ad.mathworks.com>
References: <200901132233.n0DMXv4a055314@freefall.freebsd.org> <0528A1CB48AB5B4FA0D8FD7E0D94D81D5A75B7441B@EXCHANGE-AH.ad.mathworks.com>
Carl Friend wrote:
> Hi Leonid,
>
> I got the message, so it looks like at least something is working.
>
> From the advisory:
>
>> NOTE WELL: If named(8) is not explicitly set to use DNSSEC the setup
>> is not vulnerable to the issue as described in this Security Advisory.
>
> We are not using DNSSEC on either the internal or external BIND
> instances. We *are* using authentication keys for some of the internal
> infrastructure (for dynamic updates) but not for the external, and
> this facility uses shared-secrets anyway rather than PKI.
When you say "authentication keys" I assume you mean TSIG. If so, that
is not affected by this advisory.
> I think we're OK unless we're going to light up DNSSEC in the near
> future.
You are only vulnerable to a potential man-in-the-middle attack IF you
are validating DNSSEC signatures AND IF the signatures on that record
involve DSA.
Doug
--
This .signature sanitized for your protection
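The two conditions Doug gives (named must be validating DNSSEC, and the validated record must carry a DSA signature) can be checked against a named.conf before deciding whether a patch is urgent. The script below is an added example written for this archive page; it is not code from the advisory, from the thread, or from BIND. It assumes a small subset of named.conf syntax (`options`, `trusted-keys`/`managed-keys` blocks, `key` statements), treats only an explicit `dnssec-validation yes|auto` as "validating" (defaults differ across BIND 9 releases, and the advisory's own wording is "explicitly set"), and uses the IANA DNSSEC algorithm numbers 3 (DSA) and 6 (DSA-NSEC3-SHA1). The sample configurations are constructed for the example. TSIG `key` statements, the shared-secret keys Carl describes, are deliberately ignored.

```python
"""Assess exposure to the DSA-validation issue from a named.conf.

Added example, not from the advisory or the thread. Rules implemented:
  1. not validating DNSSEC        -> not exposed
  2. validating, DSA trust anchor -> exposed
  3. validating, no DSA anchor    -> possibly exposed: any DSA-signed zone
                                     in a validated chain would be enough,
                                     which the config alone cannot reveal
TSIG `key { ... }` statements (shared secrets) do not matter here.
"""
import re

# DNSSEC algorithm numbers that involve DSA (IANA registry): 3 = DSA,
# 6 = DSA-NSEC3-SHA1.  RSA-based algorithms (5, 7, 8, ...) are not affected.
DSA_ALGORITHMS = {3, 6}

_BLOCK_RE = re.compile(r"\b(trusted-keys|managed-keys)\s*\{(.*?)\}\s*;", re.S)
# Anchor line: name flags protocol algorithm "base64"
# (managed-keys inserts the keyword "initial-key" after the name).
_ANCHOR_RE = re.compile(
    r'"?([A-Za-z0-9.\-_]+)"?\s+(?:initial-key\s+)?(\d+)\s+(\d+)\s+(\d+)\s+"([^"]*)"\s*;'
)


def strip_comments(conf):
    """Remove /* */, // and # comments so they cannot fool the matching."""
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", conf)


def get_option(conf, name):
    """Return 'yes', 'no', 'auto' for a boolean-ish option, or None if unset."""
    m = re.search(rf"\b{re.escape(name)}\s+(yes|no|auto)\s*;", conf)
    return m.group(1) if m else None


def trust_anchors(conf):
    """List (block type, zone name, algorithm) for every configured anchor."""
    found = []
    for blk in _BLOCK_RE.finditer(conf):
        for m in _ANCHOR_RE.finditer(blk.group(2)):
            found.append((blk.group(1), m.group(1), int(m.group(4))))
    return found


def assess(conf_text):
    conf = strip_comments(conf_text)
    enable = get_option(conf, "dnssec-enable")
    validation = get_option(conf, "dnssec-validation")
    # Assumption: only an explicit setting counts as validating.
    validating = enable != "no" and validation in ("yes", "auto")
    anchors = trust_anchors(conf)
    dsa = [name for _, name, alg in anchors if alg in DSA_ALGORITHMS]
    if not validating:
        verdict = "not exposed: named is not validating DNSSEC"
    elif dsa:
        verdict = "exposed: validating with DSA trust anchor(s) " + ", ".join(dsa)
    else:
        verdict = ("possibly exposed: validating; affected if any validated "
                   "chain is signed with DSA")
    return {"validating": validating, "anchors": anchors,
            "dsa_anchors": dsa, "verdict": verdict}


# Constructed sample configurations (not real deployments).
TSIG_ONLY = """
options { directory "/etc/namedb"; };
key "update-key" { algorithm hmac-md5; secret "c2VjcmV0"; };  // TSIG only
zone "internal.example" { type master; file "internal.db";
    allow-update { key "update-key"; }; };
"""
VALIDATING_DSA = """
options { dnssec-enable yes; dnssec-validation yes; };
trusted-keys {
    "dsa.example." 257 3 3 "AQPX...";  /* algorithm 3 = DSA */
};
"""
VALIDATING_RSA = """
options { dnssec-enable yes; dnssec-validation yes; };
trusted-keys { "rsa.example." 257 3 5 "AwEAAa..."; };  # algorithm 5 = RSASHA1
"""

if __name__ == "__main__":
    for label, conf in (("tsig-only", TSIG_ONLY), ("dsa-anchor", VALIDATING_DSA),
                        ("rsa-anchor", VALIDATING_RSA)):
        print(f"{label:11s} {assess(conf)['verdict']}")
```

Run it against a copy of the live named.conf (or feed `assess()` the output of `named-checkconf -p`, which expands includes) to get a verdict; the "possibly exposed" case is the honest answer for most validating resolvers, since the DSA condition depends on what the resolver validates, not only on its trust anchors.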
