From: Doug Barton <dougb@FreeBSD.org>
Date: Wed, 14 Jan 2009 22:35:41 -0800
To: Carl Friend
Cc: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-09:04.bind
Message-ID: <496ED93D.1010200@FreeBSD.org>
In-Reply-To: <0528A1CB48AB5B4FA0D8FD7E0D94D81D5A75B7441B@EXCHANGE-AH.ad.mathworks.com>
References: <200901132233.n0DMXv4a055314@freefall.freebsd.org> <0528A1CB48AB5B4FA0D8FD7E0D94D81D5A75B7441B@EXCHANGE-AH.ad.mathworks.com>

Carl Friend wrote:
> Hi Leonid,
>
> I got the message, so it looks like at least something is working.
>
> From the advisory:
>
>> NOTE WELL: If named(8) is not explicitly set to use DNSSEC the setup
>> is not vulnerable to the issue as described in this Security Advisory.
>
> We are not using DNSSEC on either the internal or external BIND
> instances. We *are* using authentication keys for some of the internal
> infrastructure (for dynamic updates) but not for the external, and
> this facility uses shared secrets anyway rather than PKI.

When you say "authentication keys" I assume you mean TSIG. If so, that
is not affected by this advisory.

> I think we're OK unless we're going to light up DNSSEC in the near
> future.

You are only vulnerable to a potential man-in-the-middle attack IF you
are validating DNSSEC signatures AND IF the signatures on that record
involve DSA.

Doug

--
This .signature sanitized for your protection
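The applicability test Doug spells out (TSIG is out of scope; only a resolver that validates DNSSEC signatures is exposed, and only where DSA is involved) can be applied mechanically to a named.conf. The script below is an added example, not part of the thread or of the advisory; both configurations it inspects are constructed, and it assumes the BIND 9.4 behaviour of that era, where `dnssec-enable` and `dnssec-validation` default to off and validation additionally needs a `trusted-keys` anchor.

```python
"""Triage a named.conf against the criteria stated in the thread.
Both sample configs are constructed for this example, not taken
from any real host."""
import re

# DNSKEY algorithm numbers that are DSA-based (3 = DSA/SHA-1, 6 = DSA-NSEC3-SHA1).
DSA_ALGORITHMS = {3, 6}

VALIDATING_CONF = """
options {
    directory "/etc/namedb";
    dnssec-enable yes;
    dnssec-validation yes;
};
key "dyn-update" {          // TSIG key for dynamic updates, unaffected
    algorithm hmac-md5;
    secret "CONSTRUCTED-TSIG-SECRET-PLACEHOLDER";
};
trusted-keys {
    "example." 257 3 3 "CONSTRUCTED-DSA-KEY-PLACEHOLDER";
    "example.net." 257 3 5 "CONSTRUCTED-RSA-KEY-PLACEHOLDER";
};
"""

# The situation described in the thread: TSIG for dynamic updates, no DNSSEC.
TSIG_ONLY_CONF = """
key "dyn-update" { algorithm hmac-md5; secret "CONSTRUCTED"; };
options { directory "/etc/namedb"; };
"""

def strip_comments(conf):
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)
    return re.sub(r"(//|#).*", "", conf)

def option_enabled(conf, name):
    # Assumption: an absent option is off, as in BIND 9.4.
    m = re.search(r"\b%s\s+(yes|no)\s*;" % re.escape(name), conf)
    return bool(m) and m.group(1) == "yes"

def triage(conf):
    conf = strip_comments(conf)
    # `key "name" { ... };` statements are TSIG shared secrets, not DNSSEC.
    tsig_keys = re.findall(r'\bkey\s+"?([^"\s{]+)"?\s*\{', conf)
    block = re.search(r"\btrusted-keys\s*\{(.*?)\};", conf, re.S)
    # Trust anchor entries: name flags protocol algorithm "base64-key".
    anchors = re.findall(r'"?([^"\s]+)"?\s+\d+\s+\d+\s+(\d+)\s+"', block.group(1)) if block else []
    trust_anchors = {name: int(alg) for name, alg in anchors}
    validating = (option_enabled(conf, "dnssec-enable")
                  and option_enabled(conf, "dnssec-validation") and bool(trust_anchors))
    return {"tsig_keys": tsig_keys, "validating": validating, "trust_anchors": trust_anchors,
            "dsa_trust_anchors": sorted(n for n, a in trust_anchors.items() if a in DSA_ALGORITHMS),
            "advisory_applies": validating}
```

A DSA trust anchor is only one indicator: with validation on, DSA signatures may be met anywhere in the chains the resolver validates, which is why `advisory_applies` follows the validation setting rather than the anchor algorithms.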