Date: Sat, 10 Feb 2007 15:25:36 +1100
From: Mark Andrews <Mark_Andrews@isc.org>
To: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-07:02.bind
Message-ID: <200702100425.l1A4Pab2073080@drugs.dv.isc.org>
In-Reply-To: Your message of "Fri, 09 Feb 2007 20:42:01 GMT." <200702092042.l19Kg1UV023236@freefall.freebsd.org>

> IV. Workaround
>
> There is no workaround available, but systems which are not authoritative
> servers for DNSSEC signed zones are not affected by the first issue; and
> systems which do not permit untrusted users to perform recursive DNS
> resolution are not affected by the second issue. Note that the default
> configuration for named(8) in FreeBSD allows local access only (which on
> many systems is equivalent to refusing access to untrusted users).

More precisely, systems which do not *validate* answers are not
vulnerable to the first. All nameservers which offer recursion
are vulnerable to the second.

From ISC's advisory (which I authored).

Workaround:

    Disable / restrict recursion (to limit exposure).

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews@isc.org
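
The "Disable / restrict recursion" workaround from the message above, written out as a named.conf fragment. This is an added example, not part of the original message or of ISC's advisory; the ACL name and the address ranges are constructed placeholders.

```conf
// Constructed example: the ACL name and networks are placeholders,
// replace them with the clients that are actually allowed to recurse.
acl "trusted-clients" {
    127.0.0.1;
    ::1;
    192.0.2.0/24;      // documentation range standing in for an internal LAN
};

options {
    // Exposed form, for comparison (recursion offered to every client):
    //   recursion yes;
    //   allow-recursion { any; };

    // Restrict recursion: only the listed clients may ask this server
    // to resolve names on their behalf. This limits exposure to the
    // second issue; it does not remove it for the trusted clients.
    recursion yes;
    allow-recursion { "trusted-clients"; };

    // Disable recursion: for a server that only answers for its own
    // zones, use this single statement instead of the two lines above.
    //   recursion no;
};
```

Running `named-checkconf` against the edited file confirms the syntax before named is reloaded.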