Date: Fri, 09 Feb 2007 23:09:08 -0800
From: Colin Percival <cperciva@freebsd.org>
To: Mark Andrews <Mark_Andrews@isc.org>
Cc: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-07:02.bind
Message-ID: <45CD6F94.5040409@freebsd.org>
In-Reply-To: <200702100425.l1A4Pab2073080@drugs.dv.isc.org>
References: <200702100425.l1A4Pab2073080@drugs.dv.isc.org>

Mark Andrews wrote:
>> There is no workaround available, but systems which are not authoritative
>> servers for DNSSEC signed zones are not affected by the first issue; and
>> systems which do not permit untrusted users to perform recursive DNS
>> resolution are not affected by the second issue.  Note that the default
>> configuration for named(8) in FreeBSD allows local access only (which on
>> many systems is equivalent to refusing access to untrusted users).
>
> From ISC's advisory (which I authored).
>
> Workaround:
>
> Disable / restrict recursion (to limit exposure).

Considering that the only FreeBSD systems which permit recursive queries are
those which have been specifically configured to do so, I don't consider this
to be a workaround.  DoS by administrator is no better than DoS by attacker.

Colin Percival