Date: Fri, 09 Feb 2007 23:09:08 -0800
From: Colin Percival <cperciva@freebsd.org>
To: Mark Andrews
Cc: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-07:02.bind
Message-id: <45CD6F94.5040409@freebsd.org>
In-reply-to: <200702100425.l1A4Pab2073080@drugs.dv.isc.org>

Mark Andrews wrote:
>> There is no workaround available, but systems which are not authoritative
>> servers for DNSSEC signed zones are not affected by the first issue; and
>> systems which do not permit untrusted users to perform recursive DNS
>> resolution are not affected by the second issue. Note that the default
>> configuration for named(8) in FreeBSD allows local access only (which on
>> many systems is equivalent to refusing access to untrusted users).
>
> From ISC's advisory (which I authored).
>
> Workaround:
>
> Disable / restrict recursion (to limit exposure).

Considering that the only FreeBSD systems which permit recursive queries are
those which have been specifically configured to do so, I don't consider this
to be a workaround. DoS by administrator is no better than DoS by attacker.

Colin Percival