Date:      Wed, 06 Jan 2010 15:56:55 -0800
From:      "Kevin Oberman" <oberman@es.net>
To:        Stephen Montgomery-Smith <stephen@missouri.edu>
Cc:        freebsd-stable@freebsd.org
Subject:   Re: FreeBSD Security Advisory FreeBSD-SA-10:01.bind 
Message-ID:  <20100106235655.BA25C1CC0B@ptavv.es.net>
In-Reply-To: Your message of "Wed, 06 Jan 2010 17:15:12 CST." <4B451980.8010403@missouri.edu> 

> Date: Wed, 06 Jan 2010 17:15:12 -0600
> From: Stephen Montgomery-Smith <stephen@missouri.edu>
> Sender: owner-freebsd-stable@freebsd.org
> 
> FreeBSD Security Advisories wrote:
> 
> > I.   Background
> > 
> > BIND 9 is an implementation of the Domain Name System (DNS) protocols.
> > The named(8) daemon is an Internet Domain Name Server.
> > 
> > DNS Security Extensions (DNSSEC) provides data integrity, origin
> > authentication and authenticated denial of existence to resolvers.
> > 
> > II.  Problem Description
> > 
> > If a client requests DNSSEC records with the Checking Disabled (CD) flag
> > set, BIND may cache the unvalidated responses.  These responses may later
> > be returned to another client that has not set the CD flag.
> 
> How do I find out if my named server is using DNSSEC?  I am using the 
> vanilla defaults with named on FreeBSD.

I think that it is VERY safe to say that if you don't know that you are
using DNSSEC, you are not. And, even if you are, only a subset of those
doing so are vulnerable.

DNSSEC takes a fair amount of effort to sign your data and create and
maintain keys. It takes a fair amount of planning and quite a bit of time
to set it up, especially with versions of BIND prior to 9.7 (which is
still in beta). Even with 9.7, it won't happen by accident.
-- 
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: oberman@es.net			Phone: +1 510 486-8634
Key fingerprint:059B 2DDF 031C 9BA3 14A4  EADA 927D EBB3 987B 3751
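
Added example (not part of the message above or of the advisory): one way to check a named.conf for DNSSEC validation settings, which is the question asked in the quoted text. It is a heuristic that assumes named only validates when a trust anchor is configured (trusted-keys, or managed-keys from 9.7) or dnssec-validation is set to auto in later releases; the function names and both sample configurations are constructed for illustration.

```python
import re

# Constructed sample configurations, not taken from the thread.
DEFAULT_CONF = '''
options {
    directory "/etc/namedb";
    // dnssec-validation yes;   (commented out, must be ignored)
    listen-on { 127.0.0.1; };
};
zone "." { type hint; file "named.root"; };
'''

VALIDATING_CONF = '''
options {
    directory "/etc/namedb";
    dnssec-enable yes;
    dnssec-validation yes;
};
trusted-keys {
    "example." 257 3 5 "PLACEHOLDERKEY==";  # constructed placeholder key
};
'''

def strip_comments(text):
    """Remove /* */, // and # comments while leaving quoted strings intact."""
    pattern = r'"(?:\\.|[^"\\])*"|/\*.*?\*/|//[^\n]*|#[^\n]*'
    keep_strings = lambda m: m.group(0) if m.group(0).startswith('"') else ' '
    return re.sub(pattern, keep_strings, text, flags=re.S)

def dnssec_status(conf_text):
    """Report DNSSEC-related statements found in named.conf text."""
    text = strip_comments(conf_text)

    def option(name):
        m = re.search(r'\b%s\s+(\w+)\s*;' % re.escape(name), text)
        return m.group(1).lower() if m else None

    enable = option('dnssec-enable')
    validation = option('dnssec-validation')
    anchors = bool(re.search(r'\b(?:trusted-keys|managed-keys)\s*\{', text))
    # Assumption: validation needs an anchor (or "auto") and no explicit "no".
    validating = bool((anchors or validation == 'auto')
                      and 'no' not in (enable, validation))
    return {'dnssec-enable': enable, 'dnssec-validation': validation,
            'trust_anchors': anchors, 'validating': validating}

if __name__ == '__main__':
    for label, conf in (('default', DEFAULT_CONF), ('validating', VALIDATING_CONF)):
        print(label, dnssec_status(conf))
```

On a real server, pass the contents of the active named.conf, plus any files it includes, to dnssec_status().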