[dns-operations] BIND Security Advisory

Doug Barton dougb at dougbarton.us
Tue Jul 28 23:36:27 UTC 2009


Tom Daly wrote:
>> A purely cache-only server should not be affected. Being auth for
>> a single zone would make you vulnerable.
> 
> Some quick and dirty research/testing on our side indicates that
> being an authoritative slave doesn't make you vulnerable either, it
> is only if you are authoritative master, i.e.:
> 
> zone blat.com { type master; ... };

Our (FreeBSD) testing indicates the same.

> Then again, if you choose to be RFC1912 compliant, you probably
> made yourself vulnerable.

Unfortunately for this issue I added 1912 plus a bunch of other
default zones to our default resolver config, so if you use our stuff
out of the box you are vulnerable.


Doug
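
One way to check a configuration for the condition discussed in this thread (any zone declared `type master`, including default local zones), as an added example that is not part of the original e-mail, BIND or FreeBSD. The sample config and its file names are constructed, and treating `primary` as a synonym for `master` reflects later BIND releases.

```python
import re
import sys

# Constructed sample: a resolver config carrying local zones (not a real file).
SAMPLE_CONF = r'''
options { directory "/etc/namedb"; recursion yes; };
// zone "commented.example" { type master; file "x"; };
/* zone "block.example" { type master; file "y"; }; */
zone "." { type hint; file "named.root"; };
zone "localhost" { type master; file "local/localhost.db"; };
zone "127.in-addr.arpa" IN {
    type master;   # reverse zone for loopback
    file "local/127.db";
};
zone "blat.com" { type slave; masters { 192.0.2.1; }; file "slave/blat.com"; };
'''

# A quoted string, or one of the three named.conf comment styles.
_TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|/\*.*?\*/|//[^\n]*|#[^\n]*', re.S)
# zone "name" [class] {
_ZONE = re.compile(r'\bzone\s+"([^"]*)"\s*(?:\w+\s*)?\{')
_TYPE = re.compile(r'\btype\s+([\w-]+)\s*;')

def strip_comments(text):
    """Blank out comments while leaving quoted strings untouched."""
    return _TOKEN.sub(lambda m: m.group(0) if m.group(0)[0] == '"' else ' ', text)

def zone_types(text):
    """Return [(zone_name, type)] for every zone statement, views included."""
    text = strip_comments(text)
    found = []
    for m in _ZONE.finditer(text):
        depth, i = 1, m.end()
        while i < len(text) and depth:      # walk to the matching close brace
            depth += {'{': 1, '}': -1}.get(text[i], 0)
            i += 1
        t = _TYPE.search(text[m.end():i - 1])
        found.append((m.group(1), t.group(1) if t else None))
    return found

def master_zones(text):
    """Zones this server is master for ('primary' is the newer synonym)."""
    return [name for name, ztype in zone_types(text) if ztype in ('master', 'primary')]

if __name__ == '__main__':
    conf = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    for name in master_zones(conf):
        print('master zone:', name)
```

The script reads only the file it is given, so zones pulled in through `include` are covered only if it is run on the flattened output of `named-checkconf -p`.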


