[dns-operations] BIND Security Advisory
Chris Thompson
cet1 at cam.ac.uk
Wed Jul 29 10:08:29 UTC 2009
On Jul 29 2009, Anand Buddhdev wrote:
>On 28/7/09 23:47, Michael Graff wrote:
>
>> A purely cache only server should not be affected. Being auth for a
>> single zone would make you be vulnerable.
>
>This implies that most caches are also vulnerable, because most typical
>BIND caches are authoritative for at least the 0.0.127.in-addr.arpa
>zone. Ouch.

Even if not, there are the "automatic empty zones" in BIND 9.4 and later,
typically enabled *only* on recursive nameservers. Presumably these can
be used as the attack vector as well?
--
Chris Thompson               University of Cambridge Computing Service,
Email: cet1 at ucs.cam.ac.uk    New Museums Site, Cambridge CB2 3QH,
Phone: +44 1223 334715       United Kingdom.