[dns-operations] BIND Security Advisory

Chris Thompson cet1 at cam.ac.uk
Wed Jul 29 10:08:29 UTC 2009

On Jul 29 2009, Anand Buddhdev wrote:

>On 28/7/09 23:47, Michael Graff wrote:
>> A purely cache only server should not be affected. Being auth for a
>> single zone would make you be vulnerable.
>This implies that most caches are also vulnerable, because most typical
>BIND caches are authoritative for at least the 0.0.127.in-addr.arpa
>zone. Ouch.

Even if not, there are the "automatic empty zones" in BIND 9.4 and later,
typically enabled *only* on recursive nameservers. Presumably these can
be used as the attack vector as well?

Chris Thompson               University of Cambridge Computing Service,
Email: cet1 at ucs.cam.ac.uk    New Museums Site, Cambridge CB2 3QH,
Phone: +44 1223 334715       United Kingdom.