On 1/8/2009 9:10 AM, David Coulthart wrote:
> Would someone be able to provide some more details as to what particular configurations of BIND this affects? My interpretation is it only impacts recursive nameservers that have DNSSEC validation enabled. Speaking in terms of BIND config options, the dnssec-validation option would need to be set to yes (so just having the default of dnssec-enable set to yes isn't enough to make the server vulnerable). Is this a correct interpretation?
The OpenSSL vulnerability affects DSA and ECDSA certificates; an attacker is able to bypass validation of the certificate. Since DNSSEC uses ECDSA, this means an attacker could use a forged certificate in a man-in-the-middle attack.
If you're not using DNSSEC, then this vulnerability doesn't really affect you, since you already have no way of knowing if a MITM attack is occurring.
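An added example, not code from the thread: a small Python check that classifies a named.conf along the lines the question above draws, treating dnssec-enable alone as non-validating and counting a server as validating only with an explicit dnssec-validation setting plus a trust anchor. The sample configs, the PLACEHOLDER key data and the status strings are constructed for this example.

```python
import re

# Constructed example configs for this check; not from the original thread.
ENABLE_ONLY = """
options {
    directory "/var/named";
    recursion yes;
    dnssec-enable yes;   // serves DNSSEC records, does not validate
    listen-on { any; };  // nested braces the extractor must skip
};
"""

VALIDATING = """
options {
    recursion yes;
    dnssec-enable yes;
    dnssec-validation yes;  # validate answers against trust anchors
    /* dnssec-validation no; */
};
trusted-keys { "." 257 3 5 "PLACEHOLDER-KEY-DATA"; };
"""

def strip_comments(text):
    """Drop the /* */, // and # comment forms that named.conf accepts."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)

def options_block(text):
    """Return the body of the options { ... } block, matching nested braces."""
    m = re.search(r"\boptions\s*\{", text)
    if not m:
        return ""
    depth = 1
    for i in range(m.end(), len(text)):
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        if depth == 0:
            return text[m.end():i]
    return text[m.end():]

def option_value(body, name):
    """Value of a one-word option inside body, or None if it is not set."""
    m = re.search(r"(?<![\w-])%s\s+([\w-]+)\s*;" % re.escape(name), body)
    return m.group(1).lower() if m else None

def validation_status(conf):
    """Classify a named.conf the way the question above distinguishes them."""
    text = strip_comments(conf)
    body = options_block(text)
    if option_value(body, "recursion") == "no":
        return "not recursive"
    # Defaults differ between BIND releases, so only an explicit setting
    # counts ("auto" is accepted by later releases); dnssec-enable alone
    # does not make the server validate.
    if option_value(body, "dnssec-validation") not in ("yes", "auto"):
        return "recursive, not validating"
    # Validation needs a trust anchor: trusted-keys, managed-keys or DLV.
    if not re.search(r"\b(trusted-keys|managed-keys|dnssec-lookaside)\b", text):
        return "validation on, no trust anchor"
    return "validating resolver"
```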
bind-users mailing list: bind-users@lists.isc.org, https://lists.isc.org/mailman/listinfo/bind-users