David Coulthart wrote:
> On Jan 19, 2010, at 12:28 PM, Evan Hunt wrote:
>> BIND 9.6.1-P3 is a SECURITY PATCH for BIND 9.6.1. It addresses two
>> potential cache poisoning vulnerabilities, both of which could allow
>> a validating recursive nameserver to cache data which had not been
>> authenticated or was invalid.
>
> Do these vulnerabilities only apply to recursive name servers that have
> DNSSEC trusted keys or lookaside keys configured? Or do they also apply
> if the server has dnssec-enable & dnssec-validation enabled (as by
> default on 9.6.x) but no trusted keys or lookaside keys configured?

There is no validation until you have a trusted key or lookaside configured. The default enabling has no effect without the keys - therefore you are not vulnerable either without the keys.
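The condition described in the reply above can be checked against a configuration file. This is an added example, not part of the original thread and not ISC code: it assumes a single named.conf with no `include` files or per-view overrides, treats `dnssec-enable` and `dnssec-validation` as on unless explicitly disabled (the 9.6.x default mentioned in the question), and uses constructed sample configurations with a placeholder key.

```python
import re

# Quoted strings are matched first so that "//" inside a base64 key is not
# mistaken for the start of a comment.
_TOKEN = re.compile(r'"[^"]*"|/\*.*?\*/|//[^\n]*|#[^\n]*', re.S)

def strip_comments(conf):
    """Remove /* */, // and # comments, leaving quoted strings untouched."""
    return _TOKEN.sub(lambda m: m.group(0) if m.group(0)[0] == '"' else " ", conf)

def option_disabled(conf, name):
    """True if the boolean option is explicitly turned off."""
    return re.search(rf"\b{re.escape(name)}\s+(no|false|0)\s*;", conf) is not None

def trust_anchors(conf):
    """Names of the trust-anchor statements present (empty key lists ignored)."""
    found = []
    blocks = re.finditer(r"\btrusted-keys\s*\{(.*?)\}\s*;", conf, re.S)
    if any(m.group(1).strip() for m in blocks):
        found.append("trusted-keys")
    if re.search(r"\bdnssec-lookaside\s+\S+\s+trust-anchor\s+\S+\s*;", conf):
        found.append("dnssec-lookaside")
    return found

def validation_active(conf_text):
    """Return (active, anchors): validation needs the options on AND an anchor."""
    conf = strip_comments(conf_text)
    if option_disabled(conf, "dnssec-enable") or option_disabled(conf, "dnssec-validation"):
        return False, []
    anchors = trust_anchors(conf)
    return bool(anchors), anchors

# Constructed samples; the key material is a placeholder, not a real DNSKEY.
DEFAULTS_ONLY = '''
options { directory "/var/named"; recursion yes; };
// trusted-keys { "." 257 3 5 "AwEAplaceholder=="; };
'''
WITH_KEY = '''
options { recursion yes; };
trusted-keys { "." 257 3 5 "AwEA//constructedPLACEHOLDERkey=="; };
'''
KEY_BUT_DISABLED = WITH_KEY + "options { dnssec-validation no; };\n"

if __name__ == "__main__":
    for name, conf in [("defaults only", DEFAULTS_ONLY), ("with key", WITH_KEY),
                       ("key, validation off", KEY_BUT_DISABLED)]:
        print(name, validation_active(conf))
```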