> Date: Wed, 06 Jan 2010 17:15:12 -0600
> From: Stephen Montgomery-Smith <step...@missouri.edu>
> Sender: owner-freebsd-sta...@freebsd.org
>
> FreeBSD Security Advisories wrote:
>
> > I. Background
> >
> > BIND 9 is an implementation of the Domain Name System (DNS) protocols.
> > The named(8) daemon is an Internet Domain Name Server.
> >
> > DNS Security Extensions (DNSSEC) provides data integrity, origin
> > authentication and authenticated denial of existence to resolvers.
> >
> > II. Problem Description
> >
> > If a client requests DNSSEC records with the Checking Disabled (CD) flag
> > set, BIND may cache the unvalidated responses. These responses may later
> > be returned to another client that has not set the CD flag.
>
> How do I find out if my named server is using DNSSEC? I am using the
> vanilla defaults with named on FreeBSD.

I think that it is VERY safe to say that if you don't know that you are
using DNSSEC, you are not. And, even if you are, only a subset of those
doing so are vulnerable.

DNSSEC takes a fair amount of effort to sign your data and create and
maintain keys. It takes a fair amount of planning and quite a bit of
time to set it up, especially with versions of BIND prior to 9.7 (which
is still in beta). Even with 9.7, it won't happen by accident.

--
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: ober...@es.net    Phone: +1 510 486-8634
Key fingerprint: 059B 2DDF 031C 9BA3 14A4 EADA 927D EBB3 987B 3751
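
One way to approach the question asked in this thread, as an added example that is not part of the original messages: a Python sketch that lists the DNSSEC-related statements still active in a named.conf once comments are stripped. The statement names are real BIND 9 options; the function names are hypothetical and both sample configurations are constructed.

```python
import re

# BIND 9 named.conf statements that relate to DNSSEC (real option names).
DNSSEC_STATEMENTS = ("trusted-keys", "managed-keys", "dnssec-enable",
                     "dnssec-validation", "dnssec-lookaside")

# Constructed sample: DNSSEC statements appear, but mostly inside comments.
SAMPLE_CONF = '''
options {
    directory "/etc/namedb";   // constructed sample, not a real host
    # dnssec-validation yes;
    /* trusted-keys { example. 257 3 5 "AAAA"; }; */
    dnssec-enable yes;
};
'''

# Constructed sample: validation switched on and a trust anchor configured.
VALIDATING_CONF = ('options { dnssec-validation yes; };\n'
                   'trusted-keys { "." 257 3 5 "AAAA"; };\n')

_TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|/\*.*?\*/|//[^\n]*|#[^\n]*', re.S)

def strip_comments(text):
    """Drop /* */, // and # comments; quoted strings are left untouched."""
    keep = lambda m: m.group(0) if m.group(0).startswith('"') else " "
    return _TOKEN.sub(keep, text)

def dnssec_statements(conf_text):
    """Map each active DNSSEC statement to its first argument, or '{...}' for a block."""
    active = strip_comments(conf_text)
    found = {}
    for name in DNSSEC_STATEMENTS:
        m = re.search(r'(?<![\w-])' + re.escape(name) + r'\s+([^;{\s]+|\{)', active)
        if m:
            found[name] = "{...}" if m.group(1) == "{" else m.group(1)
    return found

def has_trust_anchor(conf_text):
    """True when a trusted-keys or managed-keys block is active in the file."""
    found = dnssec_statements(conf_text)
    return "trusted-keys" in found or "managed-keys" in found

if __name__ == "__main__":
    for label, conf in (("sample", SAMPLE_CONF), ("validating", VALIDATING_CONF)):
        print(label, dnssec_statements(conf), "trust anchor:", has_trust_anchor(conf))
```

The scan only sees what is written in the file passed to it; compiled-in defaults and files pulled in with `include` are not covered.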