Kevin Oberman wrote:
Date: Wed, 06 Jan 2010 17:15:12 -0600
From: Stephen Montgomery-Smith <step...@missouri.edu>
Sender: owner-freebsd-sta...@freebsd.org
FreeBSD Security Advisories wrote:
I. Background
BIND 9 is an implementation of the Domain Name System (DNS) protocols.
The named(8) daemon is an Internet Domain Name Server.
DNS Security Extensions (DNSSEC) provides data integrity, origin
authentication and authenticated denial of existence to resolvers.
II. Problem Description
If a client requests DNSSEC records with the Checking Disabled (CD) flag
set, BIND may cache the unvalidated responses. These responses may later
be returned to another client that has not set the CD flag.
How do I find out if my named server is using DNSSEC? I am using the
vanilla defaults with named on FreeBSD.
I think that it is VERY safe to say that if you don't know that you are
using DNSSEC, you are not. And, even if you are, only a subset of those
doing so are vulnerable.
DNSSEC takes a fair amount of effort to sign your data and create and
maintain keys. It takes a fair amount of planning and quite a bit of time
to set it up, especially with versions of BIND prior to 9.7 (which is
still in beta). Even with 9.7, it won't happen by accident.
Hello,
While this is all true, this vulnerability is for caching servers,
not authoritative ones. It is pretty easy to set up DLV validation on a
recursive bind server. However, it is not enabled by default on FreeBSD,
so Stephen should be safe.
By the way, to check if a given resolver is DNSSEC enabled (without
checking the config), you could for example do:
dig @resolverip +dnssec isc.org
and check under flags to see if the "ad" flag has been returned.
If the "ad" flag is present, like in this example...
$ dig +dnssec isc.org
; <<>> DiG 9.6.1-P1 <<>> +dnssec isc.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5628
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 6, ADDITIONAL: 14
-------------------^^ DNSSEC is enabled (remaining output removed).
...then DNSSEC is enabled and your bind is in a vulnerable configuration,
and you should update. If the "ad" flag is not present, update bind anyway,
and go enable DNSSEC! :)
Best regards
Thomas Rasmussen
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable