Re: Bug in bind 9.7.3?

2011-05-27 Thread Eivind Olsen
Evan Hunt wrote: > Yes. But the problem domain has been corrected, so you won't be able to > reproduce it now. > In the interest of preventing this happening again, either by accident > (as it was in this case) or due to someone crafting a bad zone > maliciously, > we will be releasing a patch to

Re: BIND Security Advisory May 2011: Large RRSIG RRsets and Negative Caching can crash named

2011-05-27 Thread Michael Sinatra
On Fri, 27 May 2011, Frank Kloeker wrote: Hello, I would want to say thank you very much for the wonderful work of the ISC team and the quick solution of the problem and a very professional appearance. I have come to expect such performance from everyone at ISC, but yesterday they exceeded ev

Re: ? bad cache hit (eduftcdnsp01.ed.gov/DS)

2011-05-27 Thread Carlos Vicente
Hi Jim, We are seeing the same thing. The problem is an incorrectly signed zone (missing RRSIG records) at ed.gov. See: http://dnssec-debugger.verisignlabs.com/www.ed.gov http://dnsviz.net/d/www.ed.gov/dnssec/ cv On Fri, May 27, 2011 at 12:09 PM, Jim Glassford wrote: > Hi, > > Running BIND 9.7

Re: ? bad cache hit (eduftcdnsp01.ed.gov/DS)

2011-05-27 Thread Casey Deccio
On Fri, May 27, 2011 at 12:09 PM, Jim Glassford wrote: > Starting today got reports of unable to reach some student ad sites such as > studentloans.gov > > There are problems with this and related sites. Specifically RRSIGs are not being returned with some RRsets, resulting in a broken chain of

? bad cache hit (eduftcdnsp01.ed.gov/DS)

2011-05-27 Thread Jim Glassford
Hi, Running BIND 9.7.0-P2 Is this just me or others seeing this? Starting today got reports of unable to reach some student ad sites such as studentloans.gov # dig eduftcdnsp01.ed.gov ; <<>> DiG 9.7.0-P2-RedHat-9.7.0-5.P2.el6_0.1 <<>> eduftcdnsp01.ed.gov ;; global options: +cmd ;; Got answer:

Re: BIND Security Advisory May 2011: Large RRSIG RRsets and Negative Caching can crash named

2011-05-27 Thread Frank Kloeker
Hello, I would want to say thank you very much for the wonderful work of the ISC team and the quick solution of the problem and a very professional appearance. Happy patching & a nice weekend Frank -- ++ Frank Kloeker Operations and

Updated Security Advisory: BIND 9.4-ESV-R4-P1 is now available.

2011-05-27 Thread Larissa Shapiro
Change: BIND 9.4-ESV-R4-P1 is now available. Title: Large RRSIG RRsets and Negative Caching can crash named. Summary: A BIND 9 DNS server set up to be a caching resolver is vulnerable to a user querying a domain with very large resource record sets (RRSets) when trying to negatively cache a resp

Re: Why DNSSEC errors for bund.de?

2011-05-27 Thread Chris Thompson
To follow up on this thread (there's been much more about it on DNS-OARC than here), it was a bug that is fixed (change 3020) together with the more serious security problem (change 3121) in the new BIND versions 9.6-ESV-R4-P1, 9.7.3-P1 and 9.8.0-P2. -- Chris Thompson Email: c...@cam.ac.uk

BIND Security Advisory May 2011: Large RRSIG RRsets and Negative Caching can crash named

2011-05-27 Thread Larissa Shapiro
*Summary:* A BIND 9 DNS server set up to be a caching resolver is vulnerable to a user querying a domain with very large resource record sets (RRSets) when trying to negatively cache a response. This can cause the BIND 9 DNS server (named process) to

Re: Bug in bind 9.7.3?

2011-05-27 Thread Jan-Piet Mens
> This is reproducible and should only affected in 9.7.3. For the record, the problem has been fixed: http://www.isc.org/software/bind/advisories/cve-2011-1910 -JP