* Jack Tavares:
> Thank you again. And I agree that upgrading is the best option, however
> I was looking for any possible mitigations to the problem for the
> (unfortunately unavoidable) period of time it will take vendors
> to provide patched bind servers.
I don't think it's possible to filte
On Fri, Nov 18, 2011 at 6:11 AM, Jack Tavares wrote:
> Thank you again. And I agree that upgrading is the best option, however
> I was looking for any possible mitigations to the problem for the
> (unfortunately unavoidable) period of time it will take vendors
> to provide patched bind servers.
W
On 11/16/2011 5:35 PM, Michael McNally wrote:
> No. You can see all versions of ISC BIND 9 that we have released,
> going back to 9.0.0 in 2004, at ftp://ftp.isc.org/isc/bind9/
9.0.0 was released well before that. 9.2.1 was released in 2001 when I
completed the first release of the Windows versio
I asked
>> If the assertion takes place when retrieving data from the cache,
>> would setting cache size to 0 (to disable caching) avert this issue
>> while still allowing recursion?
Evan responded:
>
>I don't think so. I believe the cache actually has a minimum size,
>lower than which named won't
> If the assertion takes place when retrieving data from the cache,
> would setting cache size to 0 (to disable caching) avert this issue
> while still allowing recursion?
I don't think so. I believe the cache actually has a minimum size,
lower than which named won't let you go.
Setting max-ncac
>> So is it true that there is no way to make an existing bind server
>> (without this patch) safe from this?
>A server that only serves authoritative data and doesn't recurse
>is safe. The assertion takes place when retrieving data from the
>cache, which an authoritative server never does.
>An
From: Evan Hunt [e...@isc.org]
Sent: Thursday, November 17, 2011 14:30
To: Jack Tavares
Cc: John Wobus; bind-users
Subject: Re: trigger point for new bug
> So is it true that there is no way to make an existing bind server
> (without this patch) safe from this?
>A server that on
> So is it true that there is no way to make an existing bind server
> (without this patch) safe from this?
A server that only serves authoritative data and doesn't recurse
is safe. The assertion takes place when retrieving data from the
cache, which an authoritative server never does.
Any serv
tavares=f5@lists.isc.org] on behalf of Evan Hunt
[e...@isc.org]
Sent: Thursday, November 17, 2011 08:44
To: John Wobus
Cc: bind-users
Subject: Re: trigger point for new bug
> How about authoritative-only views? I.e., if a query reaches
> the bind instance but is in a view that does
On 11/17/11 3:58 AM, "Gaurav Kansal" wrote:
> Can you please explain what is the meaning of "INVALID RECORD"?
I think doing so in overly verbose terms just helps script kiddies while
parts of the community schedule upgrades... It can be best not to rush this
type of detail.
Granted, "determ
> How about authoritative-only views? I.e., if a query reaches
> the bind instance but is in a view that does not have caching,
> could it crash the instance? (I assume not.)
You're correct, that would be safe. (But, obviously, if the
recursive view crashes, it's taking the authoritative one dow
On Nov 16, 2011, at 4:20 PM, Michael McNally wrote:
On 11/16/11 9:55 AM, Chris Brookes wrote:
Any info on whether the newly announced bug can be triggered before
the query ACL is applied on a recursive only server? An authoritative
only server ought to be safe?
According to our best current u
el McNally
Sent: Thursday, 17 November, 2011 2:50 AM
To: bind-users@lists.isc.org
Subject: Re: trigger point for new bug
On 11/16/11 9:55 AM, Chris Brookes wrote:
> Any info on whether the newly announced bug can be triggered before
> the query ACL is applied on a recursive only server?
On 11/16/11 12:31 PM, Paul Wouters wrote:
Is disabling DNSSEC validation a workaround?
We do not believe it would be effective.
Michael McNally
ISC Support
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this
On 11/16/11 2:35 PM, "Michael McNally" wrote:
> On 11/16/11 1:22 PM, michoski wrote:
>> Short time ago I grabbed the latest tarball from your download site, and
>> generated internal packages. I could have sworn that was 9.8.1-P4 (our
>> internal packages still have the P4, and Google finds some
On 11/16/11 1:22 PM, michoski wrote:
Short time ago I grabbed the latest tarball from your download site, and
generated internal packages. I could have sworn that was 9.8.1-P4 (our
internal packages still have the P4, and Google finds some hits):
Perhaps it was 9.8.0-P4? Many of our version
On 11/16/11 1:20 PM, "Michael McNally" wrote:
> According to our best current understanding of the issue:
>
> + Authoritative-only nameservers should be safe and only
> recursing servers at risk.
>
> + From the security advisory we have posted on our website:
> ( http://www.isc.org/sof
On Wed, 16 Nov 2011, Evan Hunt wrote:
The answer is no, to the best of our knowledge at this time, the
bug cannot be triggered before the query ACL has been applied.
This doesn't help, though, because the query can be a perfectly
innocuous one sent by an allowed host. The problem is what was i
On 11/16/11 9:55 AM, Chris Brookes wrote:
Any info on whether the newly announced bug can be triggered before
the query ACL is applied on a recursive only server? An authoritative
only server ought to be safe?
According to our best current understanding of the issue:
+ Authoritative-only name
> Any info on whether the newly announced bug can be triggered before
> the query ACL is applied on a recursive only server?
The answer is no, to the best of our knowledge at this time, the
bug cannot be triggered before the query ACL has been applied.
This doesn't help, though, because the quer
On 11/16/11 10:55 AM, "Chris Brookes" wrote:
> Any info on whether the newly announced bug can be triggered before
> the query ACL is applied on a recursive only server? An authoritative
> only server ought to be safe?
Hmm, good question. Then folks with IDS/IPS hooks could potentially catch
who
Any info on whether the newly announced bug can be triggered before
the query ACL is applied on a recursive only server? An authoritative
only server ought to be safe?
Cheers
C