Date:      Thu, 07 Jan 2010 01:33:13 +0100
From:      Thomas Rasmussen <thomas@gibfest.dk>
To:        freebsd-stable@freebsd.org
Subject:   Re: FreeBSD Security Advisory FreeBSD-SA-10:01.bind
Message-ID:  <4B452BC9.1040104@gibfest.dk>
In-Reply-To: <20100106235655.BA25C1CC0B@ptavv.es.net>
References:  <20100106235655.BA25C1CC0B@ptavv.es.net>

Kevin Oberman wrote:
>> Date: Wed, 06 Jan 2010 17:15:12 -0600
>> From: Stephen Montgomery-Smith <stephen@missouri.edu>
>> Sender: owner-freebsd-stable@freebsd.org
>>
>> FreeBSD Security Advisories wrote:
>>
>>     
>>> I.   Background
>>>
>>> BIND 9 is an implementation of the Domain Name System (DNS) protocols.
>>> The named(8) daemon is an Internet Domain Name Server.
>>>
>>> DNS Security Extensions (DNSSEC) provides data integrity, origin
>>> authentication and authenticated denial of existence to resolvers.
>>>
>>> II.  Problem Description
>>>
>>> If a client requests DNSSEC records with the Checking Disabled (CD) flag
>>> set, BIND may cache the unvalidated responses.  These responses may later
>>> be returned to another client that has not set the CD flag.
>>>       
>> How do I find out if my named server is using DNSSEC?  I am using the 
>> vanilla defaults with named on FreeBSD.
>>     
>
> I think that it is VERY safe to say that if you don't know that you are
> using DNSSEC, you are not. And, even if you are, only a subset of those
> doing so are vulnerable.
>
> DNSSEC takes a fair amount of effort to sign your data and create and
> maintain keys. It takes a fair amount of planning and quite a bit of time
> to set it up, especially with versions of BIND prior to 9.7 (which is
> still in beta). Even with 9.7, it won't happen by accident.
>   
Hello,

While this is all true, this vulnerability is for caching servers,
not authoritative ones. It is pretty easy to set up DLV validation on a
recursive bind server. However, it is not enabled by default on FreeBSD,
so Stephen should be safe.

By the way, to check if a given resolver is DNSSEC enabled (without
checking the config), you could for example do:
dig @resolverip +dnssec isc.org
and check under flags to see if the "ad" flag has been returned.

If the "ad" flag is present, like in this example...

$ dig +dnssec isc.org

; <<>> DiG 9.6.1-P1 <<>> +dnssec isc.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5628
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 6, ADDITIONAL: 14
-------------------^^ DNSSEC is enabled (remaining output removed).

...then DNSSEC is enabled and your bind is in a vulnerable configuration,
and you should update. If the "ad" flag is not present, update bind anyway,
and go enable DNSSEC! :)

Best regards

Thomas Rasmussen
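The check above can be scripted. The following is an added example (not code from the mail, from FreeBSD or from ISC): it parses the `;; flags:` line of dig's header output to decide whether the resolver returned the "ad" flag, treats a "cd" flag in the reply as "validation was disabled for this query" (a query sent with +cd will never show "ad", so that case must not be read as "not validating"), and, because the advisory is about queries with the Checking Disabled bit set, also builds a raw DNS query header with the CD bit (0x0010) set so one can see what such a query looks like on the wire. The three dig outputs are constructed samples modelled on the header shown in the mail; `check_resolver()` needs a local dig binary and network access, everything else runs offline.

```python
import struct
import subprocess

# Constructed sample dig headers (shape follows the "dig +dnssec isc.org"
# output quoted in the mail above; the ids and counts are made up).
VALIDATING_OUTPUT = """\
; <<>> DiG 9.6.1-P1 <<>> +dnssec isc.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5628
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 6, ADDITIONAL: 14
"""

NON_VALIDATING_OUTPUT = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
"""

# Reply to a query sent with +cd: the resolver echoes CD and never sets AD.
CD_OUTPUT = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
"""


def parse_dig_flags(output):
    """Return the set of header flags dig printed (e.g. {'qr','rd','ra','ad'})."""
    for line in output.splitlines():
        if line.startswith(";; flags:"):
            flags_part = line[len(";; flags:"):].split(";", 1)[0]
            return set(flags_part.split())
    raise ValueError("no ';; flags:' line in dig output")


def dnssec_status(output):
    """'validating' if the resolver set AD, 'cd-set' if the query had CD
    (AD is meaningless then), otherwise 'not-validating'."""
    flags = parse_dig_flags(output)
    if "cd" in flags:
        return "cd-set"
    if "ad" in flags:
        return "validating"
    return "not-validating"


# DNS header flag bits, second 16-bit word of the header (RFC 1035 / RFC 4035):
# QR=0x8000 AA=0x0400 TC=0x0200 RD=0x0100 RA=0x0080 AD=0x0020 CD=0x0010
FLAG_RD = 0x0100
FLAG_AD = 0x0020
FLAG_CD = 0x0010


def build_query(name, qtype=1, txn_id=0x1234, cd=False):
    """Build a raw DNS query (header + question); cd=True sets the
    Checking Disabled bit, i.e. the kind of query the advisory describes."""
    flags = FLAG_RD | (FLAG_CD if cd else 0)
    header = struct.pack("!HHHHHH", txn_id, flags, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN


def query_has_cd(packet):
    """True if the CD bit is set in a raw DNS message's flags word."""
    flags = struct.unpack("!H", packet[2:4])[0]
    return bool(flags & FLAG_CD)


def check_resolver(resolver_ip, name="isc.org"):
    """Run the check from the mail against a live resolver (needs dig + network)."""
    out = subprocess.run(
        ["dig", "@" + resolver_ip, "+dnssec", name],
        capture_output=True, text=True, check=True,
    ).stdout
    return dnssec_status(out)


if __name__ == "__main__":
    for label, sample in (("validating", VALIDATING_OUTPUT),
                          ("plain", NON_VALIDATING_OUTPUT),
                          ("cd query", CD_OUTPUT)):
        print(label, "->", dnssec_status(sample))
    print("CD bit set in raw query:", query_has_cd(build_query("isc.org", cd=True)))
```

Run `check_resolver("127.0.0.1")` against your own named to reproduce the mail's test; a "validating" result means the resolver is in the configuration the advisory applies to.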



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4B452BC9.1040104>