CVE-2012-1033 (Ghost domain names) mitigation
Gilles Massen
gilles.massen at restena.lu
Thu Feb 9 15:20:20 UTC 2012
The easier way to mitigation is to enable dnssec validation on the
resolver (which is a good thing anyway). From my tests this changes the
behaviour of bind in so far that it respects the TTL of the NS set
rather strictly, and returns to the parent on expiry.
Looks like the most efficient long-term fix to me...
Best,
Gilles
--
Fondation RESTENA - DNS-LU
6, rue Coudenhove-Kalergi
L-1359 Luxembourg
tel: (+352) 424409
fax: (+352) 422473
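To illustrate the cache behaviour the post describes, here is a toy model added to this page (not BIND code and not from the poster): a delegation's NS set is learned from the parent with a TTL; a "refreshing" cache lets later answers from the child zone's own servers renew that TTL, while a strict cache keeps the TTL the parent gave and goes back to the parent when it expires. All names, TTLs and timings are constructed sample values.

```python
DAY = 86400


class NSCache:
    """Minimal model of how a resolver caches one delegation's NS set."""

    def __init__(self, strict):
        self.strict = strict        # True: honour only the parent's TTL
        self.ns = None              # cached name server for the delegation
        self.expires = None         # absolute time the cached NS set lapses
        self.parent_queries = 0     # how often we went back to the parent

    def learn_from_parent(self, now, parent_view):
        # parent_view["ns"] is None once the parent has removed the delegation.
        self.parent_queries += 1
        self.ns = parent_view.get("ns")
        self.expires = now + parent_view["ttl"] if self.ns else None

    def learn_from_child(self, now, child_authority):
        # NS records carried in the authority section of a child-zone answer.
        # A strict cache ignores them for TTL purposes; a refreshing cache
        # overwrites the parent-derived expiry with the child's TTL.
        if self.strict:
            return
        self.ns = child_authority["ns"]
        self.expires = now + child_authority["ttl"]

    def lookup(self, now, parent_view):
        # Re-query the parent only when nothing is cached or the TTL lapsed.
        if self.expires is None or now >= self.expires:
            self.learn_from_parent(now, parent_view)
        return self.ns


def simulate(strict):
    """Constructed timeline: delegation learned at t=0 with a 2-day TTL,
    child answer seen at day 1, parent removes the delegation, query at
    day 2 + 1h. Returns the NS the cache would still hand out (None if
    the cache correctly noticed the removal)."""
    cache = NSCache(strict)
    live = {"ns": "ns1.example.test.", "ttl": 2 * DAY}
    removed = {"ns": None, "ttl": 0}
    cache.lookup(0, live)               # first lookup: learned from parent
    cache.learn_from_child(DAY, live)   # child answer repeats the NS set
    return cache.lookup(2 * DAY + 3600, removed)
```

`simulate(True)` returns `None` because the strict cache re-queried the parent once the original TTL lapsed; `simulate(False)` still returns the old name server because the child answer extended the expiry.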