At ISC we have recently received several inquiries from customers who use the binary packages of BIND that we distribute for Microsoft Windows. They have expressed concerns about security vulnerabilities present in older versions of OpenSSL. BIND uses OpenSSL to secure communications between dynamic nameservers and clients and between master servers and slave servers. To support this, ISC ships libraries from the OpenSSL package with binary distributions of BIND. However, BIND uses only a small fraction of the features OpenSSL supports.
[Note: this article applies only to customers who are using the Windows binary distributions of BIND provided by ISC. If you are compiling your own version of BIND from source or if you are using a binary package of BIND provided by someone other than ISC, this article does not apply.]
ISC monitors the security announcements for OpenSSL and has determined that none of the security defects disclosed in OpenSSL 1.0.0c (used by previous binary distributions of BIND) or OpenSSL 1.0.0i (used by the newest BIND binary distributions released today — BIND 9.9.1, BIND 9.8.3, BIND 9.7.6, and BIND 9.6-ESV-R7) affect functionality used by BIND code. Consequently, to the best of our knowledge, the OpenSSL libraries we distribute with the BIND binaries are safe for use with BIND. This assessment covers BIND only: we have not tested these libraries with other software, and we do not recommend them for such use.
If you have another package that requires OpenSSL libraries, please remember that the versions we distribute with our package are screened only for vulnerabilities affecting the features BIND uses. For any non-BIND use we strongly recommend that you obtain copies directly from the OpenSSL project after consulting its bug fix and security announcement page at http://www.openssl.org/news.