Blogs

  • H-Root will change its addresses on 1 December 2015. What does this mean for you?

      http://h.root-servers.org/renumber.html   The Internet DNS root nameservers are the servers which are authoritative for “.”, the apex of the DNS namespace. They are the starting point for resolving all public names. If you’re running a recursive server, you’re either relying on a built-in set of ‘root hints’, or you will have configured them manually. So isn’t renumbering one of these vital servers a

    Read more
    0
  • CVE-2015-5986: An incorrect boundary check can trigger a REQUIRE assertion failure in openpgpkey_61.c

    CVE: CVE-2015-5986 Document Version: 2.0 Posting date: 02 September 2015 Program Impacted: BIND Versions affected: 9.9.7 -> 9.9.7-P2, 9.10.2 -> 9.10.2-P3. Severity: Critical Exploitable: Remotely Description: An incorrect boundary check in openpgpkey_61.c can cause named to terminate due to a REQUIRE assertion failure.  This defect can be deliberately exploited by an attacker who can provide a maliciously constructed response in answer to a query. Impact: A server which

    Read more
    0
  • CVE-2015-5722: Parsing malformed keys may cause BIND to exit due to a failed assertion in buffer.c

    CVE:  CVE-2015-5722 Document Version:        2.0 Posting date:  2 September 2015 Program Impacted:  BIND Versions affected: BIND 9.0.0 -> 9.8.8,  BIND 9.9.0 -> 9.9.7-P2, BIND 9.10.0 -> 9.10.2-P3 Severity:  Critical Exploitable:  Remotely Description: Parsing a malformed DNSSEC key can cause a validating resolver to exit due to a failed assertion in buffer.c.  It is possible for a remote attacker to deliberately trigger this condition, for example

    Read more
    0
  • What is a BIND Assertion Failure?

    With the recent spate of patch releases of BIND due to security issues, I thought that it was worth putting fingers to keyboard to shed some light on the sources of these problems and what ISC is doing about them. ISC has a formal process for handling reports of security bugs. If we think the reported issue is serious enough,

    Read more
    0
  • About CVE-2015-5477

    As the security incident manager for this particular vulnerability notification, I’d like to say a little extra, beyond our official vulnerability disclosure about this critical defect in BIND.

    Many of our bugs are limited in scope or affect only users having a particular set of configuration choices. CVE-2015-5477 does not fall into that category.

    Read more
    0
  • CVE-2015-5477: An error in handling TKEY queries can cause named to exit with a REQUIRE assertion failure

    A deliberately constructed packet can exploit an error in the handling of queries for TKEY records, permitting denial of service. CVE: CVE-2015-5477 Document Version:          2.0 Posting date:   28 July 2015 Program Impacted:  BIND Versions affected:  9.1.0 -> 9.8.x, 9.9.0->9.9.7-P1, 9.10.0->9.10.2-P2 Severity:  Critical Exploitable:  Remotely Description: An error in the handling of TKEY queries can be exploited

    Read more
    0
  • 2014 Annual Report

    Letter from the President   We are now a trimmer and more functional organization, with financial controls, stability and predictability. We determined that BIND revenues had been subsidizing our other efforts, so we put more back into BIND, adding three DNS engineers in early 2015. On the operations side, we are cutting back on subsidized programs that no longer make

    Read more
    0
  • Resolver DDOS Mitigation

    Early in 2014 a couple of our BIND support customers told us about some intermittent periods of very heavy query activity that swamped their resolvers and asked us for help. It emerged that these were just the first signs of a long series of similar DDOS (Distributed Denial of Service) attacks that began in early 2014 and are continuing today around the Internet.

    Read more
    0
  • Benchmarking DNS Reliably on Multi-core Systems

    Introduction As part of an ongoing study into DNS server performance, we wanted to establish a baseline figure for the absolute maximum throughput that can be achieved using standard APIs.  To this end we have developed a tiny DNS server that does nothing except echo the received packet back to the client, albeit with the “QR” bit flipped to indicate

    Read more
    0
  • How Facebook is using Kea in the datacenter

      Angelo Failla, Production Engineer, Facebook Why did Facebook need a new DHCP solution? We use dhcp for provisioning servers in our production datacenters. We use it both for bare metal provisioning, (to install the operating system) and to assign addresses to the out of band management interfaces. Our old system was based on ISC dhcpd and static configuration files generated

    Read more
    0
  • CVE-2015-4620: Specially Constructed Zone Data Can Cause a Resolver to Crash when Validating

    An attacker who can cause a validating resolver to query a zone containing specifically constructed contents can cause that resolver to fail an assertion and terminate due to a defect in validation code. The Knowledge Base article https://kb.isc.org/article/AA-01267 is the complete and official security advisory document. What is posted below is a snapshot of that document.   CVE: CVE-2015-4620 Document Version:  2.0 Posting

    Read more
    0
  • Partial EDNS compliance hampers deployment of new DNS features

    We at ISC want to encourage networking people around the Internet to focus attention for a few minutes on an obscure topic, EDNS compliance. EDNS is currently supported on better than 90% of all DNS servers ISC surveyed recently (research report). The percentage of DNS servers on the Internet that support EDNS drops significantly from 90% with some support, to 60 - 85% when you look at full compliance. As we add more applications that rely on EDNS, partial compliance can end up resulting in failures with increasingly significant impact. We cannot deploy DNS Cookies today without...

    Read more
    0

Last modified: February 22, 2016 at 1:27 pm