BIND Security Advisory (CVE-2009-0025; Severity: Low)
Steve Shockley
steve.shockley at shockley.net
Fri Jan 9 20:37:27 UTC 2009
On 1/8/2009 9:10 AM, David Coulthart wrote:
> Would someone be able to provide some more details as to what particular
> configurations of BIND this affects? My interpretation is it only
> impacts recursive nameservers that have DNSSEC validation enabled.
> Speaking in terms of BIND config options, the dnssec-validation option
> would need to be set to yes (so just having the default of dnssec-enable
> set to yes isn't enough to make the server vulnerable). Is this a
> correct interpretation?
The OpenSSL vulnerability affects DSA and ECDSA certificates; an
attacker is able to bypass validation of the certificate. Since DNSSEC
uses ECDSA, this means an attacker could use a forged certificate in a
man-in-the-middle attack.
If you're not using DNSSEC, then this vulnerability doesn't really
affect you, since you already have no way of knowing if a MITM attack is
occurring.
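Editor's added example, not code from this post, from BIND or from OpenSSL: it models the mechanism behind the advisory. OpenSSL's DSA_do_verify() and EVP_VerifyFinal() return 1 for a verified signature, 0 for one that does not verify, and -1 when the call fails (for example on a signature the library cannot parse). The BIND bug tracked as CVE-2009-0025 was testing that result against 0 instead of against 1, so the -1 error path was accepted as a good signature and an attacker did not need a forgery, only a malformed signature. The names verify_stub(), flawed_check(), fixed_check(), GOOD_SIG, TAMPERED_SIG and MALFORMED_SIG are hypothetical, and the stub does a byte comparison rather than DSA arithmetic; the three signatures are constructed sample input.

```c
#include <stdio.h>
#include <string.h>

/* Added example: not code from the bind-users post, BIND or OpenSSL.
 * It models the return-value convention of OpenSSL's DSA_do_verify()
 * and EVP_VerifyFinal() (1 = verified, 0 = not verified, -1 = error)
 * and the two ways of testing that result. verify_stub(), GOOD_SIG,
 * TAMPERED_SIG and MALFORMED_SIG are hypothetical constructs for the
 * demonstration; no real DSA arithmetic is performed. */

#define SIG_LEN 40  /* DSA r||s with a 160-bit q: two 20-byte integers */

/* Constructed "known good" signature bytes (not a real DSA value). */
static const unsigned char GOOD_SIG[SIG_LEN] = {
    0x3a,0x91,0x4c,0x07,0xd2,0x6e,0xb8,0x15,0xf0,0x29,
    0x83,0x5d,0xc4,0x1b,0x76,0xe9,0x02,0xaf,0x58,0x6c,
    0x9d,0x24,0xe1,0x47,0xb0,0x0f,0x7a,0xc8,0x33,0x95,
    0x1e,0x62,0xd7,0x8b,0x40,0xfc,0x19,0xa5,0x6b,0xe4
};

/* Same length, last byte changed: parses, but does not verify. */
static const unsigned char TAMPERED_SIG[SIG_LEN] = {
    0x3a,0x91,0x4c,0x07,0xd2,0x6e,0xb8,0x15,0xf0,0x29,
    0x83,0x5d,0xc4,0x1b,0x76,0xe9,0x02,0xaf,0x58,0x6c,
    0x9d,0x24,0xe1,0x47,0xb0,0x0f,0x7a,0xc8,0x33,0x95,
    0x1e,0x62,0xd7,0x8b,0x40,0xfc,0x19,0xa5,0x6b,0xe5
};

/* Too short to be r||s at all: the library cannot even parse it. */
static const unsigned char MALFORMED_SIG[1] = { 0x00 };

/* Stand-in for DSA_do_verify(): returns -1 when the signature cannot be
 * parsed (wrong length), 0 when it parses but does not match, 1 when it
 * verifies. The "match" is a byte comparison against GOOD_SIG. */
int verify_stub(const unsigned char *sig, size_t siglen)
{
    if (siglen != SIG_LEN)
        return -1;
    return memcmp(sig, GOOD_SIG, SIG_LEN) == 0 ? 1 : 0;
}

/* The flawed pattern behind CVE-2009-0025: "not 0" is taken as success,
 * so the -1 error path is accepted as a valid signature. */
int flawed_check(const unsigned char *sig, size_t siglen)
{
    return verify_stub(sig, siglen) != 0;
}

/* The correct pattern: only an explicit 1 means the signature verified. */
int fixed_check(const unsigned char *sig, size_t siglen)
{
    return verify_stub(sig, siglen) == 1;
}

static void report(const char *label, const unsigned char *sig, size_t siglen)
{
    printf("%-10s rc=%2d  flawed:%s  fixed:%s\n", label,
           verify_stub(sig, siglen),
           flawed_check(sig, siglen) ? "accept" : "reject",
           fixed_check(sig, siglen)  ? "accept" : "reject");
}

int main(void)
{
    report("good",      GOOD_SIG,      sizeof GOOD_SIG);
    report("tampered",  TAMPERED_SIG,  sizeof TAMPERED_SIG);
    report("malformed", MALFORMED_SIG, sizeof MALFORMED_SIG);
    return 0;
}
```

Running it shows the tampered signature rejected by both checks, while the malformed one (rc = -1) is accepted by flawed_check() and rejected by fixed_check(). The fix is the one-token change from `!= 0` to `== 1`; the same rule applies to any OpenSSL verification call that can return -1.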