DNSSEC Bogus NXDOMAIN survives authenticating RR

Niobos niobos at dest-unreach.be
Mon Jan 25 18:12:58 UTC 2010


On 2009-12-10 08:49, Niobos wrote:
> Thank you very much for your help; I'll forward the conversation to the bug-tracking list.
>
> Since these are my first DNSSEC experiments, I just wanted to make sure that it wasn't a problem with my understanding of the concept.
>
> Niobos
>    

This has been confirmed as a security bug by ISC a while back. Due to
the potential exploit, they asked me not to release this information
until the fix was released.

BIND 9.6.1-P3 now contains the fix:
827. [security] Bogus NXDOMAIN could be cached as if valid. [RT #20712]

I can confirm that this version behaves as expected: it keeps returning
SERVFAIL on a bogus NXDOMAIN response.

Niobos