Is bind 9.18.19 a validating resolver to shield against CVE-2023-42119 ?
Rob van der Putten
rob at sput.nl
Tue Oct 3 14:09:38 UTC 2023
Hi there
On 02/10/2023 11:06, Kurt Jaeger wrote:
> In the light of the recent exim security issues[1,2]
> I'm trying to find out if bind 9.18.19, if used as resolver,
> does enough validation to shield exim instances from CVE-2023-42119 ?
I added 'check-names response fail;' to the internal view.
So far this blocked a few hosts with underscore and comma in the name,
which didn't break anything.
I'm assuming that this will protect DNS lookups. But that's just an
assumption.
> As details and reproducers for the CVE are not available, this is a
> more general question. Pointers on where I can read more about it
> are highly appreciated!
>
> There are probably two aspects to validation:
> - Validating DNSSEC (the more common use case of validation)
> - Validating DNS request/replies in general (bailiwick, cache pollution etc).
>
> [1] https://lists.exim.org/lurker/message/20231001.165119.aa8c29f9.en.html
> [2] https://www.zerodayinitiative.com/advisories/ZDI-23-1473/
Regards,
Rob
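
The following is an added example, not part of the original post and not BIND code. It audits a list of names for the kind of violation mentioned above (underscore, comma), so you can see what `check-names response fail;` would be expected to reject before enabling it. It assumes check-names applies RFC 952 / RFC 1123 host name syntax; the function names and the sample names are constructed for illustration, and escaped dots in presentation format are not handled.

```python
import re

# RFC 952 / RFC 1123 host name label (assumed rule set): letters, digits and
# hyphen only, starting and ending with a letter or digit, 1 to 63 octets.
_LABEL = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?")


def hostname_violations(name):
    """Return a list of (label, reason) for every label breaking the syntax."""
    stripped = name[:-1] if name.endswith(".") else name
    if not stripped:              # the root name has no labels to check
        return []
    problems = []
    if len(stripped) > 253:
        problems.append((stripped, "name longer than 253 octets"))
    for label in stripped.split("."):
        if not label:
            problems.append((label, "empty label"))
        elif len(label) > 63:
            problems.append((label, "label longer than 63 octets"))
        elif not _LABEL.fullmatch(label):
            bad = sorted(set(re.findall(r"[^A-Za-z0-9-]", label)))
            if bad:
                reason = "illegal character(s): " + ", ".join(repr(c) for c in bad)
            else:
                reason = "leading or trailing hyphen"
            problems.append((label, reason))
    return problems


def audit(names):
    """Map each non-conforming name to its violations; clean names are omitted."""
    report = {}
    for name in names:
        found = hostname_violations(name)
        if found:
            report[name] = found
    return report


# Constructed sample names, e.g. as extracted from a resolver query log.
SAMPLE = ["mail.example.com.", "bad_host.example.com",
          "a,b.example.net", "-relay.example.org"]

if __name__ == "__main__":
    for name, found in audit(SAMPLE).items():
        print(name, found)
```
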