Re: BIND vulnerability




On Jul 29, 2009, at 2:19 PM, Ray Van Dolson wrote:

> Do you have a link to a mailing lists post describing this?  Would
> like to pass it along...


This is the head of the thread:

https://lists.dns-oarc.net/pipermail/dns-operations/2009-July/004315.html

Some of the relevant discussion:

On Tue, Jul 28, 2009 at 06:21:22PM -0700,
Peter Losher <plosher@xxxxxxx> wrote
a message of 30 lines which said:

"Testing indicates that the attack packet has to be formulated against a
zone for which that machine is a master. Launching the attack against
slave zones does not trigger the assert.

We tested that removing the zones which are typically there by
default, and in mode master (such as localhost and
0.0.127.in-addr.arpa) works fine: the published exploit no longer
works afterwards.

This can be an interim solution for those who don't have a clean
upgrade path (for instance, RHEL did not push the patch yet).
_______________________________________________
dns-operations mailing list
dns-operations@xxxxxxxxxxxxxxxxxx
https://lists.dns-oarc.net/mailman/listinfo/dns-operations

=================================================

like, for example,  .localhost or  0.0.127.in-addr.arpa.

--bill


On Tue, Jul 28, 2009 at 11:47:46PM +0200, Michael Graff wrote:
A purely cache only server should not be affected. Being auth for a
single zone would make you be vulnerable.

--Michael


On Jul 28, 2009, at 23:26, Duane Wessels <wessels@xxxxxxxxxxxx> wrote:



On Tue, 28 Jul 2009, Keith Mitchell wrote:

dns_db_findrdataset() fails when the prerequisite section of the
dynamic update message contains a record of type "ANY" and where at
least one RRset for this FQDN exists on the server.

Does it affect only installations with authoritative data?  Or are
caches affected as well?

DW


=================================================


Tom Daly wrote:
A purely cache only server should not be affected. Being auth for
a single zone would make you be vulnerable.

Some quick and dirty research/testing on our side indicates that
being an authoritative slave doesn't make you vulnerable either, it
is only if you are authoritative master, i.e.:

zone blat.com { type master; ... };

Our (FreeBSD) testing indicates the same.

Then again, if you choose to be RFC1912 compliant, you probably
made yourself vulnerable.

Unfortunately for this issue I added 1912 plus a bunch of other
default zones to our default resolver config, so if you use our stuff
out of the box you are vulnerable.


Doug
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
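
An added example, not part of the original thread: the messages above report that only servers acting as master for at least one zone were affected, including the default localhost zones, so this Python audit lists every zone that a named.conf declares as master. The sample configuration is constructed and the function names are this example's own.

```python
import re
import sys

# Constructed sample named.conf (not taken from the thread), modelled on a
# resolver that ships RFC 1912 style default local zones.
SAMPLE_CONF = r'''
options { directory "/var/named"; recursion yes; };
// default local zones
zone "localhost" IN { type master; file "localhost.zone"; };
zone "0.0.127.in-addr.arpa" IN {
    type master;   # loopback reverse
    file "named.local";
};
zone "example.org" { type slave; masters { 192.0.2.1; }; file "slaves/example.org"; };
/* zone "old.example" { type master; file "old"; }; */
zone "." IN { type hint; file "named.ca"; };
'''

_TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|/\*.*?\*/|//[^\n]*|#[^\n]*', re.S)

def strip_comments(text):
    """Drop /* */, // and # comments while leaving quoted strings untouched."""
    return _TOKEN.sub(lambda m: m.group(0) if m.group(0)[0] == '"' else ' ', text)

def zone_blocks(text):
    """Yield (name, body) for every zone statement, including zones in views."""
    for m in re.finditer(r'\bzone\s+"([^"]*)"\s*(?:\w+\s*)?\{', text):
        depth, i = 1, m.end()
        while i < len(text) and depth:          # walk to the matching brace
            depth += {'{': 1, '}': -1}.get(text[i], 0)
            i += 1
        yield m.group(1), text[m.end():i - 1]

def master_zones(conf_text):
    """Names of zones declared 'type master' ('primary' in newer BIND)."""
    found = []
    for name, body in zone_blocks(strip_comments(conf_text)):
        m = re.search(r'\btype\s+(\w+)\s*;', body)
        if m and m.group(1).lower() in ('master', 'primary'):
            found.append(name)
    return found

if __name__ == '__main__':
    # Pass a path to audit a real file; with no argument the sample is used.
    conf = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    for zone in master_zones(conf):
        print('master zone:', zone)
```

The script does not follow `include` statements, so files pulled in that way need to be checked separately.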
