On Jul 29, 2009, at 2:19 PM, Ray Van Dolson wrote:
> Do you have a link to a mailing lists post describing this? Would like
> to pass it along...

This is the head of the thread:

https://lists.dns-oarc.net/pipermail/dns-operations/2009-July/004315.html

Some of the relevant discussion:

On Tue, Jul 28, 2009 at 06:21:22PM -0700, Peter Losher <plosher at isc.org> wrote a message of 30 lines which said:

"Testing indicates that the attack packet has to be formulated against a zone for which that machine is a master. Launching the attack against slave zones does not trigger the assert."

We tested that removing the zones which are typically there by default, and in mode master (such as localhost and 0.0.127.in-addr.arpa) works fine: the published exploit no longer works afterwards.

This can be an interim solution for those who don't have a clean upgrade path (for instance, RHEL did not push the patch yet).

_______________________________________________
dns-operations mailing list
dns-operations at lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations

=================================================

like, for example, .localhost or 0.0.127.in-addr.arpa.

--bill

On Tue, Jul 28, 2009 at 11:47:46PM +0200, Michael Graff wrote:

A purely cache only server should not be affected. Being auth for a single zone would make you be vulnerable.

--Michael

On Jul 28, 2009, at 23:26, Duane Wessels <wessels at dns-oarc.net> wrote:

On Tue, 28 Jul 2009, Keith Mitchell wrote:

dns_db_findrdataset() fails when the prerequisite section of the dynamic update message contains a record of type "ANY" and where at least one RRset for this FQDN exists on the server.

Does it affect only installations with authoritative data? Or are caches affected as well?
DW

=================================================

Tom Daly wrote:

A purely cache only server should not be affected. Being auth for a single zone would make you be vulnerable.

Some quick and dirty research/testing on our side indicates that being an authoritative slave doesn't make you vulnerable either, it is only if you are authoritative master, i.e.:

    zone blat.com {
        type master;
        ...
    };

Our (FreeBSD) testing indicates the same.

Then again, if you choose to be RFC1912 compliant, you probably made yourself vulnerable.

Unfortunately for this issue I added 1912 plus a bunch of other default zones to our default resolver config, so if you use our stuff out of the box you are vulnerable.

Doug
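
An added example, not part of the thread and not ISC or FreeBSD code: since the posts above agree that only master zones expose a server, including default zones such as localhost and 0.0.127.in-addr.arpa, this Python sketch lists every master zone in a named.conf text so an operator can see what the interim workaround would have to remove. The sample config and all function names are constructed for illustration; "primary" is treated as a synonym of "master", and include files are not followed.

```python
import re

# Constructed sample config (not from the thread), RFC 1912-style defaults.
SAMPLE_CONF = r'''
options { directory "/var/named"; };   // resolver options
# zone "old.example" { type master; file "old.db"; };
zone "localhost" IN { type master; file "localhost.zone"; };
zone "0.0.127.in-addr.arpa" {
    type master;   /* loopback reverse */
    file "127.rev";
};
zone "example.org" { type slave; masters { 192.0.2.1; }; file "sl.db"; };
view "internal" {
    zone blat.com { type master; file "blat.db"; };
};
'''

def strip_comments(text):
    """Remove /* */, // and # comments while leaving quoted strings intact."""
    pattern = re.compile(r'"(?:\\.|[^"\\])*"|/\*.*?\*/|//[^\n]*|#[^\n]*', re.S)
    return pattern.sub(lambda m: m.group(0) if m.group(0).startswith('"') else ' ', text)

def zone_blocks(text):
    """Yield (zone_name, body) for each zone statement, including zones in views."""
    for m in re.finditer(r'\bzone\s+("[^"]*"|[^\s{;]+)[^{;]*\{', text):
        depth, i = 1, m.end()
        while i < len(text) and depth:          # walk to the matching brace
            depth += {'{': 1, '}': -1}.get(text[i], 0)
            i += 1
        yield m.group(1).strip('"'), text[m.end():i - 1]

def zone_type(body):
    """Return the zone's own `type` value, ignoring nested sub-blocks."""
    top, depth = [], 0
    for ch in body:
        if ch == '{': depth += 1
        elif ch == '}': depth -= 1
        elif depth == 0: top.append(ch)
    m = re.search(r'(?:^|;)\s*type\s+(\w+)\s*;', ''.join(top))
    return m.group(1).lower() if m else None

def master_zones(conf_text):
    """Names of zones for which this server is master (the exposed case)."""
    clean = strip_comments(conf_text)
    return [n for n, b in zone_blocks(clean) if zone_type(b) in ('master', 'primary')]

if __name__ == '__main__':
    for name in master_zones(SAMPLE_CONF):
        print('master zone:', name)
```

An empty result corresponds to the cache-only or slave-only configurations that the posters reported as not triggering the assert.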