Home page logo

bugtraq logo Bugtraq mailing list archives

bind security: fear, uncertainty, and doubts
From: vixie () VIX COM (Paul A Vixie)
Date: Mon, 28 Jul 1997 21:56:09 -0700

if you don't enable updates for a zone, or you enable them only from hosts
within an intelligent (source routing prohibited, source addresses checked)
firewall, bind is immune to the "bind_nuke" attack published here recently.

updates aren't on by default, and according to rfc 2136 dns updates are not
recommended except from "localhost" which is assumed to be secure.  (though
i wish that more system vendors would disallow source-address from
coming in off the network.)  for this reason we have not published a patch
to bind-8.1.1.  i expect that we will put bind-8.1.2 into beta testing in a
few weeks.  (note that we still won't have support for rfc 2137 or TSIG; if
any system vendors would like to fund that effort, we'd love to work on it.)

mountain.  molehill.

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]