[nsp-sec] BIND advisory
Michael Sinatra
michael at rancid.berkeley.edu
Tue Nov 24 23:03:20 EST 2009

On 11/24/09 16:53, jose nazario wrote:
> ----------- nsp-security Confidential --------
>
> noticed this on twitter, didn't see it mentioned here:
>
> https://www.isc.org/node/504
>
> BIND 9 Cache Update From Additional Section
> CVE: CVE-2009-4022
>
>> A nameserver with DNSSEC validation enabled may incorrectly add
>> records to its cache from the additional section of responses received
>> during resolution of a recursive client query. This behavior only
>> occurs when processing client queries with checking disabled (CD) at
>> the same time as requesting DNSSEC records (DO).
>
> affects 9.0.x, 9.1.x, 9.2.x, 9.3.x, 9.4.0 -> 9.4.3-P3, 9.5.0, 9.5.1,
> 9.5.2, 9.6.0, 9.6.1-P1.

It has just been released. It only affects you if you are doing DNSSEC
validation on your resolvers and have caching resolvers forwarding to
your validating resolvers (which will tend to set the CD bit on queries).
In short, probably few resolvers are affected, but I hope more people
start doing validation. :)
michael
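
Added example, not part of the original message or the ISC advisory: a small Python parser that reports whether a DNS query in wire format carries both the CD header bit and the EDNS0 DO bit, the combination quoted above, so an operator can count which clients or forwarders send such queries to a validating resolver. It assumes the UDP payload has already been extracted from a capture; `build_query` and its sample name are constructed test input.

```python
import struct

CD_FLAG = 0x0010   # DNS header flags: Checking Disabled (RFC 4035)
DO_FLAG = 0x8000   # EDNS0 flags in the OPT record's TTL field: DNSSEC OK (RFC 3225)
TYPE_OPT = 41

def skip_name(msg, off):
    """Return the offset just past the domain name that starts at off."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:        # compression pointer ends the name
            return off + 2
        if length & 0xC0:
            raise ValueError("unsupported label type")
        off += 1 + length
        if length == 0:
            return off

def query_flags(msg):
    """Return (cd, do) for one DNS message in wire format."""
    if len(msg) < 12:
        raise ValueError("short DNS header")
    _id, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    off, do = 12, False
    try:
        for _ in range(qd):
            off = skip_name(msg, off) + 4      # skip QTYPE and QCLASS
        for _ in range(an + ns + ar):
            off = skip_name(msg, off)
            rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10 + rdlen
            if rtype == TYPE_OPT:
                do = bool(ttl & DO_FLAG)
    except (IndexError, struct.error):
        raise ValueError("truncated DNS message") from None
    return bool(flags & CD_FLAG), do

def is_cd_do_query(msg):
    """True for the CD+DO combination the advisory describes."""
    cd, do = query_flags(msg)
    return cd and do

def build_query(name, cd, do):
    """Constructed sample input: an A query carrying an OPT record."""
    flags = 0x0100 | (CD_FLAG if cd else 0)    # RD, plus CD when asked
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\0"
    head = struct.pack("!6H", 0x1234, flags, 1, 0, 0, 1)
    opt = b"\0" + struct.pack("!HHIH", TYPE_OPT, 4096, DO_FLAG if do else 0, 0)
    return head + qname + struct.pack("!HH", 1, 1) + opt
```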