[nsp-sec] BIND advisory
Florian Weimer
fweimer at bfk.de
Wed Nov 25 05:08:17 EST 2009
* Michael Sinatra:

> It has just been released. It only affects you if you are doing DNSSEC
> validation on your resolvers and have caching resolvers forwarding to
> your validating resolvers (which will tend to set the CD bit on queries).

Could you clarify if this bug allows bypassing the in-bailiwick checks
for that data? The ISC advisory is rather ambiguous.

Looking at the patch, it seems that the bug only applies to secure
delegations, so you're affected only if you've installed trust
anchors, which limits the impact of this bug.

Do you know if the infinite loop alluded to in the patch can be
triggered in an unpatched BIND as well?

Oh, and if you find security vulnerabilities in ISC software, you
should make sure that you notify a coordinator prior to disclosure.
ISC does not do this, which means that most users lack a patch they
can install when the vulnerability is disclosed.

--
Florian Weimer <fweimer at bfk.de>
BFK edv-consulting GmbH http://www.bfk.de/
Kriegsstraße 100 tel: +49-721-96201-1
D-76133 Karlsruhe fax: +49-721-96201-99