BIND vulnerability to "additional information" hack
Paul A Vixie
vixie at vix.com
Tue Jul 22 21:46:59 UTC 1997
since these questions are common, i've decided to publish the answer on NANOG.
> I was under the impression that the vulnerability to bogus "additional
> information" was a thing of pre-4.9 BINDs, and that all versions of
> 4.9.x are safe. What you wrote here implies that only 4.9.5-P1 and
> later are actually safe.
there are varying degrees of corruption. to protect against alternic,
you have to run 8.1.1 or 4.9.6. even 4.9.5-P1 is susceptible.
> I'm responsible for a number of nameservers on the Internet, at a
> number of sites. Most of them are running BIND 4.9.3 and a few are
> running 4.9.4 and 4.9.5; none are yet running any version of BIND 8.
4.9.6 is your friend. it's a drop-in, zero insertion force replacement
for 4.9.*. it's not as good in general as 8.1.1, but it protects against
alternic cache pollution as well as 8.1.1, which is as well as we can do
it without full DNSSEC.
> Although they will all eventually be upgraded, I'm considering how
> urgent it is to upgrade them all now. Are they vulnerable to this hack?
YES.
More information about the NANOG
mailing list