Date: Thu, 21 Jan 2010 16:30:20 -0500 (EST)
From: Dean Anderson
To: djbdns list, dnsop-honest, namedroppers-honest
Subject: Re: BIND named(8) cache poisoning with DNSSEC validation
Message-ID:
X-UIDL: A2p"!B0l"!fg\!!<]c!!
I reported this bug and many others on DNSOP and Namedroppers a long
time ago. They tried to silence me. I guess I can add another notch to
my vindication belt. :-)
Most officially, I discussed it in my DNSSEC NTIA comments:
http://www.ntia.doc.gov/dns/comments/comment027.pdf
in the section on Cache Poisoning. Notably, Vixie et al disputed this
when discussed on DNSOP and namedroppers. Guess they were wrong again.
If you want to engage in honest uncensored discussion of DNS issues,
subscribe to dnsop-honest or namedroppers-honest through the interface
at lists.iadl.org
--Dean
On Thu, 7 Jan 2010 chojrak11@gmail.com wrote:
> Hello,
>
> forgive this trolling, I just can't stand.
>
> This happens so quickly - any new BIND invention ends in bug either in
> design, or in implementation, or in both :)
> Another reason to drop this crappy DNSSEC and implement DNSCurve.
>
> http://security.freebsd.org/advisories/FreeBSD-SA-10:01.bind.asc
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4022
>
> Regards.
>
>
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> =============================================================================
> FreeBSD-SA-10:01.bind Security Advisory
> The FreeBSD Project
>
> Topic: BIND named(8) cache poisoning with DNSSEC validation
>
> Category: contrib
> Module: bind
> Announced: 2010-01-06
> Credits: Michael Sinatra
> Affects: All supported versions of FreeBSD.
> Corrected: 2009-12-11 01:23:58 UTC (RELENG_8, 8.0-STABLE)
> 2010-01-06 21:45:30 UTC (RELENG_8_0, 8.0-RELEASE-p2)
> 2009-12-11 02:23:04 UTC (RELENG_7, 7.2-STABLE)
> 2010-01-06 21:45:30 UTC (RELENG_7_2, 7.2-RELEASE-p6)
> 2010-01-06 21:45:30 UTC (RELENG_7_1, 7.1-RELEASE-p10)
> 2010-01-06 21:45:30 UTC (RELENG_6, 6.4-STABLE)
> 2010-01-06 21:45:30 UTC (RELENG_6_4, 6.4-RELEASE-p9)
> 2010-01-06 21:45:30 UTC (RELENG_6_3, 6.3-RELEASE-p15)
> CVE Name: CVE-2009-4022
>
> For general information regarding FreeBSD Security Advisories,
> including descriptions of the fields above, security branches, and the
> following sections, please visit .
>
> I. Background
>
> BIND 9 is an implementation of the Domain Name System (DNS) protocols.
> The named(8) daemon is an Internet Domain Name Server.
>
> DNS Security Extensions (DNSSEC) provides data integrity, origin
> authentication and authenticated denial of existence to resolvers.
>
> II. Problem Description
>
> If a client requests DNSSEC records with the Checking Disabled (CD) flag
> set, BIND may cache the unvalidated responses. These responses may later
> be returned to another client that has not set the CD flag.
>
> III. Impact
>
> If a client can send such queries to a server, it can exploit this
> problem to mount a cache poisoning attack, seeding the cache with
> unvalidated information.
>
> IV. Workaround
>
> Disabling DNSSEC validation will prevent BIND from caching unvalidated
> records, but also prevent DNSSEC authentication of records. Systems not
> using DNSSEC validation are not affected.
>
> V. Solution
>
> Perform one of the following:
>
> 1) Upgrade your vulnerable system to 6-STABLE, 7-STABLE or 8-STABLE,
> or to the RELENG_8_0, RELENG_7_2, RELENG_7_1, RELENG_6_4, or
> RELENG_6_3 security branch dated after the correction date.
>
> 2) To patch your present system:
>
> The following patches have been verified to apply to FreeBSD 6.3, 6.4,
> 7.1, 7.2, and 8.0 systems.
>
> a) Download the relevant patch from the location below, and verify the
> detached PGP signature using your PGP utility.
>
> [FreeBSD 6.3]
> # fetch http://security.FreeBSD.org/patches/SA-10:01/bind9-63.patch
> # fetch http://security.FreeBSD.org/patches/SA-10:01/bind9-63.patch.asc
>
> [FreeBSD 6.4]
> # fetch http://security.FreeBSD.org/patches/SA-10:01/bind9-64.patch
> # fetch http://security.FreeBSD.org/patches/SA-10:01/bind9-64.patch.asc
>
> [FreeBSD 7.1]
> # fetch http://security.FreeBSD.org/patches/SA-10:01/bind9-71.patch
> # fetch http://security.FreeBSD.org/patches/SA-10:01/bind9-71.patch.asc
>
> [FreeBSD 7.2]
> # fetch http://security.FreeBSD.org/patches/SA-10:01/bind9-72.patch
> # fetch http://security.FreeBSD.org/patches/SA-10:01/bind9-72.patch.asc
>
> [FreeBSD 8.0]
> # fetch http://security.FreeBSD.org/patches/SA-10:01/bind9-80.patch
> # fetch http://security.FreeBSD.org/patches/SA-10:01/bind9-80.patch.asc
>
> b) Execute the following commands as root:
>
> # cd /usr/src
> # patch < /path/to/patch
> # cd /usr/src/lib/bind
> # make obj && make depend && make && make install
> # cd /usr/src/usr.sbin/named
> # make obj && make depend && make && make install
> # /etc/rc.d/named restart
>
> NOTE WELL: Users running FreeBSD 6 and using DNSSEC are advised to get
> a more recent BIND version with more complete DNSSEC support. This
> can be done either by upgrading to FreeBSD 7.x or later, or installing
> BIND for the FreeBSD Ports Collection.
>
> VI. Correction details
>
> The following list contains the revision numbers of each file that was
> corrected in FreeBSD.
>
> CVS:
>
> Branch Revision
> Path
> - -------------------------------------------------------------------------
> RELENG_6
> src/contrib/bind9/lib/dns/rbtdb.c 1.1.1.1.4.4
> src/contrib/bind9/lib/dns/include/dns/types.h 1.1.1.1.4.2
> src/contrib/bind9/lib/dns/resolver.c 1.1.1.2.2.11
> src/contrib/bind9/lib/dns/masterdump.c 1.1.1.1.4.3
> src/contrib/bind9/lib/dns/validator.c 1.1.1.2.2.6
> src/contrib/bind9/bin/named/query.c 1.1.1.1.4.7
> RELENG_6_4
> src/UPDATING 1.416.2.40.2.13
> src/sys/conf/newvers.sh 1.69.2.18.2.15
> src/contrib/bind9/lib/dns/rbtdb.c 1.1.1.1.4.3.2.1
> src/contrib/bind9/lib/dns/include/dns/types.h 1.1.1.1.4.1.4.1
> src/contrib/bind9/lib/dns/resolver.c 1.1.1.2.2.9.2.1
> src/contrib/bind9/lib/dns/masterdump.c 1.1.1.1.4.1.4.1
> src/contrib/bind9/lib/dns/validator.c 1.1.1.2.2.4.2.1
> src/contrib/bind9/bin/named/query.c 1.1.1.1.4.5.2.1
> RELENG_6_3
> src/UPDATING 1.416.2.37.2.20
> src/sys/conf/newvers.sh 1.69.2.15.2.19
> src/contrib/bind9/lib/dns/rbtdb.c 1.1.1.1.4.2.2.1
> src/contrib/bind9/lib/dns/include/dns/types.h 1.1.1.1.4.1.2.1
> src/contrib/bind9/lib/dns/resolver.c 1.1.1.2.2.6.2.2
> src/contrib/bind9/lib/dns/masterdump.c 1.1.1.1.4.1.2.1
> src/contrib/bind9/lib/dns/validator.c 1.1.1.2.2.3.2.1
> src/contrib/bind9/bin/named/query.c 1.1.1.1.4.4.2.1
> RELENG_7
> src/contrib/bind9/lib/dns/rbtdb.c 1.1.1.4.2.4
> src/contrib/bind9/lib/dns/include/dns/types.h 1.1.1.3.2.2
> src/contrib/bind9/lib/dns/resolver.c 1.1.1.9.2.6
> src/contrib/bind9/lib/dns/masterdump.c 1.1.1.3.2.3
> src/contrib/bind9/lib/dns/validator.c 1.1.1.6.2.5
> src/contrib/bind9/bin/named/query.c 1.1.1.6.2.4
> RELENG_7_2
> src/UPDATING 1.507.2.23.2.9
> src/sys/conf/newvers.sh 1.72.2.11.2.10
> src/contrib/bind9/lib/dns/rbtdb.c 1.1.1.4.2.2.2.1
> src/contrib/bind9/lib/dns/include/dns/types.h 1.1.1.3.8.1
> src/contrib/bind9/lib/dns/resolver.c 1.1.1.9.2.4.2.1
> src/contrib/bind9/lib/dns/masterdump.c 1.1.1.3.2.1.2.1
> src/contrib/bind9/lib/dns/validator.c 1.1.1.6.2.3.2.1
> src/contrib/bind9/bin/named/query.c 1.1.1.6.2.2.2.1
> RELENG_7_1
> src/UPDATING 1.507.2.13.2.13
> src/sys/conf/newvers.sh 1.72.2.9.2.14
> src/contrib/bind9/lib/dns/rbtdb.c 1.1.1.4.2.1.4.1
> src/contrib/bind9/lib/dns/include/dns/types.h 1.1.1.3.6.1
> src/contrib/bind9/lib/dns/resolver.c 1.1.1.9.2.3.2.1
> src/contrib/bind9/lib/dns/masterdump.c 1.1.1.3.6.1
> src/contrib/bind9/lib/dns/validator.c 1.1.1.6.2.1.4.1
> src/contrib/bind9/bin/named/query.c 1.1.1.6.2.1.4.1
> RELENG_8
> src/contrib/bind9/lib/dns/rbtdb.c 1.3.2.2
> src/contrib/bind9/lib/dns/include/dns/types.h 1.2.2.2
> src/contrib/bind9/lib/dns/resolver.c 1.6.2.2
> src/contrib/bind9/lib/dns/masterdump.c 1.3.2.2
> src/contrib/bind9/lib/dns/validator.c 1.4.2.2
> src/contrib/bind9/bin/named/query.c 1.3.2.2
> RELENG_8_0
> src/UPDATING 1.632.2.7.2.5
> src/sys/conf/newvers.sh 1.83.2.6.2.5
> src/contrib/bind9/lib/dns/rbtdb.c 1.3.4.1
> src/contrib/bind9/lib/dns/include/dns/types.h 1.2.4.1
> src/contrib/bind9/lib/dns/resolver.c 1.6.4.1
> src/contrib/bind9/lib/dns/masterdump.c 1.3.4.1
> src/contrib/bind9/lib/dns/validator.c 1.4.4.1
> src/contrib/bind9/bin/named/query.c 1.3.4.1
> - -------------------------------------------------------------------------
>
> Subversion:
>
> Branch/path Revision
> - -------------------------------------------------------------------------
> stable/6/ r200394
> releng/6.4/ r201679
> releng/6.3/ r201679
> stable/7/ r200393
> releng/7.2/ r201679
> releng/7.1/ r201679
> stable/8/ r200383
> releng/8.0/ r201679
> head/ r199958
> - -------------------------------------------------------------------------
>
> VII. References
>
> https://www.isc.org/node/504
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4022
>
> The latest revision of this advisory is available at
> http://security.FreeBSD.org/advisories/FreeBSD-SA-10:01.bind.asc
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.10 (FreeBSD)
>
> iD8DBQFLRQ9dFdaIBMps37IRAip+AJ0S55AYqLsrwrLLMo8Qi6fGxoH7EQCfU/6K
> RUb5Kn+O1qc/FUzEQ12AmrA=
> =Pfoo
> -----END PGP SIGNATURE-----
> _______________________________________________
> freebsd-announce@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-announce
> To unsubscribe, send any mail to "freebsd-announce-unsubscribe@freebsd.org"
>
>
--
Av8 Internet Prepared to pay a premium for better service?
www.av8.net faster, more reliable, better service
617 256 5494
|
