BIND OpenSSL follow-up

As a follow-up to the story from yesterday on the BIND DNS server updates (as a result of the OpenSSL signature validation bug)... It is difficult to tell whether the default BIND9 configuration turns on DNSSEC support by default. I reviewed the BIND documentation and the CHANGES file today. It certainly appears that the default settings for DNSSEC have been recently changed in the 9.6.0b1 and 9.5.0a1 releases. If you are running BIND DNS servers with DNSSEC, then you probably care that signatures check out and you need to patch regardless of what the default settings are. Otherwise, this isn't an exploitation bug and you don't need to patch immediately.

Kyle

Jan 9th 2009
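Because the defaults differ between releases, one way to decide whether a server falls into the "patch now" group is to look at what its `named.conf` sets explicitly. The sketch below is an added example, not part of the original diary entry or of BIND; the option names (`dnssec-enable`, `dnssec-validation`, `trusted-keys`) are BIND 9 keywords that the entry itself does not mention, the sample configuration is constructed, and it assumes a single file with no `include` statements.

```python
import re

# BIND 9 option names below are real named.conf keywords but do not appear in
# the diary entry; the sample configuration is constructed for this example.
SAMPLE_CONF = '''
options {
    directory "/var/named";   // constructed sample
    # dnssec-enable no;
    dnssec-validation yes;
    /* dnssec-lookaside . trust-anchor dlv.example; */
};
trusted-keys {
    example. 257 3 5 "PLACEHOLDERKEY==";
};
'''

def strip_comments(text):
    """Remove /* */, // and # comments, leaving quoted strings intact."""
    pattern = r'"(?:\\.|[^"\\])*"|/\*.*?\*/|//[^\n]*|#[^\n]*'
    keep_strings = lambda m: m.group(0) if m.group(0).startswith('"') else ' '
    return re.sub(pattern, keep_strings, text, flags=re.S)

def dnssec_posture(conf_text):
    """Report explicit DNSSEC settings; None means 'left to the version default'."""
    conf = strip_comments(conf_text)

    def option(name):
        m = re.search(r'(?<![\w-])' + re.escape(name) + r'\s+(\w+)\s*;', conf)
        return m.group(1).lower() if m else None

    posture = {
        "dnssec-enable": option("dnssec-enable"),
        "dnssec-validation": option("dnssec-validation"),
        "trusted-keys": bool(re.search(r'(?<![\w-])trusted-keys\s*\{', conf)),
    }
    # Heuristic: signatures are only checked when nothing is switched off and
    # a trust anchor is configured; an unset option is left to the release.
    off = "no" in (posture["dnssec-enable"], posture["dnssec-validation"])
    if off or not posture["trusted-keys"]:
        posture["verdict"] = "not validating"
    elif None in (posture["dnssec-enable"], posture["dnssec-validation"]):
        posture["verdict"] = "depends on version default"
    else:
        posture["verdict"] = "validating"
    return posture
```

A verdict of "depends on version default" is the case the entry describes: the answer has to come from the documentation for the installed release, so patching is the safer choice.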
