ISC BIND 9.6.1-P3 is now available

Cathy Almond cathya at isc.org
Wed Jan 20 14:30:52 UTC 2010


David Coulthart wrote:
> On Jan 19, 2010, at 12:28 PM, Evan Hunt wrote:
>> BIND 9.6.1-P3 is a SECURITY PATCH for BIND 9.6.1.  It addresses two
>> potential cache poisoning vulnerabilities, both of which could allow
>> a validating recursive nameserver to cache data which had not been
>> authenticated or was invalid.
> 
> Do these vulnerabilities only apply to recursive name servers that have
> DNSSEC trusted keys or lookaside keys configured?  Or do they also apply
> if the server has dnssec-enable & dnssec-validation enabled (as by
> default on 9.6.x) but no trusted keys or lookaside keys configured?

There is no validation until you have a trusted key or lookaside
configured.  The default enabling has no effect without the keys -
therefore you are not vulnerable either without the keys.
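
Added illustration, not part of the original thread and not ISC code: a small Python audit that reads named.conf text and reports whether a trust anchor is actually configured, which is the condition the reply above gives for a server being affected. It assumes a single file (include statements and per-view settings are not followed), and the sample configurations and key placeholder are constructed.

```python
import re

# Quoted strings are matched first so comment markers inside them are left alone.
_TOKENS = re.compile(r'"(?:\\.|[^"\\])*"|/\*.*?\*/|//[^\n]*|#[^\n]*', re.S)

def strip_comments(text):
    """Blank out named.conf comments (/* */, //, #) but keep quoted strings."""
    return _TOKENS.sub(lambda m: m.group(0) if m.group(0)[0] == '"' else " ", text)

def trust_anchors(conf_text):
    """Return which trust-anchor statements are live in the configuration text."""
    clean = strip_comments(conf_text)
    found = set()
    for m in re.finditer(r'(?<![\w-])trusted-keys\s*\{(.*?)\}\s*;', clean, re.S):
        if m.group(1).strip():          # an empty block configures no key
            found.add("trusted-keys")
    if re.search(r'(?<![\w-])dnssec-lookaside\s+\S+\s+trust-anchor\s+\S+\s*;', clean):
        found.add("dnssec-lookaside")
    return sorted(found)

def validation_active(conf_text):
    """True when the server would actually validate: a trust anchor is present
    and neither dnssec-enable nor dnssec-validation is set to 'no'.
    Assumption: both options default to yes, as stated for 9.6.x in the thread."""
    clean = strip_comments(conf_text)
    disabled = re.search(r'(?<![\w-])dnssec-(?:enable|validation)\s+no\s*;', clean)
    return bool(trust_anchors(conf_text)) and not disabled

# Constructed sample configurations (key material is a placeholder, not a real key).
SAMPLE_DEFAULT = '''
options { directory "/var/named"; };
// trusted-keys { "." 257 3 5 "PLACEHOLDERKEY=="; };
'''
SAMPLE_ANCHORED = '''
options { directory "/var/named"; dnssec-validation yes; };
trusted-keys { "example.net." 257 3 5 "PLACEHOLDERKEY=="; };  # live anchor
'''

if __name__ == "__main__":
    for name, conf in (("default", SAMPLE_DEFAULT), ("anchored", SAMPLE_ANCHORED)):
        print(name, trust_anchors(conf), "validating:", validation_active(conf))
```

A server for which `validation_active` returns True is the kind the announcement describes as a validating recursive nameserver and should be prioritised for the 9.6.1-P3 update.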





