CVE-2012-1033 (Ghost domain names) mitigation

Gilles Massen gilles.massen at restena.lu
Thu Feb 9 15:20:20 UTC 2012


The easier way to mitigate this is to enable DNSSEC validation on the
resolver (which is a good thing anyway). From my tests this changes the
behaviour of BIND insofar as it respects the TTL of the NS set
rather strictly, and returns to the parent on expiry.

Looks like the most efficient long-term fix to me...

Best,
Gilles

-- 
Fondation RESTENA - DNS-LU
6, rue Coudenhove-Kalergi
L-1359 Luxembourg
tel: (+352) 424409
fax: (+352) 422473
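A simplified cache model, added here to illustrate the two NS-set policies the post contrasts (example code, not BIND's or the author's; the zone name, TTLs and timestamps are constructed):

```python
from dataclasses import dataclass


@dataclass
class NSRecord:
    names: tuple     # nameserver hostnames of the delegation
    expires_at: int  # absolute time (seconds) at which the cached set expires


class ResolverCache:
    """Tiny model of how a resolver caches the NS set of a delegation."""

    def __init__(self, refresh_from_child):
        # True: an NS set seen in an authoritative answer from the child zone
        # replaces the cached delegation and resets its TTL (the behaviour
        # behind CVE-2012-1033, so the parent is never asked again).
        # False: the TTL of the NS set learned from the parent is honoured
        # strictly and the parent is queried again when it expires, which is
        # what the post reports for BIND with DNSSEC validation enabled.
        self.refresh_from_child = refresh_from_child
        self.ns = {}  # zone name -> NSRecord

    def learn_from_child(self, zone, names, ttl, now):
        if self.refresh_from_child:
            self.ns[zone] = NSRecord(tuple(names), now + ttl)

    def resolve(self, zone, parent, now):
        """Return the NS names used for `zone`, or None if it no longer exists."""
        rec = self.ns.get(zone)
        if rec is None or now >= rec.expires_at:
            delegation = parent.get(zone)  # back to the parent on expiry
            if delegation is None:
                self.ns.pop(zone, None)
                return None  # the parent no longer delegates the zone
            names, ttl = delegation
            rec = self.ns[zone] = NSRecord(tuple(names), now + ttl)
        return rec.names


def ghost_domain_scenario(refresh_from_child):
    """Resolve a delegation that the parent removes at t=10 (constructed data)."""
    zone = "example.test."
    parent = {zone: (("ns1.example.test.",), 3600)}  # NS set with a 1h TTL
    cache = ResolverCache(refresh_from_child)
    cache.resolve(zone, parent, now=0)  # delegation cached from the parent
    del parent[zone]  # the parent stops delegating the zone at t=10
    # The child zone's servers keep answering with their own NS set every 30 min.
    for t in range(1800, 40000, 1800):
        cache.learn_from_child(zone, ("ns1.example.test.",), 3600, now=t)
    # Well after the original 1h TTL has expired:
    return cache.resolve(zone, parent, now=40000)
```

With `refresh_from_child=True` the deleted zone still resolves long after its delegation TTL; with `False` the resolver goes back to the parent and the zone is gone.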