Bugtraq mailing list archives
(no subject)
From: David_Conrad () ISC ORG (David R. Conrad)
Date: Thu, 11 Nov 1999 11:33:48 -0800
Hi,

The problem is with the reception of NXT records, so it doesn't matter what you have in your own zone files. Any nameserver running versions 8.2, 8.2 patchlevel 1, or 8.2.1 can be susceptible to the attack (albeit there are some pre-conditions that must be met for the issue to even come up).

We, of course, recommend upgrading. In addition, we recommend running your nameserver as non-root and chrooted (I know setting this up is non-trivial -- it'll be much, much easier in BINDv9).

Rgds,
-drc

Anonymous wrote:
Ooh, those pesky NXT records. Like I process those every day. Fascinating read in RFC 2535, but suppose I don't have any NXT records in my own zones, under what circumstances will my DNS server commit the sin of "the processing of NXT records"? In other words, are all of us vulnerable (even caching-only name servers if so, I imagine!), or only people with NXT records? This makes a big difference!