Re: BIND vulnerability to "additional information" hack

[Paul A Vixie <vixie () vix com>]

since these questions are common, i've decided to publish the answer on NANOG.

> I was under the impression that the vulnerability to bogus "additional
> information" was a thing of pre-4.9 BINDs, and that all versions of
> 4.9.x are safe.  What you wrote here implies that only 4.9.5-P1 and
> later are actually safe.

there are varying degrees of corruption.  to protect against alternic,
you have to run 8.1.1 or 4.9.6.  even 4.9.5-P1 is susceptible.

> I'm responsible for a number of nameservers on the Internet, at a
> number of sites.  Most of them are running BIND 4.9.3 and a few are
> running 4.9.4 and 4.9.5; none are yet running any version of BIND 8.

4.9.6 is your friend.  it's a drop-in, zero insertion force replacement
for 4.9.*.  it's not as good in general as 8.1.1, but it protects against
alternic cache pollution as well as 8.1.1, which is as well as we can do
it without full DNSSEC.

> Although they will all eventually be upgraded, I'm considering how
> urgent it is to upgrade them all now.  Are they vulnerable to this hack?

YES.