North American Network Operators Group Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical Re: BIND vulnerability to "additional information" hack
since these questions are common, i've decided to publish the answer on NANOG. > I was under the impression that the vulnerability to bogus "additional > information" was a thing of pre-4.9 BINDs, and that all versions of > 4.9.x are safe. What you wrote here implies that only 4.9.5-P1 and > later are actually safe. there are varying degrees of corruption. to protect against alternic, you have to run 8.1.1 or 4.9.6. even 4.9.5-P1 is susceptible. > I'm responsible for a number of nameservers on the Internet, at a > number of sites. Most of them are running BIND 4.9.3 and a few are > running 4.9.4 and 4.9.5; none are yet running any version of BIND 8. 4.9.6 is your friend. it's a drop-in, zero insertion force replacement for 4.9.*. it's not as good in general as 8.1.1, but it protects against alternic cache pollution as well as 8.1.1, which is as well as we can do it without full DNSSEC. > Although they will all eventually be upgraded, I'm considering how > urgent it is to upgrade them all now. Are they vulnerable to this hack? YES. |