All timestamps are relative to 2013 (when this page is generated).

BIND has a bug on FreeBSD

... as Mr. D.B said
Added by about 4 years ago

How the BIND company makes money

I. Background

BIND 9 is an implementation of the Domain Name System (DNS) protocols. The named(8) daemon is an Internet Domain Name Server. DNS Security Extensions (DNSSEC) are additional protocol options that add authentication as part of responses to DNS queries.

FreeBSD includes software from the OpenSSL Project. The OpenSSL Project is a collaborative effort to develop a robust, commercial-grade, full-featured Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library.

II. Problem Description

The DSA_do_verify() function from OpenSSL is used to determine if a DSA digital signature is valid. When DNSSEC is used within BIND it uses DSA_do_verify() to verify DSA signatures, but checks the function return value incorrectly.
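The advisory says the return value is checked incorrectly but does not show the code. OpenSSL's DSA_do_verify() has a three-way contract: it returns 1 for a valid signature, 0 for an invalid signature and -1 when verification could not be carried out (for example, malformed signature parameters). The added example below is not BIND's or OpenSSL's code; it uses a constructed toy verifier (toy_do_verify, not real DSA) that reproduces only that return contract, and it assumes, as an illustration of the bug class, that the flawed caller rejected only a return of 0, so that -1 was treated as success. The fixed caller accepts only the single success value.

```c
#include <stdio.h>

/* Return contract of OpenSSL's DSA_do_verify():
 * 1 = signature valid, 0 = signature invalid, -1 = error. */
enum { VERIFY_OK = 1, VERIFY_BAD = 0, VERIFY_ERROR = -1 };

/* Constructed stand-in for DSA_do_verify(). Not real DSA: a "signature"
 * is a pair (r, s) that must lie in the open interval (0, TOY_Q); anything
 * outside it is malformed and the verifier reports an error (-1), exactly
 * as the real library does for out-of-range r or s. */
#define TOY_Q 1000L
struct toy_sig { long r; long s; };

static int toy_do_verify(long expected_r, long expected_s, const struct toy_sig *sig)
{
    if (sig == NULL)
        return VERIFY_ERROR;
    if (sig->r <= 0 || sig->r >= TOY_Q || sig->s <= 0 || sig->s >= TOY_Q)
        return VERIFY_ERROR;          /* malformed input: an error, not a verdict */
    return (sig->r == expected_r && sig->s == expected_s) ? VERIFY_OK : VERIFY_BAD;
}

/* Flawed caller (assumed shape of the bug): only a return of 0 is rejected,
 * so the error value -1 falls through and the signature is accepted. */
int accept_signature_flawed(long expected_r, long expected_s, const struct toy_sig *sig)
{
    int status = toy_do_verify(expected_r, expected_s, sig);
    if (status == 0)
        return 0;                     /* reject only on "invalid" */
    return 1;                         /* accept: covers 1 AND -1 */
}

/* Fixed caller: the only acceptable outcome is the explicit success value. */
int accept_signature_fixed(long expected_r, long expected_s, const struct toy_sig *sig)
{
    int status = toy_do_verify(expected_r, expected_s, sig);
    return status == 1;               /* 0 and -1 are both rejected */
}

int main(void)
{
    /* Constructed test vectors: the "expected" pair stands in for what a
     * real verifier would compute from the public key and message hash. */
    const long er = 42, es = 77;
    struct toy_sig good      = { 42, 77 };   /* genuine signature */
    struct toy_sig wrong     = { 43, 77 };   /* wrong value, well-formed */
    struct toy_sig malformed = {  0, 77 };   /* r out of range: library error */

    printf("good      flawed=%d fixed=%d\n",
           accept_signature_flawed(er, es, &good), accept_signature_fixed(er, es, &good));
    printf("wrong     flawed=%d fixed=%d\n",
           accept_signature_flawed(er, es, &wrong), accept_signature_fixed(er, es, &wrong));
    printf("malformed flawed=%d fixed=%d\n",
           accept_signature_flawed(er, es, &malformed), accept_signature_fixed(er, es, &malformed));
    return 0;
}
```

The third line of output is the whole issue: the malformed signature is accepted by the flawed caller and rejected by the fixed one. The general lesson for any tri-state verification API is to compare against the documented success value rather than testing for "not failure".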

III. Impact

It is in theory possible to spoof a DNS reply even though DNSSEC is set up to validate answers. This could be used by an attacker for man-in-the-middle or other spoofing attacks.

IV. Workaround

Disable the DSA algorithm in named.conf. This will cause answers from zones signed only with DSA to be treated as insecure. Add the following to the options section of named.conf:

disable-algorithms . { DSA; };

NOTE WELL: If named(8) is not explicitly set to use DNSSEC the setup is not vulnerable to the issue as described in this Security Advisory.
