[12543] in bugtraq
daemon@ATHENA.MIT.EDU (David R. Conrad)
Fri Nov 12 12:12:42 1999
Message-Id: <382B1A1C.10F9E41B@isc.org>
Date: Thu, 11 Nov 1999 11:33:48 -0800
Reply-To: "David R. Conrad" <David_Conrad@ISC.ORG>
From: "David R. Conrad" <David_Conrad@ISC.ORG>
X-To: Anonymous <nobody@REPLAY.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Hi,
The problem is with the reception of NXT records, so it doesn't matter what
you have in your own zone files. Any nameserver running versions 8.2, 8.2
patchlevel 1, or 8.2.1 can be susceptible to the attack (albeit there are some
pre-conditions that must be met for the issue to even come up). We, of
course, recommend upgrading. In addition, we recommend running your
nameserver as non-root and chrooted (I know setting this up is non-trivial --
it'll be much, much easier in BINDv9).
Rgds,
-drc
Anonymous wrote:
> Ooh, those pesky NXT records. Like I process those every day.
> Fascinating read in RFC 2535, but suppose I don't have any NXT
> records in my own zones, under what circumstances will my DNS server
> commit the sin of "the processing of NXT records"? In other words,
> are all of us vulnerable (even caching-only name servers if so, I
> imagine!), or only people with NXT records? This makes a big difference!
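What "the processing of NXT records" means at the wire level, as an added example that is not part of the original message and is not BIND code: a bounds-checked parser for NXT RDATA (RFC 2535 section 5.2) as a resolver receives it inside a DNS response. The message above does not describe the flaw itself, so this code does not reproduce it; it shows the checks a receiver has to make (RDLENGTH against the buffer, label and name lengths, compression pointers, type bit map length) and why a caching-only server that never loads an NXT from its own zone files still has to get this right, since the RDATA comes from whoever answers the query. The sample message, its offsets and the helper names are constructed for the demo.

```python
"""Bounds-checked parser for NXT RDATA (RFC 2535 section 5.2) as it arrives
in a DNS response.  Added example; not code from the original post or BIND."""

MAX_NAME_LEN = 255     # RFC 1035: total wire length of a name, root label included
MAX_LABEL_LEN = 63
MAX_NXT_BITMAP = 16    # RFC 2535 5.2: one bit per RR type 0..127
TYPE_NXT = 30


class MalformedRR(ValueError):
    """Raised instead of reading outside the message buffer."""


def read_name(msg: bytes, off: int):
    """Decode a possibly compressed domain name at msg[off].

    Returns (labels, offset_just_past_the_name_field).  Every read is checked
    against len(msg); pointers may only go backwards and each offset is
    visited once, so a looping or truncated name raises rather than spinning
    or over-reading.
    """
    labels, wire_len, end, seen = [], 0, None, set()
    while True:
        if off >= len(msg):
            raise MalformedRR("name runs past end of message")
        if off in seen:
            raise MalformedRR("compression pointer loop")
        seen.add(off)
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # compression pointer
            if off + 1 >= len(msg):
                raise MalformedRR("truncated compression pointer")
            ptr = ((length & 0x3F) << 8) | msg[off + 1]
            if ptr >= off:
                raise MalformedRR("compression pointer does not point backwards")
            if end is None:                             # first jump ends the field
                end = off + 2
            off = ptr
            continue
        if length & 0xC0:
            raise MalformedRR("reserved label type 0x%02x" % (length & 0xC0))
        if length > MAX_LABEL_LEN:
            raise MalformedRR("label longer than 63 octets")
        wire_len += length + 1
        if wire_len > MAX_NAME_LEN:
            raise MalformedRR("name longer than 255 octets")
        if off + 1 + length > len(msg):
            raise MalformedRR("label runs past end of message")
        if length == 0:
            if end is None:
                end = off + 1
            return labels, end
        labels.append(msg[off + 1:off + 1 + length].decode("ascii", "replace"))
        off += 1 + length


def parse_nxt_rdata(msg: bytes, rdata_off: int, rdlength: int):
    """Parse one NXT RDATA field at msg[rdata_off : rdata_off + rdlength].

    Returns (next_domain_name, sorted_rr_types).  RDLENGTH comes from the
    wire too, so it is checked against the buffer before anything is read.
    """
    rdata_end = rdata_off + rdlength
    if rdata_off < 0 or rdata_end > len(msg):
        raise MalformedRR("RDLENGTH %d runs past end of message" % rdlength)
    labels, off = read_name(msg, rdata_off)
    if off > rdata_end:
        raise MalformedRR("next domain name longer than RDLENGTH")
    bitmap = msg[off:rdata_end]
    if not 1 <= len(bitmap) <= MAX_NXT_BITMAP:
        raise MalformedRR("type bit map of %d octets out of range" % len(bitmap))
    # Bit n, counted from the most significant bit of the first octet, is set
    # when RR type n exists at the owner name (RFC 2535 5.2).
    types = [n for n in range(8 * len(bitmap)) if bitmap[n // 8] & (0x80 >> (n % 8))]
    if TYPE_NXT not in types:
        # An owner that holds this NXT has an NXT, so its own bit is always on.
        raise MalformedRR("NXT bit not set in its own type bit map")
    return ".".join(labels) + ".", types


# Constructed message for the demo (not a real capture): 12 zero octets stand
# in for the DNS header, then the owner "example.com." at offset 12, then NXT
# RDATA whose next name "a.example.com." compresses to a pointer (0xC00C) at
# the owner name.  The type bit map lists A, NS, SOA, MX and NXT.
SAMPLE_MSG = (b"\x00" * 12
              + b"\x07example\x03com\x00"              # offsets 12..24
              + b"\x01a\xc0\x0c"                        # offset 25: next name
              + b"\x62\x01\x00\x02")                    # bit map: 1,2,6 / 15 / - / 30
SAMPLE_RDATA_OFF, SAMPLE_RDLENGTH = 25, 8


def parse_or_error(msg: bytes, rdata_off: int, rdlength: int):
    """Demo wrapper: ("ok", result) on success, ("rejected", reason) otherwise."""
    try:
        return ("ok", parse_nxt_rdata(msg, rdata_off, rdlength))
    except MalformedRR as exc:
        return ("rejected", str(exc))


if __name__ == "__main__":
    print(parse_or_error(SAMPLE_MSG, SAMPLE_RDATA_OFF, SAMPLE_RDLENGTH))
    # RDLENGTH claims more octets than the message holds
    print(parse_or_error(SAMPLE_MSG, SAMPLE_RDATA_OFF, 200))
    # next-name field that is a compression pointer to itself
    print(parse_or_error(SAMPLE_MSG[:25] + b"\xc0\x19\x00\x00\x00\x02", 25, 6))
```

The point of the three demo calls is that none of the rejected inputs would ever appear in a local zone file: they are shapes only a remote answer can take, which is why the advice in the message is to upgrade and to contain `named` (non-root, chrooted) rather than to audit one's own zones.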