Re: BIND vulnerability to "additional information" hack
since these questions are common, i've decided to publish the answer on NANOG.
> I was under the impression that the vulnerability to bogus "additional information" was a thing of pre-4.9 BINDs, and that all versions of 4.9.x are safe. What you wrote here implies that only 4.9.5-P1 and later are actually safe.
there are varying degrees of corruption. to protect against alternic, you have to run 8.1.1 or 4.9.6. even 4.9.5-P1 is susceptible.
> I'm responsible for a number of nameservers on the Internet, at a number of sites. Most of them are running BIND 4.9.3 and a few are running 4.9.4 and 4.9.5; none are yet running any version of BIND 8.
4.9.6 is your friend. it's a drop-in, zero insertion force replacement for 4.9.*. it's not as good in general as 8.1.1, but it protects against alternic cache pollution as well as 8.1.1, which is as well as we can do it without full DNSSEC.
> Although they will all eventually be upgraded, I'm considering how urgent it is to upgrade them all now. Are they vulnerable to this hack?
YES.
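As an added illustration (not part of the thread, and not BIND's own code), the following Python models the defensive rule behind rejecting bogus "additional information": a resolver should only cache an additional-section record whose owner name lies inside the zone the responding server was asked about, so a server cannot "answer" for names it has no authority over. The zone name, record names and addresses are constructed for the example (RFC 2606 `.example` names, RFC 5737 addresses); the `build_cache` helper with `check_bailiwick=False` stands in for the old, trusting behaviour, not for any specific BIND version.

```python
"""In-bailiwick filtering of DNS additional-section records.

Added, constructed example (not BIND's code): a resolver caches an
additional record only if its owner name falls inside the zone the
responding server was asked about. Names and addresses are made up.
"""
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class RR:
    """A minimal resource record: owner name, type, and textual rdata."""
    name: str
    rtype: str
    rdata: str


def normalize(name: str) -> str:
    """Lower-case and make fully qualified (single trailing dot)."""
    return name.rstrip(".").lower() + "."


def in_bailiwick(name: str, zone: str) -> bool:
    """True if ``name`` is at or below ``zone`` on a label boundary.

    Comparing against "." + zone avoids the classic suffix-match bug where
    "notevil.example" would be accepted as inside "evil.example".
    """
    n, z = normalize(name), normalize(zone)
    if z == ".":  # the root zone contains every name
        return True
    return n == z or n.endswith("." + z)


def filter_additional(zone: str, additional: Iterable[RR]):
    """Split additional records into those the server may assert and those
    it may not; only the first group should ever reach the cache."""
    kept, dropped = [], []
    for rr in additional:
        (kept if in_bailiwick(rr.name, zone) else dropped).append(rr)
    return kept, dropped


def build_cache(zone: str, additional: Iterable[RR], check_bailiwick: bool) -> dict:
    """Simulate what lands in a resolver cache after one response.

    check_bailiwick=False mirrors a trusting resolver (everything in the
    additional section is cached); True applies the bailiwick filter.
    """
    records = list(additional)
    if check_bailiwick:
        records, _ = filter_additional(zone, records)
    return {normalize(rr.name): rr.rdata for rr in records if rr.rtype == "A"}


# Constructed response from a server authoritative for evil.example that was
# asked about a name in its own zone but padded the additional section.
ZONE = "evil.example"
SAMPLE_ADDITIONAL = [
    RR("ns1.evil.example", "A", "192.0.2.10"),     # legitimate glue
    RR("a.sub.evil.example", "A", "192.0.2.11"),   # legitimate, deeper label
    RR("www.victim.example", "A", "203.0.113.5"),  # out-of-zone: pollution
    RR("notevil.example", "A", "203.0.113.6"),     # suffix-match trap
]


if __name__ == "__main__":
    kept, dropped = filter_additional(ZONE, SAMPLE_ADDITIONAL)
    print("kept   :", [rr.name for rr in kept])
    print("dropped:", [rr.name for rr in dropped])
    print("trusting cache:", build_cache(ZONE, SAMPLE_ADDITIONAL, False))
    print("filtered cache:", build_cache(ZONE, SAMPLE_ADDITIONAL, True))
```

Run it as a script to see the two caches side by side: the trusting one ends up holding an address for `www.victim.example` that the queried server had no business supplying, while the filtered one keeps only the two in-zone glue records. The `notevil.example` entry is there to show why the check must compare on a label boundary rather than with a plain string suffix test.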
Participant: Paul A Vixie