Re: FreeBSD Security Advisory FreeBSD-SA-07:02.bind

> IV. Workaround
>
> There is no workaround available, but systems which are not authoritative
> servers for DNSSEC signed zones are not affected by the first issue; and
> systems which do not permit untrusted users to perform recursive DNS
> resolution are not affected by the second issue. Note that the default
> configuration for named(8) in FreeBSD allows local access only (which on
> many systems is equivalent to refusing access to untrusted users).

More precisely, systems which do not *validate* answers are not
vulnerable to the first.

All nameservers which offer recursion are vulnerable to the
second.

From ISC's advisory (which I authored).

Workaround:

Disable / restrict recursion (to limit exposure).



Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews@xxxxxxx
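
The "disable / restrict recursion" workaround from the message above, sketched as a named.conf fragment. This is an added example, not text from the ISC or FreeBSD advisory or from the poster; the ACL name "trusted-clients" and the 192.0.2.0/24 network are placeholders chosen for illustration.

```conf
// Constructed example: the ACL name and address range are placeholders.
acl "trusted-clients" {
    127.0.0.1;        // local resolver clients
    ::1;
    192.0.2.0/24;     // placeholder for an internal network
};

options {
    // Exposed form: recursion offered to every host that can reach the server.
    // recursion yes;
    // allow-recursion { any; };

    // Restricted form: recursive queries are answered only for the ACL above;
    // other clients still get answers for zones this server is authoritative for.
    recursion yes;
    allow-recursion { "trusted-clients"; };

    // Authoritative-only servers can turn recursion off entirely instead:
    // recursion no;
};
```

After reloading named, a recursive query from a host outside the ACL for a name the server is not authoritative for should no longer be resolved on the client's behalf.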