Bug 104705

Summary: Delegation-only patch for bind
Product: [Retired] Red Hat Linux Reporter: Need Real Name <jmarquart>
Component: bindAssignee: Daniel Walsh <dwalsh>
Status: CLOSED RAWHIDE QA Contact: Ben Levenson <benl>
Severity: medium Docs Contact:
Priority: high    
Version: 7.3CC: cstankaitis, redhat
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
URL: http://www.isc.org/products/BIND/delegation-only.html
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2003-09-24 13:52:07 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Need Real Name 2003-09-19 14:12:18 UTC 
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4b) Gecko/20030516
Mozilla Firebird/0.6

Description of problem:
Please see Bug #104569
Please consult media for reports on verisign mis-handling .com / .net wildcards.
Please consider the effects on email systems / spam blocking / security.
Please include delegation patch in update to RH7.3 (or ALL) bind packages.

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. Use non-patched bind
2. Permits wildcard lookup 
3. BAD BAD BAD - please add patch
    

Additional info:
Comment 1 Dean K. Gibson 2003-09-21 00:42:52 UTC 
I agree.  While technically not a bug, this fix is required for security 
features in other products to function properly;  eg, Sendmail and Postfix.  
Plus, having the fix available on RedHat would encourage wide adoption, which 
in turn would nullify the effects of VeriSign's "hijacking" of the purposes and 
RFC functions of the root servers.

The second BIND patch for this issue has been released.  I can understand if 
you want to wait a day or two for the dust to settle (the first patch has minor 
issues), but at least make some sort of announcement that a new RPM will be 
forthcoming.
Comment 2 Chris Stankaitis 2003-09-24 13:31:06 UTC 
Please add this patch to give RH users running bind the ability to block out
VeriSign SiteFinder.

RedHat seems to be laging behind in their response to this issue, it's a serious
concern to many System Admins and should be addressed with a new RPM patch ASAP.
Comment 3 Daniel Walsh 2003-09-24 13:52:07 UTC 
The patch is available on RawHide bind-9.2.2-23

Dan
Comment 4 Dean K. Gibson 2003-09-24 15:47:34 UTC 
No one who is following the ISC BIND9 list will want Bind-9.2.2-23, which only 
contains the first ISC patch and is defective and creates problems.  ISC's -P4 
patch is apparently stable, and should be built & released as an RPM.