A vulnerability was found that affects the large majority of popular DNS implementations, including ISC BIND, which allows a malicious domain name to stay resolvable long after it has been removed from the upper level servers. According to Tsinghua University researchers, it exploits a flaw in DNS cache update policy, which prevents effective domain name revocation. There is currently no known exploit, and no fix has been produced by ISC as of yet.

External References:
https://www.isc.org/software/bind/advisories/cve-2012-1033
ISC has updated their CVE page to note that they do not intend to fix this as it is an issue at the DNS protocol level, and not in the implementation. They do intend to do further analysis and research, and suggest using DNSSEC to mitigate this if users deem it necessary, stating that "unsecured DNS is not designed to be relied on for security".
Of course they want to push DNSSEC instead of "fixing it". At least in Sweden DNSSEC costs a lot of money, only huge businesses and the government can afford it I guess. This is why I disabled this (now default) behaviour in Mandriva, and due to huge latency. Well...
(In reply to comment #0)
> https://www.isc.org/software/bind/advisories/cve-2012-1033

(In reply to comment #1)
> ISC has updated their CVE page to note that they do not intend to fix this
> as it is an issue at the DNS protocol level, and not in the implementation.
> They do intend to do further analysis and research, and suggest using DNSSEC
> to mitigate this if users deem it necessary, stating that "unsecured DNS is
> not designed to be relied on for security".

Even though ISC security advisory has not been updated, a fix addressing this has been included in newer bind releases:

3282.   [bug]   Restrict the TTL of NS RRset to no more than that
                of the old NS RRset when replacing it.
                [RT #27792] [RT #27884]

That change is available in bind versions 9.9.0, 9.8.2, 9.7.5, and 9.6-ESV-R6.
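The cache policy named in change 3282 above, as an added example that is not BIND's code and not part of any comment in this report: a toy model of one cached NS RRset, comparing replacement with and without the TTL clamp. The class, function and host names are hypothetical, and the model assumes "TTL of the old NS RRset" means its remaining lifetime in the cache.

```python
from dataclasses import dataclass

DAY = 86400  # seconds


@dataclass
class CachedNS:
    names: frozenset  # NS target names of the delegation
    expires: int      # absolute expiry time in seconds


class DelegationCache:
    """Toy model of a resolver's cached NS RRset for one zone cut."""

    def __init__(self, clamp_ttl):
        self.clamp_ttl = clamp_ttl  # True: policy described in change 3282
        self.entry = None

    def is_cached(self, now):
        return self.entry is not None and self.entry.expires > now

    def store(self, now, names, ttl):
        if self.clamp_ttl and self.is_cached(now):
            # Assumption: the old RRset's TTL is its remaining cache lifetime.
            ttl = min(ttl, self.entry.expires - now)
        self.entry = CachedNS(frozenset(names), now + ttl)


def delegation_expiry(clamp_ttl, ttl=DAY, refresh_every=DAY // 2, horizon=10 * DAY):
    """Return when the cached delegation finally expires if a replacement
    NS RRset keeps arriving every `refresh_every` seconds while it is cached."""
    cache = DelegationCache(clamp_ttl)
    cache.store(0, ["ns-old.example.test"], ttl)  # learned from the parent at t=0
    t = refresh_every
    while t <= horizon and cache.is_cached(t):
        cache.store(t, ["ns-new.example.test"], ttl)  # replacement RRset
        t += refresh_every
    return cache.entry.expires


if __name__ == "__main__":
    print("without clamp, expires at day", delegation_expiry(False) / DAY)
    print("with clamp, expires at day", delegation_expiry(True) / DAY)
```

With the clamp, the delegation expires when the original parent-supplied TTL runs out, so a removal at the parent takes effect at the next fresh lookup; without it, each replacement restarts the clock.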
(In reply to comment #17)
> Even though ISC security advisory has not been updated, a fix addressing
> this has been included in newer bind releases:
>
> 3282.   [bug]   Restrict the TTL of NS RRset to no more than that
>                 of the old NS RRset when replacing it.
>                 [RT #27792] [RT #27884]
>
> That change is available in bind versions 9.9.0, 9.8.2, 9.7.5, and
> 9.6-ESV-R6.

Revision 2.1 from May 29, 2012 is updated with the above information:
http://www.isc.org/software/bind/advisories/cve-2012-1033
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2012:0717 https://rhn.redhat.com/errata/RHSA-2012-0717.html
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 6

Via RHSA-2012:0716 https://rhn.redhat.com/errata/RHSA-2012-0716.html