Re: PLEASE READ: An Important Security Announcement from ISC
Searching the title of the vulnerability with Google results in one PDF document.
http://www.google.co.jp/#q=Ghost+Domain+Names:+Revoked+Yet+Still+Resolvable+PDF
It shows details.

-- Kazunori Fujiwara

> From: Michael McNally mcna...@isc.org
>
> PLEASE READ: An important security announcement from ISC
>
> ISC has been notified by Haixin Duan (a professor at Tsinghua University in Beijing, China, who is currently visiting the International Computer Science Institute (ICSI) at the University of California, Berkeley) about a DNS resolver vulnerability that potentially allows a party to keep a domain name in the cache even after that domain name has expired.
>
> ISC is evaluating the risk of this vulnerability, but his published paper shows how this was demonstrated, live across the Internet. It lists several DNS implementations and open resolver deployments as vulnerable. All BIND 9 versions are currently considered vulnerable.
>
> A more detailed description of this vulnerability and ISC's planned response can be found at:
> https://www.isc.org/software/bind/advisories/cve-2012-1033

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
TTL of NSEC3PARAM RR
Hi,

Why does BIND 9 set the TTL of the NSEC3PARAM RR to zero?

dnssec-signzone sets the TTL of the NSEC3PARAM RR to 0.

    update add zone 3600 IN NSEC3PARAM 1 1 10 001122334455

adds an NSEC3PARAM RR with TTL 0.

# I know that the TTL of the NSEC3PARAM RR is trivial.
#
# RFC 5155 describes that the NSEC3PARAM RR is not used for validation.
# But RFC 5155 does not describe the TTL of the NSEC3PARAM RR.

I don't have any opinion or request for the TTL of NSEC3PARAM. I only want to know the reason.

LDNS and OpenDNSSEC seem to set the TTL of NSEC3PARAM to 3600.

Regards,

-- Kazunori Fujiwara, JPRS
Re: How do I get from IANA's root-anchors.xml to managed-keys{}?
> From: Hauke Lampe la...@hauke-lampe.de
>
> http://data.iana.org/root-anchors/root-anchors.xml
> http://data.iana.org/root-anchors/root-anchors.asc
>
> The XML file contains a DS hash of the root KSK, but BIND needs a public key in the managed-keys clause. Are there any tools to retrieve the DNSKEY and validate it with the hash? Or even process the XML directly?

You can check the root DNSKEY RR and root-anchors.xml using dig and dnssec-dsfromkey.

    % dig . dnskey | grep -w 257 > root.key; dnssec-dsfromkey -2 root.key

If you have checked that the DS data written in root-anchors.xml and root.key are equivalent, you can generate a trusted-keys entry from the root.key file.

But I want a new BIND 9 function: DS-style trust anchor configuration.

-- Kazunori Fujiwara, JPRS
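The check above compares the SHA-256 DS that dnssec-dsfromkey -2 derives from the root KSK with the digest published in root-anchors.xml. As an added example, not part of this thread or of BIND, the following Python does the same comparison offline: it computes the key tag (RFC 4034 Appendix B) and the digest type 2 DS (RFC 4509) from a DNSKEY, parses a root-anchors.xml-style file, and reports whether the key is anchored. The key and the XML are constructed samples, not the real root KSK.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

ROOT_OWNER = b"\x00"  # wire-format owner name of the root zone "."

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """Wire-format DNSKEY RDATA (RFC 4034 section 2.1)."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag as in RFC 4034 Appendix B (algorithms other than 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_sha256(owner_wire, rdata):
    """DS digest type 2: SHA-256 over owner name + DNSKEY RDATA (RFC 4509)."""
    return hashlib.sha256(owner_wire + rdata).hexdigest().upper()

def parse_root_anchors(xml_text):
    """Map (KeyTag, Algorithm, DigestType) -> Digest from root-anchors.xml-style XML."""
    anchors = {}
    for elem in ET.fromstring(xml_text).iter():
        if elem.tag.rpartition("}")[2] != "KeyDigest":  # tolerate a namespace prefix
            continue
        f = {c.tag.rpartition("}")[2]: (c.text or "").strip() for c in elem}
        anchors[(int(f["KeyTag"]), int(f["Algorithm"]), int(f["DigestType"]))] = f["Digest"].upper()
    return anchors

def matches_anchor(anchors, flags, protocol, algorithm, pubkey_b64):
    """True if the DNSKEY is a SEP zone key whose SHA-256 DS is listed in the anchors."""
    if flags & 0x0101 != 0x0101:  # zone key bit (bit 7) and SEP bit (bit 15) both required
        return False
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    return anchors.get((key_tag(rdata), algorithm, 2)) == ds_sha256(ROOT_OWNER, rdata)

# Constructed sample KSK (flags 257, protocol 3, algorithm 8); NOT the real root key.
SAMPLE_KEY = (257, 3, 8, "AQIDBA==")
SAMPLE_RDATA = dnskey_rdata(*SAMPLE_KEY)
# Constructed root-anchors.xml in IANA's layout, carrying the DS of the sample key.
SAMPLE_XML = (
    '<TrustAnchor id="constructed"><Zone>.</Zone><KeyDigest id="sample">'
    f"<KeyTag>{key_tag(SAMPLE_RDATA)}</KeyTag><Algorithm>8</Algorithm><DigestType>2</DigestType>"
    f"<Digest>{ds_sha256(ROOT_OWNER, SAMPLE_RDATA)}</Digest></KeyDigest></TrustAnchor>"
)

if __name__ == "__main__":
    print("sample key anchored:", matches_anchor(parse_root_anchors(SAMPLE_XML), *SAMPLE_KEY))
```

To check a real key, feed the flags, protocol, algorithm and base64 fields of the `257` line from `dig . dnskey` and the downloaded root-anchors.xml into `matches_anchor`; a key tag or digest mismatch returns False.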