Hi Daisuke,

On 04/11/2014 04:00 PM, Daisuke HIGASHI wrote:
> (To unbound-users / nsd-users)
>
> Hi,
>
> OpenSSL heartbleed bug (CVE-2014-0160) affects Unbound/NSD?

NSD and Unbound have DNSSEC that does not use TLS, so they are not
affected by heartbleed for DNSSEC.

> I believe that unbound-control, ssl-upstream(unbound's), and
> nsd-control depends on OpenSSL to make secure channel. (though
> remote control is usually allowed from localhost only...)

Yes the default is from localhost. Additionally, nsd-control and
unbound-control require a client certificate. This seems to stop the
attack (when we tested it).

Unbound's ssl-upstream, ssl-service and unbound-anchor are options and
tools that create TLS connections. This is vulnerable to heartbleed.
Unbound-anchor is a client side, short lived process with no secrets,
it makes TLS connections in exceptional circumstances. ssl-upstream
makes client connections. Unbound's ssl-service options create a TLS
server, and this is vulnerable.

The public TLS dnssec-trigger server has had openssl upgraded.

Best regards,
Wouter
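
Added example (not part of the original message and not NLnet Labs code): a small audit that reports which of the TLS features named above are enabled in an unbound.conf, gated on whether the linked upstream OpenSSL version falls in the CVE-2014-0160 range. Assumptions: the option names ssl-service-key, ssl-service-pem, control-enable and control-interface are the unbound.conf options of that era, the sample config and its paths are constructed, and the version match covers upstream release strings only (distribution packages that backported the fix keep the old string and need a package-level check).

```python
import re

# Upstream OpenSSL releases affected by CVE-2014-0160: 1.0.1 through 1.0.1f
# and 1.0.2-beta1. Fixed in 1.0.1g.
_AFFECTED = re.compile(r"^1\.0\.(1[a-f]?|2-beta1)$")
LOCAL = {"127.0.0.1", "::1", "localhost"}

# Constructed sample config; the file paths are placeholders.
SAMPLE = """
server:
    ssl-service-key: "/etc/unbound/example_server.key"  # TLS server key
    ssl-service-pem: "/etc/unbound/example_server.pem"
    ssl-upstream: yes
remote-control:
    control-enable: yes
    control-interface: 0.0.0.0
"""

def openssl_affected(version):
    """True if an upstream OpenSSL version string is in the Heartbleed range."""
    return bool(_AFFECTED.match(version.strip()))

def parse_conf(text):
    """Return {option: [values]} from unbound.conf 'key: value' lines."""
    opts = {}
    for line in text.splitlines():
        key, sep, value = line.split("#", 1)[0].partition(":")
        value = value.strip().strip('"')
        if sep and value:  # skips clause headers such as 'server:'
            opts.setdefault(key.strip(), []).append(value)
    return opts

def tls_exposure(conf_text, openssl_version):
    """List (feature, role, note) for the TLS features the message names."""
    if not openssl_affected(openssl_version):
        return []
    o = parse_conf(conf_text)
    enabled = lambda k: o.get(k, ["no"])[-1].lower() == "yes"
    found = []
    if "ssl-service-key" in o or "ssl-service-pem" in o:
        found.append(("ssl-service", "server", "TLS server holding a private key"))
    if enabled("ssl-upstream"):
        found.append(("ssl-upstream", "client", "outgoing TLS client connections"))
    if enabled("control-enable"):
        ifaces = o.get("control-interface", ["127.0.0.1", "::1"])  # default is localhost
        remote = [i for i in ifaces if i.split("@")[0] not in LOCAL]
        where = "reachable on " + ", ".join(remote) if remote else "localhost only"
        found.append(("remote-control", "server", "client certificate required; " + where))
    return found
```

Calling tls_exposure(SAMPLE, "1.0.1e") returns one tuple per enabled feature; the "server" rows are the ones to upgrade first, since a TLS server is the role the message singles out as vulnerable.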
