date:20140411

BIND, DHCP, and CVE-2014-0160 (the OpenSSL Heartbleed bug)

2014-04-11 Thread Michael McNally

Earlier this week, the OpenSSL project (http://openssl.org) announced
CVE-2014-0160, disclosing a very serious security flaw in the OpenSSL
library, affecting versions 1.0.1 and 1.0.2-beta (including OpenSSL
1.0.1f and 1.0.2-beta1)  In many stories, this vulnerability is being
referred to as the Heartbleed bug.

Because ISC products can be built to link against OpenSSL libraries,
users of BIND 9 and ISC DHCP have asked us to clarify whether or not
their systems are at risk due to CVE-2014-0160.  Rather than answer
questions individually, we hope that this will clarify the matter for
our users and reassure them that their services are safe from this
security vulnerability.

   1)  Is BIND vulnerable?

   After consulting with our developers, we are pleased
   to report that BIND 9 does not make use of the vulnerable
   parts of the OpenSSL libraries, so BIND services are NOT
   at risk from CVE-2014-0160.

   2)  Is ISC DHCP vulnerable?

   ISC DHCP does not use the affected parts of the OpenSSL
   library, either.  ISC DHCP services are not at risk from
   CVE-2014-0160.

   3)  What about Windows binary packages?

   For the benefit of Windows users, ISC provides installable
   binary distributions of BIND 9 for those who wish to run it
   on Windows servers.  At the time of this message, the most
   recent Windows binary distributions include vulnerable
   versions of the OpenSSL shared libraries.  These shared
   library files are safe for use with BIND 9 because BIND
   does not use the flawed parts of the library, but operators
   should not use the provided libraries with other applications.
   Future versions of the Windows binary distributions will
   include updated OpenSSL libraries with the security issues
   fixed, but we have no current plans to release emergency
   security releases for Windows because the libraries provided
   are safe for BIND 9.

Michael McNally
ISC Support
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Windows dig resolv.conf

2014-04-11 Thread Frederic Woodbridge

Apologies if this has been discussed; I searched the archives and didn't find 
anything.

I'd like to know why the search and domain settings in the Windows 
%systemroot%\system32\drivers\etc\resolv.conf don't seem to make a difference.
Anyone know?

Thanks.

Fred Woodbridge
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Windows dig resolv.conf

2014-04-11 Thread Chris Thompson


On Apr 11 2014, Frederic Woodbridge wrote:


Apologies if this has been discussed; I searched the archives and didn't find 
anything.

I'd like to know why the search and domain settings in the Windows 
%systemroot%\system32\drivers\etc\resolv.conf don't seem to make a difference.
Anyone know?


If you are asking why doesn't dig take any notice of these settings,
that's not Windows-specific. From the dig man page:

+[no]search
Use [do not use] the search list defined by the
searchlist or domain directive in resolv.conf (if any).
The search list is not used by default.

--
Chris Thompson
Email: c...@cam.ac.uk


___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Inline signing and views.

2014-04-11 Thread Jack Tavares

Hello -

Is it possible to enable inline signing of a zone in 2 different views with 2 
different keys?

I have the following config: 

view external {
match-clients {
1.1.1.1;
};
zone test.com. {
type master;
file external.test.com.;
allow-update {
localhost;
};
key-directory /config/external.keys;
auto-dnssec maintain;
inline-signing yes;
};
};
view internal {
match-clients {
any;
};
zone test.com. {
type master;
file internal.test.com.;
allow-update {
localhost;
};
key-directory /config/internal.keys;
auto-dnssec maintain;
inline-signing yes;
};
};

When I run bind I get these errors:
11-Apr-2014 10:35:30.414 dns_dnssec_findzonekeys2: error reading private key 
file test.com/RSASHA1/49440: file not found
11-Apr-2014 10:35:30.415 dns_dnssec_findzonekeys2: error reading private key 
file test.com/RSASHA1/6124: file not found
11-Apr-2014 10:35:30.435 zone test.com/IN/external (signed): reconfiguring zone 
keys
11-Apr-2014 10:35:30.436 zone test.com/IN/internal (signed): reconfiguring zone 
keys
11-Apr-2014 10:35:30.436 dns_dnssec_keylistfromrdataset: error reading private 
key file test.com/RSASHA1/49440: file not found
11-Apr-2014 10:35:30.437 dns_dnssec_keylistfromrdataset: error reading private 
key file test.com/RSASHA1/6124: file not found


Is what I am trying to do not possible, or do I have a config error?

I created the key files using 
dnssec-keygen test.com
dnssec-keygen -fk test.com

In the 2 different directorys.
All permissions and file owner ship is correct.

It works properly if I only have one (either of them) of these zones configured 
for auto signing,
so I believe the key files are ok.

The man page and tutorials that I have found do not address multiple views.
Thank you

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Clients Matching Multiple Views

2014-04-11 Thread John Wobus


On Apr 9, 2014, at 4:14 AM, Steven Carr wrote:

However, assuming you are using views on the same IP address and not
splitting it across internal/external servers as that would screw up
NS records), you can reuse the same zone file so those zones that
appear in both internal and external views refer back to the same zone
file, then when you update that zone file both views are updated.


My understanding has been that two views that are masters for
a zone can safely share a zone file if the zone isn't dynamic (e.g.
dnsupdate, dnssec auto signing, etc), but that two views of
a slave zone shouldn't do that: you could have two
different views independently rewriting the same file, a bad thing even
if the files are known to be identical.  Furthermore, allowing that  
could

conceivably show no problems very much of the time, masking the actual
risk.

If I'm wrong, that would be a good thing to know.

John Wobus
Cornell U
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Clients Matching Multiple Views

2014-04-11 Thread Marty Lee


On 11 Apr 2014, at 18:59, John Wobus jw...@cornell.edu wrote:

 On Apr 9, 2014, at 4:14 AM, Steven Carr wrote:
 However, assuming you are using views on the same IP address and not
 splitting it across internal/external servers as that would screw up
 NS records), you can reuse the same zone file so those zones that
 appear in both internal and external views refer back to the same zone
 file, then when you update that zone file both views are updated.
 
 My understanding has been that two views that are masters for
 a zone can safely share a zone file if the zone isn't dynamic (e.g.
 dnsupdate, dnssec auto signing, etc), but that two views of
 a slave zone shouldn't do that: you could have two
 different views independently rewriting the same file, a bad thing even
 if the files are known to be identical.  Furthermore, allowing that could
 conceivably show no problems very much of the time, masking the actual
 risk.
 
 If I'm wrong, that would be a good thing to know.
 
 John Wobus
 Cornell U

If you were to use a DLZ for the dynamic zone rather than a file,
then the multiple writer integrity can be handled by the DLZ code
(i.e. palming it off to a RDBMS to deal with).

Just a thought - but generally I agree that multiple writers to
a file is just asking for trouble…



-
Marty Lee e: ma...@maui-systems.co.uk
Technical Directorv: +44 845 869 2661
Maui Systems Ltd  f: +44 871 433 8922
Scotland, UK  w: http://www.maui-systems.co.uk



signature.asc
Description: Message signed with OpenPGP using GPGMail
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Clients Matching Multiple Views

2014-04-11 Thread Doug Barton


On 04/11/2014 10:59 AM, John Wobus wrote:


My understanding has been that two views that are masters for
a zone can safely share a zone file if the zone isn't dynamic (e.g.
dnsupdate, dnssec auto signing, etc), but that two views of
a slave zone shouldn't do that: you could have two
different views independently rewriting the same file, a bad thing even
if the files are known to be identical.  Furthermore, allowing that could
conceivably show no problems very much of the time, masking the actual
risk.


You are correct. Include statements that reference the common data 
between the zones on the master has been the canonical way to handle 
this situation since day 1.


Doug

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

BIND, DHCP, and CVE-2014-0160 (the OpenSSL Heartbleed bug)

Windows dig resolv.conf

Re: Windows dig resolv.conf

Inline signing and views.

Re: Clients Matching Multiple Views

Re: Clients Matching Multiple Views

Re: Clients Matching Multiple Views

7 matches

Site Navigation

Mail list logo

Footer information