Re: Bug in bind 9.7.3?

2011-05-27 Thread Jan-Piet Mens
This is reproducible and should only affected in 9.7.3. For the record, the problem has been fixed: http://www.isc.org/software/bind/advisories/cve-2011-1910 -JP

BIND Security Advisory May 2011: Large RRSIG RRsets and Negative Caching can crash named

2011-05-27 Thread Larissa Shapiro
*Summary:* A BIND 9 DNS server set up to be a caching resolver is vulnerable to a user querying a domain with very large resource record sets (RRSets) when trying to negatively cache a response. This can cause the BIND 9 DNS server (named process) to

Re: Why DNSSEC errors for bund.de?

2011-05-27 Thread Chris Thompson
To follow up on this thread (there's been much more about it on DNS-OARC than here), it was a bug that is fixed (change 3020) together with the more serious security problem (change 3121) in the new BIND versions 9.6-ESV-R4-P1, 9.7.3-P1 and 9.8.0-P2. -- Chris Thompson Email: c...@cam.ac.uk

Updated Security Advisory: BIND 9.4-ESV-R4-P1 is now available.

2011-05-27 Thread Larissa Shapiro
Change: BIND 9.4-ESV-R4-P1 is now available. Title: Large RRSIG RRsets and Negative Caching can crash named. Summary: A BIND 9 DNS server set up to be a caching resolver is vulnerable to a user querying a domain with very large resource record sets (RRSets) when trying to negatively cache a

? bad cache hit (eduftcdnsp01.ed.gov/DS)

2011-05-27 Thread Jim Glassford
Hi, Running BIND 9.7.0-P2. Is this just me or others seeing this? Starting today got reports of unable to reach some student ad sites such as studentloans.gov # dig eduftcdnsp01.ed.gov ; DiG 9.7.0-P2-RedHat-9.7.0-5.P2.el6_0.1 eduftcdnsp01.ed.gov ;; global options: +cmd ;; Got answer: ;;

Re: ? bad cache hit (eduftcdnsp01.ed.gov/DS)

2011-05-27 Thread Casey Deccio
On Fri, May 27, 2011 at 12:09 PM, Jim Glassford jmgl...@iup.edu wrote: Starting today got reports of unable to reach some student ad sites such as studentloans.gov There are problems with this and related sites. Specifically RRSIGs are not being returned with some RRsets, resulting in a

Re: ? bad cache hit (eduftcdnsp01.ed.gov/DS)

2011-05-27 Thread Carlos Vicente
Hi Jim, We are seeing the same thing. The problem is an incorrectly signed zone (missing RRSIG records) at ed.gov. See: http://dnssec-debugger.verisignlabs.com/www.ed.gov http://dnsviz.net/d/www.ed.gov/dnssec/ cv On Fri, May 27, 2011 at 12:09 PM, Jim Glassford jmgl...@iup.edu wrote: Hi,

Re: BIND Security Advisory May 2011: Large RRSIG RRsets and Negative Caching can crash named

2011-05-27 Thread Michael Sinatra
On Fri, 27 May 2011, Frank Kloeker wrote: Hello, I would want to say thank you very much for the wonderful work of the ISC team and the quick solution of the problem and a very professional appearance. I have come to expect such performance from everyone at ISC, but yesterday they exceeded

Re: Bug in bind 9.7.3?

2011-05-27 Thread Eivind Olsen
Evan Hunt wrote: Yes. But the problem domain has been corrected, so you won't be able to reproduce it now. In the interest of preventing this happening again, either by accident (as it was in this case) or due to someone crafting a bad zone maliciously, we will be releasing a patch to all