If a query is made explicitly for a record of type 'RRSIG' to a validating
recursive server running BIND 9.7.1 or 9.7.1-P1, and the server has one or
more trust anchors configured statically and/or via DLV, then if the answer
is not already in cache, the server enters a loop which repeatedly generates
queries for RRSIGs to the authoritative servers for the zone containing the
queried name.
CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0213
CERT: http://www.kb.cert.org/vuls/id/211905
Versions affected: 9.7.1, 9.7.1-P1
Severity: High
Exploitable: remotely
http://www.isc.org/software/bind/advisories/cve-2010-0213
code where the 9.7.x series tightened its adherence to the DNS protocol
as written, vs. the 9.6.x series which was more liberal in what it accepted.
Specifically:
1. Restore processing of certain forms of negative responses that do
not contain all of the required elements to avoid aggressive
re-querying of authority servers.
2. Accept answers from authority servers without the AA bit set
if they meet the other requirements of an answer packet.
More detail can be found here:
https://www.isc.org/community/blog/201007/compatibility-issues-bind-970-and-971
(QNAME,QTYPE) by prespecified answers. This class is to be used in test suites
where you want to have servers to show predefined behavior.
If the server will do a lookup based on QNAME,QTYPE and return the specified
data. If there is no QNAME, QTYPE match the server will return a SERVFAIL.
A log will be written to STDERR it contains time, IP/PORT, QNAME, QTYPE, RCODE.
WWW: http://search.cpan.org/dist/Net-DNS-TestNS/
PR: ports/148161
Submitted by: Sunpoet Po-Chuan Hsieh <sunpoet@sunpoet.net>
Feature safe: yes
fix was too hasty. Employ a more robust fix that removes the _perl_ dep for
both this file and bind9.xsl.h. The pre-generated versions of these files
are identical to the newly generated ones, which is why this perl issue
never came up previously.
I still have reservations about baking the ISC DLV key into named, but given
that this was already done in 9.7.0+ at least this way we don't violate POLA.
which is a problem, however what it's doing is baking the ISC
DLV key into named which is not something I think is reasonable
to do by default.
So, instead of adding perl as a build dependency eliminate the
need for the file altogether.
This version has numerous minor bug fixes, please refer to the
CHANGES file for details. Many (but not all) of the fixes are
DNSSEC-related, and all users who are doing DNSSEC validation
are encouraged to upgrade to this version.
This release was inadvertently dubbed 2.54 in its logging by Simon Kelley,
so adjust our PORTVERSION to match that, but still build the 2.53 tarball.
Simon will treat 2.53 and 2.54 the same and release 2.55 next time.
http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2010q2/004105.html
Check work/dnsmasq-2.53/src/config.h for VERSION after "make extract" to see.
Approved by: garga (mentor)
