MoinQ:

DNS/キャッシュサーバ/BIND/bugについて、ここに記述してください。

DNS/BIND/bug http://www.isc.org/software/bind/security/matrix (bind9)

1. CVE-2008-1447

29      2008-1447       DNS cache poisoning issue

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1447

2. CVE-2009-4022

security matrix より

32      2009-4022       Cache Update From Additional Section

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4022

DNSSECを使っていなくても、影響がありそう。 (それが分かるか)

Unspecified vulnerability in ISC BIND 9.0.x through 9.3.x, 9.4 before 9.4.3-P4, 9.5 before 9.5.2-P1, 9.6 before 9.6.1-P2, and 9.7 beta before 9.7.0b3, with DNSSEC validation enabled and checking disabled (CD), allows remote attackers to conduct DNS cache poisoning attacks by receiving a recursive client query and sending a response that contains an Additional section with crafted data, which is not properly handled when the response is processed "at the same time as requesting DNSSEC records (DO)," aka Bug 20438. 

--- 9.6.1-P2 released ---

2772.   [security]      When validating, track whether pending data was from
                        the additional section or not and only return it if
                        validates as secure. [RT #20438]


-- ToshinoriMaeno 2011-08-17 00:03:36

説明には間違いや誤誘導される記述が含まれているので、動作確認が必要だと思われる。