Package: bind9
Version: 1:9.8.1.dfsg.P1-4.2
Followup-For: Bug #690569

Problem exists in current Debian version of bind9. This is broken behaviour with regard to RFC4035 Section 3.1.3 and maybe some parts of RFC4952.
This means the version of bind in unstable and testing is non-functional for the purposes of being used as a resolver when DNSSEC validation is required. Turning off DNSSEC resolution to work around this significantly reduces the authenticity around the DNS response. This makes this version of bind9 far more open to Kaminsky DNS cache poisoning attacks. Severity of bug should be raised to grave.

Resolution is obvious: move code base to at least latest ISC 9.8.x Bind 9, which is 9.8.4.

Cheers,

Matthew Grant

shalom: -grantma- [~] $ dig www.nuonexclusief.nl @shalom-svc.internal.anathoth.net.

; <<>> DiG 9.8.1-P1 <<>> www.nuonexclusief.nl @shalom-svc.internal.anathoth.net.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 44296
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.nuonexclusief.nl.		IN	A

;; Query time: 3104 msec
;; SERVER: 172.31.10.1#53(172.31.10.1)
;; WHEN: Tue Oct 16 13:26:40 2012
;; MSG SIZE  rcvd: 38

-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_NZ.UTF-8, LC_CTYPE=en_NZ.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages bind9 depends on:
ii  adduser                3.113+nmu3
ii  bind9utils             1:9.8.1.dfsg.P1-4.2
ii  debconf [debconf-2.0]  1.5.46
ii  libbind9-80            1:9.8.1.dfsg.P1-4.2
ii  libc6                  2.13-35
ii  libcap2                1:2.22-1.2
ii  libdns81               1:9.8.1.dfsg.P1-4.2
ii  libgssapi-krb5-2       1.10.1+dfsg-2
ii  libisc83               1:9.8.1.dfsg.P1-4.2
ii  libisccc80             1:9.8.1.dfsg.P1-4.2
ii  libisccfg82            1:9.8.1.dfsg.P1-4.2
ii  liblwres80             1:9.8.1.dfsg.P1-4.2
ii  libssl1.0.0            1.0.1c-4
ii  lsb-base               4.1+Debian7
ii  net-tools              1.60-24.2
ii  netbase                5.0

bind9 recommends no packages.
Versions of packages bind9 suggests:
pn  bind9-doc   <none>
ii  dnsutils    1:9.8.1.dfsg.P1-4.2
pn  resolvconf  <none>
pn  ufw         <none>

-- Configuration Files:
/etc/bind/named.conf.local changed [not included]

-- debconf-show failed
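The dig output in the report shows only SERVFAIL, which on its own does not say whether the resolver failed DNSSEC validation or simply could not reach the authoritative servers. The standard way to separate the two is to repeat the query with the CD (Checking Disabled) bit set: a validating resolver then returns whatever it fetched without validating it, so "SERVFAIL normally, NOERROR with +cd" points at validation. The script below is an added example (not part of the bug report, and not BIND's or Debian's code) that parses dig's header and flags lines and classifies the outcome; the sample dig outputs are constructed from the shape of the report's output, and the resolver address and name in check_live are placeholders to be replaced.

```shell
#!/bin/sh
# Added diagnostic, not from the bug report. Classify a resolver's answer as
#   VALIDATED          NOERROR with the 'ad' flag (resolver validated the chain)
#   UNVALIDATED        NOERROR without 'ad' (unsigned zone, or validation is off)
#   VALIDATION_FAILURE SERVFAIL normally but NOERROR when re-queried with +cd
#   UPSTREAM_FAILURE   SERVFAIL both ways (authoritative servers unreachable etc.)
# Only check_live talks to the network; everything else runs on captured output.

# Pull "status: XXX" out of dig's ";; ->>HEADER<<-" line.
dig_status() {
  sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# "yes" if the ';; flags:' line carries the 'ad' (authenticated data) flag.
dig_has_ad() {
  grep -q ';; flags:.* ad[ ;]' && echo yes || echo no
}

# $1 = status of normal query, $2 = status of +cd query, $3 = ad flag (yes/no)
classify() {
  case "$1:$2:$3" in
    NOERROR:*:yes)       echo VALIDATED ;;
    NOERROR:*:no)        echo UNVALIDATED ;;
    NXDOMAIN:*:*)        echo NXDOMAIN ;;
    SERVFAIL:NOERROR:*)  echo VALIDATION_FAILURE ;;
    SERVFAIL:SERVFAIL:*) echo UPSTREAM_FAILURE ;;
    *)                   echo "UNKNOWN($1/$2)" ;;
  esac
}

# $1 = full dig output of the normal query, $2 = full dig output of the +cd query
classify_from_output() {
  st=$(printf '%s\n' "$1" | dig_status)
  cdst=$(printf '%s\n' "$2" | dig_status)
  ad=$(printf '%s\n' "$1" | dig_has_ad)
  classify "$st" "$cdst" "$ad"
}

# Live version: $1 = name, $2 = resolver address (placeholders; needs network).
check_live() {
  normal=$(dig "$1" @"$2")
  withcd=$(dig "$1" @"$2" +cd)
  classify_from_output "$normal" "$withcd"
}

# Constructed sample outputs (header/flags lines only, the parts parsed above).
SAMPLE_SERVFAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 44296
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0'
SAMPLE_CD_OK=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0'
SAMPLE_AD=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0'

# Offline demonstration on the constructed samples.
echo "SERVFAIL then +cd NOERROR: $(classify_from_output "$SAMPLE_SERVFAIL" "$SAMPLE_CD_OK")"
echo "SERVFAIL both ways:        $(classify_from_output "$SAMPLE_SERVFAIL" "$SAMPLE_SERVFAIL")"
echo "NOERROR with ad:           $(classify_from_output "$SAMPLE_AD" "$SAMPLE_AD")"
# To test a real resolver: check_live www.example.org 172.31.10.1
```

Two caveats when reading the result: the 'ad' flag only says that the resolver you asked validated the answer, so it is meaningful only over a path you trust to that resolver; and a resolver with validation switched off (the workaround the report warns against) will never set 'ad', which is exactly why UNVALIDATED should be treated as an alarm rather than a pass when validation is expected.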