Various Varieties of Vulnerabilities

Cricket Liu, Infoblox Blog (Security), November 25, 2009
https://www.infoblox.com/blog/security/various-varieties-of-vulnerabilities/
Tags: DNS, DNSSEC, Infoblox, Security

Just yesterday, ISC announced the release of several versions of BIND to address a new vulnerability (https://www.isc.org/node/504). The vulnerability could allow unsigned data to be cached on a recursive name server configured to perform DNSSEC validation.

While that's alarming, it's not a systemic problem with DNSSEC; it's simply a flaw in BIND's implementation of DNSSEC. (How could it be anything else, if it was addressed by releasing new versions?) Implementations of the latest incarnation of DNSSEC are still relatively new, so it should come as no surprise that we're still finding flaws. (I'm proud to say that this particular defect was found by Michael Sinatra, who works for my alma mater, Berkeley: http://www.calbears.com/sports/m-footbl/recaps/112109aaa.html.)

If you're curious about the nature of the vulnerability, it works like this: a querier sends a recursive query to our validating name server with the DO and CD bits set. The DO (DNSSEC OK) bit, carried in the query's EDNS0 OPT record, says, "Please return DNSSEC records," while the CD (Checking Disabled) bit in the message header says, "You don't need to validate any DNSSEC records in the response before sending them to me, because I'm going to do that myself." The problem is that our validating name server would add records from the response's Additional Data section to its cache without validating them. That's not the behavior the RFCs prescribe: with CD set, that data should be passed through to the querier unvalidated, but it should only be added to the cache if it validates. A cached record is handed to every later querier, whether or not they set CD, so unvalidated data in the cache undoes the protection validation was supposed to give them.

ISC's advisory suggests restricting access to recursion on the vulnerable name server as a workaround, but it's not a complete fix: an authorized querier could still send a query that induces the vulnerable name server to cache unvalidated records, and someone with access to an authorized querier, acting in collusion with an attacker, could do the same deliberately. If you do DNSSEC validation, the real solution is to upgrade.
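As an added example (not code from the post, and not ISC's or BIND's), here is a small Python model of the exchange described above. It builds a recursive query with the DO and CD bits set, reads those bits back off the wire, and then applies the two caching rules side by side: the one the article says BIND used, and the one the RFCs prescribe. The names, addresses and the `validates` flags are constructed test data; real validation checks RRSIGs against a trust anchor, and the boolean stands in for that.

```python
"""Model of the DO+CD query and the cache rule from the article.

Added for this article; it is not ISC's or BIND's code.  Names, addresses
and the 'validates' flags in demo() are constructed test data.
"""
import struct
from dataclasses import dataclass

# DNS header flag bits (RFC 1035, RFC 4035) and the EDNS0 DO bit (RFC 3225),
# which lives in the top bit of the OPT pseudo-RR's TTL field.
FLAG_RD = 0x0100   # recursion desired
FLAG_CD = 0x0010   # checking disabled: "I'll validate myself"
OPT_TYPE = 41
EDNS_DO = 0x8000   # DNSSEC OK: "send me RRSIG/NSEC/etc."


def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels (no compression)."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii")
                   for label in name.rstrip(".").split("."))
    return out + b"\x00"


def build_query(qname, qtype=1, txid=0x1234, do=True, cd=True):
    """Recursive query with DO and CD set, the shape the article describes."""
    flags = FLAG_RD | (FLAG_CD if cd else 0)
    # id, flags, qdcount, ancount, nscount, arcount (the OPT RR is the one AR)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    # OPT: root name, type 41, class = UDP payload size, TTL = ext-rcode/ver/flags
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, EDNS_DO if do else 0, 0)
    return header + question + opt


def parse_query_flags(msg):
    """Return (cd_set, do_set) for a message that uses no name compression."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12

    def skip_name(pos):
        while msg[pos] != 0:
            pos += 1 + msg[pos]
        return pos + 1

    for _ in range(qd):
        off = skip_name(off) + 4                      # qtype + qclass
    do = False
    for _ in range(an + ns + ar):
        off = skip_name(off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT_TYPE and ttl & EDNS_DO:
            do = True
    return bool(flags & FLAG_CD), do


@dataclass(frozen=True)
class RR:
    name: str
    rtype: str
    rdata: str
    validates: bool   # stand-in for "its RRSIG chain checks out"


def resolve(cache, answer, additional, cd, policy):
    """Decide what the validating resolver returns and what it caches.

    policy="vulnerable" reproduces the article's description: with CD set,
    Additional Data is cached without validation.  policy="fixed" follows the
    RFC rule: pass everything through when CD is set, cache only what validates.
    """
    for rr in answer:
        if rr.validates:
            cache[(rr.name, rr.rtype)] = rr
    for rr in additional:
        if (policy == "vulnerable" and cd) or rr.validates:
            cache[(rr.name, rr.rtype)] = rr
    # With CD set the querier validates, so it gets the unvalidated data too.
    if cd:
        return answer + additional
    return [rr for rr in answer + additional if rr.validates]


def demo(policy):
    """Run one DO+CD query against a response carrying forged, unsigned glue."""
    cache = {}
    answer = [RR("www.example.", "A", "192.0.2.10", True)]
    additional = [RR("ns1.example.", "A", "198.51.100.66", False)]  # no valid RRSIG
    cd, do = parse_query_flags(build_query("www.example."))
    assert do  # DO was set, so the response carried DNSSEC records at all
    returned = resolve(cache, answer, additional, cd, policy)
    return cache, returned
```

The querier receives the same two records under both policies, which is what CD asks for; the difference is only what the resolver keeps. To send this kind of query to a real resolver, `dig +dnssec +cdflag` sets DO and CD; the model above only shows why caching what comes back is wrong unless it validates.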