On Wed, Oct 17, 2012 at 1:57 PM, Michael Gilbert <mgilbert@debian.org> wrote:
On Tue, Oct 16, 2012 at 6:49 PM, Matthew Grant wrote:
> Can Bug #690569 (DNS wildcards fail to resolve with DNSSEC enabled - breaks
> RFC 4035) be reclassified as grave, or at least Important severity?

You implied a bug severity increase.  It's now at important.
> We need to get something done about this one.  Having to turn off DNSSEC
> validation to get correct resolution behaviour is not good for security re
> DNS cache poisoning attacks, which is why DNSSEC was implemented in DNS.

I did a diff between 9.6-R5 and -R6 and extracted the parts seeming to
relate to wildcard handling.  Someone will have to look at whether
those are the right changes and if they're complete, and then port it
to the current version.  See attached.

Checked diff.  It looks a mess.  Have you compiled the bind9 package and checked that it handles wildcard queries?

I am not confident that data structures are handled correctly.  (Used to be a professional router C programmer, and have extensive kernel patch experience.)

Could someone on the security team who knows bind9 look at this please to see if they can patch bind9 9.8.1.dfsg-4.2 and 9.7.3 (squeeze)?
> Also, to resolve this, is it alright to NMU Bind 9.8.4 (latest 9.8.x)
> please. LaMont Jones, it would be good if you could do this please?  Does
> not look that hard.  Have looked in bind9 package git.

No.  We're in the freeze now.  Fixes need to be backported.

If backporting a fix is not possible with the certainty of no introduced bugs, we have no choice.

Debian Bind9 cannot ship with a basic DNS protocol handling error. As it stands it is severely broken in the resolver.  DNSSEC on the Internet is now a must.

ISC have been diligent in backporting fixes to their 9.8.x minor version stream.  There are only one or 2 new features, and I believe 1 or 2 configuration changes that are backwards compatible.  Consequently Bind 9.8.4 (or 9.7.7) is mostly coherent with Debian's policy of backporting fixes.  (ISC really know their own data structures, but also unfortunately do not make their VCS publicly available, only release complete tarballs, so finding the 100% correct patch can be a major problem.)  I believe a policy exception is possible in this case if needed, given that bind9 is such an important piece of software.

My case is put.  Could the security team please help to determine what to do?


Matthew Grant

