path: root/contrib/bind/doc/bog
author: peter <peter@FreeBSD.org> 1996-12-31 19:51:17 +0000
committer: peter <peter@FreeBSD.org> 1996-12-31 19:51:17 +0000
commit: b13db018fbb01d60dabb34ce9bd3f06994fd81b7 (patch)
tree: a2327c4e40b3c074798fd7f0ddd86f66879ceab5 /contrib/bind/doc/bog
parent: 2d3cf9fcaf1ca2528c5fe3ba683d1f6c1268dc41 (diff)
Import Paul Vixie/ISC's bind-4.9.5-patch1 onto the vendor branch.
This has some (all?) of the DNSSEC key management/distribution mechanism in place. (The SIG and KEY RRs)

Obtained from: Paul Vixie / ISC / ftp.isc.org
Diffstat (limited to 'contrib/bind/doc/bog')
-rw-r--r-- contrib/bind/doc/bog/00title.me | 2
-rw-r--r-- contrib/bind/doc/bog/Makefile | 3
-rw-r--r-- contrib/bind/doc/bog/files.me | 8
-rw-r--r-- contrib/bind/doc/bog/ns.me | 39
4 files changed, 45 insertions, 7 deletions
diff --git a/contrib/bind/doc/bog/00title.me b/contrib/bind/doc/bog/00title.me
index 616202b..c9e708c 100644
--- a/contrib/bind/doc/bog/00title.me
+++ b/contrib/bind/doc/bog/00title.me
@@ -57,7 +57,7 @@
.b "Name Server Operations Guide"
.b "for \s-1BIND\s+1"
.sz
-\fIRelease 4.9.4\fP
+\fIRelease 4.9.5\fP
.eh 'SMM:10-%''Name Server Operations Guide for \s-1BIND\s+1'
.oh 'Name Server Operations Guide for \s-1BIND\s+1''\s-1SMM\s+1:10-%'
.sp
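Review bot: the title page now reads "Release 4.9.5" while the commit message imports bind-4.9.5-patch1; if the patch level matters to operators (the new Security section in ns.me tells readers to run specific -P releases), consider stating the full release string here, or documenting that the title page tracks only the base release.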
diff --git a/contrib/bind/doc/bog/Makefile b/contrib/bind/doc/bog/Makefile
index 3cd50eb..32456a0 100644
--- a/contrib/bind/doc/bog/Makefile
+++ b/contrib/bind/doc/bog/Makefile
@@ -62,6 +62,9 @@ ME= -me
NROFF= nroff -rb3
PRINTER= -Pdp
TBL= dtbl $(PRINTER)
+# For Linux:
+#PRINTER=
+#TBL= tbl $(PRINTER)
TROFF= ditroff $(PRINTER)
GROFF= groff -Tps -t $(ME)
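Review bot: the commented-out Linux block only redefines PRINTER and TBL, but TROFF two lines below still invokes ditroff with $(PRINTER), so a Linux user who uncomments these lines and runs the troff target will still fail; either add a matching commented TROFF line or note that Linux users should build with the GROFF target, which does not use ditroff or tbl. Also consider making the platform choice a single variable rather than lines to hand-edit.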
diff --git a/contrib/bind/doc/bog/files.me b/contrib/bind/doc/bog/files.me
index 4a28da4..7e75525 100644
--- a/contrib/bind/doc/bog/files.me
+++ b/contrib/bind/doc/bog/files.me
@@ -250,7 +250,7 @@ Slave mode is activated by placing the simple command
\fIoptions forward-only\fP
.)b
in the bootfile. If this option is used, then you must specify forwarders.
-When in slave mode, the server will forward each query to each of the the
+When in slave mode, the server will forward each query to each of the
forwarders until an answer is found or the list of forwarders is exhausted.
The server will not try to contact any remote name server other than those
named in the \fIforwarders\fP list.
@@ -829,7 +829,7 @@ protocol per address. Note that RFC1123 says of \fIWKS\fP records:
...
The TXT and WKS RR types have not been widely used by
Internet sites; as a result, an application cannot rely
- on the the existence of a TXT or WKS RR in most
+ on the existence of a TXT or WKS RR in most
domains.
.)l
.sh 3 "CNAME - Canonical Name"
@@ -1046,6 +1046,10 @@ recognize it.
.sh 2 "Discussion about the TTL"
.pp
+The use of different Time To Live fields with in a RRset have been
+deprecated and this is enforced by the server when loading a primary
+zone. See the Security section for more discussion of differing TTLs.
+.pp
The Time To Live assigned to the records and to the zone via the
Minimum field in the SOA record is very important. High values will
lead to lower BIND network traffic and faster response time. Lower
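Review bot: the new paragraph has grammar problems ("with in a RRset have been deprecated" should read "within an RRset has been deprecated"), and its scope should be stated more precisely: enforcement "when loading a primary zone" says nothing about how a secondary treats differing TTLs it receives in a zone transfer, nor about data learned from answers, which the Security section this paragraph points to does discuss. Suggest spelling out which paths are checked so the cross-reference does not leave readers guessing.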
diff --git a/contrib/bind/doc/bog/ns.me b/contrib/bind/doc/bog/ns.me
index ec3ca3c..b507e94 100644
--- a/contrib/bind/doc/bog/ns.me
+++ b/contrib/bind/doc/bog/ns.me
@@ -1,5 +1,3 @@
-.\" ++Copyright++ 1986, 1988
-.\" -
.\" Copyright (c) 1986, 1988
.\" The Regents of the University of California. All rights reserved.
.\"
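Review bot: this hunk and the one below remove the "++Copyright++" / "--Copyright--" bracket lines around the Regents notice; the notice text itself is unchanged, but these markers are the delimiters the BIND source tree uses to locate copyright blocks, so confirm the removal is deliberate in the upstream 4.9.5 distribution rather than a local merge artifact before importing it onto the vendor branch.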
@@ -48,8 +46,6 @@
.\" PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
.\" ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
.\" SOFTWARE.
-.\" -
-.\" --Copyright--
.\"
.\" @(#)ns.me 6.3 (Berkeley) 9/19/89
.\"
@@ -94,3 +90,38 @@ Berkeley would look as follows:
.)b
The top level domain for educational organizations is EDU;
Berkeley is a subdomain of EDU and monet is the name of the host.
+.sh 1 Security
+.pp
+This section examines some of the know security implications of various
+versions of BIND. Some of these have been used to attack the nameservers
+in the past.
+.sh 2 "Unnecessary Glue"
+.pp
+Unnecessary glue can lead to incorrect records being loaded into the
+server. This can result in connections going to the wrong machines.
+.pp
+To prevent unnecessary glue being loaded, all the servers of zones being
+servered by a server and the servers of the parent zones need to be
+upgraded to BIND 4.9.3 or later.
+.sh 2 "Insertion of data into a zone that is being servered"
+.pp
+BIND versions prior to BIND 4.9.2 are subject to the insertion of
+resource records into zone that they are serving.
+.sh 2 "Denial of Service: Hash Bug Exploit"
+.pp
+September 1996 saw the COM TLD subject to a denial of service attack by
+injecting into the DNS a record with a final label of COM, eight spaces
+and COM. This effected BIND 4.9.4 servers. Similar attacks are possible
+on BIND 4.9.3 and BIND 4.9.3-P1.
+.pp
+It is recommend that you run a BIND 4.9.4-P1 or later server to avoid
+this exploit.
+.sh 2 "Denial of Service: TTL Inconsistency Attacks"
+.pp
+If you are still using multiple TTL values within a RRset you can be
+subject to a denial of service attack. BIND 4.9.5 onwards uses multiple
+ttl values within a RRset to reject obviously bad RRset.
+.pp
+It is recommend that you upgrade to BIND 4.9.5 or later as these server
+prevent you loading multiple TTL values and doesn't merge answers received
+across the network.
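Review bot: the "Insertion of data into a zone that is being servered" subsection states the affected versions but, unlike the other three subsections, gives no remediation line; add the obvious "upgrade to BIND 4.9.2 or later" so each entry pairs the exposure with the fix. Several spelling errors should be corrected before this ships as user documentation: "know" (known), "servered" (served, twice, including in the .sh heading), "effected" (affected), "recommend" (recommended, twice), "a RRset" (an RRset), and "these server prevent ... and doesn't merge" (these servers prevent ... and don't merge). The "Unnecessary Glue" entry should also make clear that upgrading the parent zone's servers is usually outside the reader's control, so the mitigation is partly a request to the parent's operator.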