FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

FreeBSD -- BIND named(8) cache poisoning with DNSSEC validation

Affected packages
6.3 <= FreeBSD < 6.3_15
6.4 <= FreeBSD < 6.4_9
7.1 <= FreeBSD < 7.1_10
7.2 <= FreeBSD < 7.2_6
8.0 <= FreeBSD < 8.0_2

Details

VuXML ID e500b9bf-ca3e-11df-aade-0050568f000c
Discovery 2010-01-06
Entry 2010-10-24
Modified 2016-08-09

Problem Description:

If a client requests DNSSEC records with the Checking Disabled (CD) flag set, BIND may cache the unvalidated responses. These responses may later be returned to another client that has not set the CD flag.

References

FreeBSD Advisory SA-10:01.bind