home.social

70 results for “isecdotorg”

  1. My favorite moment from last week's #ripe92 in Edinburgh. My two colleagues and friends Peter 'Pete' Eckel and @cstrotm having breakfast in the lovely apartment we had rented. Laptops in front of them and in the midst of a discussion on some DNS stuff. 🥰

    Later that day we presented the PoC we at @sys4 had prepared for our working group along with @iscdotorg, @nlnetlabs, @knotfeed, @PowerDNS and DENIC.

  2. As I was cleaning out my home office I found this relic. Published in 2001 and, as the cover says, it covers BIND 9, to be more specific BIND 9.1. Today, BIND is at version 9.18, released in 2020. It shows you that software that was written well does not need tons of updates. #DNS #SystemsAdministration @iscdotorg

  3. CW: New multi-implementation DNSSEC validation DoS vulnerabilities - CVE-2023-50387 ("KeyTrap"), CVE-2023-50868 (NSEC3 vuln)

    (living doc, updated regularly - if you prefer a low-edit post to boost, use infosec.exchange/@tychotithonu)

    Looks like DNS-OARC coordinated fixes in advance, but no centralized analysis at first other than the announcement from the team who discovered KeyTrap:

    Details may be still partially embargoed until patching ramps up.

    Analysis:

    DoS of all major DNSSEC-validating DNS resolvers (servers, but also maybe local resolvers like systemd's?) at the implementation level. Exploitation described as 'trivial'. Both are CVSS 7.5. DNS is a rich ransom target - but some resolver setups don't even validate DNSSEC.

    "In 2012 the vulnerability made its way into the implementation requirements for DNSSEC validation, standards RFC 6781 and RFC 6840" (per ATHENE)

    Per the Unbound writeup, both vulns require a query to a malicious zone (which is probably not hard to trigger, for any DNSSEC-enabled client or server).

    Resolution: patch (recommended); disable DNSSEC validation (discouraged, but can buy you time / mitigate active DoS)

    Fixes mitigate the exhaustion by putting caps on validation activities. These caps appear to have been missing from most implementations.

    Details:

    Two DNSSEC DoS CVEs:

    CVE-2023-50387 ("KeyTrap"): "DNSSEC verification complexity can be exploited to exhaust CPU resources and stall DNS resolvers" (CVSS 7.5)
    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
    seclists.org/oss-sec/2024/q1/1

    (KeyTrap was discovered by ATHENE - their press release here has very important detail:
    athene-center.de/en/news/press)

    CVE-2023-50868: "NSEC3 closest encloser proof can exhaust CPU" (CVSS 7.5)
    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

    MITRE links (now populated):
    cve.mitre.org/cgi-bin/cvename.
    cve.mitre.org/cgi-bin/cvename.

    Vulmon queries:
    vulmon.com/searchpage?q=CVE-20
    vulmon.com/searchpage?q=CVE-20

    VulDB:
    vuldb.com/?id.253829

    Resolver status:

    BIND (patched - vuln since 2000?):
    fosstodon.org/@iscdotorg/11192
    kb.isc.org/docs/cve-2023-50387
    kb.isc.org/docs/cve-2023-50868
    seclists.org/oss-sec/2024/q1/1
    isc.org/blogs/2024-bind-securi
    (note: posts say "Versions prior to 9.11.37 were not assessed." but also have a range of affected versions starting at 9.0.0 - typo?)

    BIND tools:
    dig: no validation
    kdig: no validation
    delv: affected, patched

    dnsmasq (patched - 2.90 has fix):
    thekelleys.org.uk/dnsmasq/CHAN
    lists.thekelleys.org.uk/piperm

    Knot (patched in 5.7.1):
    knot-resolver.cz/2024-02-13-kn
    (kzonecheck also affected, patched?)

    ldns-verify-zone:
    affected per ATHENE paper

    OPNsense (patched):
    forum.opnsense.org/index.php?t

    pfSense:
    (Bundled Unbound: plan appears to be to make a separate package available for manual update?; BIND: optional package)
    forum.netgate.com/topic/186145
    redmine.pfsense.org/issues/152

    Pi-Hole (uses dnsmasq - patch available)
    patreon.com/posts/dnssec-fix-9
    pi-hole.net/blog/2024/02/13/fi

    PowerDNS (patched - all versions affected):
    blog.powerdns.com/2024/02/13/p
    github.com/PowerDNS/pdns/pull/
    github.com/PowerDNS/pdns/pull/
    seclists.org/oss-sec/2024/q1/1

    Stubby:
    [?]
    github.com/getdnsapi/stubby

    systemd.resolved:
    [?]

    Ubiquiti
    [?]

    Unbound (patched - vuln since Aug 2007):
    nlnetlabs.nl/news/2024/Feb/13/
    nlnetlabs.nl/downloads/unbound
    seclists.org/oss-sec/2024/q1/1

    Library status:
    dnspython (GitHub patched):
    affected per ATHENE paper
    github.com/rthalley/dnspython/

    getdns (used by stubby - no patched release?):
    affected per ATHENE paper
    getdnsapi.net/releases/

    ldns (not yet patched?):
    affected per ATHENE paper
    github.com/NLnetLabs/ldns

    libunbound (used by Unbound):
    affected per ATHENE paper
    no recent patches?
    github.com/NLnetLabs/unbound/t

    Cloud status:

    Akamai:
    akamai.com/blog/security/dns-e

    Cloudflare:
    blog.cloudflare.com/remediatin

    Google DNS:
    (stated as patched in Register and SecurityWeek articles)
    [?]

    NextDNS (patched per forum reply):
    help.nextdns.io/t/h7yxwc5/does

    OS status:

    Debian:
    BIND:
    lists.debian.org/debian-securi
    pdns-recursor:
    lists.debian.org/debian-securi
    Unbound:
    lists.debian.org/debian-securi

    Fedora:
    bodhi.fedoraproject.org/update

    FreeBSD:
    cgit.freebsd.org/ports/commit/

    Gentoo:
    bugs.gentoo.org/show_bug.cgi?i

    Mageia:
    bugs.mageia.org/show_bug.cgi?i

    OpenBSD (unwind):

    Red Hat:
    bugzilla.redhat.com/show_bug.c
    access.redhat.com/security/cve
    access.redhat.com/security/cve

    SUSE:
    suse.com/security/cve/CVE-2023
    bugzilla.suse.com/show_bug.cgi

    Ubuntu:
    ubuntu.com/security/CVE-2023-5
    ubuntu.com/security/CVE-2023-5
    ubuntu.com/security/notices/US

    Windows (Server, DNS Role):
    msrc.microsoft.com/update-guid

    Package status:

    BIND:
    repology.org/project/bind/vers

    dnsmasq:
    repology.org/project/dnsmasq/v

    Unbound:
    repology.org/project/unbound/v

    GitHub:
    github.com/advisories/GHSA-845

    Go (Knot module?)
    github.com/golang/vulndb/issue

    Non-coverage: (no mentions known yet)

    AWS :
    [?]

    Azure (Microsoft Server DNS?):
    [?]

    Cisco Umbrella:
    umbrella.cisco.com/blog [?]

    CoreDNS:
    coredns.io/blog/ [?]

    Infoblox:
    blogs.infoblox.com/ [?]

    Quad9 DNS:
    quad9.net/news/blog/ [?]

    News/Press/Forums

    pducklin.com/2024/02/18/the-sc

    theregister.com/2024/02/13/dns

    securityweek.com/keytrap-dns-a

    bleepingcomputer.com/news/secu

    news.ycombinator.com/item?id=3

    darkreading.com/cloud-security

    Detection/Validation:

    Check to see if a server is doing DNSSEC validation (if not an open recursive resolver, you may need to query a zone the server is authoritative for):

    # zone signed, server DNSSEC-enabled:
    $ delv example.net @8.8.8.8
    ; fully validated
    example.net. 4437 IN A 93.184.216.34
    example.net. 4437 IN RRSIG A 13 2 86400 20240225232039 20240204162038 18113 example.net. 94G2PRXins1G9ntfklvCq2mvcgqjB0z9FqQXp77lD/wXR4J3D67ceih1 yNgsYYqlIAOoWKXUekux6Zq9aIwszQ==

    # zone unsigned, server DNSSEC-enabled:
    $ delv google.com @8.8.8.8
    ; unsigned answer
    google.com. 100 IN A 142.250.69.206

    Tenable:
    tenable.com/plugins/pipeline/i

    Snyk:
    security.snyk.io/vuln/SNYK-UNM

    Exploits:

    (multiple sources describe as "trivial")

    github.com/knqyf263/CVE-2023-5 (not tested)

    #keytrap #nsec3 #CVE202350387 #CVE202350868 #CVE_2023_50387 #CVE_2023_50868
    #dns #dnssec
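
The post above summarizes the fix as "caps on validation activities". The following toy validator is an added, constructed example (not code from BIND, Unbound, Knot, PowerDNS or any other project listed, and not the post author's) that counts how many signature checks one RRset costs when a zone presents many RRSIGs and many DNSKEYs with a matching key tag, and shows how a per-RRset failure cap bounds that work. Real public-key verification is replaced by a boolean stand-in so the block runs offline; the key tag 12345, the counts of 50 keys and 50 signatures, and the cap value 16 are all invented for the illustration.

```python
"""Toy model of bounded DNSSEC signature validation.

Constructed illustration for the "caps on validation activities" fix
described in the post above; not code from any resolver. Cryptography
is replaced by a boolean stand-in so only the amount of work is measured.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class DNSKey:
    key_tag: int    # 16-bit RFC 4034 key tag; tags are not required to be unique
    genuine: bool   # constructed stand-in: True if this key really signed the RRset


@dataclass(frozen=True)
class RRSig:
    key_tag: int
    genuine: bool   # constructed stand-in: True for a signature made by the genuine key


def verify(sig: RRSig, key: DNSKey) -> bool:
    """Stand-in for the expensive public-key operation (RSA/ECDSA/EdDSA) a real
    validator runs here. Only the genuine signature/key pair verifies."""
    return sig.genuine and key.genuine


def validate_rrset(sigs, keys, max_failures=None):
    """Return (status, attempts).

    RFC 4035 section 5.3.1 has a validator try every DNSKEY whose key tag
    (owner name and algorithm are omitted in this toy) matches an RRSIG.
    Uncapped, a zone where nothing validates costs len(sigs) * len(matching
    keys) verifications per query. With max_failures set, the validator gives
    up after that many failed checks and marks the RRset bogus, so the CPU
    spent on one query is bounded regardless of what the zone publishes.
    """
    attempts = 0
    failures = 0
    for sig in sigs:
        for key in keys:
            if key.key_tag != sig.key_tag:
                continue  # only tag-matching keys are candidates for this RRSIG
            attempts += 1
            if verify(sig, key):
                return "secure", attempts
            failures += 1
            if max_failures is not None and failures >= max_failures:
                return "bogus", attempts
    return "bogus", attempts


def make_zone(n_keys: int, n_sigs: int, key_tag: int = 12345, genuine: bool = False):
    """Constructed RRset: n_sigs signatures and n_keys keys sharing one key tag.

    genuine=True marks the first key and first signature as the real pair
    (a normal zone: the first check succeeds); genuine=False models a zone
    where nothing validates, which is the expensive case for the validator.
    """
    keys = [DNSKey(key_tag, genuine and i == 0) for i in range(n_keys)]
    sigs = [RRSig(key_tag, genuine and j == 0) for j in range(n_sigs)]
    return sigs, keys


def work_report(cap: int = 16) -> dict:
    """Compare a normal zone, an uncapped pathological zone and the capped case."""
    normal = validate_rrset(*make_zone(1, 1, genuine=True))
    uncapped = validate_rrset(*make_zone(50, 50))
    capped = validate_rrset(*make_zone(50, 50), max_failures=cap)
    return {"normal": normal, "uncapped": uncapped, "capped": capped}


if __name__ == "__main__":
    for name, (status, attempts) in work_report().items():
        print(f"{name:9s} status={status:7s} verifications={attempts}")
```

Running it shows the normal zone validated with one stand-in verification, the uncapped case spending 2500 on a single query, and the capped validator stopping at 16 and returning bogus, which is the shape of the mitigation the advisories describe. Each implementation chooses what it counts and where it sets the limit; those details are in the vendor links above, and the delv check earlier in the post tells you whether a resolver is on the validating code path at all.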

  4. Our May 2026 maintenance releases of BIND 9 are available at isc.org/download : 9.18.49 and 9.20.23 (stable) and 9.21.22 (development). Packages and container images provided by ISC will be updated later today.

    In addition to bug fixes and feature improvements, these releases also contain fixes for security vulnerabilities:

    - kb.isc.org/docs/cve-2026-3039
    - kb.isc.org/docs/cve-2026-3592
    - kb.isc.org/docs/cve-2026-3593
    - kb.isc.org/docs/cve-2026-5946
    - kb.isc.org/docs/cve-2026-5947
    - kb.isc.org/docs/cve-2026-5950

  5. RE: mastodns.net/@dualkei/11657348

    Looking forward to and . The ISC team will be there too.

  6. After winning a preliminary injunction in the Wash, DC courts, OTF is funded again, and back in the business of funding projects in support of Internet freedom and privacy.

    They are open for applications at opentech.fund/get-support/

    (OTF funded development of the privacy-protecting qname-minimization feature in ISC's BIND 9 software. We found they were easy to work with, committed, and all in all a great team. )

  7. The ICANN Security and Stability Advisory Committee has just released a report, explaining that the DNS relies heavily on open source software. This report was written as a backgrounder for policy makers who may not know much about the DNS, or about Open Source. Several of us from open source DNS projects contributed, as did several experienced DNS operators and researchers. The report is here: itp.cdn.icann.org/en/files/sec

  8. Rinse Kloek gave a talk at the recent #nlnog on his experience migrating DHCP services for the Delta Fiber service provider network from ISC-DHCP to Kea. Includes a heart-stopping network disaster which is part of all good networking stories. youtube.com/live/sbzeU4OrF38?t

  13. Thank you to our friends at #Nominet for creating the Nominet DNS Fund! It's for projects that "improve the security, long-term sustainability, and resilience of DNS open source projects." We like the sound of that and encourage potential recipients to apply.

    nominet.uk/our-impact/nominet-

  18. Did you know ISC had a #DNS Hackathon recently? It was hosted by #RIPE_NCC, #dnsoarc, and #Netnod in Stockholm on March 14-15. We proposed a project, the DNS Zone Viewer, to integrate another DNS implementation (besides #BIND 9) with Stork, our graphical management interface.

    Read more about it at isc.org/blogs/2025-dns-hackath !

  23. Do you want to be a (bigger) part of the open source DNS community?

    Come join ISC's Marcin Siodelski at the DNS Hackathon in Stockholm, sponsored by #Netnod, #dnsoarc, and #RIPE_NCC! We'd really appreciate your help, especially if you're a #Powerdns user.

    Get more details and sign up at isc.org/blogs/2025-dns-hackath , and thank you!

  28. Don't miss this chance to meet ISC staff live and in person! Stop by our table at the Sponsor Showcase today from 1:30-4:30 PM and say hi! (We have M&Ms...)

  29. ISC will be at in Atlanta! Please stop by our table at the Monday Afternoon Showcase on February 3 and say hi! We'd love to chat with you.

  30. Equinix has been a long-time supporter of F-Root as part of its "For Good of the Internet" program, which supports nonprofit DNS providers and other organizations working to benefit the Internet as a whole. Equinix has recently upgraded its F-Root node in Warsaw, Poland, and ISC is grateful for its partnership.

    Thank you, Equinix! linkedin.com/company/equinix/