[nsd-users] OpenSSL heartbleed bug
W.C.A. Wijngaards
wouter at nlnetlabs.nl
Fri Apr 11 14:30:30 UTC 2014
Hi Daisuke,

On 04/11/2014 04:00 PM, Daisuke HIGASHI wrote:
> (To unbound-users / nsd-users)
>
> Hi,
>
> Does the OpenSSL heartbleed bug (CVE-2014-0160) affect Unbound/NSD?

NSD and Unbound have DNSSEC that does not use TLS, so they are not
affected by heartbleed for DNSSEC.

> I believe that unbound-control, ssl-upstream (Unbound's), and
> nsd-control depend on OpenSSL to make a secure channel (though
> remote control is usually allowed from localhost only...).

Yes the default is from localhost. Additionally, nsd-control and
unbound-control require a client certificate. This seems to stop the
attack (when we tested it).

Unbound's ssl-upstream, ssl-service and unbound-anchor are options and
tools that create TLS connections. This is vulnerable to heartbleed.
Unbound-anchor is a client-side, short-lived process with no secrets,
it makes TLS connections in exceptional circumstances. ssl-upstream
makes client connections. Unbound's ssl-service options create a TLS
server, and this is vulnerable. The public TLS dnssec-trigger server
has had openssl upgraded.

Best regards,
Wouter
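
The following is an added example, not part of the message above and not NLnet Labs code: a small audit that reads an unbound.conf and lists which of the TLS-using features named in the message are enabled, so the TLS server case can be prioritised for an OpenSSL upgrade. The sample configuration, its paths and addresses are constructed, and the parser assumes one `option: value` per line.

```python
LOOPBACK = {"127.0.0.1", "::1"}

# Constructed sample unbound.conf, not taken from the original message.
SAMPLE_CONF = '''
server:
    ssl-service-key: "/etc/unbound/unbound_server.key"
    ssl-service-pem: "/etc/unbound/unbound_server.pem"
    ssl-port: 443
    # ssl-upstream: yes
remote-control:
    control-enable: yes
    control-interface: 127.0.0.1
    control-interface: 192.0.2.10
'''

def parse_conf(text):
    """Parse 'clause:' headers and 'option: value' lines into {clause: {option: [values]}}."""
    conf, clause = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        key, _, value = line.partition(":")
        value = value.strip().strip('"')
        if not value:                            # a bare 'name:' opens a clause
            clause = key.strip()
            conf.setdefault(clause, {})
        elif clause is not None:
            conf[clause].setdefault(key.strip(), []).append(value)
    return conf

def tls_surfaces(text):
    """Return [(surface, note)] for the TLS-using features named in the message."""
    conf = parse_conf(text)
    server, rc = conf.get("server", {}), conf.get("remote-control", {})
    found = []
    if server.get("ssl-service-key") and server.get("ssl-service-pem"):
        found.append(("ssl-service", "TLS server, described as vulnerable"))
    if server.get("ssl-upstream", ["no"])[-1] == "yes":
        found.append(("ssl-upstream", "makes TLS client connections"))
    if rc.get("control-enable", ["no"])[-1] == "yes":
        # With no control-interface set, Unbound listens on localhost only.
        ifaces = rc.get("control-interface", ["127.0.0.1", "::1"])
        remote = [i for i in ifaces if i not in LOOPBACK]
        note = "non-loopback: " + ", ".join(remote) if remote else "loopback only"
        found.append(("remote-control", note + "; client certificate required"))
    return found

if __name__ == "__main__":
    for surface, note in tls_surfaces(SAMPLE_CONF):
        print(f"{surface}: {note}")
```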