Maintained by: NLnet Labs

[Unbound-users] OpenSSL heartbleed bug

W.C.A. Wijngaards
Fri Apr 11 16:30:30 CEST 2014


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Daisuke,

On 04/11/2014 04:00 PM, Daisuke HIGASHI wrote:
> (To unbound-users / nsd-users)
> 
> Hi,
> 
> Does the OpenSSL heartbleed bug (CVE-2014-0160) affect Unbound/NSD?

NSD and Unbound have DNSSEC that does not use TLS, so they are not
affected by heartbleed for DNSSEC.

> I believe that unbound-control, ssl-upstream (unbound's), and
> nsd-control depend on OpenSSL to make a secure channel. (though
> remote control is usually allowed from localhost only...)

Yes, the default is from localhost.  Additionally, nsd-control and
unbound-control require a client certificate.  This seems to stop the
attack (when we tested it).

Unbound's ssl-upstream, ssl-service and unbound-anchor are options and
tools that create TLS connections.  These are vulnerable to heartbleed.
Unbound-anchor is a client-side, short-lived process with no secrets;
it makes TLS connections in exceptional circumstances.  ssl-upstream
makes client connections.  Unbound's ssl-service options create a TLS
server, and this is vulnerable.  The public TLS dnssec-trigger server
has had openssl upgraded.

Best regards,
   Wouter

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBAgAGBQJTR/yGAAoJEJ9vHC1+BF+NRYgP/28YG3rP9/4KOwqy6xaIQ/6O
6FjLK7DYVXDJEn3XMh7BOg+DvysnDTVPGlh2Vy6wHXYoAsUNV11GFQXV1dgnI3ii
nbIRWsi5wYBB3/kWemIhsfHCMCL2bOuorgkNem3oHd52AMTVKTaF42P9c16wMdLx
2B4Dz2zku+3c74ETz/8n094UkeJQdZcVtD/rGqjUeedKPtEkvwYQwCPsMUoFxaxC
42642o+XtrA3WBMTMKz8ue3yaGRjThrBDfDC1y1TmsKNQoKB6rITdIrJEuqVuVqP
KtQxk1qM9CzHOv7ubAI8ZNukaFcXr4Zwmuu/Nu4SV8+5jdXqTBptlN4djmkSD5zk
x6Q8Vnq9IW/YWi/jVWGmQ1Sb/GKMIVjp913CIipOG8ujYpXKck01SrbRSBYY5Iqv
NrtO7vPRag1kIDWlD9dM2i+q8iKirdYfer4tJuWyPQgb6tGSGN0hvr0cwj2TmfyA
MinP9Q3hkhTyfKJGiPEFjQ4gNEcMGJTCdlky85JJC4lh2y448nhVQb+G9KjQblXt
MtMAGVVgBvGKZWEUcnwXQ3aEuqevm01afx+xzI7nI3ev1CiKmw+SiLjpoDEPoyjE
bEbakF7qStDjb0g3reTJkG5Sljl0vIKwwh5GC07zrUVcpor4EqAb2BmVnrA1Yy3f
xPMFn+8rQC92jtBiE2M5
=vbeh
-----END PGP SIGNATURE-----