June 12, 2001

ISS Xforce: BIND inadvertent local exposure of HMAC-MD5 keys

Author: JT Smith

LinuxSecurity: "A flaw exists in the dnskeygen utility under BIND version 8 and the dnssec-keygen utility
included with BIND version 9. The keys generated by these utilities are stored in two files. In
the case of HMAC-MD5 shared secret keys that are used for dynamic updates to DNS servers,
the same secret keying material is present in both files. Only one of the files is configured by
default with strong access control. The resulting exposure may allow unauthorized local users
to obtain the keying information. This may allow attackers to update DNS servers that support
dynamic DNS updates."


  • Linux
Click Here!