BIND's vulnerability to packet forgery
D. J. Bernstein
75628121832146-bind at sublist.cr.yp.to
Sun Jul 29 13:48:24 UTC 2001
Jim Reid writes:
> Wrong. From setup_lookup():
> lookup->sendmsg->id = (unsigned short)(random() & 0xFFFF);
Wrong. I said ``cryptographic randomization.'' The output of random() is
not cryptographically secure. In fact, it is quite easily predictable.
This is a standard exercise in first-semester cryptography courses.
> Randomising the port number for each query achieves precisely nothing.
Wrong. Randomizing the port number makes a huge difference in the cost
of a forgery for blind attackers---i.e., most attackers on the Internet.
Here's the picture:
                    normal          colliding       sniffing
                    blind attack    blind attack    attack
                    ------------    ------------    --------
nothing                        1               1           1
ID (BIND)                  65536             256           1
ID+port (djbdns)      4227727360           65020           1
It's funny that the BIND company has gone to so much effort to move from
the first line to the second, but now pooh-poohs the third line.
> > Wrong. As discussed in http://cr.yp.to/djbdns/forgery.html, the
> > current reality is that DNSSEC does nothing to prevent forgeries.
> Really? When were RSA and DSA broken?
Do you think that ``RSA'' is a magic word that makes security problems
disappear? Without a central key distribution system---a system that
doesn't exist now and won't exist for the foreseeable future---DNSSEC
doesn't stop forgeries.
---Dan
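
Added example, not part of the original post and not code from BIND or djbdns: drawing the query ID and source port from the kernel CSPRNG instead of random(), and reproducing the table's figures. PORT_COUNT is derived from the table (4227727360 / 65536 = 64510); PORT_BASE, /dev/urandom as the entropy source, and all function names are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>

#define ID_SPACE   65536u  /* 16-bit DNS query ID */
#define PORT_COUNT 64510u  /* from the table: 4227727360 / 65536 */
#define PORT_BASE  1025u   /* assumption: lowest source port handed out */

/* Uniform value in [0, bound) from /dev/urandom; rejection sampling
 * discards the tail of the 32-bit range so there is no modulo bias. */
static int csprng_uniform(uint32_t bound, uint32_t *out) {
    uint64_t limit = (((uint64_t)1 << 32) / bound) * bound;
    uint32_t r;
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f) return -1;
    do {
        if (fread(&r, sizeof r, 1, f) != 1) { fclose(f); return -1; }
    } while (r >= limit);
    fclose(f);
    *out = r % bound;
    return 0;
}

/* Pick an unpredictable (ID, source port) pair for one outgoing query. */
int pick_query_params(uint16_t *id, uint16_t *port) {
    uint32_t v;
    if (csprng_uniform(ID_SPACE, &v)) return -1;
    *id = (uint16_t)v;
    if (csprng_uniform(PORT_COUNT, &v)) return -1;
    *port = (uint16_t)(PORT_BASE + v);
    return 0;
}

/* "Normal blind attack" column: values a blind forger must guess among. */
uint64_t blind_space(int rand_id, int rand_port) {
    return (uint64_t)(rand_id ? ID_SPACE : 1u) * (rand_port ? PORT_COUNT : 1u);
}

/* floor(sqrt(n)); the table's "colliding" column equals this value
 * applied to the blind column (birthday bound). */
uint64_t isqrt64(uint64_t n) {
    uint64_t lo = 0, hi = 4294967295u;
    while (lo < hi) {
        uint64_t mid = lo + (hi - lo + 1) / 2;
        if (mid * mid <= n) lo = mid; else hi = mid - 1;
    }
    return lo;
}

int main(void) {
    uint16_t id, port;
    if (pick_query_params(&id, &port)) return 1;
    printf("id=%u port=%u\n", (unsigned)id, (unsigned)port);
    return 0;
}
```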