BIND's vulnerability to packet forgery
D. J. Bernstein
75628121832146-bind at sublist.cr.yp.to
Sun Jul 29 11:31:28 UTC 2001
BIND company employee Jim Reid writes:
> The "packet forgery" you refer to applies to verifying and signing DNS
> data with DNSSEC.
Wrong. As discussed in http://cr.yp.to/djbdns/forgery.html, the current
reality is that DNSSEC does nothing to prevent forgeries. I'm talking
about the protections that _do_ stop some attacks right now:
(1) cryptographic randomization of DNS query IDs and
(2) cryptographic randomization of the UDP port for each query.
Apparently BIND doesn't do #1 without /dev/random, and it doesn't do #2
at all. In contrast, djbdns does both #1 and #2 automatically.
> The reason for the irony is that your DNS software doesn't support
> DNSSEC or Secure Dynamic Update at all.
My software supports secure outage-free updates. Security is provided by
standard external tools, typically IPSEC or ssh.
---Dan
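To make the two measures in the message concrete, here is an added toy model written for this page (it is not djbdns or BIND code): a resolver that draws a cryptographically random 16-bit query ID and, optionally, a random UDP source port for each query, accepts an answer only when name, ID and port all match an outstanding query, and reports the chance that one blindly guessed answer is accepted. The ephemeral port range 1024-65535, the fixed port 53 for the non-randomizing case, and the domain names are assumptions.

```python
"""Toy model of (1) query-ID randomization and (2) per-query UDP source port
randomization, and of how much each shrinks the space an off-path sender of
a forged answer has to guess.  Constructed illustration, not resolver code."""
import secrets
from dataclasses import dataclass

ID_SPACE = 1 << 16                  # DNS query ID is a 16-bit field
PORT_LOW, PORT_HIGH = 1024, 65535   # assumed ephemeral source-port range
FIXED_PORT = 53                     # assumed single port when #2 is absent


@dataclass(frozen=True)
class Outstanding:
    qname: str
    qid: int
    port: int


class Resolver:
    """Tracks outstanding queries keyed by (query ID, source port)."""

    def __init__(self, randomize_port: bool):
        self.randomize_port = randomize_port
        self.pending: dict[tuple[int, int], Outstanding] = {}

    def send_query(self, qname: str) -> Outstanding:
        # secrets uses the OS CSPRNG, i.e. the "cryptographic randomization"
        # the message asks for, rather than a guessable counter or PRNG.
        qid = secrets.randbelow(ID_SPACE)
        if self.randomize_port:
            port = PORT_LOW + secrets.randbelow(PORT_HIGH - PORT_LOW + 1)
        else:
            port = FIXED_PORT
        q = Outstanding(qname, qid, port)
        self.pending[(qid, port)] = q
        return q

    def accept_answer(self, qname: str, qid: int, dst_port: int) -> bool:
        """Accept only if name, ID and destination port match one outstanding
        query; the match is consumed so a second copy is rejected."""
        q = self.pending.get((qid, dst_port))
        if q is None or q.qname != qname:
            return False
        del self.pending[(qid, dst_port)]
        return True


def blind_guess_probability(randomize_port: bool) -> float:
    """Chance that a single answer with a guessed ID (and port) matches one
    outstanding query: 1 / (ID space), times 1 / (port space) if #2 is on."""
    space = ID_SPACE
    if randomize_port:
        space *= PORT_HIGH - PORT_LOW + 1
    return 1.0 / space
```

With both measures on, a blind guess must hit one of about 2^32 (ID, port) pairs instead of 2^16 IDs, which is the gap the message is pointing at.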