BIND's vulnerability to packet forgery

Jim Reid jim at rfc1035.com
Sun Jul 29 12:17:43 UTC 2001 

>>>>> "djb" == D J Bernstein <75628121832146-bind at sublist.cr.yp.to> writes:

    djb> BIND company employee Jim Reid writes:
    >> The "packet forgery" you refer to applies to verifying and
    >> signing DNS data with DNSSEC.

    djb> Wrong. As discussed in http://cr.yp.to/djbdns/forgery.html,
    djb> the current reality is that DNSSEC does nothing to prevent
    djb> forgeries.

Really? When were RSA and DSA broken?

    djb> I'm talking about the protections that _do_ stop
    djb> some attacks right now:

    djb>  (1) cryptographic randomization of DNS query IDs and 
    djb>  (2) cryptographic randomization of the UDP port for each query.

And neither of these things is a significant improvement. They barely
raise the barrier for an attacker. Both the port number and query id
are known when the query leaves the server, so responding with a fake
reply is trivial. Or don't you classify that fake reply as "forgery"?

    djb> Apparently BIND doesn't do #1 without /dev/random, 

Wrong. From setup_lookup():

	lookup->sendmsg->id = (unsigned short)(random() & 0xFFFF);

Last time I looked random() was not the same as /dev/random. Now some
might argue that random() isn't random enough. Even so it's probably
good enough as an entropy source for the purpose it gets used for
here.

    djb> and it doesn't do #2 at all. In contrast, djbdns does both #1
and #2
    djb> automatically.

So what? Randomising the port number for each query achieves precisely
nothing. Apart from making the OS and name server do more work by
explicitly naming that socket; an extra system call per query. An
attacker can still see that query in all its glory and fake a reply to
it.
    >> The reason for the irony is that your DNS software doesn't
    >> support DNSSEC or Secure Dynamic Update at all.

    djb> My software supports secure outage-free upates. Security is
    djb> provided by standard external tools, typically IPSEC or ssh.

Perhaps: for your definition of security. How does your code detect a
forged or tampered reply? Well if the reply was signed and your code
supported DNSSEC, it could do that. But it doesn't. So it can't.

More information about the bind-users mailing list