BIND's vulnerability to packet forgery

Michael Kjorling michael at kjorling.com
Sun Jul 29 13:07:48 UTC 2001 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I don't want to involve in flame wars, but I have to reply to this
since it is so obviously wrong.

First your point #1 - "cryptographic randomization of DNS query IDs".
Let me tell you that I seriously doubt that /dev/random is a
cryptographically secure PRNG (pseudo-random number generator), on any
platform. Relying on it for anything but a few bits of entropy every
few hours, or less, would probably be a VERY bad thing to do. Besides,
I fail to see how this would help against attacks? Query IDs are used
to match queries with their respective answers - so unless you can
guess exactly when a query with a specific ID is being asked, you will
be having a hard time spoofing the response. Or do you mean flooding a
DNS client with responses until one eventually matches?

(2) - same thing here. You are talking about cryptographically secure
random numbers generated by /dev/random when /dev/random is inherently
not adapted for that kind of work. Period. I might be wrong on some
very specific platforms - one that comes to my mind is OpenBSD which
has a record of being secure. But that would be the exception. And
again, how would you expect a "more random" source port would help
security? Any system connected to the Internet today should be behind
a firewall; those who aren't probably have bigger problems than
spoofed DNS responses. Most firewalls are stateful - they allow the
query to go out, then remember the port and IP quads that were used
and allow responses back in. Do you mean that someone is going to run
the entire IP space and probable port range (say 1024-5000) down the
throat of someone hoping to get one right?

You have been bashing DNSSEC and TSIG because they are not yet widely
deployed. Yet, you bring up completely unrelated technologies like SSH
(which doesn't have to do with DNS at all!) - and how many have
implemented IPsec on a large scale so far? I don't have numbers but I
dare say not many.

What cryptographically secure PRNG are you using in djbdns? Not that I
think most people here care, but it would be interesting for me to
know.


Michael Kjörling
PS. A note to the moderator - if my post is too harsh in wording, feel
free to drop it. I won't be offended.


On Jul 29 2001 11:31 -0000, D. J. Bernstein wrote:

> BIND company employee Jim Reid writes:
> > The "packet forgery" you refer to applies to verifying and signing DNS
> > data with DNSSEC.
>
> Wrong. As discussed in http://cr.yp.to/djbdns/forgery.html, the current
> reality is that DNSSEC does nothing to prevent forgeries. I'm talking
> about the protections that _do_ stop some attacks right now:
>
>    (1) cryptographic randomization of DNS query IDs and
>    (2) cryptographic randomization of the UDP port for each query.
>
> Apparently BIND doesn't do #1 without /dev/random, and it doesn't do #2
> at all. In contrast, djbdns does both #1 and #2 automatically.
>
> > The reason for the irony is that your DNS software doesn't support
> > DNSSEC or Secure Dynamic Update at all.
>
> My software supports secure outage-free upates. Security is provided by
> standard external tools, typically IPSEC or ssh.
>
> ---Dan

- -- 
Michael Kjörling - michael at kjorling.com - PGP: 8A70E33E
Manager Wolf.COM -- Programmer -- Network Administrator
"We must be the change we wish to see" (Mahatma Gandhi)

^..^     Support the wolves in Norway -- go to     ^..^
 \/   http://home.no.net/ulvelist/protest_int.htm   \/

***** Please only send me emails which concern me *****

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE7ZAqvKqN7/Ypw4z4RAkOCAKC9rVsCm2Pyoq0ytm7OpaYgzlXFhgCgh8b0
tbt3g/g9bPUgZ4GvKffa27k=
=QvQT
-----END PGP SIGNATURE-----

More information about the bind-users mailing list