Bugtraq mailing list archives

Re: Comments re ISC's announcement on bind9 security

From: "Network Protocol Security" <netprotosec () gmail com>
Date: Wed, 31 Oct 2007 23:28:36 +0200

On 10/31/07, Shane Kerr <Shane_Kerr () isc org> wrote:


There seem to be two ideas you are presenting here, both intended to imply that
the developers at ISC are technically incompetent:

1. Using a pseudo-random number generator should be called "crypto".


No, but a pseudo random number generator whose output *should not be
predictable* is a *cryptographic* random number generator, hence
"crypto". Isn't it obvious that a DNS server should generate an
*unpredictable* DNS ID? and if the chosen algorithm can be predicted
easily, doesn't this constitute "extremely weak crypto"?

2. The particular pseudo-random number generator that BIND 9 now uses is a poor
   choice.


No, that is not what I said. Don't change the subject. The discussion
is about bind 9.4.1, not 9.4.1-P1. This is obvious from the use of
past tense in both your original statement and my previous email. So I
still maintain that bind9 had (up to and inc. 9.4.1) extremely weak
crypto.

Current thread:

Re: Comments re ISC's announcement on bind9 security Henrik Langos (Nov 01)
- <Possible follow-ups>
- Re: Comments re ISC's announcement on bind9 security Network Protocol Security (Nov 01)
- Re: Re: Comments re ISC's announcement on bind9 security ntn (Nov 01)
  - Re: Comments re ISC's announcement on bind9 security Theo de Raadt (Nov 01)
    - Re: Comments re ISC's announcement on bind9 security Tim (Nov 01)
    - Re: Comments re ISC's announcement on bind9 security Shane Kerr (Nov 02)
    - Re: Comments re ISC's announcement on bind9 security Tim (Nov 02)
    - Re: Comments re ISC's announcement on bind9 security Shane Kerr (Nov 02)
    - Re: Comments re ISC's announcement on bind9 security Tim (Nov 05)