Bugtraq mailing list archives

Re: SNI-12: BIND Vulnerabilities and Solutions


From: daw () CS BERKELEY EDU (David Wagner)
Date: Wed, 23 Apr 1997 02:18:56 -0700


In article <5jjnjr$b5r () joseph cs berkeley edu>,
David Wagner  <daw () CS BERKELEY EDU> wrote:
> However, I think your patch won't fix the problem.
>
> It attempts to make the query ID unpredictable, but fails -- the "random"
> numbers it generates are still predictable (after a trivial 2^16 offline
> trials).  And the seeding is terrible -- two years ago Netscape used
> timeofday and pid to seed their PRNG, too, and look what happened to them.
>
> Tell me I'm missing something.

Allow me to partially retract my claim.  As far as I can tell the patch
works as intended on OpenBSD systems, and my concerns do not apply to
OpenBSD-based boxes.  I'd like to publicly apologize to OpenBSD and Theo
de Raadt for tarring OpenBSD with too broad a brush.

However, I still believe the patch won't fix the problem on most systems:
as far as I can tell, it won't fix the hole on systems not running OpenBSD.
The secnet advisory probably should have included a note to this effect.
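
Added illustration, not part of the original post and not the patch's code: a C audit of a hypothetical generator whose whole internal state is 16 bits, showing that one observed query ID pins that state down within 2^16 offline trials however the seed was chosen, next to a form that takes each ID from the kernel. The names `toy_step`, `toy_mix`, `toy_next_id`, `states_matching` and `secure_query_id`, the generator constants, the seed value and the use of `/dev/urandom` are all assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical weak generator (an assumption, not the patch's code):
 * its entire internal state is 16 bits wide. */
static uint16_t toy_step(uint16_t s) { return (uint16_t)(s * 25173u + 13849u); }
static uint16_t toy_mix(uint16_t s)  { return (uint16_t)(s ^ (s >> 7)); }

/* Advance the state and return the next query ID. */
static uint16_t toy_next_id(uint16_t *state) {
    *state = toy_step(*state);
    return toy_mix(*state);
}

/* Audit: try all 2^16 states and count those consistent with one observed
 * ID; the last matching state is stored in *state_out. */
static unsigned states_matching(uint16_t observed_id, uint16_t *state_out) {
    unsigned matches = 0;
    for (uint32_t s = 0; s <= 0xFFFFu; s++) {
        if (toy_mix((uint16_t)s) == observed_id) {
            *state_out = (uint16_t)s;
            matches++;
        }
    }
    return matches;
}

/* Hardened form: take each ID from the kernel's randomness source.
 * Returns 0 on success, -1 if /dev/urandom cannot be read. */
static int secure_query_id(uint16_t *id) {
    FILE *f = fopen("/dev/urandom", "rb");
    if (f == NULL) return -1;
    size_t got = fread(id, sizeof *id, 1, f);
    fclose(f);
    return got == 1 ? 0 : -1;
}

int main(void) {
    uint16_t state = 0x1234;              /* constructed seed (e.g. folded time/pid) */
    uint16_t seen = toy_next_id(&state);  /* one ID visible on the wire */
    uint16_t guess = 0, id = 0;
    unsigned n = states_matching(seen, &guess);
    uint16_t predicted = toy_next_id(&guess), actual = toy_next_id(&state);
    printf("candidates=%u predicted=%u actual=%u\n", n, (unsigned)predicted, (unsigned)actual);
    if (secure_query_id(&id) == 0)
        printf("kernel-sourced id=%u\n", (unsigned)id);
    return predicted == actual ? 0 : 1;
}
```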