Bugtraq mailing list archives

Re: Comments re ISC's announcement on bind9 security

From: Tim <tim-security () sentinelchicken org>
Date: Thu, 1 Nov 2007 16:50:20 -0400

It _is_ a 16 bit ID space, and that is not fixable inside the strict
DNS protocol, but that still leaves us room to do the best job with
what we have, rather than do nothing at all.  Some people appear to be
on the edge of arguing that we do nothing.



I have to agree with Theo on this.  It doesn't help a lot in theory, but
it helps quite a bit in practice.  Note that in spoofing responses one
does typically have timing issues involved which makes it tougher than
just guessing one of 65536 values alone.

On another note, why is it that everyone arguing the all-or-nothing case
likes to ignore the other very-usable-now mitigation of randomizing
source ports?  I don't use BIND and I don't care to check it's current
behavior, but has the ISC finally gotten around to randomizing the
source ports?  If not, why not?  The extra few bits of entropy can go a
long way, particularly if a good PRNG is used.

tim

Current thread:

Re: Comments re ISC's announcement on bind9 security Henrik Langos (Nov 01)
- <Possible follow-ups>
- Re: Comments re ISC's announcement on bind9 security Network Protocol Security (Nov 01)
- Re: Re: Comments re ISC's announcement on bind9 security ntn (Nov 01)
  - Re: Comments re ISC's announcement on bind9 security Theo de Raadt (Nov 01)
    - Re: Comments re ISC's announcement on bind9 security Tim (Nov 01)
    - Re: Comments re ISC's announcement on bind9 security Shane Kerr (Nov 02)
    - Re: Comments re ISC's announcement on bind9 security Tim (Nov 02)
    - Re: Comments re ISC's announcement on bind9 security Shane Kerr (Nov 02)
    - Re: Comments re ISC's announcement on bind9 security Tim (Nov 05)