Bugtraq mailing list archives
Re: Comments re ISC's announcement on bind9 security
From: Tim <tim-security () sentinelchicken org>
Date: Thu, 1 Nov 2007 16:50:20 -0400
It _is_ a 16 bit ID space, and that is not fixable inside the strict DNS protocol, but that still leaves us room to do the best job with what we have, rather than do nothing at all. Some people appear to be on the edge of arguing that we do nothing.
I have to agree with Theo on this. It doesn't help a lot in theory, but it helps quite a bit in practice. Note that in spoofing responses one does typically have timing issues involved which makes it tougher than just guessing one of 65536 values alone. On another note, why is it that everyone arguing the all-or-nothing case likes to ignore the other very-usable-now mitigation of randomizing source ports? I don't use BIND and I don't care to check it's current behavior, but has the ISC finally gotten around to randomizing the source ports? If not, why not? The extra few bits of entropy can go a long way, particularly if a good PRNG is used. tim
Current thread:
- Re: Comments re ISC's announcement on bind9 security Henrik Langos (Nov 01)
- <Possible follow-ups>
- Re: Comments re ISC's announcement on bind9 security Network Protocol Security (Nov 01)
- Re: Re: Comments re ISC's announcement on bind9 security ntn (Nov 01)
- Re: Comments re ISC's announcement on bind9 security Theo de Raadt (Nov 01)
- Re: Comments re ISC's announcement on bind9 security Tim (Nov 01)
- Re: Comments re ISC's announcement on bind9 security Shane Kerr (Nov 02)
- Re: Comments re ISC's announcement on bind9 security Tim (Nov 02)
- Re: Comments re ISC's announcement on bind9 security Shane Kerr (Nov 02)
- Re: Comments re ISC's announcement on bind9 security Tim (Nov 05)
- Re: Comments re ISC's announcement on bind9 security Theo de Raadt (Nov 01)