Bugtraq mailing list archives
Re: Comments re ISC's announcement on bind9 security
From: Shane Kerr <Shane_Kerr () isc org>
Date: Fri, 02 Nov 2007 11:45:53 +0100
Tim,
> On another note, why is it that everyone arguing the all-or-nothing case likes to ignore the other very-usable-now mitigation of randomizing source ports? I don't use BIND and I don't care to check its current behavior, but has the ISC finally gotten around to randomizing the source ports? If not, why not? The extra few bits of entropy can go a long way, particularly if a good PRNG is used.
Yes, ISC has finally gotten around to randomizing the source ports, as of 9.5.0a2.

It is controlled by the "use-queryport-pool" option in the server section of the BIND configuration file. It defaults to "yes".

You can control how big the pool is with the "queryport-pool-ports" option. It defaults to 8 (an extra 3 bits of entropy).

This set of ports is refreshed periodically, with a frequency controlled by the "queryport-pool-updateinterval" option. (Personally I think this option adds no little value from a security point of view, but it doesn't hurt.)

--
Shane