nanog mailing list archives
Re: DNSSEC?
From: Robert Drake <rdrake () direcpath com>
Date: Fri, 11 Apr 2014 19:03:52 -0400
On 4/11/2014 5:47 PM, Matt Palmer wrote:
> That's not DNSSEC that's broken, then. - Matt
You're correct about that, but everything depends on your level of paranoia.
The bug has a potential to show 64k of memory that may or may not be a part of the TLS/SSL connection*. In that 64k there may be ssh keys, dnssec keys, pictures of cats, or anything else that needs to be safely protected. If something is very important to keep secure and it was on a box that has a TLS/SSL connection then you should regenerate keys for it, but largely this effort would be just in case and not because it's compromised.
* technically it is part of the connection, it's just malloc() and not zeroed so whatever data was in it before was not cleared. If you can be sure all your cat picture applications zero memory on exit and none of them exited uncleanly then this isn't a problem. At high levels of paranoia this isn't really something that you can be sure of though. I'm not even sure if it's done in most crypto apps aside from gpg. OpenSSL is double-faulted here for both not checking the length and not zeroing the memory on malloc**.
** probably making this all up since I haven't done a real look at the library, I'm just going by what I've read on the internet.
I expect we may see more bugs revealed in openssl soon. It's getting lots of scrutiny from this so I expect the code is being audited by everyone and that's good.
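The two defects the post points at (trusting a sender-supplied length field, and releasing memory that still holds secret material) are illustrated below with an added example that is not from the post, the thread, or OpenSSL. It assumes a hypothetical record layout (one type byte, a 2-byte big-endian length, then payload) and constructed sample input; nothing here reproduces real protocol code.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical length-prefixed record: 1 type byte, 2-byte big-endian
 * payload length, then payload. Constructed for this example. */
#define HDR_LEN 3

/* Wipe a buffer through a volatile pointer so the store is not removed
 * as a dead write before free(). */
static void secure_zero(void *p, size_t n) {
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--) *vp++ = 0;
}

/* Copy the payload into `out` (capacity out_cap). Returns the number of
 * payload bytes copied, or -1 when the claimed length exceeds the bytes
 * actually received or the output buffer. The comparison against
 * rec_len is the check the post says was missing. */
int copy_payload(const unsigned char *rec, size_t rec_len,
                 unsigned char *out, size_t out_cap) {
    if (rec == NULL || out == NULL || rec_len < HDR_LEN) return -1;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (claimed > rec_len - HDR_LEN) return -1;  /* never trust the length field */
    if (claimed > out_cap) return -1;
    memcpy(out, rec + HDR_LEN, claimed);
    return (int)claimed;
}

/* Fill a key-sized heap buffer with stand-in secret bytes, wipe it, and
 * verify it is all zero before it goes back to the allocator. Returns 1
 * if clean, 0 otherwise. */
int wipe_then_free_demo(void) {
    size_t n = 32;
    unsigned char *key = malloc(n);
    if (key == NULL) return 0;
    memset(key, 0xAB, n);            /* stand-in for secret material */
    secure_zero(key, n);
    int clean = 1;
    for (size_t i = 0; i < n; i++) if (key[i] != 0) clean = 0;
    free(key);                       /* next malloc() caller sees zeros */
    return clean;
}
```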