Re: DNSSEC?

[Robert Drake <rdrake () direcpath com>]

On 4/11/2014 5:47 PM, Matt Palmer wrote:
> That's not DNSSEC that's broken, then. - Matt 

You're correct about that, but everything depends on your level of 
paranoia.

The bug has a potential to show 64k of memory that may or may not be a 
part of the TLS/SSL connection*.  In that 64k their may be ssh keys, 
dnssec keys, pictures of cats, or anything else that needs to be safely 
protected.  If something is very important to keep secure and it was on 
a box that has a TLS/SSL connection then you should regenerate keys for 
it, but largely this effort would be just in case and not because it's 
compromised.

* technically it is part of the connection, it's just malloc() and not 
zeroed so whatever data was in it before was not cleared.  If you can be 
sure all your cat picture applications zero memory on exit and none of 
them exited uncleanly then this isn't a problem. At high levels of 
paranoia this isn't really something that you can be sure of though.  
I'm not even sure if it's done in most crypto apps aside from gpg.  
OpenSSL is double-faulted here for both not checking the length and not 
zeroing the memory on malloc**.

** probably making this all up since I haven't done a real look at the 
library, I'm just going by what I've read on the internet.

I expect we may see more bugs revealed in openssl soon.  It's getting 
lots of scrutiny from this so I expect the code is being audit by 
everyone and that's good.