BIND's vulnerability to packet forgery

D. J. Bernstein 75628121832146-bind at sublist.cr.yp.to
Sun Jul 29 13:48:24 UTC 2001


Jim Reid writes:
> Wrong. From setup_lookup():
> lookup->sendmsg->id = (unsigned short)(random() & 0xFFFF);

Wrong. I said ``cryptographic randomization.'' The output of random() is
not cryptographically secure. In fact, it is quite easily predictable.
This is a standard exercise in first-semester cryptography courses.

> Randomising the port number for each query achieves precisely nothing.

Wrong. Randomizing the port number makes a huge difference in the cost
of a forgery for blind attackers---i.e., most attackers on the Internet.
Here's the picture:

                     normal         colliding      sniffing
                     blind attack   blind attack   attack
                     ------------   ------------   --------
   nothing           1              1              1
   ID (BIND)         65536          256            1
   ID+port (djbdns)  4227727360     65020          1

It's funny that the BIND company has gone to so much effort to move from
the first line to the second, but now pooh-poohs the third line.

> > Wrong. As discussed in http://cr.yp.to/djbdns/forgery.html, the
> > current reality is that DNSSEC does nothing to prevent forgeries.
> Really? When were RSA and DSA broken?

Do you think that ``RSA'' is a magic word that makes security problems
disappear? Without a central key distribution system---a system that
doesn't exist now and won't exist for the foreseeable future---DNSSEC
doesn't stop forgeries.

---Dan
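An added example, not part of the original message and not BIND or djbdns code: one way to draw both the query ID and the source port from the kernel CSPRNG instead of random(), and to reproduce the 65536 and 4227727360 figures in the "normal blind attack" column. The function names, the use of /dev/urandom, and the port range 1024..65533 (64510 ports, chosen because 65536 * 64510 = 4227727360) are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumption: 64510 usable source ports (taken here as 1024..65533), since
   the table's 4227727360 equals 65536 * 64510. */
#define PORT_MIN   1024u
#define PORT_COUNT 64510u

/* Fill buf from the kernel CSPRNG; 0 on success, -1 on failure. */
static int csprng_bytes(void *buf, size_t len) {
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f) return -1;
    size_t n = fread(buf, 1, len, f);
    fclose(f);
    return n == len ? 0 : -1;
}

/* Uniform value in [0, n) by rejection sampling, so there is no modulo bias. */
static int csprng_uniform(uint32_t n, uint32_t *out) {
    uint32_t r, limit = UINT32_MAX - (UINT32_MAX % n); /* a multiple of n */
    do {
        if (csprng_bytes(&r, sizeof r) != 0) return -1;
    } while (r >= limit);
    *out = r % n;
    return 0;
}

/* Choose an unpredictable query ID and source port for one outgoing query. */
int pick_query_params(uint16_t *id, uint16_t *port) {
    uint32_t v;
    if (csprng_uniform(65536u, &v) != 0) return -1;
    *id = (uint16_t)v;
    if (csprng_uniform(PORT_COUNT, &v) != 0) return -1;
    *port = (uint16_t)(PORT_MIN + v);
    return 0;
}

/* Equally likely (ID, port) pairs a blind forger must cover. */
uint64_t blind_search_space(uint32_t ids, uint32_t ports) {
    return (uint64_t)ids * ports;
}

int main(void) {
    uint16_t id, port;
    if (pick_query_params(&id, &port) != 0) return 1;
    printf("id=%u port=%u space=%llu\n", (unsigned)id, (unsigned)port,
           (unsigned long long)blind_search_space(65536u, PORT_COUNT));
    return 0;
}
```

The function fails closed: if the CSPRNG cannot be read it returns -1 rather than falling back to a predictable generator.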

