From: 75628121832146-bind@sublist.cr.yp.to ("D. J. Bernstein")
Newsgroups: mailing.unix.bind-users
Subject: Re: BIND's vulnerability to packet forgery
Date: 29 Jul 2001 22:14:25 +0800
Organization: NCTU CSIE FreeBSD Server
Message-ID: <9k15o1$ofr$1@FreeBSD.csie.NCTU.edu.tw>

Jim Reid writes:
> Wrong. From setup_lookup():
>     lookup->sendmsg->id = (unsigned short)(random() & 0xFFFF);

Wrong. I said ``cryptographic randomization.'' The output of random() is
not cryptographically secure. In fact, it is quite easily predictable.
This is a standard exercise in first-semester cryptography courses.

> Randomising the port number for each query achieves precisely nothing.

Wrong. Randomizing the port number makes a huge difference in the cost
of a forgery for blind attackers---i.e., most attackers on the Internet.
Here's the picture:

                      normal          colliding       sniffing
                      blind attack    blind attack    attack
                      ------------    ------------    --------
   nothing            1               1               1
   ID (BIND)          65536           256             1
   ID+port (djbdns)   4227727360      65020           1

It's funny that the BIND company has gone to so much effort to move from
the first line to the second, but now pooh-poohs the third line.

> > Wrong. As discussed in http://cr.yp.to/djbdns/forgery.html, the
> > current reality is that DNSSEC does nothing to prevent forgeries.
> Really? When were RSA and DSA broken?

Do you think that ``RSA'' is a magic word that makes security problems
disappear? Without a central key distribution system---a system that
doesn't exist now and won't exist for the foreseeable future---DNSSEC
doesn't stop forgeries.

---Dan
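
An added example, not part of this message and not BIND or djbdns source: drawing the query ID and UDP source port from the kernel CSPRNG instead of random(), and recomputing the table's numbers (the colliding column equals the integer square root of the normal column). The count of 64510 ports is derived from the table (4227727360 / 65536); the exact range 1025-65534, the use of /dev/urandom, and all function names are assumptions.

```c
/* Added example; names, port range and entropy source are assumptions. */
#include <stdint.h>
#include <stdio.h>
#define PORT_LO    1025u   /* assumed lower bound of the port range      */
#define PORT_COUNT 64510u  /* 4227727360 / 65536, derived from the table */

/* Fill buf from the kernel CSPRNG; returns 0 on success, -1 on failure. */
static int csprng_bytes(void *buf, size_t len)
{
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f) return -1;
    size_t got = fread(buf, 1, len, f);
    fclose(f);
    return got == len ? 0 : -1;
}

/* Pick a 16-bit ID and a source port; rejection sampling avoids modulo bias. */
int pick_query_params(uint16_t *id, uint16_t *port)
{
    uint16_t r[2];
    const uint32_t limit = (65536u / PORT_COUNT) * PORT_COUNT;
    do {
        if (csprng_bytes(r, sizeof r) != 0) return -1; /* fail closed */
    } while (r[1] >= limit);
    *id = r[0];
    *port = (uint16_t)(PORT_LO + r[1] % PORT_COUNT);
    return 0;
}

/* "Normal blind attack" column: every (ID, port) pair must be covered. */
uint64_t blind_space(uint64_t ids, uint64_t ports) { return ids * ports; }
/* "Colliding blind attack" column: floor(sqrt(n)) by binary search. */
uint64_t isqrt64(uint64_t n)
{
    uint64_t lo = 0, hi = 1ull << 32;
    while (hi - lo > 1) {
        uint64_t mid = lo + (hi - lo) / 2;
        if (mid * mid <= n) lo = mid; else hi = mid;
    }
    return lo;
}

int main(void)
{
    uint16_t id, port;
    if (pick_query_params(&id, &port) != 0) return 1;
    uint64_t n = blind_space(65536, PORT_COUNT);
    printf("id=%u port=%u space=%llu\n", id, port, (unsigned long long)n);
    return 0;
}
```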