Re: BIND bugs of the month

From: D. J. Bernstein (djbat_private)
Date: Fri Nov 12 1999 - 17:14:24 PST

A sniffing attacker can easily forge responses to your DNS requests. He
can steal your outgoing mail, for example, and intercept your ``secure''
web transactions. This is obviously a problem.

We know how to solve this problem with cryptographic techniques. DNSSEC
has InterNIC digitally sign all DNS records, usually through a chain of
intermediate authorities. Attackers can't forge the signatures.

Of course, this system still allows InterNIC to steal your outgoing
mail, and intercept your ``secure'' web transactions. We know how to
solve this problem too. The solution is simpler and faster than DNSSEC,
though it only works for long domain names: use cryptographic signature
key hashes as domain names.

But all this cryptographic work accomplishes _nothing_ if the servers
are subject to buffer overflows! An attacker doesn't have to bother
guessing or sniffing query times and IDs, and forging DNS responses,
if he can simply take over the DNS server.

This NXT buffer overflow isn't part of some old code that Paul Vixie
inherited from careless graduate students. It's new code. It's part of
BIND's DNSSEC implementation. I don't find the irony amusing. Obviously
ISC's auditing is inadequate.

Does anyone seriously believe that the current BIND code is secure? If
it isn't, adding DNSSEC to it doesn't help anybody. Is ISC going to
rewrite the client and server in a way that gives us confidence in
their security?

David R. Conrad writes:
> In addition, we recommend running your nameserver as non-root and
> chrooted (I know setting this up is non-trivial -- it'll be much, much
> easier in BINDv9).

``I wouldn't consider installing named any other way,'' I told Vixie in
September 1996. He didn't respond. Of course, DNSSEC is equally useless
either way; the only question is whether an attacker can also take over
the rest of the machine.

---Dan

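The key-hash domain names the post sketches, as an added example that is not the author's design or code and not anything from BIND: the name's first label is a hash of the zone's public key, so a client can check a presented key against the name alone. The hash function, the label length, the key encoding and the sample key bytes are all assumptions.

```python
# Added example (not the author's or ISC's code): a self-certifying
# domain name whose first label is a hash of the zone's public key.
# Hash choice, label length and key encoding are assumptions.
import base64
import hashlib

LABEL_BYTES = 20  # assumption: 160-bit digest prefix -> 32 base32 chars


def name_for_key(pubkey: bytes, parent: str) -> str:
    """Derive the name that commits to pubkey under the given parent."""
    digest = hashlib.sha256(pubkey).digest()[:LABEL_BYTES]
    label = base64.b32encode(digest).decode("ascii").lower()
    return f"{label}.{parent}"


def key_matches_name(name: str, pubkey: bytes) -> bool:
    """Check a key presented in a DNS answer against the name we queried.

    No registry and no signing chain is consulted: the name itself says
    which key is acceptable. A forged answer carrying any other key fails,
    so an attacker would need a second preimage of the hash, not a guess
    at query IDs. DNS names are case-insensitive, so compare lowercased.
    """
    label, _, parent = name.lower().partition(".")
    if len(label) != 32 or not parent:
        return False
    return name_for_key(pubkey, parent) == f"{label}.{parent}"


# Constructed sample keys (arbitrary bytes, not real key material).
GENUINE_KEY = bytes(range(32))
FORGED_KEY = bytes(range(1, 33))
ZONE = name_for_key(GENUINE_KEY, "example")

if __name__ == "__main__":
    print(ZONE)
    print(key_matches_name(ZONE, GENUINE_KEY))  # True
    print(key_matches_name(ZONE, FORGED_KEY))   # False
```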
    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:12:02 PDT