[41911] in cryptography@c2.net mail archive
Re: Exponent 3 damage spreads...
daemon@ATHENA.MIT.EDU (James A. Donald)
Sun Sep 10 11:20:33 2006
X-Original-To: cryptography@metzdowd.com
X-Original-To: cryptography@metzdowd.com
Date: Sun, 10 Sep 2006 08:30:53 +1000
From: "James A. Donald" <jamesd@echeque.com>
To: Ben Laurie <ben@algroup.co.uk>
Cc: Cryptography <cryptography@metzdowd.com>
In-Reply-To: <45018806.2050604@algroup.co.uk>
--
Ben Laurie wrote:
> Subject:
> [dnsop] BIND and OpenSSL's RSA signature forging issue
> From:
> Ben Laurie <ben@algroup.co.uk>
> Date:
> Fri, 08 Sep 2006 11:40:44 +0100
> To:
> DNSEXT WG <namedroppers@ops.ietf.org>, "(DNSSEC deployment)"
> <dnssec-deployment@shinkuro.com>, dnsop@lists.uoregon.edu
>
> To:
> DNSEXT WG <namedroppers@ops.ietf.org>, "(DNSSEC deployment)"
> <dnssec-deployment@shinkuro.com>, dnsop@lists.uoregon.edu
>
>
> I've just noticed that BIND is vulnerable to:
>
> http://www.openssl.org/news/secadv_20060905.txt
>
> Executive summary:
>
> RRSIGs can be forged if your RSA key has exponent 3, which is BIND's
> default. Note that the issue is in the resolver, not the server.
>
> Fix:
>
> Upgrade OpenSSL.
>
> Issue:
>
> Since I've been told often that most of the world won't upgrade
> resolvers, presumably most of the world will be vulnerable to this
> problem for a long time.
>
> Solution:
>
> Don't use exponent 3 anymore. This can, of course, be done server-side,
> where the responsible citizens live, allegedly.
>
> Side benefit:
>
> You all get to test emergency key roll! Start your motors, gentlemen!
This seems to presuppose that Secure DNS is actually in use. I was
unaware that this is the case.
What is the penetration of Secure DNS?
--digsig
James A. Donald
6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
fLselD6l8fdbF1p4sjg3RQ2GXi+NnQ//1CymnfKs
4+JAX1zwW3fSIStp6glgbAygK1zCuoMeiTigr4qmd
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
