[14824] in bugtraq


Re: glibc resolver weakness

daemon@ATHENA.MIT.EDU (D. J. Bernstein)
Sun May 7 15:36:45 2000

Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-Id:  <20000507021743.32453.qmail@cr.yp.to>
Date:         Sun, 7 May 2000 02:17:43 -0000
Reply-To: "D. J. Bernstein" <djb@CR.YP.TO>
From: "D. J. Bernstein" <djb@CR.YP.TO>
X-To:         bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM

Steven M. Bellovin writes:
  [ random ID to make blind DNS packet forgery more difficult ]
> 16 bits was far too small to do it right,

Unpredictable IDs and port numbers make large-scale blind forgeries
vastly more expensive. That's more than DNSSEC has ever accomplished.
See http://cr.yp.to/dnscache/forgery.html for further comments.

> http://www.research.att.com/~smb/papers/dnshack.ps

Cache poisoning is a solved problem. A modern DNS cache simply discards
records outside the server's bailiwick.

---Dan
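
The bailiwick check mentioned in the message above, as an added example that is not part of the original post or of any resolver's code: a cache that asked a server about one zone keeps only records whose owner name is at or below that zone, compared label by label. The function names and the sample records are constructed for illustration.

```python
# Added illustration; all names and sample data here are constructed.

def normalize(name):
    """Lowercase a domain name, drop the trailing dot, return its labels."""
    name = name.rstrip(".").lower()
    return name.split(".") if name else []   # root zone -> empty label list

def in_bailiwick(owner, bailiwick):
    """True if owner equals bailiwick or is a subdomain of it.

    The comparison is on whole labels, so 'notexample.com' is NOT inside
    'example.com' even though it ends with the same characters.
    """
    o, b = normalize(owner), normalize(bailiwick)
    return len(o) >= len(b) and o[len(o) - len(b):] == b

def filter_response(records, bailiwick):
    """Split (owner, type, data) records into (kept, discarded).

    bailiwick is the zone the cache contacted this server for (assumption:
    the caller tracks this per outstanding query).
    """
    kept, discarded = [], []
    for rr in records:
        (kept if in_bailiwick(rr[0], bailiwick) else discarded).append(rr)
    return kept, discarded

# Constructed response from a server that was queried as an example.com server.
SAMPLE = [
    ("www.example.com.", "A",  "192.0.2.10"),
    ("example.com.",     "NS", "ns1.example.com."),
    ("ns1.example.com.", "A",  "192.0.2.53"),
    ("www.example.net.", "A",  "203.0.113.66"),  # different zone entirely
    ("notexample.com.",  "A",  "203.0.113.67"),  # string suffix, not a subdomain
]

if __name__ == "__main__":
    kept, discarded = filter_response(SAMPLE, "example.com")
    for rr in kept:
        print("cache  ", rr)
    for rr in discarded:
        print("discard", rr)
```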
