Security and the Net
Mar. 05, 2009
Last week, Matthew Dempsky posted an attack against Dan Bernstein's
djbdns software. Djbdns is one of several alternatives to the popular
BIND nameserver, and is backed by a unique security guarantee that
offers $1000 to the first person to publicly report a verifiable
security hole in djbdns. The problem found by Dempsky allows an attacker
to poison DNS records:
The security hole here is that an administrator that uses djbdns
1.05 to serve DNS content does not expect that configuring his name
server as above will cause it to send records for names outside of
burlap.dempsky.org. I.e., an attacker can trick the administrator's
name servers to include arbitrary DNS records in response to queries
for names within domains he controls.
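The defensive counterpart to the problem Dempsky describes is the "bailiwick" rule: a server answering for a zone should only assert records whose owner names fall within that zone, and a resolver should discard anything else before caching it. The following Python is an added example, not code from the article, from Dempsky or from djbdns; it implements a label-aware in-bailiwick check and runs it over a constructed response for the burlap.dempsky.org zone named in the quote. The record tuples, the sample addresses (from the 192.0.2.0/24 documentation range) and the function names are all assumptions made for this illustration.

```python
# Added example (not from the article or from djbdns): an in-bailiwick filter
# for DNS answer records. A resolver applies this check to discard records a
# server had no authority to send; an administrator can run the same check over
# responses from their own authoritative server to catch out-of-zone records.
from typing import List, Tuple

# Constructed record format: (owner name, RR type, rdata).
RR = Tuple[str, str, str]

# Zone from the quoted report; all other values below are constructed.
ZONE = "burlap.dempsky.org"
SAMPLE_RESPONSE: List[RR] = [
    ("www.burlap.dempsky.org.", "A", "192.0.2.10"),
    ("burlap.dempsky.org.", "NS", "ns1.burlap.dempsky.org."),
    # Out of bailiwick: a record for a name the server is not authoritative for.
    ("example.com.", "A", "192.0.2.99"),
    # Shares a string suffix with the zone but is not a descendant of it;
    # a naive substring check would wrongly accept this one.
    ("notburlap.dempsky.org.", "A", "192.0.2.77"),
]


def normalize(name: str) -> str:
    """DNS names are case-insensitive; strip the trailing dot for comparison."""
    return name.lower().rstrip(".")


def in_bailiwick(name: str, zone: str) -> bool:
    """True if name is the zone apex or a label-wise descendant of the zone."""
    n, z = normalize(name), normalize(zone)
    # The leading dot on the suffix is what makes this a label boundary check.
    return n == z or n.endswith("." + z)


def filter_response(zone: str, records: List[RR]) -> Tuple[List[RR], List[RR]]:
    """Split records into those the zone may assert and those it may not."""
    accepted: List[RR] = []
    rejected: List[RR] = []
    for rr in records:
        (accepted if in_bailiwick(rr[0], zone) else rejected).append(rr)
    return accepted, rejected


def out_of_zone_names(zone: str, records: List[RR]) -> List[str]:
    """Owner names an auditor would flag as outside the served zone."""
    _, rejected = filter_response(zone, records)
    return [normalize(rr[0]) for rr in rejected]


if __name__ == "__main__":
    accepted, rejected = filter_response(ZONE, SAMPLE_RESPONSE)
    print("accepted:", [rr[0] for rr in accepted])
    print("rejected:", [rr[0] for rr in rejected])
```

The check compares whole labels rather than raw string suffixes, which is why `notburlap.dempsky.org` is rejected along with `example.com`; that distinction is the usual mistake in hand-rolled bailiwick filters.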
Less than a week later, D.J. Bernstein has acknowledged that this was
indeed a security issue:
Even though this bug affects very few users, it is a violation of
the expected security policy in a reasonable situation, so it is a
security hole in djbdns. Third-party DNS service is discouraged in
the djbdns documentation but is nevertheless supported. Dempsky is
hereby awarded $1000.
There will be a new release of djbdns soon that will fix this bug and
will come with a new security guarantee. This is in sharp contrast to the
way a supposed security issue in qmail was handled. In that case,
Bernstein denied there was a security issue because "Nobody gives
gigabytes of memory to each qmail-smtpd process, so there is no problem
with qmail's assumption that allocated array lengths fit comfortably
into 32 bits."