AOH :: IS1792.HTM

Security issue in djbdns confirmed

Security issue in djbdns confirmed
Security issue in djbdns confirmed 

Security and the Net
Mar. 05, 2009 

Last week, Matthew Dempsky posted an attack against Dan Bernstein.s 
djbdns software. Djbdns is one of several alternatives for the popular 
BIND nameserver, and is backed by a unique security guarantee that 
offers $1000 to the first person to publicly report a verifiable 
security hole in djbdns. The problem found by Dempsky allows an attacker 
to poison DNS records:

    The security hole here is that an administrator that uses djbdns 
    1.05 to serve DNS content does not expect that configuring his name 
    server as above will cause it to send records for names outside of I.e., an attacker can trick the administrator.s 
    name servers to include arbitrary DNS records in response to queries 
    for names within domains he controls.

Less than a week later, D.J. Bernstein has acknowledged that this was 
indeed a security issue:

    Even though this bug affects very few users, it is a violation of 
    the expected security policy in a reasonable situation, so it is a 
    security hole in djbdns. Third-party DNS service is discouraged in 
    the djbdns documentation but is nevertheless supported. Dempsky is 
    hereby awarded $1000.

There will be a new release of djbdns soon that will fix this bug and 
will come with a new security guarantee. This is a big contrast with the 
way a supposed security issue in qmail was handled. In that case, 
Bernstein denied there was a security issue because "Nobody gives 
gigabytes of memory to each qmail-smtpd process, so there is no problem 
with qmail's assumption that allocated array lengths fit comfortably 
into 32 bits."


Best Selling Security Books and More! 

Site design & layout copyright © 1986-2014 CodeGods