
Re: DNSSEC - Signature Only vs the MX/A issue.
On Tue, Dec 12, 2006 at 04:20:19PM +0900, Masataka Ohta wrote:

> Complex protocols are more complex to implement and operate and,
> thus, insecure.
> 
> For example, it is a lot more likely that DNSSEC software has
> buffer overflow vulnerability than plain DNS software.

This is not only a lot more likely, but actual fact if we look at most DNS
security advisories of the past few years.

For example, look at SIG Query Processing (CVE-2006-4095), "BIND: Self Check
Failing" (2005-25-01), "BIND: Remote Execution of Code" A/K/A "sigrec",
"OpenSSL buffer overflow", "tsig bug", "sigdiv0 bug", etc, all found on
the fine page http://www.isc.org/index.pl?/sw/bind/bind-security.php

	Bert

-- 
http://www.PowerDNS.com      Open source, database driven DNS Software 
http://netherlabs.nl              Open and Closed source services

archive: <http://ops.ietf.org/lists/namedroppers/>