This is the mail archive of the libc-alpha@sourceware.cygnus.com mailing list for the glibc project.
Re: glibc resolver weakness
- To: aj at suse dot de
- Subject: Re: glibc resolver weakness
- From: Mark Kettenis <kettenis at wins dot uva dot nl>
- Date: Sat, 6 May 2000 17:58:50 +0200
- CC: libc-alpha at sourceware dot cygnus dot com
- References: <u8snvvrag1.fsf@gromit.rhein-neckar.de>
   From: Andreas Jaeger <aj@suse.de>
   Date: 06 May 2000 16:59:42 +0200

   I've been pointed to the appended bugtraq article (see
   http://www.securityfocus.com/).

   The code we use is the same as in the latest bind8 release - and bind9
   seems to use a completely new way.

   What should we do about this?

Probably nothing. I get the impression that the person who reported
this is a bit clueless (not that I know a lot about these issues). As
you already noticed, we're using code from BIND. So probably every
system out there has exactly the same "vulnerability".
I believe the ID is simply a way to match queries and answers, and that
it isn't used for security at all. I don't think further attempts to
randomize the ID would really improve security. It's not that it's a
secret. Anybody who manages to intercept the query doesn't have to
guess it. People simply have to live with the fact that DNS isn't
really secure. That's why we'll have secure DNS in the future.
That's why SSH has host keys.
It's a bit unfortunate though that the report (only) mentions glibc.
Makes us look bad :-(.
Mark
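
The matching role of the query ID discussed in the message above, as an added example that is not part of the original post and is not glibc or BIND code: a client builds a query carrying a 16-bit ID and accepts a reply only if the ID, the response flag and the echoed question agree. The function names are hypothetical, the packet layout follows the standard DNS header, and the reply bytes are constructed; the name comparison is byte-exact, which is a simplifying assumption.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HDR_LEN 12  /* fixed DNS header; bytes 0-1 hold the 16-bit ID */

/* Build an A/IN query for `name` with transaction ID `id`; returns length or 0. */
size_t build_query(uint16_t id, const char *name, uint8_t *buf, size_t cap) {
    size_t n = HDR_LEN;
    if (cap < HDR_LEN) return 0;
    memset(buf, 0, HDR_LEN);
    buf[0] = (uint8_t)(id >> 8); buf[1] = (uint8_t)id;
    buf[2] = 0x01;               /* RD=1, QR=0 (this is a query) */
    buf[5] = 1;                  /* QDCOUNT = 1 */
    while (*name) {              /* encode each label as length byte + bytes */
        size_t len = strcspn(name, ".");
        if (len == 0 || len > 63 || n + len + 6 > cap) return 0;
        buf[n++] = (uint8_t)len;
        memcpy(buf + n, name, len);
        n += len;
        name += len;
        if (*name == '.') name++;
    }
    if (n + 5 > cap) return 0;
    buf[n++] = 0;                /* root label ends the name */
    buf[n++] = 0; buf[n++] = 1;  /* QTYPE  = A  */
    buf[n++] = 0; buf[n++] = 1;  /* QCLASS = IN */
    return n;
}

/* 1 if `resp` is acceptable for `query`: same ID, QR set, same question. */
int response_matches(const uint8_t *query, size_t qlen,
                     const uint8_t *resp, size_t rlen) {
    if (qlen < HDR_LEN || rlen < qlen) return 0;
    if (resp[0] != query[0] || resp[1] != query[1]) return 0;  /* ID */
    if (!(resp[2] & 0x80)) return 0;                           /* QR bit */
    if (resp[4] != 0 || resp[5] != 1) return 0;                /* QDCOUNT */
    return memcmp(query + HDR_LEN, resp + HDR_LEN, qlen - HDR_LEN) == 0;
}

int main(void) {
    uint8_t q[512], r[512];
    size_t n = build_query(0x1234, "www.example.com", q, sizeof q);
    memcpy(r, q, n); r[2] |= 0x80;   /* constructed reply: echo with QR set */
    printf("matching reply accepted: %d\n", response_matches(q, n, r, n));
    r[1] ^= 1;                       /* constructed reply with a different ID */
    printf("wrong-ID reply accepted: %d\n", response_matches(q, n, r, n));
    return 0;
}
```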