Re: djbdns (was: negative vote for maintainer Michael Gilbert)

To: debian-newmaint@lists.debian.org
Cc: 516394@bugs.debian.org
Subject: Re: djbdns (was: negative vote for maintainer Michael Gilbert)
From: Russ Allbery <rra@debian.org>
Date: Fri, 06 Jan 2012 11:46:02 -0800
Message-id: <[🔎] 87r4zcty11.fsf_-_@windlord.stanford.edu>
In-reply-to: <[🔎] CAPRDrAGA3LAS6r33T-G1i7wK_JmzHjbr6m1Hnn9JY7U=HjsnxA@mail.gmail.com> (Sergiusz Pawlowicz's message of "Fri, 6 Jan 2012 18:45:48 +0000")
References: <[🔎] 20120104135448.GA13550@emil.homelinux.net> <[🔎] 20120104152950.GA22171@pryan.ekaia.org> <[🔎] CAPRDrAGPooHo=hNTMfm1z6Z_umWyPy2N6=2OYqKCShx677epsw@mail.gmail.com> <[🔎] 4F047C77.3000506@debian.org> <[🔎] CAPRDrAHP6Xgr4Pv7Dt=M+GbGB8JBJuz95BC6_6aRAyJOKQ307Q@mail.gmail.com> <[🔎] 4F0487DE.3050003@debian.org> <[🔎] CAPRDrAFdq8Kvy=g4zrqf9Pbx6ag+P-=Dehj3GPYgtisf9_YgoA@mail.gmail.com> <[🔎] 877h17exuj.fsf@windlord.stanford.edu> <[🔎] CAPRDrAHtfxZQdTCha6qraCUv8br_WbeJBi_8=n45hmycJ6eqAw@mail.gmail.com> <[🔎] 4F0573B9.1060703@debian.org> <[🔎] CAPRDrAGbdxXm3NZGcbPa4q-6qPviKGrOXhVqhCKo+Wd4rxF6tw@mail.gmail.com> <[🔎] CANTw=MOdWig4X2JWoeOnNeAwyV_JO52zefx2nnanERXBK9qGCw@mail.gmail.com> <[🔎] CAPRDrAGjv-jJqKrA+QWACub2SY88LU5LCUx=bBYk7CRK4m2qsQ@mail.gmail.com> <[🔎] 87ty48vjks.fsf@windlord.stanford.edu> <[🔎] CAPRDrAEubrnx9nSar+Lq0GJeisOPidy=U7KB3E8VkTswWTOuTg@mail.gmail.com> <[🔎] 4F0735F5.30506@fenski.pl> <[🔎] 877h14vfyf.fsf@windlord.stanford.edu> <[🔎] CAPRDrAGA3LAS6r33T-G1i7wK_JmzHjbr6m1Hnn9JY7U=HjsnxA@mail.gmail.com>

debian-newmaint really isn't the place for this discussion, so I'll copy
the bug and will send further discussion directly there.  I'm not
subscribed to the bug, so please copy me if you want me to see replies.

Sergiusz Pawlowicz <sergiusz@pawlowicz.name> writes:

> As dnscache in Debian package is not configured to be run out of the
> box, security team effectively prohibits the community from using
> absolutely free, safe and efficient software, as there is no exploits
> available when you configure it on the loopback interface or for hosts
> you trust, e.g. for your cloud of services.

Well, there aren't *no* exploits; there's still the standard DNS cache
poisoning attacks by brute-force port guessing after inducing queries that
are inherent in non-DNSSEC and present in every server, and which can be
done (with more difficulty) even if you can't query the server directly if
you can induce a trusted service to do DNS queries.  But that isn't a
djbdns-specific problem.

The remaining statement on this bug from the security team is:

| djbdns should not be part of squeeze until it is properly hardened
| against cache poisoning.  It is between 100 and 200 times easier than
| with other DNS servers.

I don't understand the basis of that comment just from the bug log.  The
djbdns-specific attack I'm aware of is on SOA, but the bug discussion
indicates that protecting against SOA isn't sufficient and any cache miss
will do.  So apparently there's some hardening other than UDP port
randomization (which djbdns has done for eons) that needs to be done here
from the security team perspective?  It looks like the hardening that they
want to implement is duplicate query merging?

So far as I understand the additional protection provided by duplicate
query merging, the attack that protects against practically requires
direct access to the caching resolver, so listening only on localhost (or
the equivalent) would make dnscache equivalently secure to any other DNS
caching resolver.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>

Reply to:

Follow-Ups:
- Re: Bug#516394: djbdns
  - From: Florian Weimer <fw@deneb.enyo.de>

References:
- negative vote for maintainer Michael Gilbert
  - From: Emil <ee@la.mine.nu>
- Re: negative vote for maintainer Michael Gilbert
  - From: Ana Guerrero <ana@debian.org>
- Re: negative vote for maintainer Michael Gilbert
  - From: Sergiusz Pawlowicz <sergiusz@pawlowicz.name>
- Re: negative vote for maintainer Michael Gilbert
  - From: Patrick Matthäi <pmatthaei@debian.org>
- Re: negative vote for maintainer Michael Gilbert
  - From: Sergiusz Pawlowicz <sergiusz@pawlowicz.name>
- Re: negative vote for maintainer Michael Gilbert
  - From: Patrick Matthäi <pmatthaei@debian.org>
- Re: negative vote for maintainer Michael Gilbert
  - From: Sergiusz Pawlowicz <sergiusz@pawlowicz.name>
- Re: negative vote for maintainer Michael Gilbert
  - From: Russ Allbery <rra@debian.org>
- Re: negative vote for maintainer Michael Gilbert
  - From: Sergiusz Pawlowicz <sergiusz@pawlowicz.name>
- Re: negative vote for maintainer Michael Gilbert
  - From: Thomas Goirand <zigo@debian.org>
- Re: negative vote for maintainer Michael Gilbert
  - From: Sergiusz Pawlowicz <sergiusz@pawlowicz.name>
- Re: negative vote for maintainer Michael Gilbert
  - From: Michael Gilbert <michael.s.gilbert@gmail.com>
- Re: negative vote for maintainer Michael Gilbert
  - From: Sergiusz Pawlowicz <sergiusz@pawlowicz.name>
- Re: negative vote for maintainer Michael Gilbert
  - From: Russ Allbery <rra@debian.org>
- Re: negative vote for maintainer Michael Gilbert
  - From: Sergiusz Pawlowicz <sergiusz@pawlowicz.name>
- Re: negative vote for maintainer Michael Gilbert
  - From: Bartosz Feński <bartosz@fenski.pl>
- Re: negative vote for maintainer Michael Gilbert
  - From: Russ Allbery <rra@debian.org>
- Re: negative vote for maintainer Michael Gilbert
  - From: Sergiusz Pawlowicz <sergiusz@pawlowicz.name>

Prev by Date: Re: negative vote for maintainer Michael Gilbert
Next by Date: AM report for Mathieu Malaterre
Previous by thread: Re: negative vote for maintainer Michael Gilbert
Next by thread: Re: Bug#516394: djbdns
Index(es):
- Date
- Thread