severity 491809 important retitle 491809 DNS stub resolver could be hardened. thanks On Fri, Jul 25, 2008 at 10:06:01PM +0000, Florian Weimer wrote: > reopen 491809 > thanks > > * Pierre Habouzit: > > > Kaminsky agrees confirm the issue, so I can say for sure that the > > glibc isn't vulnerable to the attack he describes, as it needs a > > resolver that caches additionnal RRs, which the glibc doesn't do. > > > As of attacks that would use non randomized source port use, this is > > addressed by recent kernels hence is fixed enough. > > I've trouble parsing what you wrote. What I mean, is that the glibc performs no additionnal RR caching, which is how the attack poisons caches. Moreover the glibc is _not_ a recursive resolver either. And finally it also uses random source ports, which is the simplest way to prevent Kaminsky's attack. > Based on information provided at the DNS summit, I do think we should > harden the glibc stub resolver. That's another matter which doesn't warrant a critical severity at all. The glibc stub resolver is already "safe enough" by many standards. I don't deny it could be hardened though (Improving the RNG is probably not a bad idea). -- ·O· Pierre Habouzit ··O madcoder@debian.org OOO http://www.madism.org
Attachment:
pgpQdjzfKd3lg.pgp
Description: PGP signature