Re: Comments re ISC's announcement on bind9 security

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: Comments re ISC's announcement on bind9 security
From: "Network Protocol Security" <netprotosec@xxxxxxxxx>
Date: Wed, 31 Oct 2007 23:28:36 +0200
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=beta; h=domainkey-signature:received:received:message-id:date:from:to:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; bh=Dcg7pM2n7biYwIjpNw5d0MRDnILLyJFdWIdHnqmfIYw=; b=gGQi7WEb4G+noq2MQvQsgyATjmt5W5eCdydcVkiVUxdFZhMbDN3WNBGBPe5EYFTwJWRqTE8BhZ55ZoE60tlI1PGd06SxdePppJAbS3CDHbWSANS1E21yLib4iy905zUjo0YgkOBUJ0rHMJjuKYa7sajsHwx5fEI+6mS8XL2PLEM=
Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=beta; h=received:message-id:date:from:to:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=K7WndMWWR1x4pciSpWURHzNDASpVxQT1OxZCTn9wmSyDKVRWemK8ETfKQ8FYMevuGieTiDIq5rJZBQ0jHs+z3OEUUQWJ4v95FXTrju64ZFnBRhhsR86Ewmk+Ql6btIDgJUD5e6d0WvuNXLdcMJDExNGzcs6zSXutTCPxLCv6iY8=
In-reply-to: <472886C3.9000609@xxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <472886C3.9000609@xxxxxxx>

On 10/31/07, Shane Kerr <Shane_Kerr@xxxxxxx> wrote:
>
> There seem to be two ideas you are presenting here, both intended to imply 
> that
> the developers at ISC are technically incompetent:
>
> 1. Using a pseudo-random number generator should be called "crypto".
>

No, but a pseudo random number generator whose output *should not be
predictable* is a *cryptographic* random number generator, hence
"crypto". Isn't it obvious that a DNS server should generate an
*unpredictable* DNS ID? and if the chosen algorithm can be predicted
easily, doesn't this constitute "extremely weak crypto"?

> 2. The particular pseudo-random number generator that BIND 9 now uses is a 
> poor
>    choice.

No, that is not what I said. Don't change the subject. The discussion
is about bind 9.4.1, not 9.4.1-P1. This is obvious from the use of
past tense in both your original statement and my previous email. So I
still maintain that bind9 had (up to and inc. 9.4.1) extremely weak
crypto.

References:
- Re: Comments re ISC's announcement on bind9 security
  - From: Shane Kerr

Prev by Date: ZDI-07-062: RealNetworks RealPlayer PLS File Memory Corruption Vulnerability
Next by Date: ZDI-07-063: RealPlayer RA Field Size File Processing Heap Oveflow Vulnerability
Previous by thread: Re: Comments re ISC's announcement on bind9 security
Next by thread: Re: Re: Comments re ISC's announcement on bind9 security
Index(es):
- Date
- Thread