Re: Comments re ISC's announcement on bind9 security

To: Tim <tim-security@xxxxxxxxxxxxxxxxxxx>
Subject: Re: Comments re ISC's announcement on bind9 security
From: Shane Kerr <Shane_Kerr@xxxxxxx>
Date: Fri, 02 Nov 2007 11:45:53 +0100
Cc: bugtraq@xxxxxxxxxxxxxxxxx
In-reply-to: <20071101205019.GG2631@xxxxxxxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Organization: ISC
References: <20071101191406.14284.qmail@xxxxxxxxxxxxxxxxx> <200711011951.lA1Jpujr031735@xxxxxxxxxxxxxxx> <20071101205019.GG2631@xxxxxxxxxxxxxxxxxxx>
Reply-to: shane_kerr@xxxxxxx
User-agent: Thunderbird 2.0.0.6 (X11/20070806)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Tim,

> On another note, why is it that everyone arguing the all-or-nothing case
> likes to ignore the other very-usable-now mitigation of randomizing
> source ports?  I don't use BIND and I don't care to check it's current
> behavior, but has the ISC finally gotten around to randomizing the
> source ports?  If not, why not?  The extra few bits of entropy can go a
> long way, particularly if a good PRNG is used.

Yes, ISC has finally gotten around to randomizing the source ports, as of
9.5.0a2. It is controlled by the "use-queryport-pool" option in the server
section of the BIND configuration file. It defaults to "yes".

You can control how big the pool is with the "queryport-pool-ports" option. It
defaults to 8 (an extra 3 bits of entropy).

This set of ports is refreshed periodically, with a frequency controlled by the
"queryport-pool-updateinterval" option. (Personally I think this option adds no
little value from a security point of view, but it doesn't hurt.)

- --
Shane
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFHKv/gMsfZxBO4kbQRAq0KAJ4h0r4x1GMsucrfkRxptywSCzONxwCfc4U/
gRtVT40M1wud2wlviLwoQ9c=
=EQk/
-----END PGP SIGNATURE-----

Follow-Ups:
- Re: Comments re ISC's announcement on bind9 security
  - From: Tim

References:
- Re: Re: Comments re ISC's announcement on bind9 security
  - From: ntn
- Re: Comments re ISC's announcement on bind9 security
  - From: Theo de Raadt
- Re: Comments re ISC's announcement on bind9 security
  - From: Tim

Prev by Date: Secunia Research: ACDSee Products Image and Archive Plug-ins Buffer Overflows
Next by Date: Scribe <= 2.0 Remote PHP Code Execution
Previous by thread: Re: Comments re ISC's announcement on bind9 security
Next by thread: Re: Comments re ISC's announcement on bind9 security
Index(es):
- Date
- Thread