Dan Bernstein Confirms Security Flaw In Djbdns
secmartin writes "Dan Bernstein has just admitted that a security issue has been found in the djbdns software, one of the most popular alternatives for the BIND nameserver. As part of the djbdns security guarantee, $1000 will be paid to Matthew Dempsky, the researcher who found the bug. The bug allows a nameserver running djbdns to be poisoned using just a single packet. Other researchers have found a separate issue that allows dnscache, the DNS cache that is also part of the djbdns package, to be poisoned within just 18 minutes when using the default configuration. Anyone using djbdns is strongly encouraged to patch their servers immediately."
Reader emad contributes a link to the djbdns mailing list post containing both a patch and a sample exploit, and adds: "In the words of Dan Kaminsky (of recent DNS security fame): 'However, Dempsky's bug in djb's tinydns is way more surprising, if only because ... holy crap, he pulled an exploitable scenario out of THAT?!'"
Re:Hell must have frozen over (Score:3, Insightful)
Re:Hell must have frozen over (Score:5, Insightful)
I hear that DJB never visits his father for years at a stretch. What does that tell you about his upbringing?
Yeah, well, I heard that he eats babies. If you want to smear the guy's reputation go with the part that most people here actually care about: his work. There's ample opportunity in that department to bash him, sometimes even rightly so.
oh, _that_'s the bug? (Score:5, Insightful)
Since I'm one of the admins who's enjoyed having a vulnerability-free djbdns installation for years, I thought I'd look more into the vuln.
Say what you will about DJB, other than being seemingly ornery he appears to be forthright and focused on correctness. In under a week he confirms the vuln and posts a patch and awards the security guarantee money. This is the kind of behavior I want from the people who build my software. http://article.gmane.org/gmane.network.djbdns/13864
Here's the bug:
If the administrator of example.com publishes the example.com DNS data
through tinydns and axfrdns, and includes data for sub.example.com
transferred from an untrusted third party, then that third party can
control cache entries for example.com, not just sub.example.com.
How many of you are running domains like this? It's not something I need to bother patching for. Ah, I guess that's another great thing about the relative rarity of bugs. If one is found it's less likely to be relevant for your particular situation.
The article submitter says:
"Anyone using djbdns is strongly encouraged to patch their servers immediately."
I think "anyone" is a bit strong here.
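The quoted bug description turns on one trust boundary: zone data for sub.example.com that arrives from an untrusted third party ends up published alongside the operator's own example.com data. A general defensive check an operator can apply before merging such data, as an added example that is not part of the original thread and not the djbdns patch, is to reject any transferred record whose owner name falls outside the delegated sub-zone. The record tuples, the zone names and the `filter_transferred_records` helper below are constructed for illustration and do not model the real tinydns data file format.

```python
"""Added example: keep third-party zone data inside its own bailiwick before
publishing it next to the parent zone's records (constructed, simplified model)."""

from typing import Iterable, List, Tuple

# Constructed record format: (owner name, record type, rdata).
Record = Tuple[str, str, str]


def normalize(name: str) -> str:
    """Canonicalize a DNS name: case-insensitive, no trailing dot."""
    return name.rstrip(".").lower()


def in_zone(name: str, zone: str) -> bool:
    """True if name is the zone apex or lies strictly below it.

    The leading dot in the suffix test matters: "notsub.example.com" must not
    be treated as inside "sub.example.com" just because it shares a suffix.
    """
    name, zone = normalize(name), normalize(zone)
    return name == zone or name.endswith("." + zone)


def filter_transferred_records(
    records: Iterable[Record], subzone: str
) -> Tuple[List[Record], List[Record]]:
    """Split third-party records into (accepted, rejected) by owner-name bailiwick.

    Only records owned by the delegated sub-zone or names under it are accepted;
    anything naming the parent zone or an unrelated name is rejected.
    """
    accepted: List[Record] = []
    rejected: List[Record] = []
    for rec in records:
        (accepted if in_zone(rec[0], subzone) else rejected).append(rec)
    return accepted, rejected


def publish_zone(own_records: List[Record], third_party: List[Record], subzone: str) -> List[Record]:
    """Merge the operator's own records with the filtered third-party records."""
    accepted, _ = filter_transferred_records(third_party, subzone)
    return list(own_records) + accepted


# Constructed sample data: what the parent-zone operator publishes itself ...
OWN_RECORDS: List[Record] = [
    ("example.com", "NS", "ns1.example.com"),
    ("www.example.com", "A", "192.0.2.1"),
]

# ... and a constructed third-party transfer for sub.example.com that also
# smuggles in owner names belonging to the parent zone and to look-alike names.
THIRD_PARTY_RECORDS: List[Record] = [
    ("sub.example.com", "NS", "ns1.sub.example.com"),
    ("www.sub.example.com", "A", "192.0.2.10"),
    ("example.com", "NS", "ns.third-party.example"),      # parent apex: reject
    ("www.example.com", "A", "203.0.113.5"),              # parent name: reject
    ("notsub.example.com", "A", "203.0.113.6"),           # suffix look-alike: reject
]


def demo() -> Tuple[int, int]:
    """Return (accepted, rejected) counts for the constructed transfer."""
    accepted, rejected = filter_transferred_records(THIRD_PARTY_RECORDS, "sub.example.com")
    return len(accepted), len(rejected)


if __name__ == "__main__":
    acc, rej = filter_transferred_records(THIRD_PARTY_RECORDS, "sub.example.com")
    print("accepted:", acc)
    print("rejected:", rej)
    print("published:", publish_zone(OWN_RECORDS, THIRD_PARTY_RECORDS, "sub.example.com"))
```

Owner-name filtering only constrains which names the third party may define; it says nothing about where rdata such as NS targets point, so an operator who imports delegated data this way should decide separately which record types and targets to accept from the sub-zone provider.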
what about the man's attitude? (Score:5, Insightful)
I just realized this:
The next release of djbdns will be backed by a new security guarantee.
In the meantime, if any users are in the situation described above,
those users are advised to apply Dempsky's patch and requested to accept
my apologies.
He's apologizing. How's that for forthright behavior? He's not being evasive. He's not pointing fingers. He's owning up to personal error, and expressing what appears to be compunction. For one bug in a decade.
Yeah, tell me how you don't like his attitude. I think it's fine.
Mr. Bernstein, good work I say. Thank you very much for your efforts and skill and honesty.
Re:what about the man's attitude? (Score:1, Insightful)