Hosting Provided By

Re: Comments re ISC's announcement on bind9 security

From: Network Protocol Security <netprotosec(at)gmail.com>
Date: Wed Oct 31 2007 - 17:28:36 EDT

On 10/31/07, Shane Kerr <Shane_Kerr@isc.org> wrote:
>
> There seem to be two ideas you are presenting here, both intended to imply that
> the developers at ISC are technically incompetent:
>
> 1. Using a pseudo-random number generator should be called "crypto".
>

No, but a pseudo random number generator whose output *should not be predictable* is a *cryptographic* random number generator, hence "crypto". Isn't it obvious that a DNS server should generate an *unpredictable* DNS ID? and if the chosen algorithm can be predicted easily, doesn't this constitute "extremely weak crypto"?

> 2. The particular pseudo-random number generator that BIND 9 now uses is a poor
> choice.

No, that is not what I said. Don't change the subject. The discussion is about bind 9.4.1, not 9.4.1-P1. This is obvious from the use of past tense in both your original statement and my previous email. So I still maintain that bind9 had (up to and inc. 9.4.1) extremely weak crypto. Received on Thu Nov 1 13:52:57 2007

This message: [ Message body ]
Next message: zdi-disclosures(at)3com.com: "ZDI-07-063: RealPlayer RA Field Size File Processing Heap Oveflow Vulnerability"
Previous message: zdi-disclosures(at)3com.com: "ZDI-07-062: RealNetworks RealPlayer PLS File Memory Corruption Vulnerability"
In reply to: Shane Kerr: "Re: Comments re ISC's announcement on bind9 security"
Next in thread: ntn(at)networkontap.com: "Re: Re: Comments re ISC's announcement on bind9 security"
Maybe reply: ntn(at)networkontap.com: "Re: Re: Comments re ISC's announcement on bind9 security"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Jul 16 2008 - 14:09:35 EDT