James A. Donald wrote: > -- > Ben Laurie wrote: >> Subject: >> [dnsop] BIND and OpenSSL's RSA signature forging issue >> From: >> Ben Laurie <[EMAIL PROTECTED]> >> Date: >> Fri, 08 Sep 2006 11:40:44 +0100 >> To: >> DNSEXT WG <firstname.lastname@example.org>, "(DNSSEC deployment)" >> <[EMAIL PROTECTED]>, email@example.com >> >> To: >> DNSEXT WG <firstname.lastname@example.org>, "(DNSSEC deployment)" >> <[EMAIL PROTECTED]>, email@example.com >> >> >> I've just noticed that BIND is vulnerable to: >> >> http://www.openssl.org/news/secadv_20060905.txt >> >> Executive summary: >> >> RRSIGs can be forged if your RSA key has exponent 3, which is BIND's >> default. Note that the issue is in the resolver, not the server. >> >> Fix: >> >> Upgrade OpenSSL. >> >> Issue: >> >> Since I've been told often that most of the world won't upgrade >> resolvers, presumably most of the world will be vulnerable to this >> problem for a long time. >> >> Solution: >> >> Don't use exponent 3 anymore. This can, of course, be done server-side, >> where the responsible citizens live, allegedly. >> >> Side benefit: >> >> You all get to test emergency key roll! Start your motors, gentlemen! > > This seems to presuppose that Secure DNS is actually in use. I was > unaware that this is the case.
Does it? All it presupposes, I thought, was that secure DNS was being tested. Which it is. > What is the penetration of Secure DNS? Anyone who is running any vaguely recent version of BIND is DNSSEC enabled, whether they are using it now or not. Unless they upgrade, they will be vulnerable when they start to use it. So, the question of whether to use exponent 3 is unrelated to the penetration of DNSSEC use now, it is related to the penetration of broken implementations of DNSSEC now. Cheers, Ben. -- http://www.apache-ssl.org/ben.html http://www.links.org/ "There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit." - Robert Woodruff --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]