James A. Donald wrote:
>     --
> Ben Laurie wrote:
>> Subject:
>> [dnsop] BIND and OpenSSL's RSA signature forging issue
>> From:
>> Ben Laurie <[EMAIL PROTECTED]>
>> Date:
>> Fri, 08 Sep 2006 11:40:44 +0100
>> To:
>> DNSEXT WG <namedroppers@ops.ietf.org>, "(DNSSEC deployment)"
>> <[EMAIL PROTECTED]>, dnsop@lists.uoregon.edu
>> To:
>> DNSEXT WG <namedroppers@ops.ietf.org>, "(DNSSEC deployment)"
>> <[EMAIL PROTECTED]>, dnsop@lists.uoregon.edu
>> I've just noticed that BIND is vulnerable to:
>> http://www.openssl.org/news/secadv_20060905.txt
>> Executive summary:
>> RRSIGs can be forged if your RSA key has exponent 3, which is BIND's
>> default. Note that the issue is in the resolver, not the server.
>> Fix:
>> Upgrade OpenSSL.
>> Issue:
>> Since I've been told often that most of the world won't upgrade
>> resolvers, presumably most of the world will be vulnerable to this
>> problem for a long time.
>> Solution:
>> Don't use exponent 3 anymore. This can, of course, be done server-side,
>> where the responsible citizens live, allegedly.
>> Side benefit:
>> You all get to test emergency key roll! Start your motors, gentlemen!
> This seems to presuppose that Secure DNS is actually in use.  I was
> unaware that this is the case.

Does it? All it presupposes, I thought, was that secure DNS was being
tested. Which it is.

> What is the penetration of Secure DNS?

Anyone who is running any vaguely recent version of BIND is DNSSEC
enabled, whether they are using it now or not. Unless they upgrade, they
will be vulnerable when they start to use it. So, the question of
whether to use exponent 3 is unrelated to the penetration of DNSSEC use
now, it is related to the penetration of broken implementations of



http://www.apache-ssl.org/ben.html           http://www.links.org/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Reply via email to