| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 31 Oct 2007 23:28:36 +0200 From: "Network Protocol Security" <netprotosec@...il.com> To: bugtraq@...urityfocus.com Subject: Re: Comments re ISC's announcement on bind9 security On 10/31/07, Shane Kerr <Shane_Kerr@....org> wrote: > > There seem to be two ideas you are presenting here, both intended to imply that > the developers at ISC are technically incompetent: > > 1. Using a pseudo-random number generator should be called "crypto". > No, but a pseudo random number generator whose output *should not be predictable* is a *cryptographic* random number generator, hence "crypto". Isn't it obvious that a DNS server should generate an *unpredictable* DNS ID? and if the chosen algorithm can be predicted easily, doesn't this constitute "extremely weak crypto"? > 2. The particular pseudo-random number generator that BIND 9 now uses is a poor > choice. No, that is not what I said. Don't change the subject. The discussion is about bind 9.4.1, not 9.4.1-P1. This is obvious from the use of past tense in both your original statement and my previous email. So I still maintain that bind9 had (up to and inc. 9.4.1) extremely weak crypto.
Powered by blists - more mailing lists