Re: SNI-12: BIND Vulnerabilities and Solutions

David Wagner (daw@CS.BERKELEY.EDU)
Wed, 23 Apr 1997 02:18:56 -0700

In article <5jjnjr$b5r@joseph.cs.berkeley.edu>,
David Wagner <daw@CS.BERKELEY.EDU> wrote:
> However, I think your patch won't fix the problem.
>
> It attempts to make the query ID unpredictable, but fails -- the "random"
> numbers it generates are still predictable (after a trivial 2^16 offline
> trials). And the seeding is terrible -- two years ago Netscape used
> timeofday and pid to seed their PRNG, too, and look what happened to them.
>
> Tell me I'm missing something.

Allow me to partially retract my claim. As far as I can tell the patch
works as intended on OpenBSD systems, and my concerns do not apply to
OpenBSD-based boxes. I'd like to publicly apologize to OpenBSD and Theo
de Raadt for tarring OpenBSD with too broad a brush.

However, I still believe the patch won't fix the problem on most systems:
as far as I can tell, it won't fix the hole on systems not running OpenBSD.
The secnet advisory probably should have included a note to this effect.
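The "2^16 offline trials" point from the quoted message, as an added example that is not part of the original post and does not reproduce the BIND patch. The generator, its constants and the 16-bit seed model (`toy_prng`, `toy_seed`, `toy_next_id`) are constructed assumptions chosen only to show how few observed IDs pin down a generator whose unknown seed material amounts to 16 bits.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed toy generator (hypothetical, NOT the BIND patch): a 32-bit
 * LCG whose only unknown is a 16-bit seed, as a folded time/pid mix would be. */
typedef struct { uint32_t state; } toy_prng;

static void toy_seed(toy_prng *g, uint16_t seed) { g->state = seed; }

/* Next 16-bit query ID: the top 16 bits of the advanced LCG state. */
static uint16_t toy_next_id(toy_prng *g) {
    g->state = g->state * 1103515245u + 12345u;
    return (uint16_t)(g->state >> 16);
}

/* Audit check: count how many of the 2^16 possible seeds reproduce the
 * observed IDs. The last matching seed is stored in *found. */
static unsigned consistent_seeds(const uint16_t *obs, int n, uint16_t *found) {
    unsigned matches = 0;
    for (uint32_t s = 0; s <= 0xFFFF; s++) {
        toy_prng g;
        int i;
        toy_seed(&g, (uint16_t)s);
        for (i = 0; i < n && toy_next_id(&g) == obs[i]; i++)
            ;
        if (i == n) { matches++; *found = (uint16_t)s; }
    }
    return matches;
}

/* Returns the ID that follows the observed run, or -1 if the run does not
 * single out exactly one seed. */
static int predict_next(const uint16_t *obs, int n) {
    uint16_t seed = 0;
    toy_prng g;
    if (consistent_seeds(obs, n, &seed) != 1) return -1;
    toy_seed(&g, seed);
    for (int i = 0; i < n; i++) toy_next_id(&g);
    return toy_next_id(&g);
}

int main(void) {
    toy_prng g; uint16_t obs[4];
    toy_seed(&g, 0xBEEF);                 /* constructed sample seed */
    for (int i = 0; i < 4; i++) obs[i] = toy_next_id(&g);
    printf("predicted next ID: %d, actual: %d\n",
           predict_next(obs, 4), toy_next_id(&g));
    return 0;
}
```

The number of seeds consistent with a short observed run measures how much unpredictability a generator really has. When that count drops to one after a handful of IDs, every later ID is determined.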