List: bugtraq
Subject: Re: Comments re ISC's announcement on bind9 security
From: "Network Protocol Security" <netprotosec () gmail ! com>
Date: 2007-10-31 21:28:36
Message-ID: d9aee4770710311428j4b6bfdd2t19d2ba2a2bed0aa6 () mail ! gmail ! com
On 10/31/07, Shane Kerr <Shane_Kerr@isc.org> wrote:
>
> There seem to be two ideas you are presenting here, both intended to imply that
> the developers at ISC are technically incompetent:
>
> 1. Using a pseudo-random number generator should be called "crypto".
>
No, but a pseudo random number generator whose output *should not be
predictable* is a *cryptographic* random number generator, hence
"crypto". Isn't it obvious that a DNS server should generate an
*unpredictable* DNS ID? And if the chosen algorithm can be predicted
easily, doesn't this constitute "extremely weak crypto"?

> 2. The particular pseudo-random number generator that BIND 9 now uses is a poor
> choice.

No, that is not what I said. Don't change the subject. The discussion
is about bind 9.4.1, not 9.4.1-P1. This is obvious from the use of
past tense in both your original statement and my previous email. So I
still maintain that bind9 had (up to and inc. 9.4.1) extremely weak
crypto.