Re: DNSSEC - Signature Only vs the MX/A issue.
On Tue, Dec 12, 2006 at 04:20:19PM +0900, Masataka Ohta wrote:
> Complex protocols are more complex to implement and operate and,
> thus, insecure.
> For example, it is a lot more likely that DNSSEC software has
> buffer overflow vulnerability than plain DNS software.
This is not only a lot more likely, but actual fact if we look at most DNS
security advisories of the past few years.
For example, look at SIG Query Processing (CVE-2006-4095), "BIND: Self Check
Failing" (2005-25-01), "BIND: Remote Execution of Code" A/K/A "sigrec",
"OpenSSL buffer overflow", "tsig bug", "sigdiv0 bug", etc, all found on
the fine page http://www.isc.org/index.pl?/sw/bind/bind-security.php
http://www.PowerDNS.com Open source, database driven DNS Software
http://netherlabs.nl Open and Closed source services