* Gerrit Pape:

> The attack under discussion is a bruteforce attack.

No, it's not; it's about 100 times faster than brute force.

> o Don't apply a patch against the djbdns binary package, but document the
>   fact more prominently. In fact it's already documented for years by
>   upstream, and again detailed in his 'February 2009 comments'.

This is incorrect; the old version cannot be reasonably interpreted to
mean that a resolver running dnscache can be poisoned within 20 minutes.

> o Apply a patch to dbndns, the Debian fork of djbdns, that limits
>   concurrent outgoing SOA queries to 20. I'm of the opinion that this
>   makes the attack significantly harder.

No, it doesn't. Any cache miss will do. There is just a slight
inefficiency when you have to switch names to get the next round of
cache misses.

> AFAIK from private discussion, the Debian security team doesn't agree
> with my assessment. I don't know what their plans are for stable.

I still hope to get a better patch.