On Fri, Jan 6, 2012 at 19:46, Russ Allbery <r...@debian.org> wrote:

> Sergiusz Pawlowicz <sergi...@pawlowicz.name> writes:
>
>> As dnscache in Debian package is not configured to be run out of the
>> box, security team effectively prohibits the community from using
>> absolutely free, safe and efficient software, as there is no exploits
>> available when you configure it on the loopback interface or for hosts
>> you trust, e.g. for your cloud of services.
>
> Well, there aren't *no* exploits; there's still the standard DNS cache
> poisoning attacks by brute-force port guessing after inducing queries that
> are inherent in non-DNSSEC and present in every server, and which can be
> done (with more difficulty) even if you can't query the server directly if
> you can induce a trusted service to do DNS queries.  But that isn't a
> djbdns-specific problem.

Dear Russ,
I would like to repeat my statement, this bug, #516394, is not exploitable
if your DNS cache is not directly available for an attacker.

Because of the design of DNS, I do not propose anyone to make any DNS
cache available for any third-parties. But, again, the djbdns Debian package
has no such a service from out of the box, and it must be enabled by an
administrator.

I can prove and admin can configure e.g. httpd to show all your / filesystem
tree, does it mean we must remove httpd from Debian?

Serge



--
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Reply via email to