Dan Bernstein Confirms Security Flaw In Djbdns

secmartin writes "Dan Bernstein has just admitted that a security issue has been found in the djbdns software, one of most popular alternatives for the BIND nameserver. As part of the djbdns security guarantee, $1000 will be paid to Matthew Dempsky, the researcher that found the bug. The bug allows a nameserver running djbdns to be poisoned using just a single packet. Other researchers have found a separate issue that allows dnscache, the DNS cache that is also part of the djbdns package, to be poisoned within just 18 minutes when using the default configuration. Anyone using djbdns is strongly encouraged to patch their servers immediately." Reader emad contributes a link to the djbdns mailing list post containing both a patch and a sample exploit, and adds: "In the words of Dan Kaminsky (of recent DNS security fame): 'However, Dempsky's bug in djb's tinydns is way more surprising, if only because ... holy crap, he pulled an exploitable scenario out of THAT?!'"

Re:Hell must have frozen over

[Slumdog]

DBJ admitted to a bug. I run qmail by the way. DJB writes good stable software but I get the impression he is not a good listener.

I'll give you a bit of "Trivia" fact about D.J. Bernstein. His father is Dr. H.J.Bernstein, another professor who is not a good listener, but talks a lot and complains a lot (he was kicked out of SUNY Stony Brook.) I hear that DJB never visits his father for years at a stretch. What does that tell you about his upbringing?