[Dnsmasq-discuss] Impact of CVE-2008-1447 forgery resilience?

Simon Kelley simon at thekelleys.org.uk
Wed Jul 9 11:02:50 BST 2008

Gilles Espinasse wrote:
> An important flaw in dns protocol has been announced yesterday.
> http://www.kb.cert.org/vuls/id/800113
> http://www.isc.org/index.pl?/sw/bind/forgery-resilience.php
> As the result, bind is delivering patched version that will implement a forgery
> resilience extension (per-query source port randomization).
> What is the consequence for dnsmasq (short and long term)?
> I understand Simon position on dnssec stated on december
> http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2007q4/001704.html

Good question.

I wasn't contacted in advance about this, and no patch for dnsmasq has
been released. Since the exact nature of the new vulnerability has not
(as far as I know) been announced, I don't know if dnsmasq is vulnerable.

My current plan is to implement query-port randomization, and I'm
working on that right now. If all goes well, it will go into 2.43, and
be released ASAP. To help with this, I'd like to gather as many testers
as possible. The changes are quite intrusive, and to be confident about
releasing them quickly, I'd like to get as many people as I can testing.

Since query-port randomisation is potentially quite resource-heavy (it
needs a socket per query), and will break many firewall configs, the
current plan is to make it optional, and not the default behaviour.



More information about the Dnsmasq-discuss mailing list