bind9/lib
Ondřej Surý 8330b49fb9
Use cryptographically-secure pseudo-random generator everywhere
It was discovered in an upcoming academic paper that a xoshiro128**
internal state can be recovered by an external 3rd party, allowing them to
predict UDP ports and DNS IDs in the outgoing queries.  This could lead
to an attacker spoofing the DNS answers with great efficiency and
poisoning the DNS cache.

Change the internal random generator to system CSPRNG with buffering to
avoid excessive syscalls.

Thanks Omer Ben Simhon and Amit Klein of Hebrew University of Jerusalem
for responsibly reporting this to us.  Very cool research!

(cherry picked from commit cffcab9d5f)
2025-10-02 13:53:14 +02:00
bind9 Remove redundant parentheses from the return statement 2024-11-19 16:06:16 +01:00
dns Retry lookups with unsigned DNAME over TCP 2025-10-02 13:07:06 +02:00
irs Reduce sizeof isc_sockaddr from 152 to 48 bytes 2025-01-22 14:12:38 +01:00
isc Use cryptographically-secure pseudo-random generator everywhere 2025-10-02 13:53:14 +02:00
isccc Remove redundant parentheses from the return statement 2024-11-19 16:06:16 +01:00
isccfg Deprecate the "tkey-domain" statement 2025-09-01 22:04:28 +02:00
ns Reset DNS_{GETDB_STALEFIRST,DBFIND_STALETIMEOUT} in ns__query_start() 2025-07-03 14:24:55 +02:00
.gitignore The isc/platform.h header has been completely removed 2021-07-06 05:33:48 +00:00
Makefile.am move samples/resolve.c to bin/tests/system 2021-04-16 14:29:43 +02:00