[Opendnssec-user] svn r6114

Matthijs Mekking matthijs at nlnetlabs.nl
Thu Feb 2 13:17:55 UTC 2012


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 02/02/2012 02:01 PM, Bernhard Reutner-Fischer wrote:
> On 2 February 2012 13:40, Matthijs Mekking <matthijs at nlnetlabs.nl>
> wrote:
>> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
>> 
>> Using mkstemp will not solve this attack, since you can do the
>> same trick for /the/zone-name (without .tmp), or any other file
>> location
> 
> If the target filename of the rename is a symlink, the symlink will
> be overwritten.
> 
> But anyway, that spot caught my attention and prompted me to think 
> aloud, that's all :)

And it is greatly appreciated! But rather than blindly accepting
proposals, I want to have better understandings of the threat.

So the signed zone file is safe against this, but OpenDNSSEC uses more
file locations where the trick still can be applied.

I think the chances that such an attack is successful is rather low,
as you are required to have access on the OpenDNSSEC box.
Nevertheless, I have created a story for this, so that we will think
over this twice.

Thanks for your input.

Best regards,
  Matthijs


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEcBAEBAgAGBQJPKo0CAAoJEA8yVCPsQCW5Rw8H+wY3p+F2kzzm9w/Vfj6D1tRy
H03wZwGtgVRP2ANaWou+HVprKpNiEyD7Bfodj6XG+N8pipzQzfpH6xP/dInKOsS7
0nWYuxNsg4h4axFiZh9fHjzXMHH1zLu9Rx8n2vTa/BTC2Ub3tjxMz+uum5XWJ1lr
060atEhGCnUKOEQSvKihFLOsLjzlV0j9NQVY9HB6msUOkuBhoyfjLXAVRLUQtLww
h7CFtqz3OMJ68nIIM/JKq7jwnLQ0dv5sabAVoECnuTBEIE3NmG6YoNaAHBNl6yVg
8Jrcy8WiBSnBbeFYBWBBZXqKL1BB6ToTSn4bgYH6Q/YfZBuladS7sHAWcG0EcNY=
=SIHU
-----END PGP SIGNATURE-----



More information about the Opendnssec-user mailing list