[Opendnssec-user] svn r6114
matthijs at nlnetlabs.nl
Thu Feb 2 13:17:55 UTC 2012
On 02/02/2012 02:01 PM, Bernhard Reutner-Fischer wrote:
> On 2 February 2012 13:40, Matthijs Mekking <matthijs at nlnetlabs.nl>
>> Using mkstemp will not solve this attack, since you can do the
>> same trick for /the/zone-name (without .tmp), or any other file
> If the target filename of the rename is a symlink, the symlink will
> be overwritten.
> But anyway, that spot caught my attention and prompted me to think
> aloud, that's all :)
And it is greatly appreciated! But rather than blindly accepting
proposals, I want to have a better understanding of the threat.
So the signed zone file is safe against this, but OpenDNSSEC uses more
file locations where the trick can still be applied.
I think the chances that such an attack is successful are rather low,
as you are required to have access to the OpenDNSSEC box.
Nevertheless, I have created a story for this, so that we will think
this over twice.
Thanks for your input.
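The point made in the thread, that rename() replaces a symlink at the destination rather than writing through it, so a mkstemp()+rename() publish step leaves the file a planted link points at untouched, shown as an added example. This is my code, not OpenDNSSEC's or anything posted in the thread; the temporary directory, the "victim" and "example.com" file names and the zone content are constructed for the demonstration.

```c
/* Added example, not code from OpenDNSSEC or the thread. Publishing a
 * signed zone through mkstemp()+rename() never writes through a planted
 * symlink: rename() replaces the link itself, so the file it pointed at
 * is untouched. Everything runs under a fresh mkdtemp() directory. */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Write data to dir/zone via a mkstemp() file in the same directory,
 * then rename() it into place. Returns 0 on success, -1 on error. */
static int publish_via_rename(const char *dir, const char *zone, const char *data) {
    char tmp[4096], dst[4096];
    snprintf(tmp, sizeof tmp, "%s/.%s.XXXXXX", dir, zone);
    snprintf(dst, sizeof dst, "%s/%s", dir, zone);
    int fd = mkstemp(tmp);            /* O_CREAT|O_EXCL: never follows a symlink */
    if (fd < 0) return -1;
    if (write(fd, data, strlen(data)) < 0 || fsync(fd) < 0) {
        close(fd); unlink(tmp); return -1;
    }
    close(fd);
    if (rename(tmp, dst) < 0) { unlink(tmp); return -1; } /* replaces a symlink at dst, does not follow it */
    return 0;
}

/* Constructed scenario: "victim" holds "keep"; "example.com" is a symlink
 * to it. Returns 1 if the victim kept its content and example.com became
 * a regular file, 0 if not, -1 on a setup error. */
int symlink_is_replaced_not_followed(void) {
    char dir[] = "/tmp/zonetest.XXXXXX", victim[4096], zone[4096], buf[16] = {0};
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(zone, sizeof zone, "%s/example.com", dir);
    int fd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || write(fd, "keep", 4) != 4) return -1;
    close(fd);
    if (symlink(victim, zone) < 0) return -1;             /* the planted link */
    if (publish_via_rename(dir, "example.com", "signed zone\n") < 0) return -1;
    if ((fd = open(victim, O_RDONLY)) < 0) return -1;
    ssize_t n = read(fd, buf, sizeof buf - 1);
    close(fd);
    struct stat st;
    int regular = lstat(zone, &st) == 0 && S_ISREG(st.st_mode);
    int kept = n == 4 && memcmp(buf, "keep", 4) == 0;
    unlink(zone); unlink(victim); rmdir(dir);             /* cleanup */
    return (regular && kept) ? 1 : 0;
}
```

The same protection does not extend to paths that are opened directly with O_CREAT or O_TRUNC, which is the remaining case the thread refers to.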