From: Mark Andrews
To: bind9-bugs@isc.org
Subject: Re: [ISC-Bugs #37220] dig verifying malformed RRSIG enters endless loop
Date: Fri, 19 Sep 2014 06:54:02 +1000
Message-ID: <20140918205402.7D7261FBC004@rock.dv.isc.org>
In-Reply-To: Your message of "Thu, 18 Sep 2014 11:01:12 +0000."

In message , "Filippo Valsorda via RT" writes:
> If dig +sigchase encounters a RRSIG with inception in the future it will
> enter a tight endless loop.
>
> This is probably a DoS minor security vulnerability.
>
> It might be worth checking if the same verification code is used in other
> products that might be affected.

+sigchase is off by default at compile time in part because it is
contributed code which hasn't had all the bugs removed from it.
The validator used in both named and delv has a different design to the
one used in dig +sigchase.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742
INTERNET: marka@isc.org
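
An added example, not part of the original message and not code from dig, named or delv: the RRSIG time-window test from RFC 4034 section 3.1.5 (inception and expiration compared with RFC 1982 serial arithmetic), used in a single bounded pass where a signature with inception in the future is rejected once and never retried. The function names, the struct and the timestamps are constructed for illustration, and the code does not reproduce the +sigchase bug.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* RFC 1982 serial arithmetic on 32-bit values: nonzero if a is before b. */
static int serial_lt(uint32_t a, uint32_t b) {
    return a != b && (uint32_t)(b - a) < 0x80000000u;
}

enum sig_time { SIG_TIME_OK, SIG_NOT_YET_VALID, SIG_EXPIRED, SIG_BAD_WINDOW };

/* Hypothetical record holding only the two RRSIG time fields. */
struct rrsig_times { uint32_t inception, expiration; };

/* Classify one signature against the verifier's clock. */
enum sig_time rrsig_time_check(struct rrsig_times s, uint32_t now) {
    if (serial_lt(s.expiration, s.inception)) return SIG_BAD_WINDOW;
    if (serial_lt(now, s.inception)) return SIG_NOT_YET_VALID;
    if (serial_lt(s.expiration, now)) return SIG_EXPIRED;
    return SIG_TIME_OK;
}

/* One bounded pass: each signature is examined exactly once, and a rejected
 * one is skipped rather than retried. Returns the index of the first usable
 * signature, or -1 so the caller fails validation instead of looping. */
int first_usable_sig(const struct rrsig_times *sigs, size_t n, uint32_t now,
                     size_t *examined) {
    *examined = 0;
    for (size_t i = 0; i < n; i++) {
        (*examined)++;
        if (rrsig_time_check(sigs[i], now) == SIG_TIME_OK) return (int)i;
    }
    return -1;
}

int main(void) {
    const uint32_t now = 1411073642u; /* constructed clock value */
    const struct rrsig_times sigs[] = {
        { now + 3600u, now + 86400u }, /* inception in the future */
        { now - 7200u, now - 3600u },  /* already expired */
        { now - 3600u, now + 3600u },  /* currently valid */
    };
    size_t seen = 0;
    int idx = first_usable_sig(sigs, 3, now, &seen);
    printf("all three: index %d after %zu check(s)\n", idx, seen);
    idx = first_usable_sig(sigs, 1, now, &seen);
    printf("future only: index %d after %zu check(s)\n", idx, seen);
    return 0;
}
```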