[dns-operations] knot-dns

David Conrad drc at virtualized.org
Sun Dec 14 22:52:05 UTC 2014


On Dec 14, 2014, at 12:28 PM, Matthew Ghali <mghali at snark.net> wrote:
> How many different responses did we see to the recent recursion cve?

What I've seen so far:

Vulnerable:
- BIND 9, Unbound, PowerDNS Recursor

Not Vulnerable:
- Nominum, dnsmasq, djbdns, BIND 8

Haven't heard about Microsoft's recursor yet.

> How does code diversity fix protocol vulns?

Because different people implement the protocol differently (as evidenced by the above)?

Of course, one might argue that the fact that there were different behaviors might suggest a bug in the protocol specification, but that doesn't argue against code diversity.  Code diversity is to help mitigate implementation bugs.

Regards,
-drc
