Dan Bernstein confirms DJBDNS security hole, pays $1,000

Dan J. Bernstein has acknowledged an exploitable security flaw in his djbdns software and has made good on a public security guarantee -- to pay $1000 to the first person to publicly report a verifiable security hole in the latest version of the popular DNS name server.
Written by Ryan Naraine, Contributor

Bernstein described the flaw as a "violation of the expected security policy in a reasonable situation" and awarded the bounty to Matthew Dempsky, the researcher who discovered and reported the issue.

Here's the gist of Bernstein's public acknowledgement:

If the administrator of example.com publishes the example.com DNS data through tinydns and axfrdns, and includes data for sub.example.com transferred from an untrusted third party, then that third party can control cache entries for example.com, not just sub.example.com. This is the result of a bug in djbdns pointed out by Matthew Dempsky. (In short, axfrdns compresses some outgoing DNS packets incorrectly.)

Even though this bug affects very few users, it is a violation of the expected security policy in a reasonable situation, so it is a security hole in djbdns. Third-party DNS service is discouraged in the djbdns documentation but is nevertheless supported. Dempsky is hereby awarded $1000.

Bernstein, a cryptographer who is also responsible for qmail, said the next release of djbdns will be backed by a new security guarantee.

He recommended that users exposed to the attack scenario apply the patch created by Dempsky.

The patch is also recommended for other users; it corrects the bug without any side effects.

Also see this Slashdot discussion.
