New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
DNSSEC security audit #263
Comments
Hi, I would welcome an external security audit. So thanks in advance for arranging something.
Large parts of the DNSSEC code in dnsjava served as the prototype for the validator in Unbound, and you can still find identical comments in both code bases. Please let this know anyone doing the audit. A bug in Unbound's validator is likely to affect dnsjava as well. CVE-2017-15105 was such an example. |
As another developer with admin rights that is mostly absent (sorry) I also welcome an audit. For time sensitive issued feel free to reach out. |
Thank you so much @ibauersachs and @nresare! That's really helpful. I'll be applying for the audit in a few weeks, and it'll be part of a much bigger assessment of our projects and their key dependencies, so it might take 1-2 months to get it approved and maybe an extra month for the 3rd party auditors to start their work... So it'll probably happen early next year. I'll keep you posted. |
@gnarea Is there any feedback you can share? |
@ibauersachs, I had to defer the application once again, but I recently started the process and expect to complete it within a couple of weeks. Once I've submitted it, it'll take weeks or maybe months until it's approved. |
Hey folks. I finally got round to requesting the security earlier this week. I'll let you know when they're ready to start. It'll probably be in a few months. |
Hey folks,
Since we're going to be using dnsjava in Vera, I'm planning to request an independent security audit of your DNSSEC implementation, but I have a few questions I was hoping you could answer:
Thanks!
The text was updated successfully, but these errors were encountered: