
DNSSEC security audit #263

Open
gnarea opened this issue Sep 21, 2022 · 6 comments

Comments

@gnarea

gnarea commented Sep 21, 2022

Hey folks,

Since we're going to be using dnsjava in Vera, I'm planning to request an independent security audit of your DNSSEC implementation, but I have a few questions I was hoping you could answer:

  • Has there been any independent assessment of the DNSSEC implementation and, if so, is the report public? I couldn't find any reference to security audits but I wanted to double check.
  • Would you be happy to engage directly with the team conducting the audit? It's unclear at this point whether this would be necessary or ideal. The alternative is to communicate the findings to me, and I'll pass them on to you.
  • What's the best way to report security vulnerabilities? Assuming they find any and I'm the "liaison".

Thanks!

@ibauersachs
Member

Hi, I would welcome an external security audit. So thanks in advance for arranging something.

  • No, there has not been any external audit.
  • Yes, feel free to contact me either here on GitHub via mentioning or you can find my e-mail address on my profile.
  • I guess that would depend on the criticality. Low-impact stuff can probably be a public GitHub issue, otherwise please just drop me an e-mail.

Large parts of the DNSSEC code in dnsjava served as the prototype for the validator in Unbound, and you can still find identical comments in both code bases. Please let anyone doing the audit know this. A bug in Unbound's validator is likely to affect dnsjava as well. CVE-2017-15105 was such an example.

@nresare
Member

nresare commented Sep 23, 2022

As another developer with admin rights who is mostly absent (sorry), I also welcome an audit. For time-sensitive issues, feel free to reach out.

@gnarea
Author

gnarea commented Sep 26, 2022

Thank you so much @ibauersachs and @nresare! That's really helpful.

I'll be applying for the audit in a few weeks, and it'll be part of a much bigger assessment of our projects and their key dependencies, so it might take 1-2 months to get it approved and maybe an extra month for the 3rd party auditors to start their work... So it'll probably happen early next year. I'll keep you posted.

@ibauersachs
Member

@gnarea Is there any feedback you can share?

@gnarea
Author

gnarea commented Aug 2, 2023

@ibauersachs, I had to defer the application once again, but I recently started the process and expect to complete it within a couple of weeks. Once I've submitted it, it'll take weeks or maybe months until it's approved.

@gnarea
Author

gnarea commented Sep 30, 2023

Hey folks. I finally got round to requesting the security audit earlier this week. I'll let you know when they're ready to start. It'll probably be in a few months.
