On 03/10/2023 16:48, Johnnie W Adams via Exim-users wrote:
> What I take from this mitigation statement--Use a trustworthy DNS
> resolver which is able to validate the data according to the DNS record
> types--is that if our DNS service is solid, we are not vulnerable. Is this
> accurate, or am I oversimplifying things?
It's in that vein, but not quite. The issue pointed to by ZDI was the trusting
of the "chunk sizes" for the possibly multiple chunks of an RR, versus the whole
RR size.
An opinion from another (non-Exim, but a name I recognize) dev was
- yes there's at least one resolver out there that doesn't check these
- this would pass straight though glibc (ie, my inference: libc does not check this)
> The mitigation statement from ZDI
> was much more ominous, but I'm still parsing "network-adjacent attackers".
I wasn't sure about that, either.
--
Cheers,
Jeremy
--
## subscription configuration (requires account):
##
https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@???
## Exim details at
http://www.exim.org/
## Please use the Wiki with this list -
http://wiki.exim.org/