BIND and OpenSSL's RSA signature forging issue

Ben Laurie
Fri Sep 8 06:40:44 EDT 2006

I've just noticed that BIND is vulnerable to:

Executive summary:

RRSIGs can be forged if your RSA key has exponent 3, which is BIND's
default. Note that the issue is in the resolver, not the server.


Upgrade OpenSSL.


Since I've been told often that most of the world won't upgrade
resolvers, presumably most of the world will be vulnerable to this
problem for a long time.


Don't use exponent 3 anymore. This can, of course, be done server-side,
where the responsible citizens live, allegedly.

Side benefit:

You all get to test emergency key roll! Start your motors, gentlemen!

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
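As an added example, not taken from the post or from BIND or OpenSSL, here is a small Python audit that implements the server-side workaround the post describes: it parses the RFC 3110 RSA public-key field of DNSKEY records and flags every key whose public exponent is 3. The zone lines and the modulus value are constructed placeholders, not real keys, and the record layout assumed is the usual presentation form `owner TTL IN DNSKEY flags protocol algorithm base64`.

```python
"""Audit DNSKEY records for RSA public exponent 3 (RFC 3110 key field format).

Added example; not code from the mailing-list post, BIND or OpenSSL.
"""
import base64

# DNSSEC algorithm numbers whose public key field is an RSA key in RFC 3110 form.
RSA_ALGORITHMS = {1: "RSAMD5", 5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1",
                  8: "RSASHA256", 10: "RSASHA512"}


def parse_rsa_public_key(blob: bytes):
    """Split an RFC 3110 key field into (exponent, modulus) as integers.

    Layout: a 1-byte exponent length (0 means a 2-byte big-endian length
    follows), the exponent bytes, then the modulus filling the rest.
    """
    if not blob:
        raise ValueError("empty key field")
    if blob[0] != 0:
        exp_len, off = blob[0], 1
    else:
        if len(blob) < 3:
            raise ValueError("truncated exponent length")
        exp_len, off = int.from_bytes(blob[1:3], "big"), 3
    exponent = blob[off:off + exp_len]
    modulus = blob[off + exp_len:]
    if len(exponent) != exp_len or not modulus:
        raise ValueError("truncated key field")
    return int.from_bytes(exponent, "big"), int.from_bytes(modulus, "big")


def encode_rsa_public_key(exponent: int, modulus: int) -> bytes:
    """Inverse of parse_rsa_public_key; used only to build the sample records."""
    e = exponent.to_bytes((exponent.bit_length() + 7) // 8, "big")
    n = modulus.to_bytes((modulus.bit_length() + 7) // 8, "big")
    if len(e) < 256:
        return bytes([len(e)]) + e + n
    return b"\x00" + len(e).to_bytes(2, "big") + e + n


def audit_dnskey_records(zone_lines):
    """Return (owner, algorithm name, exponent, modulus bits, weak) per RSA DNSKEY.

    Assumes presentation format: owner TTL class DNSKEY flags protocol algorithm key.
    Non-DNSKEY lines and non-RSA algorithms are skipped.
    """
    findings = []
    for line in zone_lines:
        fields = line.split()
        if len(fields) < 8 or fields[3] != "DNSKEY":
            continue
        owner, algorithm = fields[0], int(fields[6])
        if algorithm not in RSA_ALGORITHMS:
            continue
        blob = base64.b64decode("".join(fields[7:]))
        e, n = parse_rsa_public_key(blob)
        findings.append((owner, RSA_ALGORITHMS[algorithm], e, n.bit_length(), e == 3))
    return findings


# Constructed placeholder modulus (1024 bits); NOT a real key.
_FAKE_MODULUS = (1 << 1023) | 0x10001

# Constructed sample zone: one exponent-3 KSK, one exponent-65537 ZSK, one A record.
SAMPLE_ZONE = [
    "example.test. 3600 IN DNSKEY 257 3 5 "
    + base64.b64encode(encode_rsa_public_key(3, _FAKE_MODULUS)).decode(),
    "example.test. 3600 IN DNSKEY 256 3 5 "
    + base64.b64encode(encode_rsa_public_key(65537, _FAKE_MODULUS)).decode(),
    "example.test. 3600 IN A 192.0.2.1",
]

if __name__ == "__main__":
    for owner, alg, e, bits, weak in audit_dnskey_records(SAMPLE_ZONE):
        status = "WEAK: exponent 3, roll this key" if weak else "ok"
        print(f"{owner} {alg} e={e} modulus={bits} bits -> {status}")
```

Run it against a real zone by passing the DNSKEY lines of the zone file to `audit_dnskey_records`; any record reported as weak is a candidate for the emergency key roll the post mentions.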
