I very strongly encourage people still using MaraDNS 1.x's recursive code to upgrade to MaraDNS 2, and use Deadwood to process recursive queries. I have completely rewritten the code from the ground up -- Deadwood shares no code whatsoever with MaraDNS -- and did a better job of it the second time around.
The new Deadwood recursive resolver, for example, has been using randomized hashes since 2007, and the hash collision attack making the rounds today has never affected Deadwood. The older MaraDNS 1.x recursive code, however, did not use a randomized hash. While people really should be using Deadwood for recursive queries, I have released MaraDNS 1.4.08 and MaraDNS 1.3.07.12 with an updated randomized hash.
For anyone who is still using MaraDNS 1, it is important to upgrade to this version so that hashes are randomized and not vulnerable to hash collision denial of service attacks. Or better yet, upgrade to MaraDNS 2.
Note that a randomized hash needs a source of entropy; with that in mind, the *NIX version of MaraDNS 1.4.08/1.3.07.12 requires /dev/urandom, and the Windows version of MaraDNS needs "secret.txt" in the same directory as "maradns.exe". People running MaraDNS 1 on *NIX systems without /dev/urandom are on their own -- I do not support MaraDNS on anything besides CentOS, Scientific Linux, and Windows.
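As an added illustration (not MaraDNS's or Deadwood's own code), the following C program shows the idea behind the requirement above: a per-process secret seed is read from a file such as /dev/urandom (or a secret file like the Windows "secret.txt"), and that seed is folded into the hash of every cache key before any input byte is processed, so the bucket a name lands in cannot be predicted by anyone who does not hold the seed. The function names, the FNV-style mixing, and the refusal to start without a seed are assumptions made for this example.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Seeded hash for a DNS cache key (illustrative, not the MaraDNS hash).
 * The seed perturbs the initial state, so the name-to-bucket mapping
 * differs on every run and is unknown to anyone without the seed. */
uint32_t seeded_name_hash(const char *name, size_t len, uint32_t seed) {
    uint32_t h = 2166136261u ^ seed;          /* FNV-1a offset basis XOR seed */
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)tolower((unsigned char)name[i]);
        h ^= c;                               /* DNS names compare case-insensitively */
        h *= 16777619u;                       /* FNV prime (odd, so the step is a bijection) */
    }
    /* Final avalanche so the seed influences every bit of the bucket index. */
    h ^= h >> 16;
    h *= 0x85ebca6bu;
    h ^= h >> 13;
    return h;
}

/* Read a 32-bit seed from a file such as /dev/urandom or a secret file.
 * Returns 0 on success and -1 on failure, so the caller can refuse to run
 * with a predictable hash instead of silently falling back to a fixed seed. */
int read_seed_file(const char *path, uint32_t *seed) {
    FILE *f = fopen(path, "rb");
    if (f == NULL) {
        return -1;
    }
    size_t n = fread(seed, 1, sizeof *seed, f);
    fclose(f);
    return n == sizeof *seed ? 0 : -1;
}

/* Map a name to a bucket index in a table of nbuckets entries. */
unsigned bucket_for(const char *name, uint32_t seed, unsigned nbuckets) {
    return seeded_name_hash(name, strlen(name), seed) % nbuckets;
}

int main(void) {
    uint32_t seed;
    /* Constructed sample: take the seed from /dev/urandom, as the *NIX build does. */
    if (read_seed_file("/dev/urandom", &seed) != 0) {
        fputs("no usable entropy source; refusing to run with a predictable hash\n", stderr);
        return 1;
    }
    const char *names[] = { "example.com", "EXAMPLE.COM", "maradns.org" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        printf("%-12s -> bucket %u\n", names[i], bucket_for(names[i], seed, 1024));
    }
    return 0;
}
```

Because every mixing step is a bijection on 32-bit state, two different seeds always map the same name to different hash values, and a set of names that collide under one seed will not collide under another; the case folding keeps "EXAMPLE.COM" and "example.com" in the same bucket, as a DNS cache needs.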
Note that this security bug only affects you if:

recursive_acl = "127.0.0.1/8"

The tarball files can be found here:

http://maradns.org/download/1.3
http://maradns.org/download/1.4 (also has Windows binary)

The patch is here:

http://maradns.org/download/patches/maradns-1.3-secret_hash.patch

No, MaraDNS 2.0's authoritative server does not use a randomized hash. No, this is not a problem, because a remote attacker cannot control the hash keys. Yes, this could be an issue if an untrusted attacker were able to control MaraDNS' zone files, but that is a much smaller attack surface. I will fix this in MaraDNS 2.0, but only once Deadwood 3.2 is out the door next year.