Full Disclosure mailing list archives
Re DNS spoofing issue discussion
From: Mary and Glenn Everhart <Everhart () gce com>
Date: Thu, 31 Jul 2008 20:29:13 -0400
To: Valdis.Kletnieks () vt edu Subject: RE: [Full-disclosure] DNS spoofing issue. Thoughts on I chose my wording to cover not only DNSSEC but possible alternatives that could be devised. Certs are not the only way to do it, but it needs to be installed all over. The BGP fixes were devised after the last meltdown, but question again is whether they are installed. If DNSSEC had been installed, Kaminsky's issue would not exist. Since the number of sites running BGP among themselves is not that huge, it is probably not as practical an attack vector. Last meltdown that happened was said to be solved largely because most of the BGP site operators knew each other well enough to recognize voices on the phone. Net's bigger now tho. The fact that the recent youtube route hijack and the kenya routing insecurity incidents happened suggests that the md5 security is not in fact in place much (needs predefined secrets installed and apparently people don't configure it to do anything). That being the case, a reminder that maybe it could be good to reexamine this seems not totally daft. Glenn Everhart Everhart () gce com (posting from home; I am the same one who has posted from work also.) -----Original Message----- From: Valdis.Kletnieks () vt edu [mailto:Valdis.Kletnieks () vt edu] Sent: Wednesday, July 30, 2008 11:30 AM To: Everhart, Glenn (Card Services) Cc: pschmehl_lists_nada () tx rr com; randallm () fidmail com; full-disclosure () lists grok org uk Subject: Re: [Full-disclosure] DNS spoofing issue. Thoughts on On Sun, 27 Jul 2008 14:07:03 EDT, Glenn.Everhart@c<censored>h.a.sx.com said:
The need for something more like ssl certs in there remains
It's called DNSSEC, which has been out for a decade and more.
(Also needed for bgp I suspect).
RFC2385 (TCP MD5 protection for BGP) addresses most of the issues, at least on a peer-to-peer basis, and has been out for a decade. There's a discussion of the issues in RFC5123. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re DNS spoofing issue discussion Mary and Glenn Everhart (Jul 31)
- Re: Re DNS spoofing issue discussion don bailey (Jul 31)
- Re: Re DNS spoofing issue discussion Paul Schmehl (Jul 31)
- Re: Re DNS spoofing issue discussion don bailey (Jul 31)
- Re: Re DNS spoofing issue discussion Paul Schmehl (Jul 31)
- Re: Re DNS spoofing issue discussion don bailey (Jul 31)
- Re: Re DNS spoofing issue discussion Paul Schmehl (Jul 31)
- Re: Re DNS spoofing issue discussion don bailey (Jul 31)