nanog mailing list archives
Re: Dan Kaminsky
From: "Patrick W. Gilmore" <patrick () ianai net>
Date: Tue, 4 Aug 2009 14:40:34 -0400
> There is NO fix. There never will be as the problem is architectural to the most fundamental operation of DNS. Other than replacing DNS (not feasible), the only way to prevent this form of attack is DNSSEC. The "fix" only makes it much harder to exploit.
Randomizing source ports and QIDs simply increases entropy, making it harder to spoof an answer. If this is not a "fix", then DNSSEC is not a fix either, as it only increases entropy as well.
Admitted, DNSSEC increases it a great deal more, but by your definition, it is not a "fix".
--
TTFN,
patrick

On Aug 4, 2009, at 2:32 PM, Kevin Oberman wrote:
> > Date: Tue, 04 Aug 2009 13:32:42 -0400
> > From: Curtis Maurand <cmaurand () xyonet com>
> >
> > andrew.wallace wrote:
> > > On Thu, Jul 30, 2009 at 11:48 PM, Dragos Ruiu <dr () kyx net> wrote:
> > > > at the risk of adding to the metadiscussion. what does any of this have to do with nanog?
> > > > (sorry I'm kinda irritable about character slander being spammed out unnecessarily to unrelated public lists lately ;-P )
> > >
> > > What does this have to do with Nanog, the guy found a critical security bug on DNS last year.
> >
> > He didn't find it. He only publicized it. The guy who wrote djbdns found it years ago. PowerDNS was patched for the flaw a year and a half before Kaminsky published his article.
> >
> > http://blog.netherlabs.nl/articles/2008/07/09/some-thoughts-on-the-recent-dns-vulnerability
> >
> > "However - the parties involved aren't to be lauded for their current fix. Far from it. It has been known since 1999 that all nameserver implementations were vulnerable for issues like the one we are facing now. In 1999, Dan J. Bernstein <http://cr.yp.to/djb.html> released his nameserver (djbdns <http://cr.yp.to/djbdns.html>), which already contained the countermeasures being rushed into service now. Let me repeat this. Wise people already saw this one coming 9 years ago, and had a fix in place."
>
> Dan K. has never claimed to have "discovered" the vulnerability. As the article says, it's been known for years and djb did suggest a means to MINIMIZE this vulnerability. There is NO fix. There never will be as the problem is architectural to the most fundamental operation of DNS. Other than replacing DNS (not feasible), the only way to prevent this form of attack is DNSSEC. The "fix" only makes it much harder to exploit.
>
> What Dan K. did was to discover a very clever way to exploit the design flaw in DNS that allowed the attack. What had been a known problem that was not believed to be generally exploitable became a real threat to the Internet. Suddenly people realized that an attack of this sort was not only possible, but quick and easy (relatively).
>
> Dan K. did what a security professional should do...he talked to the folks who were responsible for most DNS implementations that did caching and a work-around was developed before the attack mechanism was made public.
>
> He was given credit for finding the attack method, but the press seemed to get it wrong (as they often do) and lots of stories credited him with finding the vulnerability. By the way, I know that Paul Vixie noted this vulnerability quite some years ago, but I don't know if his report was before or after djb's.
>
> Now, rather than argue about the history of this problem (non-operational), can we stick to operational issues like implementing DNSSEC to really fix it (operational)?
>
> Is your DNS data signed? (No, mine is not and probably won't be for another week or two.)
>
> --
> R. Kevin Oberman, Network Engineer
> Energy Sciences Network (ESnet)
> Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
> E-mail: oberman () es net Phone: +1 510 486-8634
> Key fingerprint: 059B 2DDF 031C 9BA3 14A4 EADA 927D EBB3 987B 3751
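A quantified version of the entropy argument in the exchange above, added here as a worked example and not taken from any message in the thread. It models an off-path forged answer as a guess at the (source port, QID) tuple, along the lines of the RFC 5452 analysis; the function names, the figure of 100 guesses per response window and the 64512-port range (1024-65535) are assumptions made for illustration.

```python
import math

# Added example (not from the thread): quantify how much harder source-port
# randomization makes off-path answer spoofing, and why it is a mitigation
# rather than a fix. All figures below are constructed for illustration.


def entropy_bits(qid_space=65536, port_choices=1):
    """Bits an off-path attacker must guess per forged answer.

    qid_space    - 16-bit transaction ID (always present)
    port_choices - number of distinct source ports the resolver picks from
                   (1 = fixed port, i.e. pre-patch behaviour)
    """
    return math.log2(qid_space * port_choices)


def spoof_success_probability(bits, forged_per_query, queries):
    """Probability that at least one of `queries` resolver lookups is
    poisoned when `forged_per_query` distinct guesses land in each lookup's
    response window (repeated attempts, as in the Kaminsky variant)."""
    space = 2 ** bits
    p_per_query = min(forged_per_query, space) / space
    return 1 - (1 - p_per_query) ** queries


def queries_for_confidence(bits, forged_per_query, confidence=0.5):
    """Lookups needed before the overall success odds reach `confidence`."""
    space = 2 ** bits
    p_per_query = min(forged_per_query, space) / space
    if p_per_query >= 1:
        return 1
    return math.ceil(math.log(1 - confidence) / math.log(1 - p_per_query))


if __name__ == "__main__":
    forged = 100  # assumed guesses per response window
    for label, ports in (("QID only", 1), ("QID + random port", 64512)):
        bits = entropy_bits(port_choices=ports)
        n = queries_for_confidence(bits, forged)
        print(f"{label:18s} {bits:5.1f} bits -> ~{n:,} lookups for 50% odds")
```

With a fixed port the 50% mark is reached in a few hundred lookups; with a randomized port it takes tens of millions, which is the "much harder to exploit" in the thread, not an elimination of the attack.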