Interesting People mailing list archives

more on Big holes in net's heart revealed


From: David Farber <dave () farber net>
Date: Mon, 1 May 2006 07:21:50 -0400



Begin forwarded message:

From: Jaap Akkerhuis <jaap () NLnetLabs nl>
Date: May 1, 2006 6:17:47 AM EDT
To: Carl Malamud <carl () media org>
Cc: dave () farber net
Subject: Re: [IP] Big holes in net's heart revealed

Being in the talk I might comment that it was all more a sales talk
for a Distributed Hash Table based alternative (which has its own
problems). There was a lot of FUD presented.

Hi Dave -

Here is their paper in case anybody wants to read the details:

http://www.cs.cornell.edu/People/egs/papers/dnssurvey.pdf

A simple takeaway ... upgrade your nameserver.  There is no excuse
to be running 5-year old versions of software on a machine that
provides critical infrastructure.

Carl

Something "well known" but not advertised till now. djf

It is advertised all the time in various places. Warnings about
outdated software get ignored all the time. Surveys have been done
showing how many broken servers are still in production, but nobody
seems to listen, especially people running those servers.

To quote Mans Nilsson from the RIPE dns-wg mailing list:

    "Yes, we know. Emin's work points out some of the far-gone consequences
     of not paying attention. We are, however, pretty convinced that:

     1. The mentioned examples are extremes. Most of the namespace is
        in considerably better order.
     2. DNS has historically been a neglected part of the quality
        control most web site operators perform. It simply is so redundant
        and ubiquitous that it is not seen as a critical part.
     3. The ultimate fix for this is DNSSEC."

Emin said that DNSSEC wouldn't help.

And there are of course different styles of what is correct. The
zone farber.net has small problems depending on who you ask
(http://www.zonecheck.fr/demo/ or http://dnsreport.com/). None of
these tests tell you that the servers for this domain can be abused
for DNS amplification attacks (recursion enabled).

        jaap
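
The recursion point at the end of the message above, as an added example that is not part of the original message: a check an operator can run against their own authoritative nameserver to see whether it offers recursion for a name outside its zones. The function names, the test name `example.com` and the constructed replies are assumptions made for this example.

```python
import socket
import struct

QR, RD, RA = 0x8000, 0x0100, 0x0080   # header flag bits (RFC 1035)
REFUSED = 5                            # RCODE 5

def build_query(name, txid=0x1234):
    """DNS A/IN query with RD (recursion desired) set."""
    header = struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)

def classify(query, response):
    """Classify the reply to a recursive query for a name outside the server's zones."""
    if len(response) < 12:
        return "malformed"
    txid, flags = struct.unpack("!HH", response[:4])
    if txid != struct.unpack("!H", query[:2])[0] or not flags & QR:
        return "malformed"
    if flags & 0x000F == REFUSED:
        return "refused"          # desired result for an authoritative-only server
    if flags & RA:
        return "open-recursion"   # server offers recursion to this client
    return "no-recursion"         # e.g. referral or empty answer with RA clear

def probe(server_ip, name="example.com", timeout=3.0):
    """Send one query over UDP to a server you operate and classify the reply."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server_ip, 53))
        try:
            response, _ = s.recvfrom(4096)
        except socket.timeout:
            return "no-reply"
    return classify(query, response)

def constructed_reply(query, flags, ancount=0):
    """Constructed sample reply: header plus echoed question, for offline use."""
    return query[:2] + struct.pack("!HHHHH", flags, 1, ancount, 0, 0) + query[12:]

if __name__ == "__main__":
    q = build_query("example.com")
    # Constructed flag words: QR|RD|RA with NOERROR, and QR|RD with REFUSED.
    for label, flags in [("recursive", 0x8180), ("auth-only", 0x8105)]:
        print(label, classify(q, constructed_reply(q, flags)))
```

Run from a network outside the server's own, since a server may allow recursion only for local clients and the result depends on where the query comes from.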



