Re: Dan Kaminsky

From: Kevin Oberman (no email)
Date: Tue Aug 04 2009 - 14:32:46 EDT

  • Next message: Patrick W. Gilmore: "Re: Dan Kaminsky"

    > Date: Tue, 04 Aug 2009 13:32:42 -0400
    > From: Curtis Maurand <>
    >
    > andrew.wallace wrote:
    > > On Thu, Jul 30, 2009 at 11:48 PM, Dragos Ruiu<> wrote:
    > >
    > >> at the risk of adding to the metadiscussion. what does any of this have to
    > >> do with nanog?
    > >> (sorry I'm kinda irritable about character slander being spammed out
    > >> unnecessarily to unrelated public lists lately ;-P )
    > >>
    > >>
    > >
    > > What does this have to do with Nanog, the guy found a critical
    > > security bug on DNS last year.
    > >
    > He didn't find it. He only publicized it. The guy who wrote djbdns
    > found it years ago. PowerDNS was patched for the flaw a year and a half
    > before Kaminsky published his article.
    >
    > http://blog.netherlabs.nl/articles/2008/07/09/some-thoughts-on-the-recent-dns-vulnerability
    >
    > "However - the parties involved aren't to be lauded for their current
    > fix. Far from it. It has been known since 1999 that all nameserver
    > implementations were vulnerable for issues like the one we are facing
    > now. In 1999, Dan J. Bernstein <http://cr.yp.to/djb.html> released his
    > nameserver (djbdns <http://cr.yp.to/djbdns.html>), which already
    > contained the countermeasures being rushed into service now. Let me
    > repeat this. Wise people already saw this one coming 9 years ago, and
    > had a fix in place."

    Dan K. has never claimed to have "discovered" the vulnerability. As the
    article says, it's been known for years and djb did suggest a means to
    MINIMIZE this vulnerability.

    There is NO fix. There never will be as the problem is architectural
    to the most fundamental operation of DNS. Other than replacing DNS (not
    feasible), the only way to prevent this form of attack is DNSSEC. The
    "fix" only makes it much harder to exploit.

    What Dan K. did was to discover a very clever way to exploit the design
    flaw in DNS that allowed the attack. What had been a known problem that
    was not believed to be generally exploitable became a real threat to the
    Internet. Suddenly people realized that an attack of this sort was not
    only possible, but quick and easy (relatively). Dan K. did what a
    security professional should do... he talked to the folks who were
    responsible for most DNS implementations that did caching and a
    work-around was developed before the attack mechanism was made public.

    He was given credit for finding the attack method, but the press seemed
    to get it wrong (as they often do) and lots of stories credited him with
    finding the vulnerability.

    By the way, I know that Paul Vixie noted this vulnerability quite some
    years ago, but I don't know if his report was before or after djb's.

    Now, rather than argue about the history of this problem
    (non-operational), can we stick to operational issues like implementing
    DNSSEC to really fix it (operational)? Is your DNS data signed? (No,
    mine is not and probably won't be for another week or two.)

    -- 
    R. Kevin Oberman, Network Engineer
    Energy Sciences Network (ESnet)
    Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
    E-mail:                 Phone: +1 510 486-8634
    Key fingerprint: 059B 2DDF 031C 9BA3 14A4  EADA 927D EBB3 987B 3751
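The closing question above ("Is your DNS data signed?") is the one operational check in the thread, and the easiest way to answer it from the command line is to look at what `dig +dnssec` returns for a name in your zone. The following script is an added example, not part of the NANOG thread or of any DNS implementation discussed in it: it parses the text that `dig +dnssec <name> A` prints and reports whether the answer carried RRSIG records (the zone is signed) and whether the resolver set the AD flag (the resolver validated the answer). The two dig outputs embedded at the bottom are constructed samples for `example.test`, not captured responses; the hostname, TTLs, key tag and signature bytes are invented.

```python
"""Check whether a zone's DNS data is DNSSEC-signed, from `dig +dnssec` output.

Added example, not part of the original thread. The samples below are
constructed, not captured from a real resolver.
"""
import re
from dataclasses import dataclass
from typing import Tuple


@dataclass(frozen=True)
class SignedStatus:
    name: str                 # owner name seen in the ANSWER section
    has_rrsig: bool           # at least one RRSIG record in the answer
    ad_flag: bool             # resolver set the AD (authenticated data) flag
    rrsig_covers: Tuple[str, ...]  # RR types the RRSIGs cover, e.g. ("A",)

    @property
    def signed(self) -> bool:
        """The zone publishes signatures for this name."""
        return self.has_rrsig

    @property
    def validated(self) -> bool:
        """A validating resolver checked the chain of trust and set AD."""
        return self.has_rrsig and self.ad_flag


# ";; flags: qr rd ra ad; QUERY: 1, ..." -> capture the flag words
FLAGS_RE = re.compile(r"^;; flags: ([a-z ]+);", re.MULTILINE)
# One resource record line in dig's presentation format:
# owner  TTL  IN  TYPE  rdata
RR_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?P<ttl>\d+)\s+IN\s+(?P<type>[A-Z0-9]+)\s+(?P<rdata>.*)$",
    re.MULTILINE,
)


def section(output: str, header: str) -> str:
    """Return the body of a dig section such as 'ANSWER SECTION'."""
    marker = f";; {header}:"
    start = output.find(marker)
    if start < 0:
        return ""
    body = output[start + len(marker):]
    end = body.find("\n\n")          # sections are separated by a blank line
    return body if end < 0 else body[:end]


def parse_dig(output: str) -> SignedStatus:
    """Parse `dig +dnssec` output and summarise its DNSSEC status."""
    flag_match = FLAGS_RE.search(output)
    flags = set(flag_match.group(1).split()) if flag_match else set()

    name = ""
    covers = []
    for rr in RR_RE.finditer(section(output, "ANSWER SECTION")):
        name = name or rr.group("owner")
        if rr.group("type") == "RRSIG":
            # RRSIG rdata starts with the type it covers: "A 13 2 3600 ..."
            covers.append(rr.group("rdata").split()[0])

    return SignedStatus(
        name=name,
        has_rrsig=bool(covers),
        ad_flag="ad" in flags,
        rrsig_covers=tuple(covers),
    )


def report(output: str) -> str:
    """One-line human-readable verdict for an operator."""
    s = parse_dig(output)
    if s.validated:
        return f"{s.name} signed and validated (RRSIG over {', '.join(s.rrsig_covers)}, AD set)"
    if s.signed:
        return f"{s.name} signed but not validated by this resolver (no AD flag)"
    return f"{s.name or '<no answer>'} NOT signed (no RRSIG in answer)"


# Constructed sample: a signed zone queried through a validating resolver.
SIGNED_SAMPLE = (
    "; <<>> DiG 9.10.6 <<>> +dnssec example.test A\n"
    ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345\n"
    ";; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1\n"
    "\n"
    ";; QUESTION SECTION:\n"
    ";example.test.\t\t\tIN\tA\n"
    "\n"
    ";; ANSWER SECTION:\n"
    "example.test.\t3600\tIN\tA\t192.0.2.10\n"
    "example.test.\t3600\tIN\tRRSIG\tA 13 2 3600 20300101000000 20290101000000 12345 example.test. c29tZXNpZw==\n"
    "\n"
    ";; Query time: 10 msec\n"
)

# Constructed sample: the same name from an unsigned zone.
UNSIGNED_SAMPLE = (
    "; <<>> DiG 9.10.6 <<>> +dnssec example.test A\n"
    ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54321\n"
    ";; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1\n"
    "\n"
    ";; ANSWER SECTION:\n"
    "example.test.\t3600\tIN\tA\t192.0.2.10\n"
    "\n"
    ";; Query time: 9 msec\n"
)

if __name__ == "__main__":
    print(report(SIGNED_SAMPLE))
    print(report(UNSIGNED_SAMPLE))
```

Pipe real output in with `dig +dnssec yourhost.example A | python3 check_signed.py` style plumbing (reading `sys.stdin.read()` instead of the embedded samples) to check your own zone. Two caveats worth keeping in mind when reading the verdict: the AD flag is set by the resolver you asked, so a signed zone queried through a non-validating resolver reports "signed but not validated", which says nothing about the zone; and a missing RRSIG only shows the zone is unsigned if the resolver honoured the DO bit, so query a resolver known to validate (or the zone's authoritative server directly) when in doubt.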