nanog mailing list archives
Re: Exploit for DNS Cache Poisoning - RELEASED
From: Sean Donelan <sean () donelan com>
Date: Thu, 24 Jul 2008 10:32:19 -0400 (EDT)
On Thu, 24 Jul 2008, Paul Ferguson wrote:
Let's hope some very large service providers get their act together real soon now.
There is always a tension between discovery, changing, testing and finally deployment.
Sure, I can empathize, to a certain extent. But this issue has been known for 2+ weeks now. Not sure I can be very empathic now, given the seriousness, and the proper warning ISPs have been given.
Also recognize some of the simple testing tools get a bit confused by some of the more complex DNS configurations used by the mega-ISP DNS clusters; and generate false positive (and maybe even false negative) results. You can see it happens when the testing tool reports widely different numbers of queries checked.
Several of the ISPs with complex DNS clusters are patching and upgrading them; however the current state of some of the patches wouldn't support the query load those providers normally experience. So they've been working on alternative mitigation strategies. However, it's difficult to know if the alternative strategies actually mitigate the actual threat without knowing the actual threat.
And finally, there probably are some providers who haven't made plans to change their DNS. Unfortunately, the testing tools can't read minds (yet), so it's difficult to know which ISPs are in this category.