nanog mailing list archives
Re: Dan Kaminsky
From: Paul Vixie <vixie () isc org>
Date: Tue, 04 Aug 2009 19:25:54 +0000
Curtis Maurand <cmaurand () xyonet com> writes:
> > What does this have to do with Nanog, the guy found a critical security bug on DNS last year.
>
> He didn't find it. He only publicized it. The guy who wrote djbdns found it years ago.
first blood on both the DNS TXID attack, and on what we now call the Kashpureff attack, goes to chris schuba who published in 1993:

http://ftp.cerias.purdue.edu/pub/papers/christoph-schuba/schuba-DNS-msthesis.pdf

i didn't pay any special heed to it since there was no way to get enough bites at the apple due to negative caching. when i saw djb's announcement (i think in 1999 or 2000, so, seven years after schuba's paper came out) i said, geez, that's a lot of code complexity and kernel overhead for a problem that can occur at most once per DNS TTL. and sure enough when we did finally put source port randomization into BIND it crashed a bunch of kernels and firewalls and NATs, and is still paying painful dividends for large ISPs who are now forced to implement it.

why forced? what was it about kaminsky's announcement that changed this from a once-per-TTL problem that didn't deserve this complex/costly solution into a once-per-packet problem that made the world sit up and care? if you don't know the answer off the top of your head, then maybe do some reading or ask somebody privately, rather than continuing to announce in public that bernstein's problem statement was the same as kaminsky's problem statement.

and, always give credit to chris schuba, who got there first.
> Powerdns was patched for the flaw a year and a half before Kaminsky published his article.
nevertheless bert was told about the problem and was given a lengthy window in which to test or improve his solutions for it.

and i think openbsd may have had source port randomization first, since they do it in their kernel when you try to bind(2) to port 0. most kernels are still very predictable when they're assigning a UDP port to an outbound socket.

--
Paul Vixie
KI6YSY
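The message above turns on two quantities: how much guessing entropy a resolver's outbound query carries (the 16-bit TXID, plus whatever the UDP source port adds), and whether the kernel's port allocation for a socket bound to port 0 is predictable. The script below is an added example, not code from the thread, BIND, or PowerDNS: it classifies a sample of successively assigned source ports as sequential or not, reports the effective bits the port contributes, and can take that sample from the running kernel by binding loopback UDP sockets (no packets are sent). The two embedded samples are constructed; the 90% constant-step threshold and the log2-of-span estimate are simplifying assumptions of this example, not a standard. Note that it measures the kernel's behaviour Vixie refers to, not what a resolver that picks its own ports (as BIND and PowerDNS now do) actually sends.

```python
"""Added example, not part of the NANOG thread: check whether the local
kernel hands out predictable UDP source ports when a socket is bound to
port 0, and show what that does to the space an off-path forger must
match. Samples below are constructed; only TXID_BITS is a real constant."""
import math
import random
import socket
from collections import Counter

TXID_BITS = 16  # the DNS message ID is a 16-bit field

# Constructed samples: a sequential allocator and a seeded shuffle.
SEQUENTIAL_SAMPLE = list(range(40000, 40050))
RANDOM_SAMPLE = random.Random(7).sample(range(1024, 65536), 200)


def assess_ports(ports):
    """Classify a sequence of successively assigned source ports.

    Returns a dict with:
      predictable  - True when >= 90% of consecutive differences are the
                     same constant (the next port follows from the last)
      port_bits    - effective guessing entropy the port contributes:
                     0.0 when predictable, else log2 of the span in use
                     (an assumption of this example, not a formal measure)
      common_step  - the dominant difference between successive ports
    """
    if len(ports) < 3:
        raise ValueError("need at least three port samples")
    deltas = [b - a for a, b in zip(ports, ports[1:])]
    step, count = Counter(deltas).most_common(1)[0]
    predictable = count / len(deltas) >= 0.9
    span = max(ports) - min(ports) + 1
    port_bits = 0.0 if predictable else math.log2(span)
    return {"predictable": predictable, "port_bits": port_bits, "common_step": step}


def guess_space_bits(port_bits):
    """Bits a forged answer must match: TXID plus whatever the port adds."""
    return TXID_BITS + port_bits


def sample_local_ports(n=64):
    """Bind n UDP sockets to port 0 on loopback and record the ports the
    kernel chose. Sockets stay open until all are bound so no port is
    reused; nothing is transmitted."""
    socks = []
    try:
        for _ in range(n):
            s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
            s.bind(("127.0.0.1", 0))
            socks.append(s)
        return [s.getsockname()[1] for s in socks]
    finally:
        for s in socks:
            s.close()


if __name__ == "__main__":
    for name, sample in (("sequential", SEQUENTIAL_SAMPLE),
                         ("shuffled", RANDOM_SAMPLE),
                         ("this kernel", sample_local_ports())):
        r = assess_ports(sample)
        print(f"{name:12s} predictable={r['predictable']!s:5s} "
              f"port_bits={r['port_bits']:.1f} "
              f"guess space={guess_space_bits(r['port_bits']):.1f} bits")
```

Run it as a script to see the three rows. A sequential allocator reports 0 port bits, leaving only the 16-bit TXID to match per answer; a port drawn from the whole ephemeral range adds close to 16 more. That difference in guess space is what source port randomization buys, and the once-per-TTL versus once-per-packet distinction in the message is about how often an attacker gets to try against that space, which this script does not model.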