[dns-operations] CERT VU#800113 Multiple DNS implementations vulnerable to cache poisoning

Patrick W. Gilmore patrick at ianai.net
Thu Jul 10 01:13:54 UTC 2008

On Jul 9, 2008, at 8:26 AM, bert hubert wrote:
> On Wed, Jul 09, 2008 at 10:42:17AM +0000, Lutz Donnerhacke wrote:
>> * Duane Wessels wrote:
>>> http://www.kb.cert.org/vuls/id/800113
>>>   Recent additional research into [DNS defects and deficiencies]
>>>   and methods of combining them to conduct improved cache poisoning
>>>   attacks have yielded extremely effective exploitation techniques.
>> That is very weak claim. Poisoning is not a new problem. What is  
>> really new?
> I'd worry, if I were you. "Trust the story". Once the story breaks,  
> you'll
> be able to test this for yourself.

The last time we had something like this was the BGP/MD5 fiasco.  We  
were told to trust the messengers, it was horrifically bad, the  
Internet was about to die.

In that case, the cure was (literally) infinitely worse than the  
disease.  (Cumulatively, years of session downtime due to  
implementation of and problems with MD5 vs. _ZERO_ downtime due to the  
supposed problem.  And we still have people going down to this very  
day over MD5 issues.)

To be honest, I think this is worse than that, so I agree mitigation  
steps should be taken.  Plus the mitigation has far, far less  
likelihood of causing downtime.  But I still cringe when people talk  
about a decade old problem and say "look, I found a new thing about an  
exploit from the 90s which hasn't really changed, you should fix NOW  


More information about the dns-operations mailing list